By Anthony Diosdi
The world is becoming a smaller place in which to live and work. A technological revolution in communications and information exchange has taken place within business, industry, and our homes. America is substantially more invested in information and management than manufacturing goods, and this has affected our professional and personal lives. We bank and transfer money electronically, and we are much more likely to receive an email than a letter.
In this information technology age, the needs of the Internal Revenue Service (or “IRS”) Criminal Investigation are changing as well. Some traditional tax crimes, especially those concerning finance and commerce, continue to be upgraded technically. Paper trails have become electronic trails. As a result, the IRS has been training agents to closely look at the computers of individuals being investigated for tax crimes.
General Search Warrant Procedures
Before the IRS can seize a computer from an individual or business being investigated for a tax crime, the IRS must obtain a court approved search warrant. This section of our article discusses the procedural requirements for the use of a search warrant. A search warrant consists of a set of documents, each with a specified legal purpose. These documents are:
1. Application for Search Warrant;
3. Search Warrant Attachment “A” description of “Location to be searched;”
4. Search Warrant Attachment “B” description of “items to be seized;”
5. Search Warrant Return.
The Affidavit for Search Warrant is a standard form signed and sworn by the special agent that summarizes the specifics of the search warrant. The application addresses the particulars of the person, property, or premises to be searched; and the nature of the alleged criminal violation. When it is anticipated that a computer is on site, the following issues should be considered when obtaining a search warrant:
1) The role of the computer in the alleged offense;
2) The IRS agent should articulate a factual basis to believe that the computer was used for the creation and/or storage of evidentiary records;
3) The affidavit should describe with particularity the places to be searched and the items to be seized. The affidavit should also describe the hardware components of the computer and data domiciled within the computer;
4) The affidavit should discuss the possibility of email on the computer. The affidavit should identify whose email is going to be read and if it is subject to search.
In order to obtain a search warrant, the IRS agents must convince a Federal Judge Magistrate through the affidavit that there is probable cause to believe that:
1. A crime has been committed;
2. Items sought may be seized by virtue of their connection to the crime;
3. Items sought are on the premises to be searched.
The search and seizure of computers is a highly technical and evolving area of search warrant law. Several laws and regulations govern obtaining evidence from electronic sources such as computers. These statutes impose restrictions and obligations on the IRS. At a minimum, the following should be carefully examined anytime the IRS seizes a computer or computers:
1. First Amendment to the Constitution;
2. Fourth Amendment to the Constitution;
3. Wiretap Act, 18 USC Section 2510-2521;
4. Electronic Communications Privacy Act of 1988, 18 USC Sections 2701-2711;
5. Privacy Protection Act, 42 USC Section 2000aa;
6. Fed. R. Crim. P. R 41;
7. Federal Rules of Evidence, Section 901, 1001, and 1002;
8. IRM 9.4.9, Search Warrant, Evidence, and Chain of Custody.
We will write separate articles about these laws and regulations as they pertain to defenses to search warrants and the seizures of computers, laptops, phones, and other electronic devices. This article will focus on the basic forensics that the IRS may employ to examine a computer seized in a criminal tax case. More importantly, this article will discuss just how easy it is for the IRS to forensically recover files that have been deleted from a computer.
Computer forensics deals with the preservation, identification, extraction, and documentation of computer evidence. Computer forensics investigations may take advantage of the way computers store and retrieve data. Relevant computer data usually includes information stored in files on a hard drive, as well as information in files that were “erased” from the hard drive. Computer forensics also takes advantage of the way personal computers operate, and the temporary and/or permanent information recorded by the operating system during normal operations. During normal operation, a Windows System on a personal computer will record data identifying thumb drives that were connected to a computer, the date and time a file was last accessed or modified, Internet searches, Internet websites visited, email read or sent using the computer, and computer programs that were installed or used on the computer.
Beginning with the Windows 2000 operating systems, Microsoft introduced the thumbnail cache. The thumbnail cache assists the computer user in reviewing a large number of images at once by taking the full-sized images and making miniature representations of them. Instead of having to look at each image individually within a folder to find a particular picture you are looking for, the thumbnail cache displays all the images at once as “thumbnail”-sized pictures. The thumbnail cache also speeds up how quickly pictures will display; it reduces the load time of images because the smaller thumbnail images no longer have to be recalculated every time they are accessed by a user, unlike the original images.
Individuals or business owners anticipating the seizure of their computers by the IRS or even another law enforcement agency such as the FBI may be tempted to delete data from the hard drive of their computer. This is easier said than done. The IRS (and other law enforcement agencies) employs forensic experts to analyze digital evidence from computers that have been seized as part of a criminal investigation. A computer forensic expert employed by law enforcement can analyze a forensic image of a storage device to determine what was stored on the device, what files were accessed, and when the files were last accessed or modified. A forensic image of a computer’s hard drive also includes data from which an investigator can determine what peripheral devices have been connected to the computer. Not only will the forensic expert employed by the IRS likely discover an attempt to delete data, but attempting to delete data could actually make things worse for the individual under investigation. Attempting to delete files can result in a prosecution for obstruction of justice or a number of other serious offenses.
The Recycle Bin
In order to understand just how easy it is for a computer forensic expert to obtain deleted data, we will begin by discussing the “recycle bin.” In Windows, a recycle bin is a folder or directory where deleted items are temporarily stored. When someone deletes files, the deleted files are not permanently removed from a computer’s hard drive. Instead, unless they are too large, deleted items are sent to the recycle bin, where they can be restored to their original location if necessary. However, if a file is deleted from the recycle bin, the file is permanently deleted and it cannot be recovered from the recycle bin.
Let’s assume that Tom, a business owner, is the target of an IRS criminal tax fraud investigation and is concerned the IRS will discover documents on his computer. These documents establish that Tom did not report $10 million in taxable income to the IRS over the last three years. Tom deletes the files that contain the incriminating documents. Unknown to Tom, the incriminating files he believed were deleted were not actually deleted. Instead, the deleted incriminating files were only moved to the recycle bin. If the IRS were to legally obtain a warrant to seize and search Tom’s computer, a forensic expert could likely easily locate the incriminating files that Tom attempted to delete.
When a file is deleted by a user, the data contained on a hard drive is not actually erased. All that Windows does is to designate that space on a hard drive as unallocated space (and to mark the directory entry for the file as deleted). The next time that a file needs to be saved on the hard drive, some part of unallocated space will be used to store the electronic data. Whatever old data may be contained in the space used to record the new file will be overwritten by the electronic data for the new file. However, until the storage space on the hard drive is reused, and the old data has not been overwritten, the electronic data can be recovered in a forensic examination of the hard drive. In a criminal tax case, a forensic examination of unallocated space on a hard drive will uncover files and data that were once stored on the hard drive, and then permanently deleted, as long as the space on the hard drive has not been overwritten.
Slack Storage Space
Slack space is the leftover storage that exists on a computer’s hard drive when a computer file does not need all the space it has been allocated by the operating system. The examination of slack space is an important aspect of computer forensics.
To understand why slack space plays an important role in computer forensics, one must first understand how data is stored on computers that have hard disk drives. Computers with hard disk drives store data in a sealed unit that contains a stack of circular, spinning disks called platters. Each platter is composed of logically defined spaces called sectors and, by default, on most operating systems sectors are configured to hold no more than 512 bytes of data. If a text file that is 400 bytes is saved to disk, the sector will have 112 bytes of extra space left over. When the computer’s hard drive is brand new, the space in a sector that is not used (the slack space) is blank, but that changes as the computer gets used.
When a file is deleted, the operating system does not erase the file, it simply makes the sector the file occupied available for reallocation. Should a new file that is only 200 bytes be allocated to the original sector, the sector’s slack space will now contain 200 bytes of leftover data from the first file in addition to the original 112 bytes of extra space. That leftover data, which is called latent data or ambient data, can provide an expert or investigator with clues as to prior uses of the computer in question as well as leads for further inquiries. For example, the Federal Bureau of Investigation (“FBI”) revealed that it had reviewed millions of email fragments that resided in the slack space of former Secretary of State Hillary Clinton’s personal servers in order to determine whether or not the servers have improperly stored or transmitted classified information.
A file’s slack space is the difference between its logical and physical size. The logical size of a file is determined by the file’s actual size; the physical size of a file is determined by the number of sectors that are allocated to the file. Thus, each time a file is recorded, a sheet of paper is selected from the stack and used to store the file. If a file does not completely fill up the page, the remaining space on the sheet of paper will not be used to store any other file, because it cannot be addressed by the operating system. If the remainder of that page has something recorded on it from a previous file, the information written on the piece of paper still exists and can be found by a forensic expert. For example, let’s assume that Tom had financial statements of his business on his laptop. Let’s also assume that the IRS wants to know if Tom is attempting to destroy or alter the financial statements. And in this hypothetical example, assume that Tom copied the financial statements, and then copied a large number of small files onto the hard drive in order to overwrite the deleted file. An analysis of a forensic image of the hard drive in question could include a search for unique file fragments of the database. File fragments that uniquely correspond to the database may be found in slack space even when Tom saved a large number of smaller files on the hard drive after the file was deleted.
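The 400-byte and 200-byte scenario described above can be reproduced in a few lines. This is an added example, not part of the original article: `ToyDisk` is a hypothetical in-memory model that follows the article's simplified one-file-per-sector description, and the file names and contents are constructed.

```python
SECTOR = 512  # bytes per sector, the default size the article cites

class ToyDisk:
    """Constructed in-memory model of a disk, not a real file-system driver."""

    def __init__(self, sectors):
        self.raw = bytearray(sectors * SECTOR)   # brand-new disk: every byte blank
        self.free = list(range(sectors))         # unallocated sector numbers
        self.files = {}                          # name -> (sector list, logical size)

    def write(self, name, content):
        needed = max(1, -(-len(content) // SECTOR))      # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        sectors = [self.free.pop(0) for _ in range(needed)]
        for i, s in enumerate(sectors):
            chunk = content[i * SECTOR:(i + 1) * SECTOR]
            # Only the new file's bytes are written; the rest of the sector
            # keeps whatever was stored there before.
            self.raw[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.files[name] = (sectors, len(content))

    def delete(self, name):
        sectors, _ = self.files.pop(name)        # drop the directory entry only
        self.free = sorted(self.free + sectors)  # sectors become unallocated

    def slack(self, name):
        """Bytes between the file's logical end and the end of its last sector."""
        sectors, size = self.files[name]
        used = size - (len(sectors) - 1) * SECTOR
        start = sectors[-1] * SECTOR
        return bytes(self.raw[start + used:start + SECTOR])

def demo():
    disk = ToyDisk(sectors=4)
    ledger = (b"LEDGER-2021 unreported receipts; " * 13)[:400]  # constructed 400-byte file
    disk.write("ledger.txt", ledger)
    fresh = disk.slack("ledger.txt")             # slack on a new disk is blank
    disk.delete("ledger.txt")
    disk.write("note.txt", b"N" * 200)           # 200-byte file reuses sector 0
    return ledger, fresh, disk.slack("note.txt")
```

The slack returned for `note.txt` holds the last 200 bytes of the deleted ledger followed by the 112 bytes that were never written, which is the latent data an examiner searches for.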
Dates for Files in the Recycle Bin
Files moved to the recycle bin have a “date created,” a “date accessed,” and a “date modified.” A file cannot be opened while it is in the recycle bin. Thus, no one can accuse a user of a seized computer of using or “accessing” a file during the time that the file was in the recycle bin. With that said, Windows maintains a record for the recycle bin that shows every file that was permanently deleted from the recycle bin in this manner, every file that was moved into the recycle bin, and every file that was restored from the recycle bin, since the date and time that the recycle bin was last emptied. Once the recycle bin is emptied, this record is lost, and Windows creates a new record for the recycle bin from that time forward. A forensic examination will show the date and time when the recycle bin was last emptied, and will reveal the files that were contained in the recycle bin at any time subsequent to the last time it was emptied.
Email and Social Media
Once the IRS seizes a computer it will likely have access to emails the user has sent or received. This is a very important consideration in any criminal tax case. Sometimes people say things in an email message that they might not otherwise say in writing, because they assume that electronic communications are ephemeral things that disappear without a trace. Just the opposite is true. For example, Hunter Biden’s financial and overseas exploits were uncovered in emails retrieved from Hunter Biden’s laptop. As the Hunter Biden matter demonstrates, emails are often a treasure trove for the government in any criminal investigation. Consequently, individuals under a criminal tax investigation may be tempted to delete incriminating emails. The problem is that even if an email is somehow deleted from the user’s computer, numerous copies of the incriminating email message are often stored in multiple locations which can be obtained by an IRS criminal investigator. An email may also be forwarded to others, which may create additional copies of the email message. This provides an IRS criminal investigator additional opportunities to access an incriminating email or emails.
Social media activity may also cause problems in the search and seizure context of a computer. During the process of a computer examination by the IRS, it is common to find information pertaining to the social media activity of the individual being investigated. For example, a computer can store information about social media websites in Internet history. While only a limited amount of information might be available on the computer regarding social media activity, if pertinent information is found, such as usernames or an email address, that information can in turn be used in the process of a social media examination to find information about the individual being investigated online. This may lead the IRS examiner to locate the individual’s social media accounts where he posted questionable content such as posts from exotic expensive trips or a luxurious lifestyle.
Winning or losing a criminal tax case obviously will depend to a large extent on the actual facts of any particular case. Nevertheless, this is one of the few areas of criminal law where the most vital facts are consistently developed from the accused, because he or she often makes incriminating statements. Criminal tax cases often involve many types of digital evidence that are often used by the IRS to develop its prima facie case. In any area of the law where proof of guilt is thus typically self-generated, the value of a qualified criminal tax attorney is inestimable. Moreover, digital evidence in a criminal tax case can give rise to unique defensive considerations. Make sure the attorney that you select to defend you understands these unique defense considerations.
Anthony Diosdi is a tax attorney at Diosdi Ching & Liu, LLP. He focuses his practice in civil and criminal tax controversies and the defense of white-collar criminal cases. His experience covers a broad range of engagements at all stages of the IRS administrative process, including assisting with audits and representing clients at Appeals, as well as litigation in the federal courts. He has also represented clients in all aspects of grand jury investigations, including the production of information, witness preparation, and pre-indictment presentations to the Department of Justice accused of white-collar crimes. Anthony is a member of the California and Florida bars. He can be reached at 415-318-3990 or email@example.com.
This article is not legal or tax advice. If you are in need of legal or tax advice, you should immediately consult a licensed attorney.