LEOs with a warrant to search and seize electronic evidence have some
discretion about the execution. They can take copies of the evidence,
media, or entire systems that they believe contain what they're looking for
[2]. Although letting them take forensic copies of your systems may be
annoying, wholesale removal of several servers is far worse. There's an
obvious temptation to assist the LEOs so that they don't feel the need to
truck your entire server room back to their office. Generally, I'd recom-
mend keeping the conversation to a minimum, both to stay safe and to
prevent expansion of the scope of the search. LEOs can expand the search
if you grant permission, which you may do during the course of the dis-
cussion. You may also unintentionally admit knowledge of or control over
evidence, which may make you "of interest" to the LEOs. That's not a good
thing. Ever.
Imagine the following hypothetical situation: A LEO arrives with a warrant
to search system A1 for Alice's email. Bob is the sysadmin for A1 and A2.
The LEO, while debating on whether or not to put A1 on a hand truck,
asks Bob if he can look at Alice's files on A2 or Abe's files on A1. If Bob
doesn't clearly say no, the LEO may start looking. Or, imagine that the
LEO's warrant includes A3, a system on which only Alice has a login. If
Bob, attempting to be helpful, knows Alice's password on A3 and gives it
to the LEO, he's now opened himself up to possessing whatever is on A3.
I want to end this section with two final ideas of what to do during the
search. First off, do not interfere with the search. Such behavior may subject
you to several criminal charges, in addition to charges related to whatever
the search was about. Second, have a witness or two available to watch.
You may want an additional person who can say what happened during the
search, in case your recollection disagrees with the LEO's.