The Department of Justice's Computer Crime and Intellectual Property Section Criminal Division's manual, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, advises agents that electronic media does not have to be searched on-site during the execution of a search warrant. It acknowledges the difficulty of searching hidden directories; encrypted data; intentionally mislabeled files; and slack space. The tendency of operating systems to automatically alter data, and the possibility of the remote deletion of relevant data is also discussed. The manual cites several court decisions which have approved removing hard drives and other devices to off-site locations for review.
"Agents are recommended to consider removing hard drives from computers in order to make an image copy on-site. If the entire computer has to be seized, the need to so should specified in the affidavit for the warrant.
As imaging and/or removal is necessary in nearly every computer search warrant case, it is doubtful that failure to include such a statement in the affidavit constitutes a Fourth Amendment violation. Nevertheless, although explicitly required only by the Ninth Circuit, it is a good practice for every search warrant affidavit to explain why it is necessary to image an entire hard drive (or physically seize it) and later examine it for responsive records." (page 78)
Affidavits are not to specify a protocol for the review of hard drive, but simply note that off-site review may be required.