A list of services provided by the HARCFL. Some services are only available to participating agencies.
Any law enforcement agency operating in the HARCFL service area may request assistance with the following activities:
The RCFL can help with search warrant preparation (only as it applies to computer evidence) by advising on computer related language, which may be included in the affidavit.
On-Site Seizure and Collection
Requests for this type of assistance should be made a minimum of 48 hours in advance (the more lead time the better) by submitting a completed Field Service Request form. On occasion, an agency will uncover computer evidence that they are unprepared to manage. Under these circumstances, the advance notice requirement is waived. Once the RCFL evaluates the search request, the Operations Manager will assign it to an Examiner for action.
Duplication, Storage and Preservation of Computers and Computer Related Evidence
Examinations are typically conducted on copies of the original evidence because of the possibility that the data may be contaminated. Therefore, RCFL Examiners, depending on the circumstances, will either duplicate (or copy the information) the media on-site, or they will bring the electronic equipment to the laboratory where they will duplicate the media and then perform the examination.
Prompt, Accurate and Impartial Forensic Examinations of Digitally Stored Media
Computer Forensic Examiners are scientists. As scientists, their job is to conduct a thorough and objective examination of a computer and/or computer related evidence to convert it from a digital format into something that the investigator can view. It is not the Examiner's responsibility to analyze the data for its meaning or significance to the investigation. This impartiality and objectivity lends credibility to both their findings and subsequent court testimony.
As records are recovered from seized computer evidence, the prosecutor is likely to direct the Examiner to introduce the computer or computer related evidence into court. As an expert witness, the Examiner can explain, under oath, about how they conducted the examination and what they discovered as a result.
The Heart of America Regional Computer Forensics Laboratory is now offering vehicle forensics. This is a new service from the RCFL that could potentially make an investigation for you. Really think outside the box on this, it goes way beyond "crash data". These systems are designed to store a vast amount of data which may include recent destinations, favorite locations, call logs, contacts, SMS messages, emails, pictures, videos, social media feeds and the navigation history of where the vehicle has traveled. They may also record vehicle events such as the activation or deactivation of the headlights, the opening and closing of doors, shifting into reverse, hard acceleration, hard braking, velocity and the location of the vehicle when these things occurred. Imaged rental cars can store the information for multiple users. It is possible to recover a great deal of information off of the phones that have been connected to the car without access to the phone itself. Think of how this can assist you in things like homicides, kidnappings, robberies, stolen autos, burglary rings, sex crimes, drug trafficking, etc. This information could help put your suspect at the scene of the crime. Again, think outside the box. There are over 10,000 supported vehicles by BMW, Buick, Cadillac, Chevrolet, Chrysler, Dodge, Fiat, Ford, GMC, Hummer, Jeep, Lincoln, Maserati, Mercedes, Mercury, Pontiac, Ram, Saturn, Toyota, Volkswagon. When checking on compatibility, we will need the year, make, model, and trim package. VIN may provide that information as well. As a general guideline, supported vehicles are roughly 2008 and newer with infotainment, and/or telematic systems (think OnStar, Navigation Units, Touchscreen consoles with apps etc.) Sample verbiage for writing search warrants is included below.
"Any and all electronic systems onboard the vehicle that collect, maintain, and/or store data including but not limited to the vehicle's infotainment and/or telematics devices. The vehicle operated from DATE to DATE by NAME/SUSPECT is equipped with an infotainment system which is installed within the center console/dashboard. These systems are designed to store a vast amount of data which may include recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has traveled. These systems may also record events such as the activation and de-activation of the vehicle's headlights, the opening and closing of doors at a specific location, and the location of the vehicle at the time Bluetooth devices are connected. This data will be acquired to assist law enforcement during their investigation."
MOBILE DEVICE UNLOCK SERVICES
(FOR PARTICIPATING AGENCIES ONLY)
The Heart of America Regional Computer Forensic Laboratory (HARCFL) will facilitate the unlocking and analysis of cellular devices either through in-house operation, or through the FBI’s digital laboratory in Quantico, Virginia. Due to cost and the number of requests for this service, the HARCFL will only accept devices for Mobile Device Unlock Services (MDUS) from participating agencies involving a homicide investigation. All other requests for the service will be taken on a case by case basis and should involve a homicide or violent felony investigation to be considered. Non-participating agencies will hold lower priority for scheduling.
The recommended evidence handling procedures for locked devices for which you cannot obtain a password is different than with other devices. For locked devices, follow this procedure:
- If the phone is on, ensure it stays ON
- Remove the SIM Card from the device. Attempt to place the phone in airplane mode and ensure that WiFi and Bluetooth is also shut off
- Place in faraday bag, connect phone to battery pack with charging cable and verify the charging pack is turned on. The battery pack, charging cable, and phone must be entirely contained in the bag or signals may be able to reach the phone
- Gather legal authority
- Submit request to HARCFL through our website
- Bring evidence to the HARCFL for drop-off (battery pack and faraday bag will be returned at the time of drop-off)
It is strongly encouraged for departments to purchase faraday bags and battery charging packs. A limited number will be available at the HARCFL for check-out and on-scene requests. While the HARCFL does not endorse any particular company for purchasing, there are several options available in stores and on-line. We recommend agencies purchase a faraday bag large enough to contain the cellular device, a battery charging pack, and lightning cable.
As always, if you have any questions, you may contact the RCFL Director Sarah Lucas or Assistant Director Scott Slifer, or reach out to your department's TFO on the squad. Examiners are available for call-out and on-site assistance as needed.
The HARCFL now provides three distinct methods of examining and reviewing computer evidence. In addition to a traditional forensic examination of digital media, which can be time-consuming and resource intensive, the HARCFL has implemented two additional programs designed to expedite the process of extracting meaningful and relevant information from digital media to facilitate ongoing investigations.
- Case Agent Investigative Review (CAIR) Program
The Case Agent Investigative Review (CAIR) program can assist investigators in advancing their cases, setting leads, establishing probable cause for search and/or arrest warrants, testifying at preliminary hearings, etc. The HARCFL is the first digital forensic laboratory to allow state and local investigators to utilize this program at their desks via a secure law enforcement Internet system. This has proven to be a great time saver both for the laboratory and its customers, and is extremely user-friendly. Through the implementation of this program, the HARCFL has been able to significantly reduce the average amount of time required for results to be returned to the investigator. A one-day training course is required for investigators intending to review their evidence through the CAIR program.*
- Cell Phone and Video Kiosks
Another alternative to a traditional forensic examination offered by the HARCFL is our Cell Phone and Video Kiosks. In those situations where investigators don't require a complete forensic examination, but are still interested in accessing data extracted from a cell phone or still images from a surveillance video or DVD, the laboratory offers self-service kiosks with equipment, supplies and immediate expert assistance. These stations are available to any agency at any time during normal HARCFL business hours. Evidence derived from these devices can be taken that day. Self-service features include—
- Cell phone extraction device
- CD/DVD review and duplication
- Digital extraction and screen capture to produce still images (photographs)
- Conversion of VHS to DVD video
- Preview of media for illicit images or pornography.
Not all cell phones are supported by the tools available in our Cell Phone Kiosk. If you wish, you can lookup the model of your phone on following two websites to see if your phone is supported prior to making your trip to the RCFL:
- How to Request Assistance
- Review our Case Submission FAQs to learn about our case submission policies, what evidence should be submitted or left behind, and more about our CAIR and Kiosk programs.
- To request a traditional examination, CAIR processing, or onsite assistance in the acquisition of digital media, refer to the Case Submissions page and fill out a service request form. Please clearly indicate which type of service is being requested. No service request form is required to use the Cell Phone and Video Kiosks.
* As of March 1, 2008, policy changes were put into place that require the use of CAIR in some cases. Please see the Case Submission FAQs for current information.
Prioritization of HARCFL Cases
Cases and/or evidence submitted to the HARCFL are prioritized for processing and examination based upon the following criteria, regardless of the identity of the agency submitting them:
- Matters involving or affecting national security;
- Imminent credible threat of serious bodily injury or death to persons known or unknown, including examinations of evidence necessary to further the investigation of an at-large or unknown suspect who poses an imminent threat of serious bodily injury or death to persons known or unknown;
- Potential threat of serious bodily injury or death to person(s); I
- mminent credible risk of loss of or destruction to property of significant value;
- Immediate pending court date, or non-extendable, outcome-determinative legal deadline;
- Potential risk of loss of or destruction to property, or exam needed to further the investigation; and,
- No credible potential threat of bodily injury or death to person(s) and/or loss or destruction of property.
An RCFL examiner is highly skilled and may be able to support an investigation by determining:
- The type of computers and operating systems.
- The type of network software, the location of the network servers, and the number of computers on the network.
- Whether encryption and/or password protection was enacted.
Law Enforcement Agencies
When requesting assistance, as a general rule, contact the RCFL to discuss the request and then based on this information, carefully complete one of the following forms or letter according to the type of assistance needed. Due to the time involved to process evidence and maintain the “chain-of-custody,” budgetary and overtime restrictions preclude the acceptance of evidence after 4:30 p.m.
The agency seeking assistance is requested to complete and submit an on-line service request form. The form provides background and related information to assist the HARCFL analyze and prioritize the cases the laboratory accepts for examination. It is the policy of the HARCFL to accept all cases from participating agencies, and cases from non-participating agencies as can be completed by the laboratory in a reasonable period. It is the goal of the HARCFL to provide quality examinations in a timely manner to all of law enforcement.
Shipping Computer Evidence
If the evidence cannot be brought directly to the RCFL* (always phone the RCFL before making the trip to the facility) then prior to packaging and shipping the evidence, contact the RCFL for specific instructions regarding submittal procedures. For most examinations, submit only the central processing units and the internal and external storage media, and:
- Use a sturdy cardboard container when shipping computer components. If possible, use the original packing case with the fitted padding. Use large, plastic bubble wrap or foam rubber pads as packing and never use styrofoam because it lodges inside computers and/or components and creates static charges that can cause data loss or damage to circuit boards. Seal the container with a strong packing tape.
- Pack and ship central processing units in the upright position. Label the outside container THIS END UP.
- Disks, cartridges, tapes, and hard drives should be packed to avoid movement during shipping.
- Highlight our address with yellow highlighter. This signals the package to be routed directly to the evidence room. Do not mark the external package as evidence in any other way. Use the following address only:
Heart of America RCFL
4150 North Mulberry, Suite 250
Kansas City, MO 64116
- Ensure the actual evidence, inside the package, is completely enclosed, packaged, and sealed to evidentiary standards.
- Retain all shipping receipts and use a tracking service.
*Due to the time involved to process evidence and maintain the “chain-of-custody,” budgetary and overtime restrictions preclude the acceptance of evidence after 4:30 p.m.
Tips for Law Enforcement
When Submitting a Service Request Form the case agent or officer should be as concise and thorough as possible. These forms are used to make decisions about the request, therefore, any vague or ambiguous terminology may make it more difficult to interpret or understand what services are needed. As a result, this could slow down the processing of the request.
Turning On or Accessing a Computer
Indicate on the Service Request Form, if you or anyone else in the chain of custody attempted to turn on or access the computer prior to submitting it to the HARCFL. This is very important information for the Examiners to have.
If a field service request is pursuant to a search warrant, a copy of the warrant must be included with the Field Service Request form. Likewise, if the service request is a result of a consensual search, a copy of the agency's “consent for search” form must be included. Failure to include this documentation will more than likely cause a delay in processing the request.
Handling Sensitive Equipment
Always use extreme caution or take precautionary measures such as grounding the static electricity before touching any of the internal components of the computer or handling sensitive computer equipment. For example, if the internal workings of a computer are exposed, the equipment could be damaged by a buildup of static electricity that is held by the human body. (Walking across a rug can produce a static electricity voltage of up to 12,000 volts.) The hard drive is especially susceptible to static electricity, even if it is exposed to a small amount of voltage, while a microchip can be damaged with as little as 500 volts of static electricity. If you're unsure about how to handle the equipment, then it is best to defer to a professional.
Tips for Law Enforcement - Submitting Images to be Reviewed for Identified Children
The United States Postal Inspection Service (USPIS) and the National Center for Missing & Exploited Children (NCMEC) are working together to assist law enforcement agencies and prosecutors with determining if child pornography images contain children who have been identified by law enforcement in past investigations. USPIS Instructions for NCMEC submissions
- Submitting Images to be Reviewed for Identified Children, How to Zip Files for Submission to NCMEC, and Submission Requirements for Newly Identified Victims
Sample Cover Letters