Request Assistance

A GHRCFL examiner is highly skilled and may be able to support an investigation by determining:

  • The type of computers and operating systems.
  • The type of network software, the location of the network servers, and the number of computers on the network.
  • Whether encryption and/or password protection was enacted.

Any law enforcement agency operating in the Greater Houston RCFLs service area is encouraged to request assistance with the following activities:

  • Pre-Seizure Consultation
    The GHRCFL can help with search warrant preparation as it applies to computer evidence, by advising on computer related language, which may be included in the affidavit.
     
  • On-Site Seizure and Collection
    Requests for this type of assistance should be made a minimum of 48 hours in advance by filling out a Service Request form. However, the GHRCFL understands that there will be times when an agency will unexpectedly discover computer evidence that they are unprepared to manage. Under these circumstances, the advance notice requirement is waived, but for scheduling purposes, the more lead-time given to the GHRCFL, the better. Once the search request is evaluated by the GHRCFL, the Operations Manager will assign it to an examiner who will then contact the requesting agency.

  • Duplication, Storage and Preservation of Computers and Computer Related Evidence
    Examinations are typically conducted on copies of the original evidence because of the possibility that the data may be contaminated. Therefore, GHRCFL Examiners, depending on the circumstances, will either duplicate the media (or copy the information) on-site, or they will bring the electronic equipment to the laboratory where they will duplicate the media and then perform the examination.

  • Prompt, Accurate and Impartial Forensics Examinations of Digitally Stored Media
    Computer Forensics Examiners are scientists. As scientists, their job is to conduct a thorough and objective examination of a computer and/or computer related evidence to convert it from a digital format into something that the investigator can view. It is not the examiner's responsibility to analyze the data for its meaning or significance to the investigation. This impartiality and objectivity lends credibility to both their findings and subsequent testimony.

  • Courtroom Testimony
    As records are recovered from seized computer evidence, the prosecutor is likely to use the Examiner to introduce the computer or computer related evidence into court. As an expert witness, the Examiner can explain, under oath, about how they conducted the examination and what they discovered as a result.

Requesting Services

When requesting assistance, as a general rule:

First, contact the GHRCFL to discuss the request and then based on this information, carefully complete and submit a Service Request Form.

Service Request Form

Requests for on-site assistance are accepted on a case-by-case basis, regardless of which law enforcement agency in the GHRCFL's service area made the request. The GHRCFL prioritizes each case according to the nature of the crime.

For assistance with a search or field examination, submit this form to the GHRCFL with advance notice of 48 hours to one week whenever possible. Specify whether a seizure of computers/media or an on-site image collection is required, and if possible, include a copy of the search warrant or other legal authority (e.g. consent form) that authorizes the seizure or collection of the digital evidence with the form. The GHRCFL also uses the Service Request form to monitor and track cases.

Please note that regardless of whether a service request is pursuant to either a search warrant or a consent to search, a copy of the search warrant or agency consent form must be provided to the RCFL with the Service Request prior to the examination. Failure to include proper legal authority with the Service Request will more than likely cause a delay in processing the request.

When requesting assistance, please use the new GHRCFL Service Request Form:

Examination Best Practices FAQ Sheet


Submitting Digital Evidence

If the evidence cannot be brought directly to the GHRCFL (always phone before making the trip) then prior to packaging and shipping the evidence, call the GHRCFL for specific instructions regarding submittal procedures. For most examinations, submit only the central processing units, the hardware and software, plus:

  • Use a sturdy cardboard container when shipping computer components. If possible, use the original packing case with the fitted padding. Use large, plastic bubble wrap or foam rubber pads as packing and never use Styrofoam because it lodges inside computers and/or components and creates static charges that can cause data loss or damage to circuit boards. Seal the container with a strong packing tape.
  • Pack and ship central processing units in the upright position. Label the outside container THIS END UP.
  • Disks, cartridges, tapes, and hard drives should be packed to avoid movement during shipping.
  • Label the outer container FRAGILE, SENSITIVE ELECTRONIC EQUIPMENT and KEEP AWAY FROM MAGNETS OR MAGNETIC FIELDS.

Tips for Law Enforcement

The GHRCFL encourages you to call for assistance any time you have a question about the best way to proceed with evidence collection.

When submitting a Service Request Form or an Evidence Custody Form, the case agent or officer should be as concise and thorough as possible. These forms are used to make decisions about the request, therefore, any vague or ambiguous terminology may make it more difficult to interpret or understand what services are needed. This may slow down the processing of the request.

As they apply. Please indicate the following on the Service Request Form. They are very important details for the Examiners to have.

    • The on or off status of the computer when it was located.
    • If the device was on, the method used to turn it off.
    • Any efforts on your part or anyone else in the chain of custody, to turn on or access the computer. It is considered a best practice to never attempt to turn on or attempt to access a computer that may be examined since this can alter or destroy evidence.

Important Note:

Exercise caution while handling sensitive computer equipment. In situations where the casing of a computer is open and the internal working are exposed, there is danger of damaging the computer because of the buildup of static electricity that is held by the human body. The hard drive is especially susceptible to static electricity, even if it is exposed to a small amount of voltage, and a microchip can be damaged with as little as 500 volts of static electricity. (Walking across a rug can produce a static electricity voltage of up to 12,000 volts.) Static electricity, at very low levels may not even be felt by a person, but can still cause damage to a hard drive or a microchip. It is best to let a professional handle the equipment or take precautionary measures such as grounding the static electricity before touching any of the internal components of the computer.

Examination Best Practices FAQ Sheet