Welcome to the Intermountain West RCFL Web Page

Welcome to the Intermountain West's Regional Computer Forensics Laboratory (IWRCFL) webpage. Our mission is to provide the highest quality digital forensics services and assistance to law enforcement agencies with jurisdiction in Utah, Idaho, and Montana. To better accommodate our expansive service area, the IWRCFL Satellite Network (ISN) was created, and has laboratories in Billings and Boise.

The IWRCFL is seeking law enforcement agencies to join us – especially those in and around Billings and Boise. Benefits of participation are numerous – contact IWRCFL Director Cheney Eng-Tow at 801-456-4801.

What is an RCFL?

An RCFL is a one-stop, full service forensics laboratory and training center devoted entirely to the examination of digital evidence in support of criminal investigations, such as, but not limited to —

  •     Terrorism
  •     Child pornography
  •     Crimes of violence
  •     The theft or destruction of intellectual property
  •     Internet crimes
  •     Fraud

The IWRCFL's service area includes the states of Utah, Montana, and Idaho, and any law enforcement agency from those states may submit requests for digital media forensic services to the IWRCFL.

Intermountain West RCFL

IWRCFL
Three Gateway Office Center
440 West 200 South, Suite 300
Salt Lake City, UT 84101

Montana satellite office

2929 Third Avenue North
Suite 400
Billings, MT 59101

Telephone: 406-254-8200
Fax: 406-254-8100

Idaho satellite office

Wells Fargo Center
877 W. Main Street, Suite 404
Boise, ID 83702

Telephone: 208-433-3527
Fax: 208-433-3500


Participating Agencies

The participating agencies contribute personnel and resources to staff and maintain the operations of the IWRCFL. The IWRCFL's partners are:

Local Government

State Government

Federal Government

Contact Us

Central Number: (801) 456-4838

Director, Cheney Eng-Tow
Email: creng-tow@rcfl.gov
Phone: (801) 456-4801

Deputy Director, Cole Thon
Email: mcthon@rcfl.gov
Phone: (801) 456-4824

Media Inquiries
For more information about the Intermountain West RCFL, members of the media can contact IWRCFL Director, Cheney Eng-Tow at (801) 456-4801.


Cell Phone Investigative Kiosk (CPIK)
Matt Anderson
Email: meanderson@rcfl.gov
Phone: (801) 456-4831 

Sean Drew
Email: sdrew@rcfl.gov
Phone: (801) 456-4823 


Intermountain West RCFL

IWRCFL
Three Gateway Office Center
440 West 200 South, Suite 300
Salt Lake City, UT 84101

Telephone: 801-456-4838

Fax: 801-456-4899 

Parking at the IWRCFL:

  • Enter the garage on the south side of the building (200 South) in the middle of the building.
  • Get a ticket.
  • Park on the second level down; follow the arrows to P1 which is the lower level.
  • Park at the far end near the building elevator which is south of the escalator.
  • Enter the elevator access room.
  • Go to the 3rd floor.
  • We are to the left as you get off the elevator. There may be a sign for you to go right and around the corner, down the hall to the classroom. Otherwise pick up the phone in the reception area and ask for assistance if the receptionist is not at her desk.
  • On-street parking is also available. Please be aware that parking validation may not be available for garage parking.

IWRCFL Satellite Network

The IWRCFL Satellite Network (ISN) is composed of the main digital forensics laboratory in Salt Lake City, with satellite locations in Billings and Boise. The satellite locations have the same capabilities and service offerings as the IWRCFL, including training, but are smaller in scale. Together, these three laboratories follow the same rules, standards and methodologies established by the national RCFL Program Office, and are available to law enforcement agencies with jurisdiction in Utah, Idaho, and Montana. The locations of the satellite facilities are as follows:

Idaho satellite office

Boise Satellite Location
Contact: Don Lukasik

Wells Fargo Center
877 W. Main Street, Suite 404
Boise, ID 83702

Phone: (208) 433-3527
Fax: (208) 433-3500
Email: dlukasik@rcfl.gov


Montana satellite office

Billings Satellite Location

Contact: Matt Salacinski
Intermountain West Regional Computer Forensic Laboratory
2929 3rd Ave, Suite 400
Billings, MT 59101
Phone: (406) 254-8200
Fax: (406) 254-8100
Email: msalacinski@rcfl.gov

Request Assistance

Any law enforcement agency operating in Utah, Idaho, and Montana may request assistance from the IWRCFL and its satellite network (at no cost to them) with the following activities—

  • Pre-Seizure Consultation – The IWRCFL and its satellite network can help with search warrant preparation (only as it applies to digital evidence) by advising on related language that may be included in the affidavit.

  • On-Site Seizure and Collection – Requests for this type of assistance should be made a minimum of 48 hours in advance (the more lead time the better) by submitting a completed Field Service Request Form to the IWRCFL and/or its satellite network. On occasion, an agency will uncover digital evidence that they are unprepared to manage. Under these circumstances, the advance notice requirement is waived. Once the RCFL evaluates the search request, the Operations Manager assigns it to an Examiner for action.

  • Duplication, Storage and Preservation of Electronic Equipment and other Digital Evidence – Examinations are typically conducted on copies of the original evidence. Therefore, RCFL Examiners can either duplicate the media (that is, copy the information) on-site, or bring the electronic equipment to the laboratory, where they will duplicate the media and perform the examination.

  • Prompt, Accurate, and Impartial Examinations of Digitally Stored Media – RCFL Examiners will conduct a thorough and objective examination of an electronic device to locate digital evidence and turn it into something that the investigator can review. It is not the Examiner’s responsibility to analyze the data for its meaning or significance to the investigation. This impartiality and objectivity lend credibility to both their findings and subsequent court testimony.

  • Courtroom Testimony - As records are recovered from seized electronic equipment, the prosecutor is likely to direct the Examiner to introduce the digital evidence into court. As an expert witness, the Examiner explains under oath, how they conducted the forensics examination and what they discovered as a result.

  • Training - The IWRCFL conducts a variety of digital forensics courses for all skill levels in their state-of-the-art training classroom. Law enforcement personnel in the IWRCFL's service area may receive this training at no cost to them.

  • Cell Phone Kiosks - An alternative to a traditional forensic examination offered by the IWRCFL is our Cell Phone Kiosks. In those situations where investigators don't require a complete forensic exam but are still interested in accessing data extracted from a cell phone, the lab offers two self-service kiosks with equipment, supplies, and immediate expert assistance. These stations are available to any agency, at any time, during normal IWRCFL business hours. Evidence derived from these devices can be taken that day. (Due to increasing use and demand we request that appointments be made to use these stations.)

  • Loose Media Kiosk - The Loose Media Kiosk (LMK) is a similar service to the Cell Phone Kiosk and is a preview tool for investigators. LMK enables users to review evidentiary data found on such items as USB devices, CD/DVDs, flash memory cards, floppy disks, and FireWire media. Like the cell phone kiosks, the LMK is self-service. (Due to increasing use and demand we request that appointments be made to use these stations.)

    Examination Best Practices FAQ Sheet

    *The IWRCFL will select the method(s) and/or subcontractor(s) needed to comply with a service request once it is accepted by the laboratory. 


    Requesting Services

    When requesting assistance, the law enforcement agency should first contact the RCFL to discuss the request, and then carefully complete one of the following forms or letters—

    • Request Letter
      The requesting agency should write a letter on their stationery that explains the nature of the request. The letter must contain a supervising agent's signature, and can accompany either the Field Service Request Form or the Evidence Custody Form.

    • Field Service Request Form
      Requests for on-site assistance are accepted on a case-by-case basis from any law enforcement agency in the RCFL's service area. The RCFL prioritizes each request according to the nature of the crime and uses the Field Service Request form to monitor and track cases.
      Download Field Request Service Form
       
    • Training Requests
      Any law enforcement agency in the RCFL's service area may request training. 

    Forms

    The following downloadable forms are required by the IWRCFL.

    For additional information please see the Examination Best Practices section below. 


    Shipping Digital Evidence

    When shipping evidence to the laboratory, please contact the RCFL for specific instructions regarding submittal procedures. For most examinations, submit only the central processing units and the internal and external storage media, and remember to:

    • Use a sturdy cardboard container when shipping computer components - If possible, use the original packing case with the fitted padding. Use large, plastic bubble wrap or foam rubber pads as packing and never use styrofoam because it lodges inside computers and/or components and creates static charges that can cause data loss or damage to circuit boards. Seal the container with a strong packing tape.
       
    • Pack and ship central processing units in the upright position - Label the outside container THIS END UP.
       
    • Secure loose media - Such as disks, cartridges, tapes, hard drives, etc., to avoid movement during shipping.

    Examination Best Practices

    To help the RCFLs provide the level of service its customers have come to expect, click here to review our list of "Examination Best Practices – What Every RCFL Customer Should Know."

    As with any service program, RCFLs are dedicated to providing the most professional, high-quality digital forensics expertise to their law enforcement customers. To help the RCFLs provide the level of service its customers have come to expect, the RCFL Directors cite the following “best practices”—

    Meet With the RCFL Staff at the Beginning of an Examination – Once digital evidence is brought to the RCFL for review, the investigator should either meet in person or personally speak to the Examiner over the telephone about the scope of the examination (e.g. What are they searching for? E-mails, Internet usage, password encryption, viruses?). By doing so, the RCFL is better able to screen, prioritize, and assign the case for examination. Moreover, both the investigator and the Examiner know in advance what is expected of them and can operate accordingly.

    Enlighten the Examiner – When submitting digital evidence for examination, investigators should share what they know about the case with the Examiner. While the following suggestions may seem obvious, if this information is not provided to the Examiner early on, delays may result—

    • Inquire about the Owner’s Sophistication Level - It is helpful for an Examiner to know the equipment owner’s level of sophistication. For instance, a technically advanced owner may have installed password encryption measures. If an investigator is aware of such tactics or even knows the password—this is extremely valuable and time-saving information for the Examiner to have before starting the examination.
    • Names of Suspect(s)/Victim(s) – Provide the Examiner the name of the victim(s) and suspect(s) including nicknames and chat handles along with the specific spellings of these names. Accuracy is absolutely key.
    • Provide the Affidavit – Provide the Examiner with a copy of the case’s affidavit as it can help the Examiner better understand the investigation they are supporting. If an affidavit is not available, a written summary serves the same purpose.
    • Narrow the Examination’s Scope – Investigators can help an Examiner be more efficient by specifying what they are searching for, including the following—
    • File Names - If the investigator is looking for a particular file, or if they know the file’s location, alert the Examiner—this will save valuable time.
    • Dates – Is there a specific date range relevant to the investigation? Is the examination limited to certain dates by the search warrant? If the answer is yes to either of these questions, the investigator should alert the Examiner.
    • Data Sources – If submitting multiple computers, media, or hard drives, state which system or piece of media might have the highest probability of finding what is being searched for. For instance, if the Examiner finds evidence on the first system, this may eliminate the need to conduct further examinations on the remaining systems and/or media.
    • Focus the Request – Focus the request based upon the investigation. This is accomplished by identifying a particular range of dates, Web sites, user profile(s), or even a downloaded file(s). By narrowing the search for any one of these items, the Examiner can fine tune their search in these areas.
    • E-Mail Addresses – A typical computer system contains hundreds, if not thousands, of e-mail addresses—most of which are unrelated to the investigation. To save time, investigators are encouraged to identify exactly which e-mail addresses the Examiner.

    Set timeframes – A quality digital forensics examination may take anywhere from 30 to 90 days, sometimes more, to complete. The time spent on an examination is impacted by several different variables such as the amount of data that must be reviewed; whether or not encryption is involved; the user’s level of technical sophistication; etc. Once an Examiner begins work on the case, typically, they can determine the time frame for the examination, and will inform the investigator of this estimate. Conversely, if there is a change in the status of the case and the investigator needs the results sooner than expected—they should immediately inform the Examiner.

    Remember the RCFL Case Number – Every case submitted to the RCFL is assigned a case number. Remember that number—because the Examiner will use it to provide information about the case should the customer request it.

    The final product - The Examiner will provide their findings either in the form of a DVD, CD, floppy disk, hard copy, or via a review network. At that point, the Examiner’s work is complete—and the investigator can now conduct a full review of the findings. It is important to remember that although most Examiners are investigators by training—they must remain impartial when conducting a digital forensics examination.


    Tips for Law Enforcement

    When Submitting a Service Request Form or an Evidence Custody Form - The case agent or officer should be as concise and thorough as possible. These forms are used to make decisions about the request; therefore, any vague or ambiguous terminology may make it more difficult to interpret or understand what services are needed. As a result, this could slow down the processing of the request.

    Turning On or Accessing a Computer - Indicate on the Service Request Form, if you or anyone else in the chain of custody attempted to turn on or access the computer prior to submittal. This is very important information for the Examiners to have.

    Search Warrants – If a field service request is pursuant to a search warrant, a copy of the warrant must be included with the Field Service Request form. Likewise, if the service request is a result of a consensual search, a copy of the agency’s “consent for search” form must be included. Failure to include this documentation will more than likely cause a delay in processing the request.

    Handling Sensitive Equipment – Always use extreme caution or take precautionary measures such as grounding the static electricity before touching any of the internal components of the computer or handling sensitive computer equipment. For example, if the internal workings of a computer are exposed, the equipment could be damaged by a buildup of static electricity that is held by the human body. (Walking across a rug can produce a static electricity voltage of up to 12,000 volts.) The hard drive is especially susceptible to static electricity, even if it is exposed to a small amount of voltage, while a microchip can be damaged with as little as 500 volts of static electricity. If you’re unsure about how to handle the equipment—defer to a professional.

    Documents & Forms

    Intermountain West RCFL forms, documents, publications, and brochures.


    Training Courses

    The following are descriptions of the various courses offered by the IWRCFL.


    Seizing and Handling of Digital Evidence (SHDE)

    Investigators learn how to collect and preserve digital evidence, and to integrate digital evidence into a case. Additionally, investigators are exposed to the advanced tools and techniques used by the IWRCFL, so they can better understand what to expect from a forensics examination. This course requires no prerequisites, but attendees should have a working knowledge of computers.


    Seizing and Handling of Digital Evidence for Law Enforcement Executives (Lieutenant and above)

    The goal of this training is to provide law enforcement executives with the information necessary to identify, access, and address their agency's digital evidence needs. They will also gain the technical knowledge that will allow today's police executive to adapt and understand these dramatic changes. Digital technologies are rapidly being applied to all areas of law enforcement. This course will provide a survey of digital evidence and computer forensics, evidence handling challenges, legal issues with digital evidence, imaging technologies, processing technologies, digital video technologies, encryption, and review technologies. This course is taught in a forensic laboratory, devoted solely to the examination of digital evidence in support of criminal investigations. The IWRCFL specializes in cases involving terrorism, crimes of violence, theft or destruction of intellectual property, internet crimes and child pornography, and fraud.


    Image Scan Training

    The FBI's Computer Analysis Response Team (CART) developed the Image Scan system to help investigators locate the presence of picture files that may contain contraband on a computer. This system allows the investigator to view a variety of graphic formats during a consensual search, and protects valuable digital evidence by booting up a computer using the Linux operating system. After mounting the hard drive in a “read only” manner, Image Scan prompts the investigator to search for picture files only. During this process, the tool logs every step taken by the investigator, further documenting what occurred during the search process.

    Law enforcement personnel that conduct on-site investigations for child pornography are encouraged to take the Image Scan training. 

    Training Schedule

    Training Schedule for Intermountain West RCFL.


    Frequently Asked Questions

    IWRCFL Frequently Asked Questions


    IWRCFL Satellite Network

    Q: What features do the Boise/Billings locations have? Are they similar to a full-scale RCFL?

    A: The satellite laboratories offer the same services and conveniences as a full-scale RCFL. The Boise/Billings facilities are staffed by Computer Analysis Response Team (CART) certified Examiners who conduct digital forensics services on electronic equipment such as computers, cell phones, video cameras, PDAs, etc. They can also provide technical assistance such as advice on preparing a search warrant or affidavit pertaining to the seizure or potential seizure of digital evidence, and on occasion, can deploy to off-site locations to execute a search warrant.

    Q: RCFLs are known for the excellent training they provide at no charge to law enforcement. Will the satellite locations provide the same training as other RCFLs in the program, including the IWRCFL?

    A: Yes. The satellite locations will provide training; however, because they are not equipped with a classroom, instructors must travel to the law enforcement agency that requests their assistance. To request training, law enforcement personnel may register on-line by visiting the IWRCFL's training site.

    Q: Can law enforcement personnel in Idaho and Montana still attend training at the IWRCFL?

    A: Yes; however, the IWRCFL does not reimburse them for any travel/lodging expenses incurred. There is no charge for the actual training – that is absorbed by the RCFL Program.

    Q: Should law enforcement agencies in Idaho and Montana ship their digital evidence to the laboratories that are closest to them?

    A: Yes, please ship evidence to the local RCFL location.

    Q: If evidence is shipped to the satellite locations for processing, can the requesting agency travel to that location to retrieve the findings once they're ready?

    A: Once an Examiner produces their final findings for the investigator to review, they will notify the customer to determine the most convenient method of delivery.
