Any law enforcement agency operating in Utah, Idado, and Montana may request assistance from the IWRCFL and its satellite network (at no cost to them) with the following activities—
- Pre-Seizure Consultation – The IWRCFL and its satellite network can help with search warrant preparation (only as it applies to digital evidence) by advising on related language that may be included in the affidavit.
- On-Site Seizure and Collection – Requests for this type of assistance should be made a minimum of 48 hours in advance (the more lead time the better) by submitting a completed Field Service Request Form to the IWRCFL and/or its satellite network. On occasion, an agency will uncover digital evidence that they are unprepared to manage. Under these circumstances, the advance notice requirement is waived. Once the RCFL evaluates the search request, the Operations Manager assigns it to an Examiner for action.
- Duplication, Storage and Preservation of Electronic Equipment and other Digital Evidence – Examinations are typically conducted on copies of the original evidence. Therefore, RCFL Examiners, can either duplicate (or copy the information) the media on-site, or they will bring the electronic equipment to the laboratory where they will duplicate the media and perform the examination.
- Prompt, Accurate, and Impartial Examinations of Digitally Stored Media – RCFL Examiners will conduct a thorough and objective examination of an electronic device to locate digital evidence and turn it into something that the investigator can review. It is not the Examiner’s responsibility to analyze the data for its meaning or significance to the investigation. This impartiality and objectivity lends credibility to both their findings and subsequent court testimony.
- Courtroom Testimony - As records are recovered from seized electronic equipment, the prosecutor is likely to direct the Examiner to introduce the digital evidence into court. As an expert witness, the Examiner explains under oath, how they conducted the forensics examination and what they discovered as a result.
- Training -The IWRCFL conducts a variety of digital forensics courses for all skill levels in their state-of-the-art training classroom. Law enforcement personnel in the IWRCFL's service area may receive this training at no cost to them.
- Cell Phone Kiosks - An alternative to a traditional forensic examination offered by the IWRCFL is our Cell Phone Kiosks. In those situations where investigators don't require a complete forensic exam but are still interested in accessing data extracted from a cell phone, the lab offers two self-service kiosks with equipment, supplies, and immediate expert assistance. These stations are available to any agency, at any time, during normal IWRCFL business hours. Evidence derived from these devices can be taken that day. (Due to increasing use and demand we request that appointments be made to use these stations.)
- Loose Media Kiosk - The Loose Media Kiosk (LMK) is a similar service to the Cell Phone Kiosk and is a preview tool for investigators. LMK enables users to review evidentiary data found on such items as USB devices, CD/DVDs, flash memory cards, floppy disks, and firewire media. Like the cell phone kiosks, the LMK is self-service. (Due to increasing use and demand we request that appointments be made to use these stations.)
*The IWRCFL will select the method(s) and/or subcontractor(s) needed to comply with a service request once it is accepted by the laboratory.
When requesting assistance, the law enforcement agency should first contact the RCFL to discuss the request, and then carefully complete one of the following forms or letters—
- Request Letter
The requesting agency should write a letter on their stationary that explains the nature of the request. The letter must contain a supervising agent's signature, and can accompany either the Field Service Request Form or the Evidence Custody Form.
- Field Service Request Form
Requests for on-site assistance are accepted on a case-by-case basis from any law enforcement agency in the RCFL's service area. The RCFL prioritizes each request according to the nature of the crime and uses the Field Service Request form to monitor and track cases.
Download Field Request Service Form
- Training Requests
Any law enforcement agency in the RCFL's service area may request training.
The following downloadable forms are required by the IWRCFL.
For additional information please see the Examination Best Practices section below.
Shipping Digital Evidence
When shipping evidence to the laboratory, please contact the RCFL for specific instructions regarding submittal procedures. For most examinations, submit only the central processing units and the internal and external storage media, and remember to:
- Use a sturdy cardboard container when shipping computer components - If possible, use the original packing case with the fitted padding. Use large, plastic bubble wrap or foam rubber pads as packing and never use styrofoam because it lodges inside computers and/or components and creates static charges that can cause data loss or damage to circuit boards. Seal the container with a strong packing tape.
- Pack and ship central processing units in the upright position - Label the outside container THIS END UP.
- Secure loose media - Such as disks, cartridges, tapes, hard drives, etc., to avoid movement during shipping.
Examination Best Practices
To help the RCFLs provide the level of service its customers have come to expect, click here to review our list of "Examination Best Practices – What Every RCFL Customer Should Know."
As with any service program, RCFLs are dedicated to providing the most professional, high-quality digital forensics expertise to their law enforcement customers. To help the RCFLs provide the level of service its customers have come to expect, the RCFL Directors cite the following “best practices”—
Meet With the RCFL Staff at the Beginning of an Examination – Once digital evidence is brought to the RCFL for review, the investigator should either meet in person or personally speak to the Examiner over the telephone about the scope of the examination (e.g. What are they searching for? E-mails, Internet usage, password encryption, viruses?). By doing so, the RCFL is better able to screen, prioritize, and assign the case for examination. Moreover, both the investigator and the Examiner know in advance what is expected of them and can operate accordingly.
Enlighten the Examiner – When submitting digital evidence for examination, investigators should share what they know about the case with the Examiner. While the following suggestions may seem obvious, if this information is not provided to the Examiner early on, delays may result—
- Inquire about the Owner’s Sophistication Level - It is helpful for an Examiner to know the equipment owner’s level of sophistication. For instance, a technically advanced owner may have installed password encryption measures. If an investigator is aware of such tactics or even knows the password—this is extremely valuable and time-saving information for the Examiner to have before starting the examination.
- Names of Suspect(s)/Victim(s) – Provide the Examiner the name of the victim(s) and suspect(s) including nicknames and chat handles along with the specific spellings of these names. Accuracy is absolutely key.
- Provide the Affidavit – Provide the Examiner with a copy of the case’s affidavit as it can help the Examiner better understand the investigation they are supporting. If an affidavit is not available, a written summary serves the same purpose.
- Narrow the Examination’s Scope – Investigators can help an Examiner be more efficient by stating what they are searching for by specifying the following—
- File Names - If the investigator is looking for a particular file, or if they know the file’s location, alert the Examiner—this will save valuable time.
- Dates – Is there a specific date range relevant to the investigation? Is the examination limited to certain dates by the search warrant? If the answer is yes to either of these questions, the investigator should alert the Examiner.
- Data Sources – If submitting multiple computers, media, or hard drives, state which system or piece of media might have the highest probability of finding what is being searched for. For instance, if the Examiner finds evidence on the first system, this may eliminate the need to conduct further examinations on the remaining systems and/or media.
- Focus the Request – Focus the request based upon the investigation. This is accomplished by identifying a particular range of dates, Web sites, user profile(s), or even a downloaded file(s). By narrowing the search for any one of these items, the Examiner can fine tune their search in these areas.
- E-Mail Addresses – A typical computer system contains hundreds, if not thousands of e-mail address—most of which are unrelated to the investigation. To save time, investigators are encouraged to identify exactly which e-mail addresses the Examiner.
Set timeframes – A quality digital forensics examination may take anywhere from 30 to 90 days, sometimes more, to complete. The time spent on an examination is impacted by several different variables such as the amount of data that must be reviewed; whether or not encryption is involved; the user’s level of technical sophistication; etc. Once an Examiner begins work on the case, typically, they can determine the time frame for the examination, and will inform the investigator of this estimate. Conversely, if there is a change in the status of the case and the investigator needs the results sooner than expected—they should immediately inform the Examiner.
Remember the RCFL Case Number – Every case submitted to the RCFL is assigned a case number. Remember that number—because the Examiner will use it to provide information about the case should the customer request it.
The final product - The Examiner will provide their findings either in the form of a DVD, CD, floppy disk, hard copy, or via a review network. At that point, the Examiner’s work is complete—and the investigator can now conduct a full review of the findings. It is important to remember that although most Examiners are investigators by training—they must remain impartial when conducting a digital forensics examination.
Tips for Law Enforcement
When Submitting a Service Request Form or an Evidence Custody Form - The case agent or officer should be as concise and thorough as possible. These forms are used to make decisions about the request, therefore, any vague or ambiguous terminology may make it more difficult to interpret or understand what services are needed. As a result, this could slow down the processing of the request.
Turning On or Accessing a Computer - Indicate on the Service Request Form, if you or anyone else in the chain of custody attempted to turn on or access the computer prior to submittal. This is very important information for the Examiners to have.
Search Warrants – If a field service request is pursuant to a search warrant, a copy of the warrant must be included with the Field Service Request form. Likewise, if the service request is a result of a consensual search, a copy of the agency’s “consent for search” form must be included. Failure to include this documentation will more than likely cause a delay in processing the request.
Handling Sensitive Equipment – Always use extreme caution or take precautionary measures such as grounding the static electricity before touching any of the internal components of the computer or handling sensitive computer equipment. For example, if the internal workings of a computer are exposed, the equipment could be damaged by a buildup of static electricity that is held by the human body. (Walking across a rug can produce a static electricity voltage of up to 12,000 volts.) The hard drive is especially susceptible to static electricity, even if it is exposed to a small amount of voltage, while a microchip can be damaged with as little as 500 volts of static electricity. If you’re unsure about how to handle the equipment— defer to a professional.