Silicon Valley

Silicon Valley RCFL

Silicon Valley RCFLThe SVRCFL provides assistance primarily to law enforcement agencies located within Alameda, Contra Costa, San Francisco, San Mateo, and Santa Clara counties. The Local Executive Board has authorized the RCFL Director to accept significant cases from any agency in the Northern District of California on a case-by-case basis.


SVRCFL
4600 Bohannon Drive
Suite 200
Menlo Park, CA 94025


service_area_map.png


Participating Agencies

The participating agencies contribute personnel and resources to staff and maintain the operations of the SVRCFL. While each of the participating agencies’ missions may differ, each of them shares the common goal of building law enforcement’s digital forensics capacity both in Northern California and nationwide. The RCFL Program is grateful for their dedication and commitment to fulfilling this goal.

Local Government

Federal Government

Contact Us

SVRCFL
4600 Bohannon Drive
Suite 200
Menlo Park, CA 94025

The SVRCFL is located in the Menlo Corporate Center, building 4600. 

Telephone Number: (650) 289-3000
Fax Number: (650) 289-3050 

Media Inquiries
Telephone Number: (415) 553-7400

Get Directions to this office

Request Assistance

Any law enforcement agency operating in the SVRCFL’s service area may request assistance with the following activities—

  • Pre-Seizure Consultation
    The SVRCFL can help with search warrant preparation (only as it applies to digital evidence) by advising on related language that may be included in the affidavit.
     
  • On-Site Seizure and Collection
    Requests for this type of assistance should be made a minimum of 48 hours in advance (the more lead time the better) by submitting a completed Service Request to the SVRCFL. On occasion, an agency will uncover digital evidence that they are unprepared to manage. Under these circumstances, the advance notice requirement is waived. Once the SVRCFL evaluates the search request, the Deputy Director assigns it to an Examiner for action.
     
  • Duplication, Storage and Preservation of Electronic Equipment and other Digital Evidence
    Examinations are typically conducted on copies of the original evidence. Therefore, RCFL Examiners, can either duplicate (or copy the information) the media on-site, or they will bring the electronic equipment to the laboratory where they will duplicate the media and perform the examination.
     
  • Prompt, Accurate, and Impartial Examinations of Digitally Stored Media
    RCFL Examiners are scientists—and as such, their job is to conduct a thorough and objective examination of digital evidence and turn it into something that the investigator can review. It is not the Examiner’s responsibility to analyze the data for its meaning or significance to the investigation. This impartiality and objectivity lends credibility to both their findings and subsequent court testimony.
     
  • Courtroom Testimony
    As records are recovered from seized digital evidence, the prosecutor is likely to direct the Examiner to introduce the computer or digital evidence into court. As an expert witness, the Examiner explains under oath, how they conducted the examination and what they discovered as a result.
     
  • Cell Phone Investigative Kiosk
    This kiosk allows users to extract data from a cell phone, put it into a report, and burn the report to a CD or DVD in as little as 30 minutes.
     
  • Loose Media Kiosk
    Our Loose Media Kiosk (LMK) enables users to review evidentiary data found on such items as hendheld electronic devices such as thumb drives, flash media, CDs/DVDs and more. 

Requesting Services

Requests for examination or on-site assistance are accepted on a case-by-case basis from any law enforcement agency in the SVRCFL service area. The SVRCFL prioritizes each request according to the nature of the crime and available resources.

Law enforcement agencies should first contact the SVRCFL to discuss the request for service, and then complete a Service Request.

All investigators are required to process loose media (USB flash drives, DVDs, CDs, floppies) and cellular phones with the kiosks available at the SVRCFL. Personnel with unescorted access to FBI facilities may use other kiosks available in the San Francisco FBI office, Oakland Resident Agency, and San Jose Resident Agency.

Non-Participating Agencies

The Silicon Valley Regional Computer Forensics Laboratory has temporarily suspended evidence submissions and examinations for all non-participating agencies. 

The SVRCFL may be able to assist on high profile or critical-need examinations on a case-by-case basis.   Please contact us regarding these requests.

Participating Agencies

Agencies that support the SVRCFL with personnel or funding include:

  • Alameda County Sheriff's Office
  • Fremont Police Department
  • Newark Police Department
  • Palo Alto Police Department
  • San Francisco Police Department
  • Santa Clara Police Department
  • Federal Bureau of Investigation

Training Facilities

Law enforcement agencies in the SVRCFL service area may request use of the SVRCFL training facilities for law enforcement personnel.

Contact us for additional details.


Shipping Digital Evidence

If evidence is being shipped to the laboratory, please contact the SVRCFL for specific instructions regarding submittal procedures. For most examinations, submit only the central processing units and the internal and external storage media, and remember to:

  • Use a sturdy cardboard container when shipping computer components. If possible, use the original packing case with the fitted padding. Use large, plastic bubble wrap or foam rubber pads as packing and never use styrofoam because it lodges inside computers and/or components and creates static charges that can cause data loss or damage to circuit boards. Seal the container with a strong packing tape.

  • Pack and ship central processing units in the upright position. Label the outside container THIS END UP.

  • Secure loose media such as disks, cartridges, tapes, hard drives, etc., to avoid movement during shipping.


Tips for Law Enforcement

  • When Submitting a Service Request Form 
    The case agent or officer should be as concise and thorough as possible. These forms are used to make decisions about the request, therefore, any vague or ambiguous terminology may make it more difficult to interpret or understand what services are needed. As a result, this could slow down the processing of the request.

  • Turning On or Accessing a Computer
    Indicate on the Service Request Form, if you or anyone else in the chain of custody attempted to turn on or access the computer prior to submitting it to the SVRCFL. This is very important information for the Examiners to have.

  • Search Warrants
    If a service request is pursuant to a search warrant, a copy of the warrant must be included with the Service Request form. Likewise, if the service request is a result of a consensual search, a copy of the agency's “consent for search” form must be included. Failure to include this documentation will more than likely cause a delay in processing the request.

  • Handling Sensitive Equipment
    Always use extreme caution or take precautionary measures such as grounding the static electricity before touching any of the internal components of the computer or handling sensitive computer equipment. For example, if the internal workings of a computer are exposed, the equipment could be damaged by a buildup of static electricity that is held by the human body. (Walking across a rug can produce a static electricity voltage of up to 12,000 volts.) The hard drive is especially susceptible to static electricity, even if it is exposed to a small amount of voltage, while a microchip can be damaged with as little as 500 volts of static electricity. If you’re unsure about how to handle the equipment, then it is best to defer to a professional.

Examination Best Practices FAQ Sheet 

Documents & Forms

Silicon Valley RCFL forms, documents, publications, and brochures.

Documents & Forms - Read More…

Training Courses

Digital Imaging & Video Recovery Team

The Digital Imaging & Video Recovery Team (DIVRT) is comprised of State, Local and Federal Law Enforcement Officers working jointly with FBI's Forensic Audio, Video and Image Analysis Unit (FAVIAU) to provide instruction in the retrieval and dissemination of digital video evidence.   

Students who participate in the DIVRT training will learn techniques on how to collect digital video evidence from surveillance systems and edit it for mass distribution to traditional and social media outlets to ensure maximum visibility of the video evidence. 

Training is Tuesday through Thursday, 8am - 5pm and free for law enforcement.


Mobile Device Basics for Investigators

This class will introduce law enforcement officers and investigators to fundamental principles for addressing mobile devices with a focus on those running iOS or Android. It will also provide an overview of Cellebrite's general tools for extraction and review of data stored within those devices.

This class is designed for students who have LITTLE to NO experience handling mobile devices as evidence. The objective is to teach students forensically sound methods of dealing with mobile devices, resolve basic technical challenges, and create an effective digital report of the material pertinent to their particular investigation for prosecution.

The class will use a lecture and hands-on format demonstrating:

  • Best practices for seizure of devices
  • Use of Cellebrite UFED 4PC or UFED Touch (if students have them) to extract data from a device
  • Use of Cellebrite Physical Analyzer to parse and review the data
  • Creation of a digital report containing the data relevant to the investigation

Upon completion of this class, investigators should be able to conduct their own basic mobile device examinations using the SVRCFL Cellular Phone Kiosk (a free resource) or any department-owned Cellebrite systems (if available).

PLEASE NOTE: If your department has any of the following items, we will ask you to let us know when you sign up and to bring them with you for the class:

  • UFED Touch (and associated cables, etc)
  • UFED 4PC dongle
  • UFED Physical Analyzer dongle

If you bring a department UFED Touch, we will provide instruction during the class that allows you to use it so you are familiar with your own system when you return to your department. We will provide the computers that run 4PC and Physical Analyzer.


CAIR (Case Agent Investigative Review) 1-Day

CAIR is one of the tools that the Silicon Valley RCFL uses in computer forensic examinations. We believe that the case investigator is the most knowledgeable person to conduct an analysis of digital media to determine its relevance to an investigation. For example, who better to determine that a particular e-mail between two individuals is relevant?

This course provides students with the knowledge and skills necessary to effectively use CAIR to conduct a comprehensive review of digital media that has been submitted to and processed by the SVRCFL. This includes techniques to locate and examine e-mail messages, deleted files, documents, graphic files, as well as searching for key words and phrases.


Oxygen Forensics Training

Students will obtain an introduction to the Oxygen Forensic Detective and the many advanced features.  Students will examine and analyze data from iOS and Android smart devices during the one-day event. In addition, students receive training and instruction on cloud storage, extraction techniques using Oxygen Forensic Detective, application analysis, and the built-in analytics.  For additional information see the following course description and its second page.


Cellebrite Certified Mobile Examiners Course (5 days)

The Cellebrite Certified Mobile Examiners Course is designed for the intermediate or advanced investigator / digital forensic examiner. This five-day, 35-hour class combines the curriculum from the Cellebrite Certified Operator (CCO) and the Cellebrite Certified Physical Analyst (CCPA) courses, providing the participant with an intensive exposure to Cellebrite UFED, the Physical Analyzer software, and the core competencies associated with examining mobile devices using Cellebrite’s tools and methods. During the course, optional written exams and practical skill challenges are administered, and students may earn the Cellebrite Certified Operator (CCO) and the Cellebrite Certified Physical Analyst (CCPA).  The cost for this course is $3,850 per student.  Visit Cellebrite's Learning Center for more information regarding their various certifications.  The two certifications listed above are described on two separate Learning Center pages; this page describes the Cellebrite Certified Operator (CCO) and this page describes the Cellebrite Physical Analyst (CCPA).


Image Scan Training

The Federal Bureau of Investigation’s (FBI) Computer Analysis Response Team (CART) developed the Image Scan system to help investigators locate the presence of picture files that may contain contraband on a computer. This system allows the investigator to view a variety of graphic formats during a consensual search, and protects valuable digital evidence by booting up a computer using the Linux operating system. After mounting the hard drive in a “read only” manner, Image Scan prompts the investigator to search for picture files only. During this process, the tool logs every step taken by the investigator, further documenting what occurred during the search process.

Law enforcement personnel that conduct on-site investigations for child pornography are encouraged to take the Image Scan training.


Seizing and Handling of Digital Evidence

Investigators learn how to collect and preserve digital evidence, and to integrate digital evidence into a case. Additionally, investigators are exposed to the advanced tools and techniques used by the RCFL, so they can better understand what to expect from a forensics examination. This course requires no prerequisites, but attendees should have a working knowledge of computers.


osTriage

Investigator learns how to use osTriage, the live response and triage tool. The tool provides more information to investigators in a few minutes than most full forensic reports include after months of waiting. osTriage can find images, videos, passwords, encrypted files, virtual machines, archives, and P2P files fast! osTriage can also capture memory which is becoming more and more critical.


Linux Boot CD

This course is designed for forensic professionals who will use the FBI developed Live CD for imaging anything from thumbdrives to RAID servers. Topics cover basic usage of the Linux Boot CD, imaging multiple devices simultaneously, and outputing to multiple devices simultaneously. Advanced topics include network acquisition, drive recovery, LVM and RAIDS.

Training Schedule

A scheduled of courses being offered by Silicon Valley RCFL.

Training Schedule - Read More…

Filed under: