Shipping Digital Evidence
When shipping evidence to the laboratory, please contact the RCFL for specific instructions regarding submittal procedures. For most examinations, submit only the central processing units and the internal and external storage media, and remember to:
- Use a sturdy cardboard container when shipping computer components – If possible, use the original packing case with the fitted padding. Use large plastic bubble wrap or foam rubber pads as packing, and never use Styrofoam, because it lodges inside computers and/or components and creates static charges that can cause data loss or damage to circuit boards. Seal the container with strong packing tape.
- Pack and ship central processing units in the upright position – Label the outside of the container THIS END UP.
- Secure loose media – Disks, cartridges, tapes, hard drives, etc., should be secured to avoid movement during shipping.
Tips for Law Enforcement
When Submitting a Service Request Form or an Evidence Custody Form – The case agent or officer should be as concise and thorough as possible. These forms are used to make decisions about the request; therefore, vague or ambiguous terminology may make it more difficult to interpret what services are needed and, as a result, could slow down the processing of the request.
Turning On or Accessing a Computer – Indicate on the Service Request Form if you or anyone else in the chain of custody attempted to turn on or access the computer prior to submittal. This is very important information for the Examiners to have.
Search Warrants – If a field service request is pursuant to a search warrant, a copy of the warrant must be included with the Field Service Request form. Likewise, if the service request is a result of a consensual search, a copy of the agency’s “consent for search” form must be included. Failure to include this documentation will more than likely cause a delay in processing the request.
Handling Sensitive Equipment – Always use extreme caution or take precautionary measures, such as grounding yourself to discharge static electricity, before touching any of the internal components of the computer or handling sensitive computer equipment. For example, if the internal workings of a computer are exposed, the equipment could be damaged by a buildup of static electricity held by the human body. (Walking across a rug can produce a static electricity voltage of up to 12,000 volts.) The hard drive is especially susceptible to static electricity, even when exposed to a small amount of voltage, while a microchip can be damaged with as little as 500 volts of static electricity. If you’re unsure about how to handle the equipment—defer to a professional.
Examination Best Practices
As with any service program, RCFLs are dedicated to providing the most professional, high-quality digital forensics expertise to their law enforcement customers. To help the RCFLs provide the level of service their customers have come to expect, the RCFL Directors cite the following “best practices”—
Meet With the RCFL Staff at the Beginning of an Examination – Once digital evidence is brought to the RCFL for review, the investigator should either meet in person or personally speak to the Examiner over the telephone about the scope of the examination (e.g., What are they searching for? E-mails, Internet usage, password encryption, viruses?). By doing so, the RCFL is better able to screen, prioritize, and assign the case for examination. Moreover, both the investigator and the Examiner know in advance what is expected of them and can operate accordingly.
Enlighten the Examiner – When submitting digital evidence for examination, investigators should share what they know about the case with the Examiner. While the following suggestions may seem obvious, if this information is not provided to the Examiner early on, delays may result—
- Inquire about the Owner’s Sophistication Level – It is helpful for an Examiner to know the equipment owner’s level of sophistication. For instance, a technically advanced owner may have installed password encryption measures. If an investigator is aware of such tactics or even knows the password—this is extremely valuable and time-saving information for the Examiner to have before starting the examination.
- Names of Suspect(s)/Victim(s) – Provide the Examiner the name of the victim(s) and suspect(s) including nicknames and chat handles along with the specific spellings of these names. Accuracy is absolutely key.
- Provide the Affidavit – If possible, provide the Examiner with a copy of the case’s affidavit as it can help the Examiner better understand the investigation they are supporting. If an affidavit is not available, a written summary serves the same purpose.
Narrow the Examination’s Scope – Investigators can help an Examiner be more efficient by stating what they are searching for and specifying the following—
- File Names – If the investigator is looking for a particular file, or if they know the file’s location, alert the Examiner—this will save valuable time.
- Dates – Is there a specific date range relevant to the investigation? Is the examination limited to certain dates by the search warrant? If the answer is yes to either of these questions, the investigator should alert the Examiner.
- Data Sources – If submitting multiple computers, media, or hard drives, state which system or piece of media is most likely to contain what is being searched for. For instance, if the Examiner finds evidence on the first system, this may eliminate the need to conduct further examinations on the remaining systems and/or media.
- Focus the Request – Focus the request based upon the investigation. This is accomplished by identifying a particular range of dates, Web sites, user profile(s), or downloaded file(s). By narrowing the search to any one of these items, the Examiner can fine-tune their search in these areas.
- E-Mail Addresses – A typical computer system contains hundreds, if not thousands, of e-mail addresses—most of which are unrelated to the investigation. To save time, investigators are encouraged to identify exactly which e-mail addresses the Examiner should search for.
Set Timeframes – A quality digital forensics examination may take anywhere from 30 to 90 days, sometimes more, to complete. The time spent on an examination is affected by several variables, such as the amount of data that must be reviewed, whether or not encryption is involved, and the user’s level of technical sophistication. Once an Examiner begins work on the case, they can typically determine the time frame for the examination and will inform the investigator of this estimate. Conversely, if there is a change in the status of the case and the investigator needs the results sooner than expected—they should immediately inform the Examiner.
Remember the RCFL Case Number – Every case submitted to the RCFL is assigned a case number. Remember that number—because the Examiner will use it to provide information about the case should the customer request it.
The Final Product – The Examiner will provide their findings either in the form of a DVD, CD, floppy disk, hard copy, or via a review network. At that point, the Examiner’s work is complete—and the investigator can conduct a full review of the findings. It is important to remember that although most Examiners are investigators by training—they must remain impartial when conducting a digital forensics examination.