301 North Market Street
Suite 500
Dallas, Texas 75202
Office: (972) 559-5800
Fax: (972) 559-5881

American Association of Laboratory Directors

Best Practices

As with any service program, RCFLs are dedicated to providing the most professional, high-quality digital forensics expertise to their law enforcement customers. To help the RCFLs provide the level of service their customers have come to expect, the RCFL Directors cite the following "best practices" —

Meet With the RCFL Staff at the Beginning of an Examination – Once digital evidence is brought to the RCFL for review, the investigator should either meet in person or personally speak to the Examiner over the telephone about the scope of the examination (e.g. What are they searching for? E-mails, Internet usage, password encryption, viruses?). By doing so, the RCFL is better able to screen, prioritize, and assign the case for examination. Moreover, both the investigator and the Examiner know in advance what is expected of them and can operate accordingly.

Enlighten the Examiner – When submitting digital evidence for examination, investigators should share what they know about the case with the Examiner. While the following suggestions may seem obvious, if this information is not provided to the Examiner early on, delays may result —

  • Inquire about the Owner's Sophistication Level – It is helpful for an Examiner to know the equipment owner's level of sophistication. For instance, a technically advanced owner may have installed password encryption measures. If an investigator is aware of such tactics, or even knows the password, this is extremely valuable and time-saving information for the Examiner to have before starting the examination.
  • Names of Suspect(s)/Victim(s) – Provide the Examiner with the names of the victim(s) and suspect(s), including nicknames and chat handles, along with the specific spellings of these names. Accuracy is absolutely key.
  • Provide the Affidavit – If possible, provide the Examiner with a copy of the case's affidavit as it can help the Examiner better understand the investigation they are supporting. If an affidavit is not available, a written summary serves the same purpose.

Narrow the Examination's Scope – Investigators can help an Examiner be more efficient by stating what they are searching for and specifying the following —

  • File Names – If the investigator is looking for a particular file, or knows the file's location, they should alert the Examiner. This will save valuable time.
  • Dates – Is there a specific date range relevant to the investigation? Is the examination limited to certain dates by the search warrant? If the answer is yes to either of these questions, the investigator should alert the Examiner.
  • Data Sources – If submitting multiple computers, media, or hard drives, state which system or piece of media is most likely to contain what is being searched for. For instance, if the Examiner finds evidence on the first system, this may eliminate the need to conduct further examinations on the remaining systems and/or media.
  • Focus the Request – Focus the request based upon the investigation. This is accomplished by identifying a particular range of dates, Web sites, user profile(s), or even downloaded file(s). By narrowing the search to any one of these items, the Examiner can fine-tune their search in these areas.
  • E-Mail Addresses – A typical computer system contains hundreds, if not thousands, of e-mail addresses, most of which are unrelated to the investigation. To save time, investigators are encouraged to identify exactly which e-mail addresses the Examiner.

Set Timeframes – A quality digital forensics examination may take anywhere from 30 to 90 days, sometimes more, to complete. The time spent on an examination is affected by several variables, such as the amount of data that must be reviewed, whether or not encryption is involved, and the user's level of technical sophistication. Once an Examiner begins work on the case, they can typically determine the time frame for the examination and will inform the investigator of this estimate. Conversely, if there is a change in the status of the case and the investigator needs the results sooner than expected, they should immediately inform the Examiner.

Remember the RCFL Case Number – Every case submitted to the RCFL is assigned a case number. Remember that number, because the Examiner will use it to provide information about the case should the customer request it.

The Final Product – The Examiner will provide their findings in the form of a DVD, CD, floppy disk, or hard copy, or via a review network. At that point, the Examiner's work is complete and the investigator can conduct a full review of the findings. It is important to remember that although most Examiners are investigators by training, they must remain impartial when conducting a digital forensics examination.

In The News

5/1/2012: Case Acceptance Guidelines — As of May 1, 2012, the NTRCFL has issued a new set of Case Acceptance Guidelines.

04/13/2011: North Texas RCFL Supported Successful Child Pornography Prosecution — Dallas resident Timothy Honnoll, 39, pleaded guilty in federal court to receiving child pornography, and will serve eight years in prison along with a lifetime of supervised release. The North Texas RCFL provided digital forensics support to the investigation, which was brought as part of Project Safe Childhood. According to a press release issued by the FBI's Dallas Division, 600 images and 180 videos of child pornography were found on Honnoll's computer and related storage media.
