As with any service program, RCFLs are dedicated to providing the most professional, high-quality digital forensics expertise to their law enforcement customers. To help the RCFLs provide the level of service their customers have come to expect, the RCFL Directors cite the following “best practices”—
Meet With the RCFL Staff at the Beginning of an Examination— Once digital evidence is brought to the RCFL for review, the investigator should either meet in person or personally speak to the Examiner over the telephone about the scope of the examination (e.g. What are they searching for? E-mails, Internet usage, password encryption, viruses?). By doing so, the RCFL is better able to screen, prioritize, and assign the case for examination. Moreover, both the investigator and the Examiner know in advance what is expected of them and can operate accordingly.
Enlighten the Examiner— When submitting digital evidence for examination, investigators should share everything they know about the case with the Examiner. While the following suggestions may seem obvious, if this information is not provided to the Examiner early on, delays may result—
Narrow the Examination's Scope— Investigators can help an Examiner be more efficient by stating what they are searching for and specifying the following—
Set time frames— A quality digital forensics examination may take anywhere from 30 to 90 days to complete, sometimes longer. The time spent on an examination is impacted by several different variables such as the amount of data that must be reviewed; whether or not encryption is involved; the user's level of technical sophistication; etc. Once an Examiner begins work on the case, typically, they can determine the time frame for the examination, and will inform the investigator of this estimate. Conversely, if there is a change in the status of the case and the investigator needs the results sooner than expected— they should immediately inform the Examiner.
Remember the RCFL Case Number— Every case submitted to the RCFL is assigned a case number. Remember that number—because the Examiner will use it to provide information about the case should the customer request it.
The final product— The Examiner will provide their findings either in the form of a DVD, CD, floppy disk, hard copy, or via a review network. At that point, the Examiner's work is complete—and the investigator can now conduct a full review of the findings. It is important to remember that although most Examiners are investigators by training— they must remain impartial when conducting a digital forensics examination.