Computer Forensics Program

Recognizing the digital revolution, DEA established a digital evidence program in October 1994. The initial purpose of this program was to recover information of probative value from computers and magnetic storage media (diskettes, tapes and data cartridges). However, the need for digital examination services has broadened both in scope and in numbers. Presently, the DEA digital evidence program routinely processes a wide variety of digital evidence, including laptops, desktop computers, network servers, and backup and storage media (including diskettes, flash drives, CDs, DVDs, and other non-volatile storage media).

Other forms of digital evidence currently being processed by the Digital Evidence Laboratory (SFL9) are handheld devices (which include cellular phones, Personal Digital Assistants (PDAs), and BlackBerry devices), Global Positioning System (GPS) devices, digital cameras, and any conceivable device that stores information in digital form.

This expansion of DEA’s computer forensic support services is a reflection of the broader role that digital technologies have in today’s society.

SFL9 routinely provides on-site imaging support when evidence cannot be removed from its location. Additionally, any original evidence can be duplicated at the laboratory in 1-3 workdays and returned if requested. SFL9 also provides expert witness testimony and training as required.

Detailed Information:

Questions & Answers:

Q: How do I contact the Digital Evidence Laboratory (SFL9)?

A: Either call SFL9 at (703) 495-6787 or email them at Digital_Evidence_Lab.

Q: How do I request support for an on-site hard drive duplication?

A: Call SFL9 at (703) 495-6787 and request the support, or email the Firebird “Digital_Evidence_Lab” account with the request. On-site backup support should be requested when the computer cannot be physically removed because of search warrant constraints. An “On-Site Support Request Form” will be sent via Firebird to be filled out so that the number of computers anticipated is known and an appropriate number of personnel can be assigned. Imaging times vary according to the number of computers and the sizes of the hard drives. Servers normally take more time due to their complexity. Advance notice of at least 72 hours for on-site support is desirable because of the coordination and shipping of necessary equipment to the closest DEA office.

Q: How long does it take to process a computer?

A: It takes approximately 22 hours (3 days) to thoroughly examine one hard drive. Some hard drives may take longer due to the size and complexity of the operating system. On some occasions, interim findings can be provided as they are discovered and sent to the investigator/agent via Firebird or FedEx.

Q: What kind of results can I expect?

A: A typical computer forensic examination begins with an immediate duplication of the original evidence to prevent any possibility of evidence destruction by a computer virus or Trojan horse “erase” program. The duplication also preserves the original date and time stamp information. The examiner will recover all case-related information, including documents, financial data, e-mail and Internet chat, pictures, computer and software registration information, and a list of all file names (active and erased) with their date and time stamp information (date created, date edited, and date last accessed), as well as a list of all web sites visited and e-mail addresses found. A DEA-6 will be produced outlining the findings. The actual findings will be provided on a CD or DVD. The original evidence will be returned at the end of the examination. A copy of the original evidence, the DEA-6 and the findings will be retained at the laboratory until the case is closed.
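As an added illustration of the duplicate-then-examine workflow described in this answer (example code written for this page, not DEA or SFL9 tooling): it hash-verifies a working copy before any examination and builds the active-file inventory with created/modified/accessed times that the answer describes. The directory names and sample data are constructed; erased files are out of scope because recovering them requires parsing the filesystem rather than walking it.

```python
"""Added example, not DEA/SFL9 tooling: hash-verify a working copy of evidence, then
inventory active files (name, size, MAC times, SHA-256). Erased files need a FS parser."""
import hashlib, os, shutil, stat, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_duplicate(original, duplicate):
    """Accept a duplicate only if it hashes identically to the original."""
    return sha256_file(original) == sha256_file(duplicate)

def _iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()

def file_inventory(root):
    """List active regular files under root with created/modified/accessed
    times and hash. st_ctime is inode change time on Linux, not creation."""
    rows = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not hashed
            rows.append({"path": os.path.relpath(path, root), "size": st.st_size,
                         "created": _iso(getattr(st, "st_birthtime", st.st_ctime)),
                         "modified": _iso(st.st_mtime), "accessed": _iso(st.st_atime),
                         "sha256": sha256_file(path)})
    return rows

def demo():
    """Constructed sample evidence in a temp dir; returns results to check."""
    root = Path(tempfile.mkdtemp())
    orig = root / "evidence" / "notes.txt"
    orig.parent.mkdir()
    orig.write_bytes(b"constructed sample data")
    dup = root / "copy.bin"
    shutil.copy2(orig, dup)  # copy2 also carries over the modification time
    ok = verify_duplicate(orig, dup)
    dup.write_bytes(dup.read_bytes() + b"!")  # any change must fail verification
    tampered = verify_duplicate(orig, dup)
    inv = file_inventory(orig.parent)
    shutil.rmtree(root)
    return {"verified": ok, "tampered_verified": tampered, "inventory": inv}
```

The inventory reports timestamps in UTC so listings from machines in different time zones can be compared directly.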

Q: How do I submit evidence for examination?

A: Package the evidence under seal. For small objects such as diskettes, flash drives, and handheld devices, use a DEA heat seal envelope. For a large object such as a computer, use an anti-static Mylar bag (currently available at the DEA warehouse). Put the evidence in a box and insulate it with anti-static styrofoam popcorn or bubble wrap. Required accompanying paperwork includes: DEA-7a, DEA-7b, a copy of the search authorization, and any key words to be used during analysis. The shipping address is: DEA Digital Laboratory, Attn: ET, 10555 Furnace Rd., Lorton, Virginia 22079. Federal Express overnight shipping is highly recommended.

Q: What is digital evidence?

A: Digital evidence can be any type of digital storage device, such as a computer, data storage media (tapes, diskettes, Zip data cartridges, CDs, DVDs), and consumer electronic devices including cell phones, two-way pagers, digital cameras, GPS navigational devices, satellite phones, Personal Digital Assistants (PDAs), etc. The DEA Digital Evidence Laboratory will process all forms of digital evidence.

Q: What should I ask a computer user at the time of seizure, if they are willing to talk?

A: Who uses the computer? How long has the computer been in service? Is there an old computer no longer used? What kind of information is kept on the computer? What are the user names and assigned passwords? What Internet service provider (AOL, MSN, Verizon, etc.) is used? What are the e-mail addresses of the users of the computer? What Internet Chat aliases are used? Are there any backup files on diskette or tape? If there is a network, what information is kept locally and what is kept on the server? If there is a network, what is the System Administrator’s user name and password? 

Q: What should I do if the user needs the computer returned immediately?

A: Request that the digital laboratory duplicate the original evidence immediately and return the computer. This procedure normally takes 1 to 3 workdays. The Digital Evidence Laboratory can perform the examination using the duplicate copy.

Q: How do I request a rush examination?

A: Due to SFL9's workload, all requests for rushes must come from the prosecuting attorney or a DEA GS-15 or above. This does not apply to rushes based upon search warrant time constraints.

Q: Who will testify?

A: All digital evidence examiners are well trained, are proficiency tested annually, and will testify when necessary. All examinations are conducted and reviewed in accordance with industry standards and the American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB) International standards to ensure the quality of the product provided to the investigator.
