Inside the FBI lab that processed Chad Daybell’s devices and other electronic evidence
Published at | Updated at
SALT LAKE CITY — It’s no secret FBI agents have been actively assisting local law enforcement in the Chad and Lori Daybell criminal investigations.
Agents in Idaho and from the Salt Lake City division are involved and a large part of the case is being worked on from the Intermountain West Regional Computer Forensic Laboratory (RCFL).
When investigators seized 43 items from Chad Daybell’s Fremont County home in January, computers, cell phones and other devices were sent to the RCFL where Cheney Eng-Tow is the lab director and a supervisory special agent for the FBI.
“We’re essentially a digital forensic task force,” Eng-Tow tells EastIdahoNews.com. “We’re made up of FBI and state and local officers who are assigned here by their agencies. Our role is to provide digital forensic services to all law enforcement agencies in Utah, Montana and Idaho.”
The Daybell case is still very active, so Eng-Tow can’t speak about it specifically, but he was able to explain what the 12 employees in the RCFL do when computers, laptops, phones, drones, vehicles, watches and other electronics come in.
“If there is stuff on there that’s going to help prosecute somebody, we want to find it. If there’s not anything on there, that’s fine as well, but at least the case agent knows for sure what’s on there,” Eng-Tow says.
When a computer is checked into the RCFL for evidence, a forensic examiner removes the hard drive and images, or duplicates, it on a separate hard drive. The original is put back into the computer and left alone.
“The computer goes back in the evidence room, and we now just work on the copy that we made,” Eng-Tow says. “After you’ve taken an image of the hard drive, you can hash it.”
A hash value is a string of text generated from a mathematical algorithm. Eng-Tow compares it to a “digital fingerprint” where every piece of data is unique.
Some computers have millions of files and terabytes of information, but with the help of software, examiners can scour the duplicate hard drive for anything that might be helpful to the case. It can takes hours, weeks or even months to collect the necessary information.
“After we’ve done our examination, we then run a hash value again, which should match the original one,” Eng-Tow says. “If (the case) goes to court, we can then say that hash value at the end matched the one at the beginning, which matched the original hard drive. Therefore, we can say that any evidence we pulled out of there was on there from the beginning – we didn’t touch or add anything to it.”
Analyzing cell phones
Working on cell phones is a little different. You can’t image (duplicate) a phone, so examiners use software and programs developed by the FBI to conduct their searches.
The challenge can come when the phone has a password or PIN that can’t be cracked.
“Sometimes when you’re trying to break these passwords, you’re trying millions of combinations a second. We’ve had them run for months and not be successful,” Eng-Tow says. “Sometimes we get in, sometimes we don’t. If you let it run long enough, hopefully, you’ll get in.”
Often, the case agent assigned to the case might obtain password information from other evidence, like hand-written journals. Eng-Tow says sometimes examiners find passwords for phones stored on computers or vice versa.
If a phone or encrypted computer is particularly difficult to crack, it could be sent to FBI headquarters in Quantico, Virginia, where enhanced programs and tools are available.
How the RCFL works
When evidence is brought to the RCFL, it is checked in, and a “chain of custody” is generated. That means any time anybody looks at it or checks it out, a record is made.
The forensic examiners will gather information for the case agent and local law enforcement. Any law enforcement agency in Utah, Montana and Idaho can submit digital evidence to the RCFL, and the FBI covers the costs. That can be beneficial to small departments that don’t have a trained professional or the budget to analyze electronic evidence.
There are 16 other Regional Computer Forensic Laboratories across the country, and they only handle police investigations.
“We can’t do work for private citizens. All the stuff that’s submitted to us has to come from a law enforcement agency,” Eng-Tow says.
Last year, 455 cases were submitted to the Intermountain West RCFL. The lab currently has about 150 active cases, and at any given time, around 50 percent of investigations deal with child pornography, sexual exploitation or sexual assault.
It takes 24 months to become a digital forensic examiner, and not just anybody can get a job at the RCFL. You have to work for the FBI or the eight other agencies that participate in the lab: the Sandy City Utah Police Department, Salt Lake City Utah Police Department, Ada County Idaho Sheriff’s Office, Billings Montana Police Department, Davis County Utah Sheriff’s Office, Boise Idaho Police Department, Utah Department of Public Safety and the Utah Attorney Generals Office. The Intermountain West RCFL also has satellite offices in Boise and Billings, Montana.
Some of the biggest criminal cases — and many that aren’t so public — have been solved thanks to the men and women who work in the RCFL. As technology continues to change, the work is not slowing down and will continue to evolve.
“Every case these days, the person either has a phone or computer or both,” Eng-Tow says. “The trend has been more and more cases each year. It’s a neverending thing for us to continually try and stay up.”