9.4.11 Investigative Services

Manual Transmittal

May 24, 2024

Purpose

(1) This transmits revised IRM 9.4.11, Investigative Services.

Material Changes

(1) Added Internal Controls to be compliant with IRM 1.11.2.2.4, Address Management and Internal Controls and IRM 1.4.2, Resource Guide for Managers, Monitoring and Improving Internal Control.

(2) Updated all “cryptocurrency” verbiage to “digital asset” verbiage throughout IRM.

(3) Updated all “National Forensic Laboratory Request (NFL)” to “Center for Science and Design (CSD)” throughout IRM.

(4) Updated the Acronym table.

(5) Updated “National Forensic Laboratory and SE:CI:CFS:NFL” to “Center for Science and Design and SE:CI:CFS:CSD” throughout IRM.

(6) Updated Section 9.4.11.3.1 to verbiage to current procedures.

(7) Subsection 9.4.11.3.1 bullet statement “CI Design Services” added to table.

(8) Subsection 9.4.11.3.1.4(2) updated name of Form 13437 to “IRS, Center for Science and Design Request for Services”.

(9) Subsection 9.4.11.3.1.8(1) updated verbiage.

(10) Removed Section 9.4.11.3.8.1(2).

(11) Subsection 9.4.11.3.8.1(3) renumbered to paragraph (2).

(12) Subsection 9.4.11.4.1(2) updated “non-1811” to “1801”.

(13) Subsection 9.4.11.4.1(4)(a) added verbiage “Externally hired CIFAs may substitute a combination of education, industry experience, and accredited industry specific certifications for BCERT with Director approval.”

(14) Subsection 9.4.11.4.2(2) updated “non-1811” to “1801” and added “Computer Scientists, contractors, and support staff.”

(15) Subsection 9.4.11.4.2(4)(a) added verbiage “Externally hired CIFAs may substitute a combination of education, industry experience, and accredited industry specific certifications for BCERT with Director approval.”

(16) Subsection 9.4.11.4.2(7) added “Investigative Technology” and bullet points “Research and select emerging technology to support Cyber and Forensics services in furtherance of CI’s mission.”, “Engineer and deploy broad scale technology solutions for Cyber and Forensic Services.”, and “Maintain broad scale technology solutions for Cyber and Forensic Services.” to the table.

(17) Subsection 9.4.11.4.5.1 removed first sentence “Case agents should follow procedures set forth in 9.7.12.4.” and added the email box for digital asset seizures “cryptoseizure@ci.irs.gov”.

(18) Subsection 9.4.11.5.1 removed the last sentence, verbiage no longer relevant.

(19) Subsection 9.4.11.5.2 updated verbiage to current procedures.

(20) Subsection 9.4.11.11.1(1) updated the verbiage to read “The CSAs are managed by and are assigned to a specific work group in the field office. Each CSA provides support to more than one group.”

(21) Subsection 9.4.11.11.2 updated verbiage to read “Special agents should request the assistance of the investigative professional staff for all authorized investigative services.”

(22) Subsection 9.4.11.11.3(1) changed “CSA’ to “TFIA”.

(23) Removed subsections 9.4.11.11.4 and 9.4.11.11.5 information is duplicated.

(24) Added Exhibit 9.4.11-1 Standard Operating Procedures Group 40/41 document.

(25) Additional revisions, deletions, and grammatical changes were made throughout the section, that did not result in substantive changes but contributed to procedural clarity of the subject matter.

Effect on Other Documents

This IRM supersedes IRM 9.4.11, dated May 5, 2022.

Audience

Criminal Investigation

Effective Date

(05-24-2024)

Shea C. Jones
Deputy Chief, Criminal Investigation
for
Guy A. Ficco
Chief, Criminal Investigation

Program Scope and Objectives

  1. Purpose: This section relates to the investigative services available within Criminal Investigation (CI) to provide special agents assistance in conducting criminal investigations and associated litigation activities.

  2. Audience: All CI employees.

  3. Policy Owner: Director, Global Financial Crimes & Policy.

  4. Program Owner: Director, Global Financial Crimes & Policy.

  5. Primary Stakeholders: All CI employees.

  6. Contact Information: To make changes to this IRM section email CIHQIRM@ci.irs.gov

  7. Goal: To provide special agents assistance in conducting criminal investigations and associated litigation activities.

Background

  1. The authority to enforce Federal laws is derived from a variety of statutes. These statutes may assign the enforcement of any given law to a particular department such as the Treasury Department, an agency of a department such as the Internal Revenue Service (IRS), or simply that the enforcement falls to the legal arm of the government, the Department of Justice (DOJ).

  2. Criminal Investigation has Operational and Investigative Strategies. Criminal Investigation’s strategies are classified in terms of:

    • Initiatives in which CI participates.

    • Priorities within the program area.

    • Schemes encountered in the program areas.

    • Other situations to which the special agent should be sensitive when conducting an investigation.

Authority

  1. See IRM 9.1.2, Authority for the delegated authority relating to 9.4.11, Investigative Services.

Roles and Responsibilities

  1. The Director, Global Financial Crimes & Policy is responsible for developing, maintaining, and overseeing this IRM and ensuring compliance with current policies and procedures.

Program Management and Review

  1. The Director, Global Financial Crimes & Policy will:

    1. Review the IRM annually.

    2. Update the IRM when content is no longer accurate and reliable to ensure employees correctly complete their work assignments and for consistent administration of the tax laws.

    3. Incorporate all permanent interim content into the next revision of the IRM section prior to the expiration date.

Program Controls

  1. The Director, Global Financial Crimes & Policy will review the instructions and guidelines relating to the investigation of tax returns and other IRS documents for procedural, operational, and editorial changes.

Acronyms

  1. The table lists commonly used acronyms and their definitions:

    Acronyms Definition
    ASAC Assistant Special Agent In Charge
    AVI Audio, Video, and Image
    BCERT Basic Computer Evidence Recovery Training
    CFS Cyber and Forensic Services
    CIECS Criminal Investigation Equipment Control System
    CIFA Computer Investigative Forensic Analysts
    CIMIS Criminal Investigation Management Information System
    CIS Computer Investigative Specialist
    CPE Continuing Professional Education
    CSA Compliance Support Assistant
    CSD Center for Science and Design
    DF Digital Forensics
    DFFS Digital Forensics Field Services
    DFL Digital Forensics Lab
    FBI Federal Bureau of Investigation
    IA Investigative Analyst
    IPS Investigative Professional Staff
    NCIC National Crime Information Center
    NFL National Forensic Laboratory
    ORI Originating Agency Identifying
    RDFL Regional Digital Forensics Lab
    SAC Special Agent In Charge
    SIA Supervisory Investigative Analyst
    SOP 40/41 Standard Operating Procedure Groups 40/41
    SSA Supervisory Special Agent
    TFIA Tax Fraud Investigative Assistant

Related Resources

  1. The sources providing investigative services include the following:

    1. Center for Science and Design.

    2. Digital Forensics.

    3. Field Office Resources, including: Investigative Analyst; Tax Fraud Investigative Assistant; and Compliance Support Assistant.

    4. Lead Development Centers.

Center for Science and Design (CSD)

  1. The CSD formerly known as the "National Forensic Lab" is a section under the office of Cyber and Forensic Services Criminal Investigation. The CSD is comprised of separate and distinct units, each of which offers services relating to evidence gathered in the course of an investigation.

  2. The CSD is headquartered in Chicago, Illinois, with additional examiners located in a few other cities across the nation.

  3. Each of these groups offers distinct services relating to evidence gathered in the course of an investigation. The CSD maintains up-to-date contact information and forensic reference material on CI Connections. The CSD's SharePoint site via CI Connections should be reviewed for additional information that may be utilized during investigations. The following subsections will briefly describe the individual units within the CSD and the services provided by each team. The subsections also detail how to request and obtain services provided by the CSD.

Center for Science and Design Unit

  1. The CSD is made up of three sections, Trial and Design Services, Multimedia and Deception Detection, and Scientific Services. Units in each section deliver specific services. There is useful information on the CSD’s SharePoint site via CI Connections that should be reviewed early on in an investigation to determine if the CSD may be useful. The CSD is organized as follows:

    CSD Organization CSD Services
    Trial and Design Services
    • Trial Infographics

    • CI Design Services

    • Special Projects

    Scientific Services Pattern Interpretation and Chemistry Unit
    • Questioned Document Examination

    • Chemistry Examination

    • Latent Print Examination

    • DNA Collection

    Multimedia and Deception Detection Unit
    • Audio, Video, and Image Analysis

    • Polygraph Examination

Multimedia and Deception Detection Unit
  1. The Multimedia and Deception Detection Unit provides Audio, Video, and Image (AVI) analysis, as well as deception detection services through polygraph examinations.

  2. Using forensic software, examiners are able to apply non-destructive techniques to better hear and/or see events as they occurred. Examiners aim to clarify recordings and to preserve speech quality and recording authenticity. They also aim to clarify photographs or shot footage while preserving the integrity of the original image or video.

Polygraph Examination
  1. Polygraph Examiners conduct examinations to test credibility issues which may arise before, during, or after the completion of an investigation.

  2. Polygraph Examiners also evaluate examinations conducted by operators outside the IRS.

Suitability of a Polygraph Examination
  1. A polygraph examination may be used to determine the reliability of information provided by informants, subjects, witnesses, and cooperating defendants. A polygraph examination may also be conducted pursuant to a plea agreement in order to determine if the defendant is cooperating fully with the government.

  2. A polygraph examination should be used selectively as an investigative tool. A qualified polygraph examiner should be directly consulted by the special agent whenever a polygraph is being considered. A qualified examiner is trained to evaluate the suitability of the polygraph technique as requested by the special agent.

Legal Admissibility of the Results of a Polygraph
  1. The legal admissibility of the results of a test (deception indicated, no deception indicated, inconclusive, or no opinion) varies by jurisdiction. However, statements, admissions, and confessions, obtained during the examination process are generally admissible in court

DNA Collection
  1. Examiners at the CSD can attempt to collect DNA from items of evidence.

  2. Requests for DNA Collection may be made via the IRS Center for Science and Design Request for Services Form (13437).

  3. Collection of DNA samples does not necessarily require analysis of the sample. Suitability for subsequent DNA analysis will be determined on a case by case basis with the evaluation of the evidence in conjunction with documented communication with the submitter.

Torn/Shredded Paper
  1. Torn/shredded paper evidence should not be taped or glued together prior to submission to the laboratory. The examiner will evaluate the characteristics of the torn/shredded edges to reconstruct the documents. If the torn/shredded documents are found in the garbage or a shredder, the special agent should attempt to maintain the integrity of the torn/shredded documents by handling them as little as possible.

Latent Print Unit
  1. Latent Print Examiners process evidence and compare latent finger and palm prints found on evidence to fingerprint and palm print cards of known subjects. The use of new techniques has enabled the development of previously undetectable prints. Latent Print Examiners can search unidentified latent prints through computerized fingerprint and palm print databases throughout the country. Review CSD SharePoint site via CI Connections for additional technical information.

  2. When a subject is required to provide handwriting exemplars and/or to be photographed, special agents should also obtain fingerprints and palm prints of the subject, and submit them with the evidence to be examined.

    1. A full set of known prints consists of clearly and completely recorded fingerprints and palm prints, including the area referred to as the "writer’s palm." The writer’s palm is that area on the side of the palm which normally rests on the paper when writing.

    2. Fingerprints should be recorded on Form FD-249, Federal Bureau of Investigation. Form FD-249, with the Field Office’s Originating Agency Identifying (ORI) Number, may be obtained directly from the FBI.

    3. Fingerprints and palm prints are also taken by a method called live-scan or direct electronic fingerprinting/palm printing. This method records prints digitally into a computer database after fingerprints/palm prints are rolled/recorded on a piece of glass of a computer-driven scanner.

    4. If an agent is unable to roll/record the subject’s prints, fingerprints and palm prints may be obtained from the FBI Identification Division, which contains civilian and criminal records. The FBI number of an individual with a criminal history may be found in the NCIC. This number is necessary for ordering purposes. When using the services of the CSD to obtain a set of prints, special agents must provide the person’s FBI number.

    5. Although a set of recorded fingerprints/palm prints might be considered classifiable, that does not mean they are fully comparable or identifiable to latent fingerprints/palm prints.

    6. The utmost care must be utilized to ensure that subjects do not handle any original documents relating to the investigation during interviews, etc. This would negate any subsequent examination for latent prints on those documents. If it is appropriate to preserve the evidence for examination, the evidence should be placed in document protectors before it is shown to the subjects.

Questioned Document and Chemistry Examiners
  1. The Questioned Document and Chemistry Examiners conduct analysis and comparisons of questioned and known documentary evidence. This includes handwriting, hand printing, numerals, mechanical impressions, and ink and paper. Examiners also decipher obliterations and alterations, and develops indented writing on documents. Burned or torn/shredded documents may be submitted; however, special agents should contact the laboratory for specific instructions and guidance before handling and/or submitting burned or torn/shredded documents.

    Note:

    It is very important not to add any indentations to the questioned documents during their collection, handling, or shipping. The documents should be put in plastic sleeves or document protectors for handling. Never place other papers on top of the evidence and then write on them. The transmittal envelope should be addressed before the documents are placed inside.

  2. Exemplars should be obtained whenever special agents become aware that the authenticity or origin of a document may be questioned. It is critical that special agents obtain original known exemplars before submitting a request. The results of the examinations performed by the CSD depend largely on the quality of the known writing that is submitted for comparison.

Types of Exemplars
  1. There are two types of exemplars: requested and collected. Whenever possible, both types should be submitted.

Requested Exemplars (Known Writing Exemplars)
  1. Requested exemplars contain repetitions of all of the letters and letter combinations that are present in the text of the questioned documents.

  2. Requested exemplars are gathered during the course of an investigation as a result of a request, summons, or subpoena of the suspected writer.

  3. A summons or a subpoena may be issued to a subject for the purpose of providing handwriting exemplars. Compulsion of handwriting exemplars is neither a search nor seizure subject to Fourth Amendment protections, nor testimonial evidence protected by the Fifth Amendment privilege against self-incrimination. Serving a summons on a subject for the purpose of taking exemplars is within the authority of 26 USC 7602. This action does not violate the Fifth Amendment rights of a subject, or policies established by Congress because handwriting exemplars are deemed identifying physical characteristics. The CSD SharePoint site via CI Connections has more information, or contact examiners at the CSD on requesting known writing exemplars.

Collected Exemplars
  1. Collected exemplars consist of normal course-of-business records such as personal papers, canceled checks, rent applications, receipts, school documents, etc. Collected exemplars are naturally written (no disguise) and they are an excellent source of known writing when comparing writings.

Comparisons of Handwriting, Printing and Numeral Exemplars
  1. Special agents should contact Questioned Document and Chemistry Examiners at the CSD prior to obtaining exemplars. Special agents should use the following guidelines when obtaining exemplars:

    1. Exemplars should be original documents known to have been written by the person suspected of writing the questioned document.

    2. Exemplars should contain repetitions of all of the letters and letter combinations that are present in the text of the questioned documents.

    3. Exemplars should approximate the questioned writing conditions (i.e., if handwritten, get known handwriting; if upper-case hand printed, get known upper-case hand printing, etc.).

    4. Exemplars should be made with a similar writing instrument, on similar paper, and should include, as nearly as possible, the full text of the questioned document.

  2. In addition to getting exemplars containing comparable repetitions of the questioned text, special agents should use Form 6540 (EN-SP), (see Unified Checklist or the Media and Publication Services catalog page) to obtain a general sample of an individual’s writing.

Mechanical Impression Comparisons
  1. Examinations and comparisons of mechanical impressions, including typewriter impressions and rubber stamp impressions can be conducted. Identifications are based on individual defects usually caused by wear or damage.

Typewriter Exemplars
  1. If a known typewriter is located, Questioned Document and Chemistry Examiners at the CSD should be contacted to determine if the typewriter should be submitted to the laboratory or if exemplars should be taken from it.

    1. If the machine is equipped with a readable carbon ribbon, the ribbon should be removed, protected, and submitted. The team has the capability of transcribing the text found on readable carbon ribbons.

Printer Exemplars
  1. If a printer is located, Questioned Document and Chemistry Examiners at the CSD should be contacted before submitting it or exemplars from it to the laboratory.

Rubber Stamp Exemplars
  1. If available, the known rubber stamp should be submitted along with the questioned documents bearing rubber stamp impressions. The document examiner will examine the rubber stamp before producing exemplars. No attempt should be made to clean the rubber stamp before submitting it to the laboratory.

Charred Documents
  1. Charred or burned documents may be examined and imaged with the aid of various light sources. Many times what is not visible under ordinary light may be deciphered and recorded using specialized light sources. Charred or burned documents should be placed in protective packaging and submitted, as soon as possible to the laboratory. Special agents should contact the laboratory for specific instructions and guidance before handling charred or burned paper evidence.

Trial and Design Services
  1. Visual Information Specialists design courtroom infographics and data visualizations based on supporting evidence and statistical information provided by the trial team during consultation. All products are provided to customers after a thorough product development process. Methods used in the design of graphics include consultations and correspondence, review of evidence and charges. The types of graphics vary from bar charts, line, pie, maps, timeliness, link analysis, computations, element of the offense charts. Ongoing communications and support is provided throughout the trial and product development.
    Designers collaborate with CI counterparts and leadership to create print and digital marketing material in accordance with the CI Branding Standards. Products include single and multi-page documents, interactive documents, recruitment material, standardized templates and many other specialized design projects.

  2. Form 13437, IRS Center for Science and Design Request for Services, should be submitted a minimum of 30 days before to allow for consultation and to provide sufficient time to discuss the evidence and documentation that will assist in the preparation of the graphics. Form 13437, IRS CSD, can be located on the CI Connections page under Cyber and Forensic Services, on the CSD's SharePoint site.

Evidence Control at National Forensic Laboratory
  1. Evidence Control receives all requests for the CSD and tracks these requests as they move through the CSD between services. Evidence Control is responsible for ensuring the integrity of the evidence when it comes in and leaves the laboratory.

How to Request Services of the Center for Science and Design

  1. Special agents should initiate requests for any service offered by the CSD using Form 13437, IRS CSD Request for Services (see Unified Checklist or the Media and Publication Services catalog page). Information required on the form includes the investigation name and number, type of request, type of investigation, investigation synopsis, description of the submitted evidence, and the submitter’s contact information.

  2. Whenever possible, original evidence should be submitted for examination. If copies are the only available evidence they can be submitted; however, the examination may be limited. Special agents should keep copies of the original evidence submitted to the CSD.

  3. Form 13437, IRS Request for Services, includes instructions on how to fill out the form and how to package, seal and ship the evidence. If an expedited examination is needed, the special agent should indicate the reason and/or pending court or grand jury date. Special agents should call and advise the team in advance of an exigent request.

    Note:

    All evidence should be secured from the time the evidence is obtained through the course of the investigation. Before submitting evidence to the laboratory, it is recommended that special agents call the laboratory and/or review the CASE web page under Forensic Lab/Evidence Control.

  4. Requests for services and evidence for any of the CSD teams should be sent to the following address:

    Evidence Control, Center for Science and Design
    SE:CI:CFS:CSD
    Internal Revenue Service
    Criminal Investigation Division
    525 W. Van Buren St., Suite 400
    Chicago, Illinois 60607

  5. Special agents should submit the request for services and the evidence as soon as they realize their investigation may benefit from the services offered by the CSD.

Use of a Non-IRS Laboratory
  1. In situations where the use of a non-IRS laboratory is being considered, the SAC of the requesting field office may contact the CSD Director, SE:CI:CFS:CSD for recommendations and guidance based on services needed and/or turn-around-time.

Role of the Examiners

  1. Examiners prepare reports based on their examinations and conclusions. They are available to testify in court or other judicial proceedings regarding their conclusions.

Travel by the Examiners
  1. In situations where it is necessary for examiners to travel to a field office to perform on-site examinations and/or consultations, travel must be coordinated with the specific examiner and CSD management. The examiners are also available to travel to the field offices for CPE presentations.

  2. Requests for travel by CSD examiners to perform on-site examinations should be submitted on Form 13437 as specified (see subsection 9.4.11.2.2). Requests for examiners to participate in CPE presentations should be made in writing (either memorandum or e-mail) by the SAC to the Laboratory Director, SE:CI:CFS:CSD.

  3. The cost of the services provided by the CSD is not charged to the requesting field office as the cost is paid using the CSD’s budget. The cost of CSD services may be charged to the defendant if the judge orders the defendant to pay court costs.

Evaluation of Services

  1. At the completion of a case, special agents will receive and are asked to complete Form 13436, IRS Center for Science and Design. The evaluation will enable the CSD to meet laboratory accreditation requirements, while maintaining quality services and keep apprised of the field offices’ needs.

Digital Forensics (DF)

  1. Digital Forensics (DF), formerly known as Electronic Crimes, is a section within Cyber and Forensic Services (CFS), Forensic Services. Digital Forensics is comprised of two units:

    1. Digital Forensics Field Services, and

    2. Digital Forensics Lab

  2. DF is led by a Director, Digital Forensics

Digital Forensics Field Services (DFFS)

  1. DFFS is led by an Associate Director(s), Digital Forensics Field Services.

  2. Each DFFS group is comprised of one SSA, a mix of 1811 CISs, 1801 CIFAs and contract employees.

  3. Each DFFS group is located in RDFL or in a smaller remote lab throughout the country.

  4. DFFS personnel are trained in digital forensics methodology to ensure digital evidence is acquired, authenticated, analyzed, and reported in a forensically sound manner according to established forensic best practices.

    1. Each CIS and CIFA successfully completes BCERT a six-week course that provides baseline digital forensics training, and Basic Mobile Forensics, a two-week course that provides baseline mobile forensics training. Externally hired CIFAs may substitute a combination of education, industry experience, and accredited industry specific certifications for BCERT with Director approval.

    2. Each CIS and CIFA attends annual advanced training courses to maintain a high level of proficiency and develop additional skills.

    3. Each CIS and CIFA is required to obtain and maintain various digital forensics certifications to ensure their skills meet industry standards.

  5. DFFS provides vital services to support criminal investigations:

    1. Assist case agents with affidavit writing and review.

    2. Provide technical digital forensics services at search warrants, for subpoena/summons responses, and during consent evidence production.

    3. Ensure digital evidence is obtained, validated, and maintained in a forensically sound manner.

    4. Conduct analysis on digital evidence to locate and properly interpret potential evidence.

    5. Report to case agent on results of analysis.

    6. Assist with discovery production by providing validated copies of digital evidence obtained throughout the investigation.

    7. Assist case agents with seizure of digital assets.

    8. Other digital forensics tasks as required.

  6. It is vital to request DFFS services as early as possible in the investigation when digital evidence is anticipated. Affidavit review must occur prior to final approval to ensure legal requirements are met, all investigative needs are addressed, and no undue restrictions are present. Digital forensics requires extensive planning, research, and resources prior to enforcement actions.

Digital Forensics Lab (DFL)

  1. DFL is led by an Associate Director, Digital Forensics Lab.

  2. Each DFL group is comprised of one SSA and a mix of 1811 Senior Analysts and 1801 CIFAs, Computer Scientists, contractors, and support staff.

  3. The DFL is headquartered in Woodbridge, Virginia. Some DFL personnel are located in a RDFL or in a smaller remote lab throughout the country.

  4. DFL personnel are trained in digital forensics methodology to ensure digital evidence is acquired, authenticated, analyzed, and reported in a forensically sound manner according to forensic best practices.

    1. Each Senior Analyst and CIFA successfully completes BCERT, a six-week course that provides baseline digital forensics training, and Basic Mobile Forensics, a two-week course that provides baseline mobile forensics training. Externally hired CIFAs may substitute a combination of education, industry experience, and accredited industry specific certifications for BCERT with Director approval.

    2. Each Senior Analyst and CIFA attends annual advanced training courses to maintain a high level of proficiency and develop additional skills.

    3. Each Senior Analyst and CIFA is required to obtain and maintain various digital forensics certifications to ensure their skills meet industry standards.

  5. DFL assists DFFS as needed to provide support in criminal investigations.

    1. Provide technical digital forensics services at search warrants, for subpoena/summons responses, and during consent evidence production.

    2. Ensure digital evidence is obtained, validated, and maintained in a forensically sound manner.

    3. Conduct analysis on digital evidence to locate and properly interpret potential evidence.

    4. Assist case agents with seizure of digital assets.

    5. Advanced support through DFL Teams as needed.

    6. Other digital forensics tasks as required.

  6. DFL provides advanced support to DFFS through the following DFL Teams.

    DFL Team Advanced Support
    Cyber Team
    • Digital asset seizures

    • Cloud investigations

    • Network intrusions

    • Pent/Trap orders

    • Title III Intercepts

    • Dark Web investigations

    • Website captures

    Data Recovery Team
    • Hard drive recovery

    • Encryption

    • Password cracking

    • Specialized imaging

    Hardware Team
    • Selection and purchase of DF equipment

    • Testing and validation of equipment

    • Maintain inventory records

    Mac Team
    • Mac Imaging

    • Apple specific tools

    • Apple cloud analysis

    Mobile Team
    • Mobile forensics tools

    • Advanced mobile device extraction

    • Cloud analysis

    Programming/Databases
    • Databases

    • Linux based forensics

    • DF created forensic programs

    Software
    • RAM captures

    • Windows forensics

    • Selection and maintenance of DF software

    • Testing and validation of software

    Systems
    • Network forensics

    • Server forensics

    • Virtualization

  7. In addition to the DFL teams above, DF has several DFL Teams which support the infrastructure of DF.

    DFL Teams DF Infrastructure Support
    Training and Education
    • Coordinate DF basic and advanced DF training

    • Develop basic and advanced DF training curricula

    • Certification maintenance and renewal

    Quality Assurance
    • Creation and maintenance of DF Standard Operating Procedures (SOP)

    • Ensure established procedures conform with industry practices for accreditation

    • Create and maintain methodologies for DF proficiency testing

    • Create and maintain protocols for DF technical reviews

    • Monitor DF training and certification compliance

    Digital Forensics Environment
    • Technical lead for ECE

    • Lead Area CIS cadre lead

    • Develop and deploy ECE training

    • Monitor resources

    Investigative Technology
    • Research and select emerging technology to support Cyber and Forensics services in furtherance of CI’s mission.

    • Engineer and deploy broad scale technology solutions for Cyber and Forensic Services.

    • Maintain broad scale technology solutions for Cyber and Forensic Services.

Evidence Control at Digital Forensics

  1. DF employees will maintain proper Chain of Custody for all items in DF custody as per DF Standard Operating Procedures.

  2. DF employees will maintain custody of digital devices as needed during the acquisition phase. Once acquisition is complete, custody will be transferred to the case agent. Any exception will be approved by the SSA-CIS and recorded in the case file.

How to Request Services of DFFS

  1. Case agents should initiate requests for service using Form 10908, Computer Investigative Specialist Request for Assistance.

  2. Case agents should initiate requests as soon as practicable upon determining a search warrant will be executed, a consent involving digital evidence will be scheduled, a digital asset seizure is likely, or a search warrant or subpoena for digital evidence will be issued.

  3. Form will be submitted through SSA to SSA-CIS for assignment.

  4. It is vital to request services as early as possible in the investigation when digital evidence is anticipated. Digital forensics requires planning, research, and resources prior to enforcement actions.

How to Request Services of Digital Forensics Lab (DFL)

  1. If a DF employee is assigned to an investigation, no additional form is required. If not, case agents should initiate requests for DFL service using Form 10908, Computer Investigative Specialist Request for Assistance through the SSA-CIS.

  2. DFFS will initiate requests for DFL assistance through internal request processes. DFL SSA or Associate Director, DFL will assign an appropriate Team and DFL personnel to assist on the case.

How to Request Digital Forensics (DF) Services for Digital Asset Seizures
  1. DF has set up a digital asset shared mailbox, cryptoseizure@ci.irs.gov, specifically for digital asset seizures.

Field Office Investigative Professional Staff Group 40/41 (IPS)

  1. The IPS is comprised of Investigative Analysts (IA) and Tax Fraud Investigative Analysts (TFIA), who are managed by a Supervisory Investigative Analyst (SIA).

  2. The IPS provides investigative support to field office investigative activities.

Investigative Analyst (IA)

  1. The Investigative Analyst (IA) assists in the identification of noncompliance with tax laws and supports ongoing criminal investigations by researching, collecting, analyzing, and evaluating raw data. The IA is available to support any investigation in the field office. For more information pertaining to IA assistance refer to exhibit 9.4.11-1, Standard Operating Procedures (SOP) Groups 40/41.

Tax Fraud Investigative Assistant (TFIA)

  1. A TFIA provides technical support to investigative activities and has some administrative responsibilities that support the field office. For more information pertaining to TFIA assistance refer to exhibit 9.4.11-1, SOP Groups 40/41.

Supervisory Investigative Analyst (SIA)

  1. The SIA manages the activities, assignments, training, and performance management of the IAs and TFIAs in their assigned groups. For additional information pertaining to SIA responsibilities refer to exhibit 9.4.11-1, SOP Groups 40/41.

When to Request IPS Services

  1. Special agents shall request IPS whenever necessary to further investigative activities.

How to Request IPS Services

  1. Requests for investigative support shall be submitted through the established Customer Support request system. For additional guidance refer to the Footprints User Guide.

Standard Operating Procedures Groups 40/41 (SOP 40/41)

  1. Criminal Investigation employees can find additional information and guidance in exhibit 9.4.11-1, SOP Groups 40/41.

Compliance Support Assistant (CSA)

  1. Compliance Support Assistants (CSA) are part of the field office structure and may be centrally managed by the SAC/ASAC or may be assigned to a specific work group in the field office. Each CSA provides support to more than one group.

  2. A CSA provides a variety of services. Possible services performed by a CSA include but are not limited to the following:

    1. Performs research in support of ongoing investigations and gathers, extracts, and compiles information from a variety of sources. These sources include internal and external databases and the internet.

    2. Assists as directed in various administrative and investigative tasks.

    3. Selects and uses computer applications for presentation of information to meet users’ needs.

    4. Assembles investigative files and reports into proper formats ensuring all required or related materials have been included.

    5. Inputs CIMIS updates as directed, assists in the maintenance of Criminal Investigation Equipment Control System (CIECS); may requisition tax returns using IDRS; may maintain the tax return inventory; and oversee the maintenance of office files.

Field Office Resource

  1. The CSAs may be centrally managed by the SAC or an ASAC or may be assigned to a specific work group in a field office. Each CSA provides support to more than one group.

  2. The CSA duties and support are normally limited to the office environment. A CSA is not authorized to perform field investigation work typically performed by TFIAs or IAs.

When to Request CSA Services

  1. Special agents should request the assistance of a CSA during an investigation or when help is needed. Special agents should consider requesting the services of a CSA whenever the services will result in more efficient use of CI’s resources.

How to Request Compliance Support Assistance (CSA) Services

  1. To request the services of a CSA, special agents should coordinate through the CSA’s immediate supervisor.