Intake

Digital Forensics Request Intake Checklist

The information a forensic examiner should receive about the case, requestor, authority, scope, devices, accounts, urgency, credentials, and delivery needs.

Why intake quality matters

Incomplete requests delay technical work and increase the chance that the examiner solves the wrong problem.

Case information

Collect the case number, agency or unit, matter type, requestor, lead investigator, contact information, priority, and required date.

Authority

Record the applicable authority or approval reference, such as a warrant, consent, order, subpoena, owner authorization, or internal approval.

The intake form collects the reference. It does not make the legal determination.

Requested scope

Avoid “download everything.” Ask:

  • What questions should the examination support?
  • Which data types are requested?
  • Which date range matters?
  • Which users, accounts, or applications matter?
  • Are deleted items relevant?
  • Are cloud records requested?
  • Are there known exclusions?

Device and account details

For each item, capture make, model, serial or asset number, phone number, IMEI, operating system, user, account names, known credentials, power state, damage, and special handling concerns.

Urgency and delivery

Clarify the reason for urgency, deadlines, whether the device must be returned quickly, preferred report format, recipients, and follow-up needs.

Safety and handling

Capture relevant concerns such as damaged batteries, contamination, remote-wipe risk, encryption, network isolation, sensitive content, or special storage requirements.

Final review

Before submission, show a summary and confirm that devices, scope, authority reference, deadlines, and delivery expectations are accurate.

Where ByteCase Intake fits

ByteCase Intake is intended to create this structured request and preserve it as the first record in the shared case folder.