03/10/2004: Technologica
Defense Computer Forensics Lab: Terabytes of Evidence
from NetworkWorldFusion
Whenever U.S. government agencies investigating a crime or a cybercrime has digital evidence that's too difficult to analyze, they send it to the Department of Defense computer forensics lab.
[...]
Bill (for security reasons, analysts are only allowed to give their first names) is an advanced forensics examiner and former metropolitan detective in Washington, D.C. He explains how the tool conducts keyword searches, and reassembles damaged and erased files, e-mails, attachments, temporary Internet files, data files and renamed files into a list of searchable files.
"Say you have a contractor using sub-standard explosive bolts, which are critical to pilot safety because they're what makes the cockpit lid fly off in an emergency ejection. We know the cost of quality bolts should be about $100. We can do keyword searches through their accounting systems on 'explosive bolts,' to see what they're actually paying for them," Bill says. "Or, if we have a child porn case, we can order up a thumbnail view of all Internet cached files across multiple drives to see what's been downloaded."
More
http://www.nwfusion.com/research/2004/0308dod.htmlFeature /
Inside the DoD's crime lab
Digging for digital dirt.
By Deborah Radcliff
Network World, 03/08/04
Digital evidence comes in all shapes and sizes: pallets full of computers, a hard drive with an AK-47 bullet hole in it, audio tapes fished out of the ocean, mangled floppies, garbled 911 calls.
Whenever U.S. government agencies investigating a crime or a cybercrime has digital evidence that's too difficult to analyze, they send it to the Department of Defense computer forensics lab.
Securing the digital crime scene
Wanted: A few good forensic investigators
Testing and accreditation
The evidence can arrive in a military vehicle, via FedEx or through the U.S. Postal Service. However it gets there, it's accepted at the loading dock of an unmarked commercial building on the outskirts of Baltimore.
It's then logged and sent to an evidence custodian, who inventories, tags and stores it in a locked cage.
Network World was invited into the Defense Computer Forensics Lab (DCFL) for an inside look at how computer investigators at the cutting edge are using digital evidence to help solve crimes.
The purpose of the lab is to analyze evidence gathered at crime scenes involving the military. Whatever crimes occur in the civilian world, you also see in the military. It could be homicide, child pornography, identity theft, counterfeiting, misconduct, terrorism, espionage, contractor fraud or misuse of government property.
With these crimes, there's often digital evidence in cell phones, pagers, PDAs, geo-mapping systems, digital cameras, cockpit recording systems and anything else with flash memory or ROM.
"We estimate that 95% of criminals leave digital evidence at the scene," says Donald Flynn, attorney adviser for the Defense Department Cyber Crime Center, which houses the DCFL.
That evidence must be able to stand up in court, particularly now that judges and attorneys are becoming savvy enough to start asking questions about the integrity of digital evidence. The DCFL addresses this through rigorous training and advanced tools such as certified, high-capacity extraction and imaging processes and tools.
Inside the lab
My tour guide at the high-security lab pushed a button at the double-door entryway into the lab that triggered blue ceiling lights, which blinked incessantly to alert technicians that unclassified visitors were on the premises.
The lab includes your standard office cubicles, but every cube is outfitted with state-of-the-art processors, multi-system server stacks and 42-inch flat-screen monitors.
"Some of the evidence comes in on pallets - cases full of servers, CPUs, RAID disk arrays, floppy diskettes, Palm Pilots, digital cameras," says special agent Bob Renko, director of operations for the lab. "We've even gotten evidence in buckets of water - for example, video tapes recovered from jets crashing into the sea during training exercises."
The first stage in evidence extraction is digital imaging. This is trickier than it sounds because contents can be altered in the process - such as adding a date stamp when copying a hard drive, thus tainting the evidence and rendering it inadmissible.
Then there's the sheer volume of data. In 1999, analysts examined their first terabyte-sized case when they received a palette of computers belonging to a defense contractor accused of violating Environmental Protection Agency guidelines in its handling of toxic waste. If analysts had tried to use technology that copied and examined one drive at a time, they still would be investigating that case, says the lab's director, Lt. Col. Ken Zatyko, special agent with the Air Force Office of Special Investigation.
The busted boyfriend
A suspect said the gun used in the murder of his girlfriend was stolen earlier that day from his car by someone who smashed his right passenger car window.
A video technician at the Department of Defense lab painstakingly upgraded a grainy image of the suspect's car taken from a military surveillance camera three hours after he claims the window was broken.
Finally, she enhanced the image to provide the damning evidence against the suspect: light refracting off an intact, passenger-side window. The suspect got a 25-year sentence.
So analysts created their own script, which moves images of all the media into one place. In this location, searching and extraction is conducted across all the data simultaneously using the same search phrase.
Last month,the lab received several palettes, containing more than 3T bytes of data to image and extract. The evidence, which filled a 20-by-10-foot windowless room, required its own storage-area network .
The recovery process begins with entry-level technicians checking evidence out of lockup. Then they create bit-stream mirror images onto cleaned hard drives to prevent contamination.
They make the copies using a modified Linux tool dubbed DCFL Data Dump. The tool is akin to private-sector imaging tools such as SafeBack, which takes a mathematical hash of the image and compares it to the original hash to prove the image is an exact replica.
Crimes and misdemeanors
The busiest unit in the lab is Major Crimes and Safety, which handles criminal cases involving digital media. The forensic analysts in this unit work in open cubicles, each with two Windows 2000 workstations, one to search the imaged data and another to store recovered evidence or for when they're working two cases at once.
Renko says the agency's extraction tools work in a forensically sound manner across computers and PDAs, but become problematic when it comes to cell phones and pagers.
"At least one time, we've had to work directly with the telephone manufacturer to successfully retrieve data," he says.
For computer examinations, the agency's standard data search and extraction suite of tools is called iLook, which is licensed by the Treasury Department. A private-sector equivalent would be EnCase.
Bill (for security reasons, analysts are only allowed to give their first names) is an advanced forensics examiner and former metropolitan detective in Washington, D.C. He explains how the tool conducts keyword searches, and reassembles damaged and erased files, e-mails, attachments, temporary Internet files, data files and renamed files into a list of searchable files.
"Say you have a contractor using sub-standard explosive bolts, which are critical to pilot safety because they're what makes the cockpit lid fly off in an emergency ejection. We know the cost of quality bolts should be about $100. We can do keyword searches through their accounting systems on 'explosive bolts,' to see what they're actually paying for them," Bill says. "Or, if we have a child porn case, we can order up a thumbnail view of all Internet cached files across multiple drives to see what's been downloaded."
The watered-down evidence
If you watch the television series "CSI," you might think forensics work is glamorous. But Melody, a forensics video examiner who used to work for a state crime lab before moving to the DCFL, says it can be highly specialized and very tedious.
Melody works with state-of-the-art video analysis software programs to enhance marginal and damaged video images. She's received melted, crushed and mangled tapes - even tapes in buckets of water (for example, when two aircraft crashed into the sea during a training session).
"If a plane goes down into the water, I request that the training tapes be kept in water until they get to me where I can dry them out properly," she says. "I take the tape out, clean it, dry it and put it back together. The safety board needs me to repair these tapes so they can determine if the cause of crash was a training, equipment or environmental problem."
As Bill finishes talking, a long list of files appears in the search window of his workstation. Six suspicious files are highlighted in yellow, indicating that the search phrases were found in those files.
Hardware magicians
Shortly after it became operational in 1998, the lab received a classified hard drive that seemed impossibly damaged. An outside firm estimated it would cost $250,000 to repair. Renko balked.
"We figured it was more feasible to train our own people to repair hard drives," Renko says, while pointing out lockers where evidence is stored when not being processing.
He stops in a small room with two Plexiglas-enclosed clean areas where technicians have soldered mutilated floppies and repaired hard drives that have been thrown off balconies and even shot with AK-47s, as in one recent battlefield case. The data where the bullet holes and solder marks are can't be recovered, but the rest can, Zatyko says.
The intrusion-analysis squad occupies the rear section of the lab, where examiners, who work primarily on Linux systems, investigate hacks on Defense Department networks.
"Our first job is to find out how the computer was intruded upon and what data was accessed by the intruder," says "Sig," who was recruited from his job as head of information security for a university. "For the information assurance part, we tell our client agencies what their entry point was and what needs to be patched to protect from future hacks."
Sig pulls up an advanced tool named Starlight. A multi-colored, three-dimensional map pops up: Each of its lines represent a separate connection made into the defense network and each color representing a different protocol.
"We've had entire underground hacker ISPs coming at us," Sig explains. Color-coding protocols makes it easier to determine which computer is sending which attack. "For example, the exploit in this case ran over HTTPS, so we color-coded all the HTTP proxy traffic in red. Then we can see that three of these IPs coming at us are involved in that type of traffic," he says.
In this case, the hackers were caught and prosecuted, and the entire hacking group disappeared from the Internet underground, he says.
As examiners trace hackers back to different hops and examine those boxes, they run into new variants of hacker tools stored on those computers that haven't been reported by tracking services such as CERT and Bugtraq.
The new hacker tools are added to the unit's malicious logic database, which will then detect them if they're used in future cases.
The meandering hubby
A man called 911 to report that he came home to find that his wife had been stabbed. But instead of saying, ‘Oh my God, someone's tried to kill my wife,' he babbled incoherently on the phone for 15 minutes while his wife was bleeding on the kitchen floor.
"Police thought his reaction wasn't normal, and they wanted to know what was happening during the 911 call because they could hear noises in the background," says Donald Flynn, attorney adviser for the Defense Department's Cyber Crime Center in which the DCFL is housed. Were those noises the sound of the husband attacking his wife? "Our analysis was able to prove the sounds were just him walking around the house bumping into things. Turns out, a neighbor did stab the woman. She later recovered."
Furthermore, the database helps analysts spot similarities when multiple attacks are hitting different Defense Department networks at the same time, indicative of a large-scale attack by one source. Such cases are then reported to the Joint Task Force on Computer Network Operations.
In recent months, law enforcement agents from Australia, Canada, Germany, Hong Kong, Singapore, the U.K. and other nations have toured the facility to better develop their own cybercrime units. U.S. attorneys, judges and law enforcement agencies also frequently call for technical clarification. (For example, a recent call came in from a judge who needed to know the difference between evidence recovered from a cached memory vs. evidence found in a file on the hard drive.)
As more cases involve digital evidence, the need for sophisticated digital forensics capability throughout the legal system will continue to grow, says Gail Thackery, U.S. Attorney for the state of Arizona. Thackery has prosecuted a number of computer-related crime cases and teaches at ACIS International Association of Computer Investigative Specialists.
"Police used to worry about guns and blood and chemical evidence, but now every case in America has a computer involved in it. The legal system is hungry for experts at digital evidence," she says.
"So computer forensics training and careers are going to be hot for a long time," she adds.
RELATED LINKS
Radcliff is a freelancer writer in California. She can be reached at deb@radcliff.com.