Inside the DoD's crime lab

[InfoSec News <isn () c4i org>]

Forwarded from: William Knowles <wk () c4i org>

http://www.nwfusion.com/research/2004/0308dod.html

By Deborah Radcliff
Network World
03/08/04

Digital evidence comes in all shapes and sizes: pallets full of 
computers, a hard drive with an AK-47 bullet hole in it, audio tapes 
fished out of the ocean, mangled floppies, garbled 911 calls. 

Whenever U.S. government agencies investigating a crime or a 
cybercrime has digital evidence that's too difficult to analyze, they 
send it to the Department of Defense computer forensics lab. 

The evidence can arrive in a military vehicle, via FedEx or through 
the U.S. Postal Service. However it gets there, it's accepted at the 
loading dock of an unmarked commercial building on the outskirts of 
Baltimore. 

It's then logged and sent to an evidence custodian, who inventories, 
tags and stores it in a locked cage.

Network World was invited into the Defense Computer Forensics Lab 
(DCFL) for an inside look at how computer investigators at the cutting 
edge are using digital evidence to help solve crimes. 

The purpose of the lab is to analyze evidence gathered at crime scenes 
involving the military. Whatever crimes occur in the civilian world, 
you also see in the military. It could be homicide, child pornography, 
identity theft, counterfeiting, misconduct, terrorism, espionage, 
contractor fraud or misuse of government property. 

With these crimes, there's often digital evidence in cell phones, 
pagers, PDAs, geo-mapping systems, digital cameras, cockpit recording 
systems and anything else with flash memory or ROM. 

"We estimate that 95% of criminals leave digital evidence at the 
scene," says Donald Flynn, attorney adviser for the Defense Department 
Cyber Crime Center, which houses the DCFL. 

That evidence must be able to stand up in court, particularly now that 
judges and attorneys are becoming savvy enough to start asking 
questions about the integrity of digital evidence. The DCFL addresses 
this through rigorous training and advanced tools such as certified, 
high-capacity extraction and imaging processes and tools. 


Inside the lab

My tour guide at the high-security lab pushed a button at the 
double-door entryway into the lab that triggered blue ceiling lights, 
which blinked incessantly to alert technicians that unclassified 
visitors were on the premises. 

The lab includes your standard office cubicles, but every cube is 
outfitted with state-of-the-art processors, multi-system server stacks 
and 42-inch flat-screen monitors. 

"Some of the evidence comes in on pallets - cases full of servers, 
CPUs, RAID disk arrays, floppy diskettes, Palm Pilots, digital 
cameras," says special agent Bob Renko, director of operations for the 
lab. "We've even gotten evidence in buckets of water - for example, 
video tapes recovered from jets crashing into the sea during training 
exercises." 

The first stage in evidence extraction is digital imaging. This is 
trickier than it sounds because contents can be altered in the process 
- such as adding a date stamp when copying a hard drive, thus tainting 
the evidence and rendering it inadmissible. 

Then there's the sheer volume of data. In 1999, analysts examined 
their first terabyte-sized case when they received a palette of 
computers belonging to a defense contractor accused of violating 
Environmental Protection Agency guidelines in its handling of toxic 
waste. If analysts had tried to use technology that copied and 
examined one drive at a time, they still would be investigating that 
case, says the lab's director, Lt. Col. Ken Zatyko, special agent with 
the Air Force Office of Special Investigation. 

So analysts created their own script, which moves images of all the 
media into one place. In this location, searching and extraction is 
conducted across all the data simultaneously using the same search 
phrase. 

Last month,the lab received several palettes, containing more than 3T 
bytes of data to image and extract. The evidence, which filled a 
20-by-10-foot windowless room, required its own storage-area network . 

The recovery process begins with entry-level technicians checking 
evidence out of lockup. Then they create bit-stream mirror images onto 
cleaned hard drives to prevent contamination. 

They make the copies using a modified Linux  tool dubbed DCFL Data 
Dump. The tool is akin to private-sector imaging tools such as 
SafeBack, which takes a mathematical hash of the image and compares it 
to the original hash to prove the image is an exact replica. 


Crimes and misdemeanors

The busiest unit in the lab is Major Crimes and Safety, which handles 
criminal cases involving digital media. The forensic analysts in this 
unit work in open cubicles, each with two Windows 2000 workstations, 
one to search the imaged data and another to store recovered evidence 
or for when they're working two cases at once. 

Renko says the agency's extraction tools work in a forensically sound 
manner across computers and PDAs, but become problematic when it comes 
to cell phones and pagers. 

"At least one time, we've had to work directly with the telephone 
manufacturer to successfully retrieve data," he says.

For computer examinations, the agency's standard data search and 
extraction suite of tools is called iLook, which is licensed by the 
Treasury Department. A private-sector equivalent would be EnCase. 

Bill (for security reasons, analysts are only allowed to give their 
first names) is an advanced forensics examiner and former metropolitan 
detective in Washington, D.C. He explains how the tool conducts 
keyword searches, and reassembles damaged and erased files, e-mails, 
attachments, temporary Internet files, data files and renamed files 
into a list of searchable files. 

"Say you have a contractor using sub-standard explosive bolts, which 
are critical to pilot safety because they're what makes the cockpit 
lid fly off in an emergency ejection. We know the cost of quality 
bolts should be about $100. We can do keyword searches through their 
accounting systems on 'explosive bolts,' to see what they're actually 
paying for them," Bill says. "Or, if we have a child porn case, we can 
order up a thumbnail view of all Internet cached files across multiple 
drives to see what's been downloaded." 

As Bill finishes talking, a long list of files appears in the search 
window of his workstation. Six suspicious files are highlighted in 
yellow, indicating that the search phrases were found in those files. 


Hardware magicians

Shortly after it became operational in 1998, the lab received a 
classified hard drive that seemed impossibly damaged. An outside firm 
estimated it would cost $250,000 to repair. Renko balked. 

"We figured it was more feasible to train our own people to repair 
hard drives," Renko says, while pointing out lockers where evidence is 
stored when not being processing. 

He stops in a small room with two Plexiglas-enclosed clean areas where 
technicians have soldered mutilated floppies and repaired hard drives 
that have been thrown off balconies and even shot with AK-47s, as in 
one recent battlefield case. The data where the bullet holes and 
solder marks are can't be recovered, but the rest can, Zatyko says. 

The intrusion-analysis squad occupies the rear section of the lab, 
where examiners, who work primarily on Linux systems, investigate 
hacks on Defense Department networks. 

"Our first job is to find out how the computer was intruded upon and 
what data was accessed by the intruder," says "Sig," who was recruited 
from his job as head of information security  for a university. "For 
the information assurance part, we tell our client agencies what their 
entry point was and what needs to be patched to protect from future 
hacks." 

Sig pulls up an advanced tool named Starlight. A multi-colored, 
three-dimensional map pops up: Each of its lines represent a separate 
connection made into the defense network and each color representing a 
different protocol. 

"We've had entire underground hacker ISPs coming at us," Sig explains. 
Color-coding protocols makes it easier to determine which computer is 
sending which attack. "For example, the exploit in this case ran over 
HTTPS, so we color-coded all the HTTP proxy traffic in red. Then we 
can see that three of these IPs coming at us are involved in that type 
of traffic," he says. 

In this case, the hackers were caught and prosecuted, and the entire 
hacking group disappeared from the Internet underground, he says. 

As examiners trace hackers back to different hops and examine those 
boxes, they run into new variants of hacker tools stored on those 
computers that haven't been reported by tracking services such as CERT 
and Bugtraq. 

The new hacker tools are added to the unit's malicious logic database, 
which will then detect them if they're used in future cases. 

Furthermore, the database helps analysts spot similarities when 
multiple attacks are hitting different Defense Department networks at 
the same time, indicative of a large-scale attack by one source. Such 
cases are then reported to the Joint Task Force on Computer Network 
Operations. 

In recent months, law enforcement agents from Australia, Canada, 
Germany, Hong Kong, Singapore, the U.K. and other nations have toured 
the facility to better develop their own cybercrime units. U.S. 
attorneys, judges and law enforcement agencies also frequently call 
for technical clarification. (For example, a recent call came in from 
a judge who needed to know the difference between evidence recovered 
from a cached memory vs. evidence found in a file on the hard drive.) 

As more cases involve digital evidence, the need for sophisticated 
digital forensics capability throughout the legal system will continue 
to grow, says Gail Thackery, U.S. Attorney for the state of Arizona. 
Thackery has prosecuted a number of computer-related crime cases and 
teaches at ACIS International Association of Computer Investigative 
Specialists. 

"Police used to worry about guns and blood and chemical evidence, but 
now every case in America has a computer involved in it. The legal 
system is hungry for experts at digital evidence," she says. 

"So computer forensics training and careers are going to be hot for a 
long time," she adds.

-=-

Radcliff is a freelancer writer in California. She can be reached at 
deb () radcliff com. 


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.