Government's cyberinvestigators look for a little help from industry

[InfoSec News <alerts () infosecnews org>]

http://www.gcn.com/online/vol1_no1/43207-1.html

By William Jackson
GCN Staff
02/28/07

The discipline of digital forensics is quickly becoming more 
professional as standards are established and courts are beginning to 
require that evidence be processed only in certified laboratories.

But professionalism does not come cheap. In fact, its tremendously 
expensive, said Jim Christy of the Defense Departments Cyber Crime 
Center, which runs the nations largest certified digital forensics lab.

Christy told an audience of security professionals Wednesday at the 
Black Hat Federal Briefings in Arlington, Va., that keeping up 
certification for the lab, its personnel and its hardware and software 
accounts for up to 40 percent of the labs overhead. Faced with these 
requirements and the challenge of processing rapidly growing volumes of 
data, the Cyber Crime Center needs industrys help.

One of the reasons Im here is to appeal to the vendors to crate the 
tools and processes to help us process the evidence in a timely manner, 
Christy said.

One of the greatest needs is tools for testing and evaluating hardware 
and software used in the lab.

Digital forensics is the discipline of analyzing and preparing digital 
evidence in criminal investigations. Christy is a pioneer in computer 
crime investigation, with more than 30 years experience in the field. 
When he began, there were no standards or guidelines for how to gather 
and handle this data. Today it is a structured and increasingly 
regulated field. In 2003, the American Society of Crime Lab Directors 
set standards for certifying digital forensics labs.

All tools used in the lab have to be certified to these standards, and 
all personnel have to be tested and evaluated annually. All work on 
evidence done by an analyst must be reviewed by other certified 
analysts. The failure of an analyst could jeopardize any convictions in 
recent trials for which the analyst testified or prepared evidence.

The accreditation program still is in its infancy. There are 327 
accredited general forensics labs in the country, Christy said, but only 
12 accredited digital forensics labs. With more than 19,000 law 
enforcement agencies in the country, most with fewer than 25 officers, 
demands on certified labs are growing.

The Cyber Crime Center lab has 90 analysts. But its workload is growing 
faster than its workforce. The number of digital devices from which 
evidence can be gleaned is growing rapidly, and now includes iPods and 
X-Box game consoles as well as PCs, GPS devices and cellular phones. The 
volume of data gathered in a single investigation can rapidly amount to 
a terabyte.

The Cyber Crime Center lab handled about 12 terabytes of data in 2001, 
Christy said, and 156 terabytes in the 700 cases it handled last year. 
At the same time, the turnaround time for each case has decreased, from 
89 days in 2003 to 41 days in 2006.

You need bigger and better tools, to handle that volume of data, Christy 
said.

Christy recently retired as a special agent from the Cyber Crime Center 
and now heads up the centers newly formed Futures Exploration division, 
an outreach program to seek support from industry and academia. As part 
of that outreach, the center announced the DC3 challenge at last Augusts 
Black Hat Briefings in Las Vegas. The contest was a set of 11 challenges 
on data recovery and analysis. Twenty-one teams entered and the winner, 
a team from Access Data, won a trip in January to the Defense Cyber 
Crime Conference in St. Louis.

One of the challenges was to recover data from a broken CD, a problem 
for which the lab had no solution. Eleven of the teams solved that 
problem, Christy said. And they all had different techniques. So now 
when a damaged CD comes in as evidence, analysts have 11 techniques to 
use on it.

The challenge will be repeated this year. One of the tasks likely to be 
included will be recovery of data from the BitLocker encryption feature 
in Microsofts Vista operating system.


__________________________________________
Visit the InfoSec News Security Bookstore!
http://www.shopinfosecnews.org