Government's cyberinvestigators look for a little help from industry
- By William Jackson
- Feb 28, 2007
The discipline of digital forensics is quickly becoming more professional as standards are established and courts are beginning to require that evidence be processed only in certified laboratories.
But professionalism does not come cheap. In fact, 'it's tremendously expensive,' said Jim Christy of the Defense Department's Cyber Crime Center, which runs the nation's largest certified digital forensics lab.
Christy told an audience of security professionals Wednesday at the Black Hat Federal Briefings in Arlington, Va., that keeping up certification for the lab, its personnel and its hardware and software accounts for up to 40 percent of the lab's overhead. Faced with these requirements and the challenge of processing rapidly growing volumes of data, the Cyber Crime Center needs industry's help.
'One of the reasons I'm here is to appeal to the vendors to crate the tools and processes to help us process the evidence in a timely manner,' Christy said.
One of the greatest needs is tools for testing and evaluating hardware and software used in the lab.
Digital forensics is the discipline of analyzing and preparing digital evidence in criminal investigations. Christy is a pioneer in computer crime investigation, with more than 30 years experience in the field. When he began, there were no standards or guidelines for how to gather and handle this data. Today it is a structured and increasingly regulated field. In 2003, the American Society of Crime Lab Directors set standards for certifying digital forensics labs.
All tools used in the lab have to be certified to these standards, and all personnel have to be tested and evaluated annually. All work on evidence done by an analyst must be reviewed by other certified analysts. The failure of an analyst could jeopardize any convictions in recent trials for which the analyst testified or prepared evidence.
The accreditation program still is in its infancy. There are 327 accredited general forensics labs in the country, Christy said, but only 12 accredited digital forensics labs. With more than 19,000 law enforcement agencies in the country, most with fewer than 25 officers, demands on certified labs are growing.
The Cyber Crime Center lab has 90 analysts. But its workload is growing faster than its workforce. The number of digital devices from which evidence can be gleaned is growing rapidly, and now includes iPods and X-Box game consoles as well as PCs, GPS devices and cellular phones. The volume of data gathered in a single investigation can rapidly amount to a terabyte.
The Cyber Crime Center lab handled about 12 terabytes of data in 2001, Christy said, and 156 terabytes in the 700 cases it handled last year. At the same time, the turnaround time for each case has decreased, from 89 days in 2003 to 41 days in 2006.
'You need bigger and better tools,' to handle that volume of data, Christy said.
Christy recently retired as a special agent from the Cyber Crime Center and now heads up the center's newly formed Futures Exploration division, an outreach program to seek support from industry and academia. As part of that outreach, the center announced the DC3 challenge at last August's Black Hat Briefings in Las Vegas. The contest was a set of 11 challenges on data recovery and analysis. Twenty-one teams entered and the winner, a team from Access Data, won a trip in January to the Defense Cyber Crime Conference in St. Louis.
One of the challenges was to recover data from a broken CD, a problem for which the lab had no solution. Eleven of the teams solved that problem, Christy said. 'And they all had different techniques.' So now when a damaged CD comes in as evidence, analysts have 11 techniques to use on it.
The challenge will be repeated this year. One of the tasks likely to be included will be recovery of data from the BitLocker encryption feature in Microsoft's Vista operating system.
William Jackson is freelance writer and the author of the CyberEye blog.