Compu-crime unit finds cyber evidence

Last year, in the court-martial of an Air Force captain accused of downloading child
pornography from government computers at Kadena Air Base, Japan, prosecutors used a
forensics expert to nail their case.

Computer forensics, that is. Howard Schmidt, director of computer crime investigations
at the Air Force Office of Special Investigations, flew to Japan to explain how
investigators had undeleted files, found hidden date and time codes, and generally
dissected the suspect's hard drive to reconstruct his visits to pornography sites on the
World Wide Web.

"I also gave basic testimony on how the Internet works and details about what kind
of file viewers and monitor resolution would have been required by the suspect,"
recalls Schmidt, who worked as a police officer and FBI agent before joining AFOSI.

The captain was found guilty, fined and dismissed in one of 129 cases AFOSI
investigated last year that involved computer-based evidence.

Last month, AFOSI opened a full-time Computer Forensics Laboratory at Bolling Air Force
Base in Washington to stay ahead of a growing backlog of cases requiring such expertise.
Like the digital equivalents of medical examiners poring over a cadaver, the lab's
half-dozen full-time staff members delicately take apart computers sent to Bolling from
around the world.

"The challenge is to get relevant data off the system in a totally pristine manner
so it can be submitted to court," Schmidt said. That is easier said than done. Many
operating systems automatically alter a file by changing data and time codes the instant a
system is booted up. That can ruin the evidence instantly, Schmidt said.

The lab uses a variety of custom and commercial software tools--including Norton
Utilities from Symantec Corp. of Cupertino, Calif., and QuickView Plus from Inso Corp. of
Chicago--to sift through the dozens of different file formats, operating systems and
hardware combinations that arrive at its door.

When incriminating files are found and copied off the suspect's machine, staff members
use one of 10 166-MHz Pentium PCs to further dissect the code, searching for encrypted or
otherwise hidden files and pictures. Evidence is then stored on CD-ROM disks to ensure
long-term integrity.

The lab's staff is mainly young enlisted personnel with exceptional skills who were
recruited directly from the Air Force's computer track at the Air Training and Education
Command at Keesler Air Force Base, Miss., or other Air Force organizations.

"We handpick these people," Schmidt said. "When we went to Keesler last
year we interviewed 60 people for three slots."

At the lab recruits get additional training in law enforcement and evidence-handling
techniques and are encouraged to develop specialties. "I've been designated the
Macintosh expert because nobody else likes to do it," said Airman 1st Class Cheri
Holtz, a recent Keesler recruit.

Brig. Gen. Robert Hoffman, AFOSI's commander, said the lab and an expanded computer
intrusion-detection branch at Bolling were made possible by a $1 million infusion of funds
supported by senior Air Force leadership.

The Air Force sees an increasing number of computer crimes, he said. "We are
working to train our agents so that every one of them can recognize the evidence potential
any piece of computer equipment."

Most cases handled by AFOSI's computer crime investigations branch are referred by the
Air Force Computer Emergency Response Team (AFCERT) at the Air Intelligence Agency, San
Antonio, Texas.

When AFCERT suspects an intrusion violates the law, it contacts AFOSI's intrusion
detection experts, who then work with AFCERT to monitor and record a hacker's activities
until sufficient evidence has been collected to make a case. AFOSI has 21 full-time
computer crime investigators worldwide, 12 of whom are based at Bolling.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.