AF Computer Forensics Lab nabs criminals, byte by byte

"As a law enforcement agency
our ultimate goal is prosecution"

When Joseph Snodgrass cut two floppy disks into 23 pieces with shears, he thought he
had destroyed evidence linking him to his wife’s murder.

What Snodgrass didn’t count on was that the Air Force Computer Forensics
Laboratory could reconstruct the disks and cull information that put him behind bars.

The disks, which were pieced together by the lab, revealed that Snodgrass had increased
his wife’s life insurance policy and had hired a hit man to murder her. Snodgrass,
who is now serving a life prison sentence for the crime, learned the hard way that disks,
hard drives and CD-ROMs, even damaged ones, often hold valuable clues to crack criminal

The 1991 murder-for-hire case typifies the kind of work performed by the lab, which is
managed by the Air Force Office of Special Investigations. The lab, at Bolling Air Force
Base in Washington, pioneered the technique of reconstructing damaged disks for evidence
in counterintelligence, criminal, fraud, child pornography and hacker cases.

“Right now the greatest portion of the cases that we support are criminal
investigations—50 percent of which are child pornography cases,” said Lt. Col.
Anne Burtt, the lab’s director. The lab became a Defense Department facility under
the Defense Reform Initiative last month.

A February 1998 memo signed by deputy Defense secretary John Hamre created the new DOD
Computer Forensics Laboratory to process and analyze computer evidence for all three
services. The Air Force Office of Special Investigations is still in charge of the lab.

“Because we have high-tech talent and equipment, we want to focus on DOD
high-priority cases affecting national security, such as computer intrusion cases,”
Burtt said.

The lab works closely with the FBI’s Computer Analysis and Response Team at the
National Infrastructure Protection Center in Washington, as well as with other law
enforcement, intelligence and computer security agencies.

“Computer intrusion cases cross all boundaries,” said David Poole, chief of
the DOD Computer Forensics Lab. “That’s the kind of case where we pool resources
and expertise and try to find the right people to do the work.”

Burtt said the lab employs some of DOD’s youngest and smartest computer
professionals, who are setting the standards for digital and analog forensic analysis. The
lab has 23 employees, 16 of whom are computer forensics examiners. Many of the lab’s
examiners are handpicked from the Air Force’s technical training schools.

Forensics examiners use a combination of general and law enforcement software tools to
examine computer evidence, including AnaDisk by Sydex Inc. of Eugene, Ore., which rebuilds
magnetic traces of data from damaged disks sector by sector. Lab analysts also use
Sydex’s SafeBack to create a hard drive image, as well as Norton Utilities by
Symantec Corp. of Cupertino, Calif., to retrieve data and QuickView Plus by Verity Inc. of
Sunnyvale, Calif., to view graphics.

Hardware in the lab changes regularly depending on the investigation.

“We need whatever it takes to complete an investigation,” Poole said. The
lab, for the most part, uses Pentium PCs. But when cases warrant, lab examiners have
access to expensive Silicon Graphics Inc. and Hewlett-Packard Co. workstations. The lab
even has an archive of older computers, such as the TRS 80 from Tandy Corp.

The 16 examiners in the lab are divided into two teams. Each team member specializes in
a particular operating system, such as Unix, Microsoft Windows or Mac OS.

The lab helped the FBI investigate two California youths in connection with a series of
electronic break-ins at 11 DOD computer systems earlier this year. The suspects, both
minors, hacked into unclassified DOD systems in the United States and Okinawa, Japan, with
the help of an Israeli teen-ager nicknamed “The Analyzer” on the Internet.

“As a law enforcement agency our ultimate goal is prosecution,” Burtt said.

The FBI’s Computer Crime Squad in February raided the youths’ homes in
Cloverdale, Calif., about 80 miles north of San Francisco, and seized computers, software
and printers that the lab later analyzed. An Air Force OSI agent also joined the FBI team
on a fact-finding mission to Israel to investigate the role of the Israeli youth in the
hacking incident.

The team brought evidence gathered in Israel to the lab for analysis, Poole said. The
investigation is ongoing, he said.

The teen-agers, involved in what Hamre has called the “most organized and
systematic attack” to date on DOD systems, pleaded guilty late last month to charges
of juvenile delinquency. They likely will be placed on probation but won’t serve jail
time, DOD officials said.

The new DOD lab also provides on-site assistance for computer search and seizure
operations at crime scenes, as well as expert testimony in court, supporting
investigations that include forensic analysis of computer disks and hard drives.

Category I cases involving foreign or critical computer intrusions, espionage, death or
sensitive counterintelligence must be completed within 25 days. Category II cases
involving sexual assault, fraud and narcotics investigations must be in and out of the lab
within 50 days. All other cases, Category III, have a turnaround goal of 65 days.

Lab officials declined to provide details on the California hacker case and refused to
either confirm or deny that the lab examined notebook computers belonging to Cliff
Bernath, the former No. 2 man in DOD’s Public Affairs Office. Defense officials,
however, said the department had seized Bernath’s Apple Computer Inc. and Dell
Computer Corp. notebook computers as part of an investigation into charges that Bernath
allegedly leaked negative information to the media about Linda Tripp, a DOD employee and
the center of Ken Starr’s investigation into Monica Lewinsky’s activities.

“We can’t discuss ongoing investigations,” Burtt said.

“Since July 1, I’ve gotten six new investigations in the lab and only one of
them is from the Air Force,” which, Poole said, reflects a more diverse workload for
the lab. 

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.