Army debuts IT crime unit

Investigative agents use special PCs to gather evidence, build their cases

By Bill Murray

GCN Staff

In a converted computer room at Fort Belvoir, Va., six Army chief warrant officers and a legal adviser are working in the Wild West of law enforcement: investigating network intrusions.

The Army Criminal Investigation Command's Computer Crime Investigative Unit had its formal debut on the new frontier of police work in early spring, and unit officials recently celebrated a big conviction. Army Pfc. Aaron J. Eden pleaded guilty on May 11 to four charges, including intentional damage to a government computer and intentional access to a government computer without permission.

Chief Warrant Officer Dave Shaver says one way that Army investigators study malicious code is by using it to attack systems on the crime unit's own network at Fort Belvoir.

Army officials apprehended Eden in November for installing the hacker tool BackOrifice 2000 on computers at the Army Enlisted Records and Evaluation Center at Fort Benjamin Harrison, Ind., said Chief Warrant Officer James S. Smith, commander of the computer crime unit.

Eden, who worked at the records center, had altered or deleted 58,000 personnel files, Smith said. The private also tried to copy office software and sell it illegally, Smith said.

Because the center makes tape backups of the 185 computers connected to its LAN servers, no data was lost, Smith said. Eden had gained access to many systems by using BackOrifice 2000 in stealth mode to determine the passwords of other users, he said.

The computer crime unit built its case against Eden by showing that he had logged on as the network's systems administrator and deleted personnel files during times when the sysadmin was not in the building, said Chief Warrant Officer Dave Shaver, one of the unit's special agents.
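The correlation described above, as an added illustration that is not part of the article: constructed logon events for an administrator account are matched against constructed badge-reader records, and any admin logon that falls outside a badged-in interval is flagged. The log formats, account name and hostnames are assumptions.

```python
from datetime import datetime

# Constructed sample records (assumed formats, not from the article).
# LOGONS: "<date> <time> <account> LOGON <host>"; BADGE: "<date> <time> IN|OUT".
LOGONS = [
    "2000-01-10 09:02 sysadmin LOGON ws-17",
    "2000-01-10 10:15 clerk01 LOGON ws-42",   # other accounts are ignored
    "2000-01-10 22:14 sysadmin LOGON ws-42",  # admin account used after badge-out
    "2000-01-11 08:55 sysadmin LOGON ws-17",
    "2000-01-12 01:30 sysadmin LOGON ws-42",  # no badge record at all that day
]
BADGE = [
    "2000-01-10 08:45 IN", "2000-01-10 17:10 OUT",
    "2000-01-11 08:40 IN", "2000-01-11 17:30 OUT",
]

def parse_intervals(badge_lines):
    """Pair each IN swipe with the next OUT swipe -> list of (start, end)."""
    intervals, start = [], None
    for line in badge_lines:
        stamp, direction = line.rsplit(" ", 1)
        t = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        if direction == "IN":
            start = t
        elif direction == "OUT" and start is not None:
            intervals.append((start, t))
            start = None
    return intervals

def logons_while_absent(logon_lines, badge_lines, account="sysadmin"):
    """Return (timestamp, host) for logons of `account` outside every badged-in interval."""
    present = parse_intervals(badge_lines)
    flagged = []
    for line in logon_lines:
        date, clock, user, _event, host = line.split()
        if user != account:
            continue
        t = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M")
        if not any(start <= t <= end for start, end in present):
            flagged.append((t.isoformat(sep=" ", timespec="minutes"), host))
    return flagged

if __name__ == "__main__":
    for when, host in logons_while_absent(LOGONS, BADGE):
        print(f"{when}  {host}  admin logon with no badge record of presence")
```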

Book 'em

The Staff Judge Advocate's office prosecuted Eden in a court-martial, Smith said. In addition to a dishonorable discharge, Eden received a four-month prison sentence and had to forfeit outstanding pay.

When the computer crime unit's agents collect evidence, they use special portable Pentium III computers developed jointly by the Army and NASA. These PCs come loaded with forensic software that lets the agents gain read-only access to computers, Smith said. The agents also carry their own SCSI devices and peripherals, and they can burn CD-ROMs on-site to collect evidence.

Agents must be prepared to retrieve data from whatever source they can, from internal hard drives to digital linear tape storage subsystems.

The agents use EnCase, a law enforcement application from Guidance Software Inc. of Pasadena, Calif., to scan hard drives. When used on systems running Apple Mac OS, Microsoft Windows, Linux and other operating systems, EnCase searches for keywords and analyzes file structures. The agents' portable systems each have a RAID storage subsystem of eight drives.

On an isolated LAN at the unit's forensics laboratory, agents use 333-MHz Pentium II PCs from eMachines Inc. of Irvine, Calif., as well as Sun Microsystems Ultrasparc 10 workstations.

The LAN runs multiple OSes, including Windows 98, Windows NT Server 4.0 and SunSoft Solaris.

The unit tries to figure out how an attack proceeded by launching controlled attacks on its own LAN to see what happens.

Although the unit is concerned about insider threats, its agents have spent most of their time investigating outside hackers since 1998, when the Criminal Investigation Command assigned two agents to look into computer crimes, Shaver said.

In June 1999, the first two agents helped secure Chad Davis' conviction for hacking into and defacing the main Army Web site, at The 19-year-old from Green Bay, Wis., made the mistake of storing e-mail logs from a month-long period when he planned the attack, Shaver said.

After pleading guilty to fraud and malicious mischief, Davis paid more than $8,000 in restitution to the Army and served a six-month prison sentence. During his probation, all computer and telephone access is being supervised for three years.

Case studies

Currently, the computer crime unit has more than 30 open investigations into intrusions, Smith said. 'These cases go on for a long time,' which is partly why agents get so excited when a suspect is convicted, he said.

This year, the unit has filed 12 reports detailing its investigations.

To conduct investigations, Shaver said, the unit often must work with Internet service providers. Gaining access to the providers' customer data generally requires subpoenas. The subpoenas let agencies check subscriber names and connection logs for suspect IP addresses, he said.

'It's a real rat race, actually,' Shaver said of the crime unit's efforts to get subpoenas and to gain the aid of Internet service providers.

Using IP addresses, agents can sometimes determine the geographic origin of an attack.

Agents are still investigating a February distributed denial-of-service attack that made use of six Army computers as hosts, said Chief Warrant Officer Brent Pack, the unit's technical support team chief. The attack used at least 255 computers to flood several commercial online sites.

The hacker installed a sniffer program on one computer to ferret out passwords and eventually gained supervisor access to the six PCs, which let the hacker install files on the systems remotely, Smith said.

The unit has a couple of ways to follow up on an attack. When an Army organization reports a system breach, the service can either immediately repair the system and lock it down against further intrusion or it can opt to leave the system vulnerable so the computer crime unit can try to snare the offender, Smith said.

The choice often depends on the nature of the system, the data it contains and the programs it supports. Leaving a system open to further hacking attempts can help agents get subpoenas, install network intrusion devices and track any system ports that have been invaded, Smith said.
