Computer forensics: On the cutting edge

 



A few miles outside Hamilton, N.J., in a sparkling facility that still smells of fresh paint and sawn wood, Larry Depew flips a switch and a blue light starts flashing overhead.

That's the signal that a visitor without a security clearance is on the premises of the FBI's brand new Regional Computer Forensics Laboratory. This facility is just one of 13 regional labs across the United States sponsored by the FBI.

The RCFL is not, in the strictest sense, an FBI operation, but more like a federal and state law enforcement joint venture staffed by representatives from several agencies at both levels. Its sole purpose is the examination of digital evidence in support of criminal investigations being conducted by any of the 550 law enforcement agencies in the 21 counties of New Jersey.

In fiscal 2004, the FBI's forensic examiners in New Jersey fielded 340 service requests. Depew estimated that the RCFL would handle about 500 requests in 2005.

"We serve anybody in the state of New Jersey," he said. "Our clients are the courts, or the justice system."

But there are guidelines for determining which cases the RCFL will handle.

"We have a prioritization schedule," Depew said. "First is an ongoing event that is likely to result in injury, death or serious property damage, such as kidnapping. Second is an event with the likelihood of injury or damage, like a planned terrorist event."

After that come all other cases going to court, requests to recover data, and R&D on forensic tools, he said.

The RCFL is state-of-the-art when it comes to handling computer forensics. At one end of the building is a dedicated, automated evidence room. When law enforcement agencies want to submit technology for examination, they have to hold onto it until the RCFL notifies them it can be submitted.

Once the devices arrive for examination, they are bar-coded and heat-sealed in plastic bags to maintain the chain of custody. There is a dedicated server in the evidence room just to keep the records of where materials are, who had access, who conducted the examinations and where the duplicates are kept.

Down the hall from the evidence room is the forensics lab, a very large open room with tall chrome wire shelves sectioning off individual work areas. Each work area can have up to six forensic stations hooked up at once.

"We have a storage area network connected to the review stations, with eight terabytes for each station," Depew said. With that kind of capacity, "agents can review case data at leisure."

The RCFL has the equipment to undertake analysis of images from surveillance cameras, Depew said, which is high-volume work requiring massive processing.

One examiner, assigned from the New Jersey State Police, was distilling information from 196 hours of video fed from 32 different cameras.

The video feed normally flashes still images from each of the cameras, he said, and it takes sophisticated software to "filter" all the analog images and put all the images from one camera together.

"We handle four or five a month," the examiner said. "In addition to analog, we're encountering more and more proprietary systems" with specialized chips.

The use of custom chips and proprietary data architectures makes it more difficult to extract the information, the agent said, and requires contacting the system manufacturer for technical information.

Another examiner said the RCFL might encounter a technology that is very specialized, requiring more groundwork before it can be analyzed. For example, he recently was given a "skimmer," a device that captures the information on the electronic stripe of a credit card and uses the data to encode a blank card. That was a first for him, he said.

Depew created a configuration control process to provide a baseline for analysts as they start new cases. Everything begins with a complete wipe of the hard drive, so there is no pollution, so to speak, with data from one case spilling into another.

All of the 22 examiners have to be certified in particular areas of forensic examination. "Basic training" is in Wintel, or Microsoft Corp.'s Windows operating system and Intel Corp.'s chips, Depew said. Then there are specialty certifications in such subjects as Linux, Apple Computer Inc.'s operating systems, cell phones and personal data assistants. It takes 18 months to earn a certification.

Depew has been certified in several specialties, most recently as a PDA examiner, one of the newest areas in computer forensics.

"We keep telling [field agents], 'Don't overlook devices, but remember most have volatile memory [so] you have to keep it charged.' " In other words, when law enforcement executes a search warrant and seizes a PDA or a cell phone, take the charger cord, he said.

The certifications extend to old technologies, as well. Depew continues to hold a certification in DOS, for example.

"It would hurt, but I could do it," he said of the prospect of a DOS-based forensic exam.

The RCFL also archives old applications, such as all the earlier versions of Windows and early word processing software, in case a criminal investigation turns up some obsolete equipment still in use.

The government classifies a vast amount of information, including data turned up in investigations. The RCFL was built to meet the specifications for handling up to "secret" level material, thus the flashing blue light.

"If we hit something that's top secret, we ship it to another agency or another facility" able to handle that level, Depew said.

The need for computer forensics in order to develop evidence of a crime is obvious, but the discipline has also improved the law enforcement process, Depew said.

"Years ago we had a Russian organized crime case with 2,500 wiretap tapes, a lot of them international. Los Angeles wanted to use them, so we had to physically copy and send them," he said.

Today that would not be necessary. The RCFL effectively serves as "an investigative data warehouse," he said, and agents can be given access to targeted files.