[ISN] Inside the DoD's crime lab

From: InfoSec News (isn@private)
Date: Wed Mar 10 2004 - 05:19:57 PST

    Forwarded from: William Knowles <wk@private>
    
    http://www.nwfusion.com/research/2004/0308dod.html
    
    By Deborah Radcliff
    Network World
    03/08/04
    
    Digital evidence comes in all shapes and sizes: pallets full of 
    computers, a hard drive with an AK-47 bullet hole in it, audio tapes 
    fished out of the ocean, mangled floppies, garbled 911 calls. 
    
    Whenever U.S. government agencies investigating a crime or a 
    cybercrime have digital evidence that's too difficult to analyze, they 
    send it to the Department of Defense computer forensics lab. 
    
    The evidence can arrive in a military vehicle, via FedEx or through 
    the U.S. Postal Service. However it gets there, it's accepted at the 
    loading dock of an unmarked commercial building on the outskirts of 
    Baltimore. 
    
    It's then logged and sent to an evidence custodian, who inventories, 
    tags and stores it in a locked cage.
    
    Network World was invited into the Defense Computer Forensics Lab 
    (DCFL) for an inside look at how computer investigators at the cutting 
    edge are using digital evidence to help solve crimes. 
    
    The purpose of the lab is to analyze evidence gathered at crime scenes 
    involving the military. Whatever crimes occur in the civilian world, 
    you also see in the military. It could be homicide, child pornography, 
    identity theft, counterfeiting, misconduct, terrorism, espionage, 
    contractor fraud or misuse of government property. 
    
    With these crimes, there's often digital evidence in cell phones, 
    pagers, PDAs, geo-mapping systems, digital cameras, cockpit recording 
    systems and anything else with flash memory or ROM. 
    
    "We estimate that 95% of criminals leave digital evidence at the 
    scene," says Donald Flynn, attorney adviser for the Defense Department 
    Cyber Crime Center, which houses the DCFL. 
    
    That evidence must be able to stand up in court, particularly now that 
    judges and attorneys are becoming savvy enough to start asking 
    questions about the integrity of digital evidence. The DCFL addresses 
    this through rigorous training and advanced tools such as certified, 
    high-capacity extraction and imaging processes and tools. 
    
    
    Inside the lab
    
    My tour guide at the high-security lab pushed a button at the 
    double-door entryway into the lab that triggered blue ceiling lights, 
    which blinked incessantly to alert technicians that unclassified 
    visitors were on the premises. 
    
    The lab includes your standard office cubicles, but every cube is 
    outfitted with state-of-the-art processors, multi-system server stacks 
    and 42-inch flat-screen monitors. 
    
    "Some of the evidence comes in on pallets - cases full of servers, 
    CPUs, RAID disk arrays, floppy diskettes, Palm Pilots, digital 
    cameras," says special agent Bob Renko, director of operations for the 
    lab. "We've even gotten evidence in buckets of water - for example, 
    video tapes recovered from jets crashing into the sea during training 
    exercises." 
    
    The first stage in evidence extraction is digital imaging. This is 
    trickier than it sounds because contents can be altered in the process 
    - such as adding a date stamp when copying a hard drive, thus tainting 
    the evidence and rendering it inadmissible. 
    
    Then there's the sheer volume of data. In 1999, analysts examined 
    their first terabyte-sized case when they received a pallet of 
    computers belonging to a defense contractor accused of violating 
    Environmental Protection Agency guidelines in its handling of toxic 
    waste. If analysts had tried to use technology that copied and 
    examined one drive at a time, they still would be investigating that 
    case, says the lab's director, Lt. Col. Ken Zatyko, special agent with 
    the Air Force Office of Special Investigation. 
    
    So analysts created their own script, which moves images of all the 
    media into one place. In this location, searching and extraction is 
    conducted across all the data simultaneously using the same search 
    phrase. 
    
    Last month, the lab received several pallets containing more than 3T 
    bytes of data to image and extract. The evidence, which filled a 
    20-by-10-foot windowless room, required its own storage-area network. 
    
    The recovery process begins with entry-level technicians checking 
    evidence out of lockup. Then they create bit-stream mirror images onto 
    cleaned hard drives to prevent contamination. 
    
    They make the copies using a modified Linux tool dubbed DCFL Data 
    Dump. The tool is akin to private-sector imaging tools such as 
    SafeBack, which takes a mathematical hash of the image and compares it 
    to the original hash to prove the image is an exact replica. 
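    As an added illustration of the hash-and-compare verification described above (example code, not DCFL Data Dump or SafeBack): a minimal bit-stream imager that digests the source while copying, recomputes the digest over the written image, and shows how a copy step that writes a date stamp into the image breaks the match. The sample "drive" and the tainting step are constructed for the example.

```python
# Added example, not the DCFL's tool: hash-while-imaging with verification.
# The "drive" is a constructed in-memory byte string, not a real device.
import hashlib
import io

BLOCK_SIZE = 512  # sector-sized reads, as a block-level imager would use

def image_and_hash(source, dest, block_size=BLOCK_SIZE):
    """Copy source to dest block by block; return (source_hash, image_hash).

    The source digest is taken from the bytes as they are read; the image
    digest is recomputed from what was actually written, so any mismatch
    means the copy is not a bit-for-bit replica of the original.
    """
    src_hash = hashlib.sha256()
    while True:
        block = source.read(block_size)
        if not block:
            break
        src_hash.update(block)
        dest.write(block)
    dest.seek(0)
    img_hash = hashlib.sha256(dest.read()).hexdigest()
    return src_hash.hexdigest(), img_hash

def verify_image(source_hash, image_hash):
    """True only if the image digest equals the digest of the original."""
    return source_hash == image_hash

def image_bytes(data, block_size=BLOCK_SIZE):
    """Image an in-memory byte string; return (source_hash, image_hash, image)."""
    image = io.BytesIO()
    src, img = image_and_hash(io.BytesIO(data), image, block_size)
    return src, img, image.getvalue()

# Constructed sample volume: a label sector plus one sector of file content.
SAMPLE_DRIVE = (b"DCFL-SAMPLE-VOLUME" + b"\x00" * 494
                + b"invoice: explosive bolts x 200 @ $12.50" + b"\x00" * 473)

def demo():
    """Return (clean_copy_verifies, tainted_copy_verifies)."""
    src, img, image = image_bytes(SAMPLE_DRIVE)
    # Simulate the tainting the article warns about: a copy step that writes
    # a date stamp into the copy. The recomputed digest no longer matches.
    tainted = bytearray(image)
    tainted[18:22] = b"2004"  # constructed: overwrite four zero bytes
    tainted_hash = hashlib.sha256(bytes(tainted)).hexdigest()
    return verify_image(src, img), verify_image(src, tainted_hash)
```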
    
    
    Crimes and misdemeanors
    
    The busiest unit in the lab is Major Crimes and Safety, which handles 
    criminal cases involving digital media. The forensic analysts in this 
    unit work in open cubicles, each with two Windows 2000 workstations, 
    one to search the imaged data and another to store recovered evidence 
    or for when they're working two cases at once. 
    
    Renko says the agency's extraction tools work in a forensically sound 
    manner across computers and PDAs, but become problematic when it comes 
    to cell phones and pagers. 
    
    "At least one time, we've had to work directly with the telephone 
    manufacturer to successfully retrieve data," he says.
    
    For computer examinations, the agency's standard data search and 
    extraction suite of tools is called iLook, which is licensed by the 
    Treasury Department. A private-sector equivalent would be EnCase. 
    
    Bill (for security reasons, analysts are only allowed to give their 
    first names) is an advanced forensics examiner and former metropolitan 
    detective in Washington, D.C. He explains how the tool conducts 
    keyword searches, and reassembles damaged and erased files, e-mails, 
    attachments, temporary Internet files, data files and renamed files 
    into a list of searchable files. 
    
    "Say you have a contractor using sub-standard explosive bolts, which 
    are critical to pilot safety because they're what makes the cockpit 
    lid fly off in an emergency ejection. We know the cost of quality 
    bolts should be about $100. We can do keyword searches through their 
    accounting systems on 'explosive bolts,' to see what they're actually 
    paying for them," Bill says. "Or, if we have a child porn case, we can 
    order up a thumbnail view of all Internet cached files across multiple 
    drives to see what's been downloaded." 
    
    As Bill finishes talking, a long list of files appears in the search 
    window of his workstation. Six suspicious files are highlighted in 
    yellow, indicating that the search phrases were found in those files. 
    
    
    Hardware magicians
    
    Shortly after it became operational in 1998, the lab received a 
    classified hard drive that seemed impossibly damaged. An outside firm 
    estimated it would cost $250,000 to repair. Renko balked. 
    
    "We figured it was more feasible to train our own people to repair 
    hard drives," Renko says, while pointing out lockers where evidence is 
    stored when not being processed. 
    
    He stops in a small room with two Plexiglas-enclosed clean areas where 
    technicians have soldered mutilated floppies and repaired hard drives 
    that have been thrown off balconies and even shot with AK-47s, as in 
    one recent battlefield case. The data where the bullet holes and 
    solder marks are can't be recovered, but the rest can, Zatyko says. 
    
    The intrusion-analysis squad occupies the rear section of the lab, 
    where examiners, who work primarily on Linux systems, investigate 
    hacks on Defense Department networks. 
    
    "Our first job is to find out how the computer was intruded upon and 
    what data was accessed by the intruder," says "Sig," who was recruited 
    from his job as head of information security for a university. "For 
    the information assurance part, we tell our client agencies what their 
    entry point was and what needs to be patched to protect from future 
    hacks." 
    
    Sig pulls up an advanced tool named Starlight. A multi-colored, 
    three-dimensional map pops up: Each of its lines represents a separate 
    connection made into the defense network, and each color represents a 
    different protocol. 
    
    "We've had entire underground hacker ISPs coming at us," Sig explains. 
    Color-coding protocols makes it easier to determine which computer is 
    sending which attack. "For example, the exploit in this case ran over 
    HTTPS, so we color-coded all the HTTP proxy traffic in red. Then we 
    can see that three of these IPs coming at us are involved in that type 
    of traffic," he says. 
    
    In this case, the hackers were caught and prosecuted, and the entire 
    hacking group disappeared from the Internet underground, he says. 
    
    As examiners trace hackers back to different hops and examine those 
    boxes, they run into new variants of hacker tools stored on those 
    computers that haven't been reported by tracking services such as CERT 
    and Bugtraq. 
    
    The new hacker tools are added to the unit's malicious logic database, 
    which will then detect them if they're used in future cases. 
    
    Furthermore, the database helps analysts spot similarities when 
    multiple attacks are hitting different Defense Department networks at 
    the same time, indicative of a large-scale attack by one source. Such 
    cases are then reported to the Joint Task Force on Computer Network 
    Operations. 
    
    In recent months, law enforcement agents from Australia, Canada, 
    Germany, Hong Kong, Singapore, the U.K. and other nations have toured 
    the facility to better develop their own cybercrime units. U.S. 
    attorneys, judges and law enforcement agencies also frequently call 
    for technical clarification. (For example, a recent call came in from 
    a judge who needed to know the difference between evidence recovered 
    from a cached memory vs. evidence found in a file on the hard drive.) 
    
    As more cases involve digital evidence, the need for sophisticated 
    digital forensics capability throughout the legal system will continue 
    to grow, says Gail Thackery, U.S. Attorney for the state of Arizona. 
    Thackery has prosecuted a number of computer-related crime cases and 
    teaches at ACIS International Association of Computer Investigative 
    Specialists. 
    
    "Police used to worry about guns and blood and chemical evidence, but 
    now every case in America has a computer involved in it. The legal 
    system is hungry for experts at digital evidence," she says. 
    
    "So computer forensics training and careers are going to be hot for a 
    long time," she adds.
    
    -=-
    
    Radcliff is a freelance writer in California. She can be reached at 
    deb@private 
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Mar 10 2004 - 08:21:20 PST