Computer Network Security
Timothy P. Kosiba
Program Manager/Forensic Examiner
What is CART?
What is Digital Evidence?
What is Computer Forensics?
What Crimes involve Digital Devices?
How can CART or a Computer Forensic Examiner help the Investigator?
What training is available?
What is an RCFL?
CART is a team of law enforcement
individuals trained in Computer
Forensics. Their task is to examine
digital evidence in criminal matters
and provide testimony with respect
to such evidence in a court of law.
To provide digital forensics and technical
capabilities, services and support to the FBI,
Intelligence Organizations and other Law
Providing the highest quality digital forensic services which are prompt,
accurate, impartial and usable.
Maintaining a leadership role in the field of digital forensics.
Development and application of validated, state of the art, multi-platform
hardware and software tools, practices and procedures.
is information of
or transmitted in
Digital Evidence is Volatile
Simply starting a computer alters or
destroys data and reduces chances of data
Viewing, copying or printing likewise can
Malicious or hidden code can also cause
Regardless of the role computer/digital device played, it is still:
Acquire, Preserve, Examine and the
Presentation of forensic examination results
Application of science and engineering
to the legal problem of digital evidence.
Requires expertise, training and tools
Forensic Examination Tools
Safeback, DD, Drive Duplicators
ILook, Forensic Toolkit, Misc. Specialty Tools
CART Territory Map
Chicago Detroit Albany
Omaha Cleveland New Haven
Indianapolis Pittsburgh Philadelphia
Sacramento Salt Lake City Springfield Cincinnati Newark
San Francisco Kansas City St Louis Washington, DC
Las Vegas Richmond
Los Angeles Oklahoma City Little Rock
Phoenix Albuquerque Columbia
San Diego Atlanta
El Paso Mobile
Houston New Orleans Jacksonville
Crimes Involving Computers
E-mail Extortion Threats On-
On-line Child Pornography
On-line Narcotic Sales
On- Computer Component Theft
Offshore Money Laundering
Websites
Organized Crime
Civil Rights Crimes
Hate Crimes
Domestic Terrorism
Medical Fraud
Viruses/Worms
Telecommunication Fraud
Chip Fraud
Securities Fraud
Theft of Intellectual Property
Homicides
Kidnapping
Is the computer a tool, target, or
Contents of a 3.2 Gigabyte Hard Drive
Would build a Stack of Paper as High as
The Washington Monument (555 ft)
responsibilities for examination
What are you looking for?
Define Filter for Target Data
Time (1 Computer can take up to over 40 hours)
Review Output and discuss with AUSA
Digital Evidence Processing
Desktop
SCSI Card,
2 Hard Drive
Removable drive bays
Laptop (Extra Hard Drive)
CDRW
Magneto Optical Drive
Palm Pilot
Travel Cases
Cost Approximately
Yearly upgrade cost approximately $12,500
Yearly Supply Budget for expendable items
Zips
Jaz
Floppy Disks
Computer Analysis Response Team
Digital Evidence Processes
* Physical Copy Internet Processing
Image History Files
Logical Copy Email
Write Protecting Buddy List
Working from a copy Screen Names
* Data Reduction PDA Processing
Recovering Deleted Files Hash Comparison
File type Standard Format
File name HTML
How can AUSAs help?
Help define examination requirements.
Keep CART updated on digital evidence
Provide critical dates/deadlines
Brief CART for testimonial purposes
What is the DOJ / FBI doing to
enhance the digital evidence
Regional Computer Training
Forensics Laboratory TAG -n- BAG
More CART FE’s
DOD Joint Forensics National Computer Training
Regional Lab Structure
Both sworn and non-sworn law enforcement
Organized Separation of Duties:
imaging, analysis, and research and development
Rotate examiners between these
assignments, allowing each to develop a
variety of skills.
Data Storage procedures
Regional Computer Forensic
Laboratories - RCFL
San Francisco Kansas City