Docstoc

Building-FBI-computer-forensics-capacity-one-lab-at-a-time_2004_Digital-Investigation

Document Sample
Building-FBI-computer-forensics-capacity-one-lab-at-a-time_2004_Digital-Investigation Powered By Docstoc
					Digital Investigation (2004) 1, 177e182




                                                                                                 www.elsevier.com/locate/diin




Building FBI computer forensics capacity: one
lab at a time
Douglas A. Schmitknecht

FBI, USA


   The Federal Bureau of Investigation (FBI) is on                  Director Robert S. Mueller III calls the RCFLs, ‘‘.a
a mission: to strengthen law enforcement’s com-                     critical component in our efforts to support state
puter forensic capabilities throughout the United                   and local law enforcement agencies nationwide.
States. How are we fulfilling such a sweeping and                    By combining the extraordinary talents and re-
ambitious mandate? Through an innovative initia-                    sources of law enforcement agencies at all levels,
tive entitled the Regional Computer Forensic                        our ability to investigate criminals and detect and
Laboratory (RCFL) Program. RCFLs provide much                       prevent acts of terrorism becomes considerably
needed computer forensic expertise and training                     more robust.’’
to thousands of law enforcement personnel. Al-                         The actual RCFL ‘‘model’’ is based on the
though the demand remains high for skilled com-                     formula developed by the San Diego RCFL. The
puter forensic Examiners e a common challenge                       San Diego RCFL began as a test project in 1999,
facing law enforcement worldwide e RCFLs are                        where a coalition of law enforcement agencies in
doing their part to level the playing field. If                      Southern California pooled their personnel and
properly administered, the FBI believes that the                    funding resources to create an FBI-sponsored,
RCFL model can be duplicated from Prague to                         single-service computer forensics laboratory. The
Portland, with the same level of success.                           San Diego agencies looked to the FBI for training
                                                                    and technical support, and in response, the FBI’s
                                                                    Computer Analysis Response Team (CART) program
                                                                    was selected to provide training and certification
The RCFL ‘‘model’’                                                  to the RCFL Examiners. Moreover, the FBI assumed
                                                                    a majority of the start-up costs, while the other
The RCFL model is based on two guiding principles:                  coalition members donated personnel to staff the
cooperation and partnership. Although the Pro-                      new lab. Within a matter of months of becoming
gram is technical in nature, collaboration between                  operational, the San Diego RCFL established
an array of law enforcement agencies is the main                    a clear standard for the effective and efficient
driver behind the Program’s continued success. FBI                  examination of digital evidence, enabling them to




1742-2876/$ - see front matter ª 2004 Elsevier Ltd. All rights reserved.
doi:10.1016/j.diin.2004.07.007
178                                                                                              D.A. Schmitknecht




address the computer forensic needs of area law                  Existing and future RCFL sites
enforcement.
   With only eight Examiners serving a population                As with any new program, it is essential to have
of over seven million people, the FBI’s Dallas Field             a series of institutionalized procedures and pro-
Office and their local counterparts were working                  cesses in place to manage both the day-to-day
under similar circumstances as their San Diego                   operations and to guide future growth. In 2002, the
colleagues e too much casework and not enough                    FBI established the RCFL National Program Office
skilled computer forensic Examiners on hand. The                 (NPO) to assume this role and to facilitate the
FBI’s Dallas Field Office followed San Diego’s                    creation of new RCFLs. Additionally, the NPO
model and spearheaded a coalition of area law                    supports the laboratories by:
enforcement agencies with the goal of establishing
an RCFL in the North Texas region. In 2000, their                  Providing technical assistance to ensure con-
vision became reality when the North Texas RCFL                     sistent quality management of each laboratory.
opened for business with eleven Examiners de-                      Institutionalizing the policies, practices, and
tailed1 from eight participating agencies. Like                     legal processes regarding the establishment
their predecessors in San Diego, the North Texas                    and governance of RCFLs.
RCFL was a welcomed resource that quickly be-                      Cultivating working relationships between law
came a genuine success.                                             enforcement, the private sector, academia and
                                                                    other government agencies by serving as
                                                                    a national clearinghouse for the exchange and
A program emerges                                                   dissemination of information among these
                                                                    entities.
With the passage of the US Patriot Act in 2001, and                Serving as an advocate for the Program before
an impressive and growing list of accomplish-                       key constituent groups.
ments, the US Congress directed the FBI to launch                  Developing new digital evidence forensic tools.
more RCFLs across the country. Therefore, in                       Developing training curricula for digital evi-
addition to the facilities in San Diego and North                   dence Examiners and law enforcement officers.
Texas, RCFLs were established in Chicago, Illinois                 Coordinating and communicating training ini-
and Kansas City, Missouri in 2003. Nine more                        tiatives and tool development efforts for use
laboratories will join the Program over the                         by the law enforcement community.
2004e2005 time period, bringing the total number
of RCFLs to 13.                                                     The NPO is physically located at the FBI’s offices
                                                                 in Quantico, Virginia. Since the RCFLs are spread
  1                                                              across diverse, geographical locations, one of the
    Participating Agencies ‘‘detail’’ employees to serve in an
RCFL usually for two or three year terms. These individuals      NPO’s top priorities is to maintain communications
remain as employees of their home agencies, and return there     with the field. The NPO holds conference calls with
upon concluding their assignment.                                RCFL directors, organizes bi-annual meetings and
Building FBI computer forensics capacity: one lab at a time                                            179

holds an annual RCFL conference, which is open to         an investigator is deemed an ‘‘expert’’ after
any law enforcement officer.                               taking a short course in computer forensics.
                                                         Protects evidence e ASCLD/LAB accreditation
                                                          focuses on evidence handling procedures, to en-
Standardization                                           sure that evidence is not damaged or misplaced.
                                                         Ensures accurate results e Accreditation can
To ensure uniformity throughout the Program, all          enhance forensic results by requiring suffi-
FBI-sponsored RCFLs must follow a well-defined             cient written protocols that serve as an
Quality Assurance Program, complete with FBI-             empirical basis for the most basic and complex
approved Standard Operating Procedures and                procedures.
Quality Assurance Manuals. These standards gov-
ern policies and procedures concerning evidence           The North Texas RCFL recently requested an
handling; search and seizure operations; the           ASCLD/LAB inspection and expects to become the
examination of seized electronic equipment, in-        first RCFL to obtain this prestigious accreditation.
cluding computers; and courtroom testimony. The        All RCFLs are expected to follow this lead.
notion of following a uniform set of procedures
also applies to data gathering. Throughout the         A powerful network
fiscal year (FY), the RCFLs enter case information
into a centralized database managed by headquar-       As new RCFLs are formed, they gain access to
ters. This information is used in part to create the   a powerful, and growing network of resources and
Program’s annual report, to track the Program’s        manpower. For instance, if a case is particularly
progress, to identify where resources are needed,      complex, or if a specific expertise is needed, an
and to measure the Program’s performance for the       RCFL Director can ask the NPO to identify what
year.                                                  resources are available to them within the Pro-
   Each RCFL facility prepares to seek accredita-      gram. The fact that all RCFL Examiners are CART
tion from the American Society of Crime Labora-        certified and proficient in the Program’s operating
tory Directors/Laboratory Accreditation Board          procedures qualifies them to step into national
(ASCLD/LAB). The benefits of accreditation,             service at a moment’s notice. The Pentagon
including:                                             bombing investigation illustrates this point, and
                                                       most recently, an Examiner assigned to the Chica-
  Improves quality e Accreditation will heighten      go RCFL provided expert computer forensics sup-
   the quality of the RCFLs services because an        port for an investigation involving a suspected
   independent, impartial and objective team of        terrorist. While examining the five computers
   experts will review the laboratory’s findings        associated with the case, he used Netcase as one
   and operations.                                     of the primary forensic tools. Although all the text
  Strengthens operations e Accreditation en-          was in a foreign language (Arabic), he successfully
   sures that an RCFL is abiding by criteria that      identified several documents that pertained to
   are designed to assess performance, while also      terrorist activities. The suspected terrorist was
   strengthening operations.                           indicted by a federal grand jury this past June
  Establishes standards e With accreditation,         for providing material support to al Qaeda, and for
   the general public and the users of the RCFL        obtaining and using fraudulent travel documents.
   are assured that the laboratory is following           Finally, all RCFL Examiners must obtain a Top
   established and widely accepted standards.          Secret clearance, which the NPO facilitates upon
  Enhances quality control e Accredited labora-       their hiring. This allows the immediate sharing
   tories must follow appropriate quality controls     of personnel without constraints and enables
   and quality assurance procedures.                   RCFL Examiners to assist with any Federal, state,
  Guarantees Examiner qualifications e ASCLD/          or local investigation. In today’s post-9/11
   LAB requires that laboratories have certified        environment, having this capability is especially
   Examiners on staff. All RCFL Examiners must         critical.
   undergo the FBI’s CART certification process,
   and may not perform examinations indepen-
   dently until doing so. (Trainees may need           RCFLs in action
   anywhere from six months to a year of training
   before they are certified.) Certification implies     Any law enforcement agency within the RCFL’s ser-
   that an individual has a certain body of            vice area may request digital evidence technical
   knowledge, and counters a recent trend where        support, on-site collection assistance, or training.
180                                                                                    D.A. Schmitknecht

Every FBI-sponsored RCFL offers the following          which was named after the terrorist attacks
range of services.                                     against the Pentagon, the World Trade Center,
                                                       and the crash in Pennsylvania. The San Diego RCFL
                                                       processed over 29 separate service requests, and
Computer forensics expertise                           examined over 40 computers and hundreds of
                                                       pieces of loose media. Concurrently, the Lab pro-
Computer forensics expertise may fall into the         vided technical and operational assistance to the
following categories:                                  FBI’s Newark Division, which was inundated at that
                                                       time. Meanwhile, the North Texas RCFL single-
  Pre-seizure consultation                            handedly processed over 50% of the digital evi-
  On-site seizure collection                          dence involving the aftermath of September 11.
  Duplication, storage and preservation of digital    Thanks to the operational capabilities of all the
   evidence                                            RCFL Examiners, every request was processed in
  Impartial examinations of digital evidence          record time, providing key FBI personnel with
  Documenting the work and nature of requests         results, at times, in a matter of hours.
   in preparation for testimony
  Courtroom testimony                                 Reclaimed data from melted computer terminal
                                                       A suspect rang the doorbell of his victim, fatally
   In FY 2003, the RCFL Program accepted 1444          shot him five times in the face, and then set
requests for service, participated in 196 search       a computer in the victim’s house on fire. The Dallas
and seizure operations, and conducted 987 com-         Police Department brought the once smoldering
puter forensic examinations. To request an RCFL’s      mound of plastic that was a computer, to the North
assistance, a law enforcement agency must com-         Texas RCFL for examination. The Examiners re-
plete and submit a simple form to the RCFL. This       placed the computer’s melted circuit board with
process is extremely convenient, as each RCFL has      the same exact model. As if that wasn’t enough of
a dedicated website with a specific section de-         a challenge, they next had to retrieve a floppy disk
voted to requesting assistance.                        that was now shaped like an ‘‘S.’’ After removing
   RCFLs support a variety of white collar, violent,   the casing, putting it into a new sleeve, and
and cyber crimes. These investigations include         repeatedly cleaning the disk, it finally yielded
fraud, child pornography, terrorism, computer in-      the valuable digital evidence that the Examiners
trusions and Internet crimes just to name a few.       so meticulously searched for. In this case, high
Examples of some of the RCFL success stories follow.   technology took a back seat to perseverance,
                                                       patience, and fierce determination.
Internet stalking case
In 1999, the state of California enacted one of the    Training
toughest cyber stalking laws in the US. Shortly
after the law’s passage, the San Diego RCFL            Training is the cornerstone of the RCFL Program,
supported an Internet stalking case that was           and as such, is one of the most sought after, highly
brought to trial. An ex-husband impersonated his       regarded offerings of the Program. This training
ex-wife over the Internet by engaging in ‘‘cyber’’     takes two forms:
relationships with several men. He gave the men
his ex-wife’s phone number and urged them to call      1) Training law enforcement personnel in a
her. When authorities seized the suspect’s com-           region e Each RCFL is equipped with a modern
puter and provided it to the San Diego RCFL for           computer classroom where they train law
examination, at first, the Examiners found no              enforcement personnel regarding handling sen-
direct evidence in the active files. In time, they         sitive electronic equipment that becomes
unearthed over 500 ‘‘chat’’ logs in the unused            evidence, computer investigation techniques,
portions of the hard drive detailing the ex-              and computer forensics. In FY 2003, the RCFL
husband’s illicit activities on the Internet. When        Program trained 1541 law enforcement officers
this information was presented at trial in 2000,          in these techniques. The benefits of having
the suspect was convicted of felony stalking              a knowledgeable workforce in computer foren-
charges.                                                  sics are immeasurable. A highly trained work
                                                          force will enhance the preservation of digital
September 11 terrorist attack                             evidence, and will help prosecutors convict
Examiners from both the San Diego and North Texas         those individuals who use computer technology
RCFLs supported the ‘‘PENTTBOM’’ investigation,           to facilitate a crime.
Building FBI computer forensics capacity: one lab at a time                                           181

2) Training RCFL detailees e The NPO coordinates      by all of the laboratories in the Program. Some of
   the training of all RCFL Examiners and Exam-       these technologies include the following:
   iner candidates. These individuals receive six
   weeks of standard FBI-approved computer            Write blocker technology e The San Diego RCFL
   forensics training during their first year, and     tested the write blocker technology that allows
   up to three weeks of training in computer          the user to read all the files on a computer’s hard
   techniques and tools thereafter. Many Exam-        drive without the risk of damaging or altering any
   iners cite this training and certification as one   of the stored information. Today, every RCFL and
   of the major benefits of participating in the       the FBI’s CART are applying this technology with
   Program. In FY 2003, 56 RCFL Examiners             great success.
   received FBI-sponsored training, and six Exam-
   iners returned to their home agencies, further     Storage area network (SAN) e The North Texas
   building computer forensics capacity in the San    RCFL developed the ‘‘SAN’’ or storage area
   Diego and North Texas regions. Former Exam-        network. A SAN is a single repository that contains
   iners can still access the FBI’s prestigious       data for an individual case, and enables the
   training and certification resources thanks to      Examiner to load large amounts of data to a single
   the ‘‘Associate Examiner Program.’’ This pro-      location for examination and review by investiga-
   gram is critical in helping former Examiners       tors. After being sufficiently tested in FY 2003, the
   hone their skills and to stay abreast of new       SAN technology was exported to other RCFLs
   technologies.                                      throughout the Program and the FBI.

                                                        The write blocker and SAN technologies
                                                      both reflect the collaborative spirit of the
 Image Scan                                           RCFL Program. By taking the lead in developing
                                                      new technologies, the Program is producing
 The FBI’s CART program developed this Linux-         cutting-edge tools that benefit all of law
 based software tool to assist investigators with     enforcement.
 identifying potential evidence of crimes. This
 tool protects valuable computer evidence by
 booting up the computer using the Linux              Future plans
 operating system. Image Scan mounts the hard
 drive in a read only manner, and then prompts        The NPO has identified two major goals aimed at
 the investigator to search for pictures files only.   strengthening the Program. They are:
 During this process, the tool logs every step
 taken by the investigator during this consent          Growing the program while maintaining qual-
 search process. Because Image Scan is primarily         ity e Nine RCFLs are scheduled to join the
 used during the investigative stage, it can             Program over the 2004e2005 time frame. The
 determine if contraband is present on a seized          NPO, in coordination with the representatives
 computer. Currently, each RCFL assigns an               of each new RCFL, are establishing standard-
 Examiner to teach investigators how and when            ized procedures, quality controls, and pro-
 to apply this tool. To date, it has been used on        cesses for each facility.
 hundreds of cases, and has helped bring child          Increasing agency participation e In FY 2003,
 predators to justice.                                   38 law enforcement agencies participated in
                                                         the RCFL Program. In order to keep pace with
                                                         the casework, the RCFL Program has made
                                                         a commitment to increase the number of
                                                         participating Examiners and agencies involved
Research and development                                 with each facility. Increased involvement will
                                                         continue to build capacity and capabilities for
Each RCFL has a number of activities and services        the regions served by each RCFL.
they perform, with research and development
being one of them. Each RCFLs has its own unique
needs, therefore, each laboratory is pursuing         Conclusion
different technologies to meet specific require-
ments. Once a technology is sufficiently tested and    The Program’s continued growth and long list of
approved, the application is recommended for use      accomplishments are a testament to the original
182                                                                                      D.A. Schmitknecht

RCFL model. This pilot project, which started        To request an RCFL information package, send
in San Diego, has evolved into America’s premier   an email to info@nationalrcfl.org, or visit our
computer forensic laboratory network. As the       website on www.rcfl.gov.
great football coach Vince Lombardi once said,
                                                   Douglas A. Schmidtknecht is a nineteen-year veteran of the
‘‘The achievements of an organization are          FBI. Prior to becoming the Chief of the RCFL National Program
the results of the combined effort of each         Office, he was a member of the FBI’s elite Computer Analysis
individual.’’                                      Response Team.

				
DOCUMENT INFO
Categories:
Tags:
Stats:
views:26
posted:5/16/2011
language:English
pages:6