By William Jackson
The discipline of digital forensics is quickly becoming more
professional as standards are established and courts are beginning to
require that evidence be processed only in certified laboratories.
But professionalism does not come cheap. In fact, its tremendously
expensive, said Jim Christy of the Defense Departments Cyber Crime
Center, which runs the nations largest certified digital forensics lab.
Christy told an audience of security professionals Wednesday at the
Black Hat Federal Briefings in Arlington, Va., that keeping up
certification for the lab, its personnel and its hardware and software
accounts for up to 40 percent of the labs overhead. Faced with these
requirements and the challenge of processing rapidly growing volumes of
data, the Cyber Crime Center needs industrys help.
One of the reasons Im here is to appeal to the vendors to crate the
tools and processes to help us process the evidence in a timely manner,
One of the greatest needs is tools for testing and evaluating hardware
and software used in the lab.
Digital forensics is the discipline of analyzing and preparing digital
evidence in criminal investigations. Christy is a pioneer in computer
crime investigation, with more than 30 years experience in the field.
When he began, there were no standards or guidelines for how to gather
and handle this data. Today it is a structured and increasingly
regulated field. In 2003, the American Society of Crime Lab Directors
set standards for certifying digital forensics labs.
All tools used in the lab have to be certified to these standards, and
all personnel have to be tested and evaluated annually. All work on
evidence done by an analyst must be reviewed by other certified
analysts. The failure of an analyst could jeopardize any convictions in
recent trials for which the analyst testified or prepared evidence.
The accreditation program still is in its infancy. There are 327
accredited general forensics labs in the country, Christy said, but only
12 accredited digital forensics labs. With more than 19,000 law
enforcement agencies in the country, most with fewer than 25 officers,
demands on certified labs are growing.
The Cyber Crime Center lab has 90 analysts. But its workload is growing
faster than its workforce. The number of digital devices from which
evidence can be gleaned is growing rapidly, and now includes iPods and
X-Box game consoles as well as PCs, GPS devices and cellular phones. The
volume of data gathered in a single investigation can rapidly amount to
The Cyber Crime Center lab handled about 12 terabytes of data in 2001,
Christy said, and 156 terabytes in the 700 cases it handled last year.
At the same time, the turnaround time for each case has decreased, from
89 days in 2003 to 41 days in 2006.
You need bigger and better tools, to handle that volume of data, Christy
Christy recently retired as a special agent from the Cyber Crime Center
and now heads up the centers newly formed Futures Exploration division,
an outreach program to seek support from industry and academia. As part
of that outreach, the center announced the DC3 challenge at last Augusts
Black Hat Briefings in Las Vegas. The contest was a set of 11 challenges
on data recovery and analysis. Twenty-one teams entered and the winner,
a team from Access Data, won a trip in January to the Defense Cyber
Crime Conference in St. Louis.
One of the challenges was to recover data from a broken CD, a problem
for which the lab had no solution. Eleven of the teams solved that
problem, Christy said. And they all had different techniques. So now
when a damaged CD comes in as evidence, analysts have 11 techniques to
use on it.
The challenge will be repeated this year. One of the tasks likely to be
included will be recovery of data from the BitLocker encryption feature
in Microsofts Vista operating system.
Visit the InfoSec News Security Bookstore!