LINTHICUM, Md.: For many, cyberspace is a vast and intangible place. A land of green ones and zeros floating on a sea of black, where an e-mail originated in Switzerland can travel to a server in Mozambique within a matter of seconds.
In the ever-changing landscape of cyberspace, information can be hidden anywhere and information can be passed in a variety of ways. Criminals and terrorists can disguise themselves as friends and break into vital information systems and even the personal lives of anyone who ventures into the realm.
That’s where the men and women of the Defense Cyber Crime Center's Defense Computer Forensics Laboratory step in. Servicemembers and civilians here are trained to find the clues in cyberspace to solve crimes.
“DC3 is the national center of excellence for digital forensics, digital investigations (and) cyber crime investigations,” said Jim Christy, the DC3 director of future exploration. “Almost every crime has a digital nexus. You have wrist watches that can store data, your cell phone. Just about everything you have in your life today in your office, your home or your car now collects a lot of data and captures it digitally. We need digital forensic examiners to be able to find what’s relevant to an investigation forensically so it’ll stand up in court.”
DC3 comprises the Defense Industrial Base Collaborative Information Sharing Environment, Defense Cyber Crime Institute, Defense Cyber Investigations Training Academy, National Cyber Investigative Joint Task Force Analytical Group and Defense Computer Forensics Laboratory.
In 2010, analysts from DC3 have combed through almost 300 terabytes of information. That’s 13 Libraries of Congress worth of information: more than 144,500,000 items including books, photos, audio CDs, pamphlets, newspapers, sheet music and more.
One recent triumph for the Air Force Office of Special Investigations and DC3 analysts was their involvement in an investigation that led to the trial and conviction of a spy for the Chinese government, Noshir Gowadia. He is now facing multiple life sentences.
Air Force officials and the DC3 team often work hand-in-hand on a variety of cases.
“The Air Force and (Department of Defense) are a microcosm of society,” Mr. Christy said. “Unfortunately, we’re going to have criminals in the Air Force and people outside the Air Force that victimize us. Whether it be a fraud case, espionage or terrorism. We (also) work with the aircraft mishap program to recover the digital video or audio tapes for the safety boards.”
And when the proper technologies aren’t available, DC3 teams create them.
Mr. Christy said that in 1991 he and his deputy at the time were working on a case in which they needed to retrieve some information from cut-up floppy disks. There was no process to do it at the time, so they created one.
Their innovation led to the suspect being convicted of homicide.
Just as in other forensic specialties, when a search warrant is executed, cyber evidence must be handled carefully to maintain its integrity.
“The academy trains investigators . . . to maintain the integrity of that evidence,” Mr. Christy said. “Then it will come here to the lab and it’s processed. There’s always a chain of custody, it’s always under control. Unlike other forensic disciplines, we can clone evidence. We can make as many scientific clones as we need to work on. Then we do our forensic examination on that clone.”
Analysts must ensure their findings follow a repeatable and sustainable process. To help with that, there are laboratory support staff members like Master Sgt. Monty St. John, who works as the quality assurance chief.
“As the QA chief I have a couple different roles. My primary one is for the laboratory,” Sergeant St. John said. “As our analysts and forensic scientists work through a case and they finish it, the last step before we send it to our customer is to make sure that everything is in order and also that we’ve met with everything they’ve requested. Additionally, I look at it to make sure that what we’re giving them complies with the policies that we’ve put together both from DC3 and Air Force wise. Of course what the court requires is very important as well, so we want to make sure we meet their requirements as well.”
Teams at DC3 also handle a more tangible side of cyber crimes. Agents at the center received a computer hard drive that had been thrown into the Potomac River and lay in the murky water for months before it was recovered. The credulous suspect thought the information on the computer would not be retrievable from the water-logged machine. But the experts at DC3, after months of gently removing debris using an alcohol bath and sonic vibration machine, are almost ready to put the drive into a new machine to retrieve the information.
But the mission of the team at DC3 is not to prove people guilty. It’s to unveil the truth.
“What we do is more than looking for the ‘bad guy’, to coin a term,” Sergeant St. John said. “We’re also trying to make sure that the people that we’re looking at, there’s not a chance that we can exonerate them, that they’re actually innocent of everything that’s being put against them as a charge. We scrutinize to a very detailed level that that’s actually the case. So if there’s an allegation against someone, we make sure there’s evidence to back that up.”