PARC Forum
Silicon Valley Regional Computer Forensic Laboratory (RCFL)
Special Agent Chris Beeson
FBI San Francisco
Computer Analysis Response Team

Responsibility: preserve computer evidence
Computer forensics
- impartial examination/analysis of computer evidence
- extracting evidence w/o tampering
- ability to present evidence in a court of law (dumbing down evidence)
Digital paper trails
- internet
- online banking
- cell phones
- pda/digital camera, etc...
- network connected devices
- access control systems (work, FastTrak)
Result of digital paper trails
- traditional crimes producing lots of digital evidence
- gangs
- drug dealers
- e.g. bank robber printed robbery note on printer, recovered from laptop
- cyber crimes producing complex digital evidence
- law enforcement (at all levels) unprepared for large amounts of digital data
Every law enforcement officer
- knows who will do the DNA, drug, firearms testing
- but they don't know who will do computer evidence testing/processing
- law enforcement officers often don't seize computer evidence because they don't know how to handle it
Growth in data processed by CART:
- FY '99: 13 TB
- FY '02: 475 TB
Examples in data seizure/processing:
- 1993 trade bomb: two computers' worth of data
- 1995 Okbomb: data, if printed, would fit in a footlocker
- 2001 Penttbom: more data seized than in Library of Congress
1 GB = 1 pickup filled with paper
1 TB = 50,000 trees made into paper and printed
Processing data
- Current backlog is about 3-6 months
- Giving to private industry to process is expensive
What is the RCFL?
- single service forensic lab for processing computer evidence
- law enforcement partnership
- available to any law enforcement officer in the area
George Takei video for RCFL
Q&A
Main challenge: locating information
- encryption
- steganography
- large volumes of data (needle in a haystack)
- partial solution: use data reduction technologies
- e.g. keep MD5 hash of common installation files (e.g. AOL install files) and remove those from data
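The known-file data reduction described above, as an added example not from the talk: a constructed set of pristine installer files is hashed once, then every file in a (constructed) evidence set whose hash matches is dropped from the review queue, and the remaining files are grouped by hash so duplicate copies are examined only once. File names and contents are made up for illustration.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed sample "evidence" files (path -> contents); not real seized data.
EVIDENCE_FILES: Dict[str, bytes] = {
    "aol/setup.exe": b"AOL INSTALLER STUB v9",
    "aol/readme.txt": b"Welcome to AOL",
    "windows/notepad.exe": b"MZ notepad stub",
    "docs/letter.txt": b"meet at the usual place, bring the bag",
    "docs/note_copy.txt": b"meet at the usual place, bring the bag",  # same content
}

# Constructed known-file set: hashes of files from pristine installation media,
# pre-computed so identical copies found on a seized drive can be set aside.
KNOWN_INSTALL_FILES: Dict[str, bytes] = {
    "AOL9/setup.exe": b"AOL INSTALLER STUB v9",
    "AOL9/readme.txt": b"Welcome to AOL",
    "WINXP/notepad.exe": b"MZ notepad stub",
}


def md5_hex(data: bytes, chunk: int = 1 << 16) -> str:
    """Hash in fixed-size chunks so a very large file need not sit in memory at once."""
    h = hashlib.md5()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def build_known_set(files: Dict[str, bytes]) -> Set[str]:
    """Hash every file on the known-good media; only the digests are kept."""
    return {md5_hex(content) for content in files.values()}


def reduce_evidence(evidence: Dict[str, bytes], known: Set[str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split evidence into (files to review, files filtered as known).

    Nothing is deleted from the image; only the examiner's review queue shrinks.
    Both dicts map path -> md5 so the filtering decision stays auditable."""
    review: Dict[str, str] = {}
    filtered: Dict[str, str] = {}
    for path, content in evidence.items():
        digest = md5_hex(content)
        (filtered if digest in known else review)[path] = digest
    return review, filtered


def dedupe_review(review: Dict[str, str]) -> Dict[str, List[str]]:
    """Group the remaining files by hash so identical copies are examined once."""
    groups: Dict[str, List[str]] = {}
    for path, digest in review.items():
        groups.setdefault(digest, []).append(path)
    return groups
```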
Majority of work: personal computers
- some work with ISPs
Spam
- FBI does not do much with spam, except in cases of DoS where cost can be quantified
- most of spam untraceable
What ensures protection of evidence?
- FBI has traditional means of controlling evidence
- have to get new search warrants if they stumble upon evidence of other crimes while sorting through evidence
Patriot Act
- Removes limitations for surfing public Web sites
- Prior to Patriot Act couldn't peruse Web sites more than a certain number of times