
Forum: Regional Computer Forensic Laboratory (RCFL)

PARC Forum
Silicon Valley Regional Computer Forensic Laboratory (RCFL)
Special Agent Chris Beeson
FBI San Francisco
Computer Analysis Response Team

05-08-03 FBI RCFL Forum Poster

Responsibility: preserve computer evidence

Computer forensics
- impartial examination/analysis of computer evidence
- extracting evidence w/o tampering
- ability to present evidence in a court of law (dumbing down evidence)

Digital paper trails
- internet
- online banking
- cell phones
- pda/digital camera, etc...
- network connected devices
- access control systems (work, FastTrak)

Result of digital paper trails
- traditional crimes producing lots of digital evidence
   - gangs
   - drug dealers
   - e.g. bank robber printed robbery note on printer, recovered from laptop
- cyber crimes producing complex digital evidence
- law enforcement (at all levels) unprepared for large amounts of digital data

Every law enforcement officer
- knows who will do the DNA, drug, firearms testing
- but they don't know who will do computer evidence testing/processing
- law enforcement officers often don't seize computer evidence b/c they don't know how to handle it

Growth in data processed by CART:
- FY '99: 13 TB
- FY '02: 475 TB

Examples in data seizure/processing:
- 1993 Tradebom (World Trade Center bombing): two computers' worth of data
- 1995 Okbomb (Oklahoma City bombing): the data, if printed, would fit in a foot locker
- 2001 Penttbom (9/11 investigation): more data seized than is held in the Library of Congress

1 GB = 1 pickup filled with paper
1 TB = 50,000 trees made into paper and printed

Processing data
- Current backlog is about 3-6 months
- Giving to private industry to process is expensive

What is the RCFL?
- single service forensic lab for processing computer evidence
- law enforcement partnership
- available to any law enforcement officer in the area

George Takei video for RCFL

Q&A

Main challenge: locating information
- encryption
- steganography
- large volumes of data (needle in a haystack)
- partial solution: use data reduction technologies
   - e.g. keep MD5 hashes of common installation files (e.g. AOL install files) and remove any file in the seized data whose hash matches
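The hash-based data reduction mentioned above, as an added example (my code, not anything from the talk or the RCFL): hash a trusted reference install, then drop every seized file whose content hash matches, so only unknown or modified files are left for the examiner. The "install" and "evidence" file sets are constructed in memory so it runs offline.

```python
# Known-file filtering for a forensic examination: remove files that match a
# reference set of hashes (e.g. a clean AOL install) so only unknown data remains.
# Added example; the sample file contents below are constructed, not real evidence.
import hashlib
from typing import Dict, Iterable, Set, Tuple


def digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of a file's contents. MD5 is what the talk names; pass
    algo="sha256" to use a collision-resistant hash alongside or instead."""
    return hashlib.new(algo, data).hexdigest()


def build_known_set(known_files: Iterable[bytes], algo: str = "md5") -> Set[str]:
    """Hash every file from a trusted reference install tree."""
    return {digest(data, algo) for data in known_files}


def reduce_evidence(evidence: Dict[str, bytes], known: Set[str],
                    algo: str = "md5") -> Tuple[Dict[str, bytes], int]:
    """Drop files whose hash is in the known set; return what remains and how
    many were removed. Matching is by content only: a renamed copy of a known
    file is still removed, while a known file with one byte changed is kept."""
    remaining = {name: data for name, data in evidence.items()
                 if digest(data, algo) not in known}
    return remaining, len(evidence) - len(remaining)


# Constructed: two files from a "clean install" reference set.
KNOWN_INSTALL = [b"AOL setup binary v1", b"AOL readme text"]

# Constructed: a seized file set containing copies of those files plus user data.
EVIDENCE = {
    "Program Files/AOL/setup.exe": b"AOL setup binary v1",
    "Program Files/AOL/readme.txt": b"AOL readme text",
    "Program Files/AOL/setup_old.exe": b"AOL setup binary v1",   # renamed copy: removed
    "Program Files/AOL/setup.exe.bak": b"AOL setup binary v2",   # modified: kept
    "My Documents/note.txt": b"meet at 10, bring the bag",       # user data: kept
}

if __name__ == "__main__":
    known = build_known_set(KNOWN_INSTALL)
    remaining, removed = reduce_evidence(EVIDENCE, known)
    print(f"removed {removed} known files, {len(remaining)} left for examination")
    for name in sorted(remaining):
        print("  review:", name)
```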

Majority of work: personal computers
- some work with ISPs

Spam
- FBI does not do much with spam, except in cases of DoS where cost can be quantified
- most of spam untraceable

What ensures protection of evidence?
- FBI has traditional means of controlling evidence
- have to get new search warrants if they stumble upon evidence of other crimes while sorting through evidence

Patriot Act
- Removes limitations for surfing public Web sites
- Prior to Patriot Act couldn't peruse Web sites more than a certain number of times


This page contains a single entry from kwc blog posted on May 8, 2003 5:02 PM.
