Jim Christy, Special Agent ret - PowerPoint PPT Presentation

Slides: 100
Provided by: dia

1
  • Jim Christy, Special Agent (ret)
  • Director, Futures Exploration (FX)
  • Defense Cyber Crime Center

2
Overview
  • Legal issues
  • What is digital evidence?
  • How powerful is it?
  • Digital Forensics: an evolving discipline
  • Operations
  • DoD Cyber Crime Conference
  • Training
  • DCISE
  • NCIJTF

3
DC3 Mission Environment
Opposite of Nuclear Attack
4
DC3 Mission Environment
Cyber Attack
5
DC3 Mission Environment
US Law Enforcement Jurisdiction
Military Intel Community Exclusion Zones
6
First Part of Problem
Speed Counts!
7
The Second Part of Problem
The Legal Environment is Geo-Centric
8
The Internet: Everybody's Using It
Company A, Company B, Company C, Company D, Government A, Government B
"The Gov't's here to help... What's that I'm stepping in?"
Courtesy Mongabay Photo
9
The Internet... Ain't it Beautiful!
Courtesy John H. Fields Photo
10
But It's a Jungle Out There!!!!
11
Are They In Your Network?
12
That's a Rhetorical Question...
13
DC3 Mission Environment
Confounds Traditional Investigations
  • Crosses Jurisdictions
  • Exploits Policy Gaps
14
Digital Proliferation
Drives Requirements: Policy, Staff, Infrastructure, Training
15
DNA
  • DNA analysis has made appearances in U.S.
    courtrooms since 1987
  • Used in less than 1% of all criminal cases
  • DNA can provide the WHO

Although it shows up in 90% of all TV's cases
16
Power of Digital Forensics
  • Digital Evidence can potentially provide:
      • Who?
      • What?
      • When?
      • Where?
      • Why?
      • How?

Not Processed in 10 Minutes Like TV
17
Your Digital Trail
  • When you left your house and set the alarm
  • Your drive to work
      • How you paid for your gas and how much
      • When you paid for it
      • Where you were when it was purchased
      • Digital surveillance video of you and your car
  • Your bank
      • Your financial status
      • What ATM you used and how much you withdrew
      • Digital surveillance video
      • Credit card statements
  • Your car
      • When your car was serviced
      • Maybe how fast you went (black boxes)
      • GPS records where you went and when
      • Red light cameras

18
Your Digital Trail
  • Your job
      • When you arrived and departed (badge reader)
      • When you logged on and off the network
      • All of your email traffic
      • What files you touched and when
      • What websites you frequent and how often
      • What you searched for with search engines
      • Who you called and duration of phone calls
      • Trade secrets
  • Drive home
      • What you purchased at the grocery store
      • Detailed shopping list
      • GPS provides actual route taken
      • OnStar????

19
Your Digital Trail
  • Your cell phone calls
      • Who called you
      • Who you called
      • Your contacts' info
      • IMs sent & received
      • Pictures
  • When you arrived home and deactivated the alarm
  • Who called you on your home phone
  • When you opened your refrigerator
  • What your DVR/TiVo recorded for you
  • Your taxes

Powerful Evidence
20
Your Digital Trail
  • Your medical records
      • Doctor's notes
      • Prescriptions
      • Appointments
  • Camera
      • Pictures
      • Videos
  • PC
      • When you checked your email
      • What you deleted and when
      • Who tried to access your system (firewall logs)

Powerful Evidence
21
Your Digital Trail
  • Social Networking Sites
      • Facebook
      • MySpace
  • Dating Sites
      • eHarmony
      • Match.com
      • Chemistry.com
      • Yahoo Personals
  • Second Life

Powerful Evidence
22
Tools of the Trade
  • You're an Executive, Criminal, Spy, or Terrorist
      • You need reliable communication
      • You need your documentation/plans
      • You need your partners' contact information
      • You need to be able to do business wherever you
        are
      • You need to be mobile
  • What tools would you select?
      • Internet?
      • Smart phones?
      • Laptops?

Powerful Evidence
23
Steganography
Steganography: the art and science of writing hidden messages. Covert communication.
Hard to Detect, Harder to Extract
24
Steganography
25
Steganography
Systems Administrator encrypts and stegs a document into a website picture
26
Steganography
Sys Adm replaces the original picture on the website with the loaded picture
27
Steganography
Bad Guy goes to the website and right-clicks on the picture to copy the image to their system
28
Steganography
Bad Guy extracts and decrypts the payload
Hard to Detect, Harder to Extract
29
Steganography
Literally Hundreds of Freeware Steg Programs Available
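The sequence on slides 25 through 28 is the defender's cue for file integrity monitoring: a steganographically loaded picture renders exactly like the original, so looking at the website finds nothing, but the bytes differ. The Python below is an added example, not code from the slides or from DC3. The tiny "site", the stand-in for a steg tool's output, and the function names are constructed for illustration. It baselines the published assets by SHA-256 hash and size, then reports any replaced, added or removed file.

```python
"""Added example (not from the slides): detecting a swapped web image by
hash-based integrity monitoring.  A steganographically loaded picture looks
identical to a viewer, but its bytes differ, so a baseline of SHA-256 hashes
taken when the site is published flags the replacement."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_baseline(assets: dict[str, bytes]) -> dict[str, tuple[str, int]]:
    """Record (sha256, size) for every published asset path."""
    return {path: (sha256_hex(data), len(data)) for path, data in assets.items()}


@dataclass
class IntegrityReport:
    modified: dict[str, dict] = field(default_factory=dict)
    added: list[str] = field(default_factory=list)
    removed: list[str] = field(default_factory=list)

    def clean(self) -> bool:
        return not (self.modified or self.added or self.removed)


def check_integrity(baseline: dict[str, tuple[str, int]],
                    current: dict[str, bytes]) -> IntegrityReport:
    """Compare what is served now against the baseline taken at publish time."""
    report = IntegrityReport()
    for path, (old_hash, old_size) in baseline.items():
        if path not in current:
            report.removed.append(path)
            continue
        new_hash, new_size = sha256_hex(current[path]), len(current[path])
        if new_hash != old_hash:
            report.modified[path] = {"old_sha256": old_hash,
                                     "new_sha256": new_hash,
                                     "size_delta": new_size - old_size}
    report.added = sorted(p for p in current if p not in baseline)
    return report


# Constructed sample "site": a fake PNG-like blob stands in for the photo.
PUBLISHED_SITE = {
    "/index.html": b"<html><img src='/images/team.png'></html>",
    "/images/team.png": b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4,
}


def simulate_loaded_picture(original: bytes) -> bytes:
    """Stand-in for a steg tool's output: same header and same length, a few
    low-order bits flipped in the body (constructed, not a real embedding)."""
    body = bytearray(original)
    for i in range(16, len(body), 37):
        body[i] ^= 0x01
    return bytes(body)


def demo() -> IntegrityReport:
    """Baseline the published site, swap the picture, and run the check."""
    baseline = take_baseline(PUBLISHED_SITE)
    tampered = dict(PUBLISHED_SITE)
    tampered["/images/team.png"] = simulate_loaded_picture(PUBLISHED_SITE["/images/team.png"])
    return check_integrity(baseline, tampered)


if __name__ == "__main__":
    r = demo()
    print("clean" if r.clean() else f"modified: {sorted(r.modified)}")
```

The report names /images/team.png as modified with a size delta of 0, which is exactly the case a size-only or visual check misses. In practice the baseline is taken from the build artifact, stored away from the web server, and compared on every deploy or on a schedule.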
30
Technological Challenges
  • Encryption
  • Steganography

31
Power of Digital Forensics
  • Our Challenge: VOLUME!!!!!
32
Common Frame of Reference
  • Legend
      • 1 Page (pure text) = 4,800 characters
          • 80 characters per line
          • 60 lines per page
      • Ream (500 pages = 2,400,000 characters)
      • File cabinet drawer (10 reams, or 24,000,000
        characters)
      • 5-drawer file cabinet (120,000,000, or 120 GB)

33
Media Volume
Volume Continues to Grow Dramatically Each Year
34
PC Hard Drive Capacities
Size Continues to Shrink Each Year
35
Typical Household Plus Work Site?
Over 1 Terabyte
or 8,333 File Cabinets
36
DC3 Mission Environment Digital Fingerprints
37
DC3 Operations - Synergistic Capabilities
  • Defense Computer Forensics Laboratory (DCFL):
    Accredited Digital Forensics Laboratory
  • Defense Cyber Investigations Training Academy
    (DCITA): Cyber Investigative Training &
    Certification
  • Defense Cyber Crime Institute (DCCI): Digital
    Forensics RDT&E
  • National Cyber Investigative Joint Task Force
    Analytical Group (NCIJTF-AG): All Source Cyber
    Analytical Fusion for Cyber Investigations /
    Operations
  • DoD-DIB Collaborative Information Sharing
    Environment (DCISE): Protection of the Defense
    Industrial Base info on unclassified networks

38
DC3 - Confluence of Many Key Communities
CNA
Law Enforcement
Homeland Defense
Information Assurance
Safety
CNE
Intelligence
CND
Forensics
Counterintelligence
Counterespionage
Counterterrorism
Critical Infrastructure Protection
And Many Lanes in the Road.
39
DC3 Present - DoD People & Processes
  • DCFL: Supports ALL Investigations & Operations (Complex & Targeted)
  • Computer Crime Investigator: Supports Complex Cyber Investigations
  • DCCI: RDT&E
  • DCITA: Training
  • Agents: Conduct Investigations
  • DC3 CCI & Digital Examiner Certifications
40
Forensic Ops 101
  • Media Imaging
      • High Speed
      • Integrity
      • Hash Verification
      • Mirror Image, Multiple Copies
      • Seized Media In Every Format
  • Science Applied for Legal Purpose
      • Filtering
          • Known Files
          • Deleted Files
          • Hidden Files
          • Slack Space
          • Unallocated Space
          • Cross-Linked Files
          • Encryption
          • Meta Data
      • Analysis of Suspicious Data
          • Content Review
          • String Search
          • Data File Recovery
          • Password Cracking
          • Decryption
          • ??
  • Admissible Evidence, Clues, Leads, Forensic Report, Testimony

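Slide 40's pipeline (image the media, verify the image by hash, filter out known files by hash, then search what is left including slack and unallocated space) in working Python. This is an added example, not DC3's code or tooling. The eight-sector "disk", its file records and the known-good hash set are constructed sample data, and SHA-256 stands in for whatever hash the lab's tools use.

```python
"""Added example, not DC3's code: the Forensic Ops 101 steps in miniature.
Image the media, verify the image by hash, filter known files by hash, then
string-search what remains, including slack and unallocated space.  The media
contents and the known-file hash set are constructed sample data."""
import hashlib
from dataclasses import dataclass

SECTOR = 64  # constructed: a tiny sector size keeps the offsets readable


@dataclass(frozen=True)
class FileRecord:
    """A directory entry: where an allocated file lives in the image."""
    name: str
    offset: int
    length: int


def build_sample_media() -> tuple[bytes, list[FileRecord]]:
    """Constructed 8-sector 'disk' with two allocated files and the remains
    of a deleted file whose directory entry is gone but whose bytes are not."""
    media = bytearray(SECTOR * 8)
    records: list[FileRecord] = []

    def write(sector, payload, name=None):
        off = sector * SECTOR
        media[off:off + len(payload)] = payload
        if name:
            records.append(FileRecord(name, off, len(payload)))

    write(0, b"Standard OS readme, identical on every install.", "readme.txt")
    write(2, b"meeting with partner at 0900, bring the plans", "notes.txt")
    write(5, b"wire transfer to account 000-SAMPLE")  # deleted: no record left
    return bytes(media), records


def image_media(source: bytes) -> tuple[bytes, str]:
    """Bit-for-bit copy plus the SHA-256 taken from the source at acquisition."""
    return bytes(source), hashlib.sha256(source).hexdigest()


def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Re-hash the copy; any mismatch means the image is not the evidence."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash


def known_files(image, records, known_hashes) -> set[str]:
    """Names of files whose content hash is in a known-good set (NSRL-style)."""
    return {r.name for r in records
            if hashlib.sha256(image[r.offset:r.offset + r.length]).hexdigest() in known_hashes}


def unowned_ranges(image_len, records):
    """Byte ranges no directory entry owns: unallocated sectors plus the slack
    between each file's end and the next file's start."""
    ranges, cursor = [], 0
    for r in sorted(records, key=lambda r: r.offset):
        if r.offset > cursor:
            ranges.append((cursor, r.offset))
        cursor = max(cursor, r.offset + r.length)
    if cursor < image_len:
        ranges.append((cursor, image_len))
    return ranges


def string_search(image, records, keywords, skip=frozenset()):
    """Return (keyword, owner, absolute offset) hits in files not in `skip`
    and in every unowned byte range."""
    hits = []

    def scan(chunk, owner, base):
        for kw in keywords:
            i = chunk.find(kw)
            if i != -1:
                hits.append((kw.decode(), owner, base + i))

    for r in records:
        if r.name not in skip:
            scan(image[r.offset:r.offset + r.length], r.name, r.offset)
    for start, end in unowned_ranges(len(image), records):
        scan(image[start:end], "<unallocated/slack>", start)
    return hits


def run_exam():
    """Acquire, verify, filter, search: the slide's steps end to end."""
    source, records = build_sample_media()
    image, acquisition_hash = image_media(source)
    known = {hashlib.sha256(b"Standard OS readme, identical on every install.").hexdigest()}
    filtered = known_files(image, records, known)
    hits = string_search(image, records, [b"plans", b"wire transfer"], skip=filtered)
    return {"verified": verify_image(image, acquisition_hash),
            "filtered": sorted(filtered), "hits": hits}


if __name__ == "__main__":
    for key, value in run_exam().items():
        print(key, value)
```

The deleted file has no directory entry at all; the search finds its text only because every byte no entry owns is scanned, which is why the slide lists slack space and unallocated space separately from deleted files.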
41
DC3 Background - A Cyber Center
  • World class accredited digital forensics lab:
    FY08 789 exams, 221 terabytes, 100 people
  • Accelerated exams for Nat'l Security cases
  • Best choice for authoritative, deep digital
    analyses
  • Superior cyber inves / digital examiner training
  • 8,200 trained cyber inves / forensic analysts /
    NSA
  • DoD Certification Program launched Jun 06
  • Not sterile lecture: tool exploitation to solve
    cyber scenarios; exam req'd, college credit
    eligible
  • Nat'l benchmark software test & validation
  • Crucial predicate for valid / reliable /
    repeatable forensic results; sustains DoD
    objectives

Lab, Training Academy, R&D Creates Synergy
42
Defense Computer Forensics Laboratory
World's Largest Accredited Digital Forensics
Lab (ASCLD/LAB)
43
DC3 Operations - DCFL Terabytes, Time, Totals
UNCLASSIFIED - FOUO
(Chart: # of cases, days; effective 30 Sep 08)
44
Disk and Tape Repair
  • Repair of torn or cut Floppy Disks
  • Technique developed by AF Lab in 1991
  • Murder Case
  • Technique has been improved over the last 10
    Years
  • About 4-5 cases per year
  • Media Dryer (No Heat)

Homicide Case
45
Disk and Tape Repair
Victim Stabbed 42 Times
46
Disk and Tape Repair
Put 2 Disks Together Like Jigsaw Puzzle
47
Iron Wrinkles From Platters
  • To remove wrinkles, a modified soldering iron is used
    with a piece of brushed aluminum tubing.

Ironing the Disk Fragments
48
Spray Platters
  • To reveal tracks and sectors, spray each piece
    with a Magnetic Tape Developer.

Make Tracks & Sectors Visible
49
Find Starting Index
  • The starting index is a single line preceding two
    small lines; it marks the starting point of
    the first sector.
  • The arrows indicate the location of a starting
    index on a disk platter.

3 ½ inch Disk
50
Top Side and Bottom Side
  • Magnetic Tape Developer is used to determine the
    sides of a disk
  • The sides of a disk are not directly aligned over
    each other but are offset 4 to 8 tracks.

Top & Bottom Different
51
Court TV's Forensic Files
Documentary - 2005
52
Hard Disk Repair
53
Audio and Video Enhancement
  • Audio
      • Reduce Noise
      • Identify Voice
      • DTMF Telephone Numbers Dialed
      • Decode Fax Transmissions
  • Video
      • Reduce Noise
      • Image Stabilization
      • Increasing Size of Image
      • Frame Averaging
      • Recover Damaged Media

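Of the audio tasks on this slide, recovering the telephone number dialed from DTMF tones is the one that reduces to a well-known algorithm. The Python below is an added example, not from the presentation: it synthesizes a dialing sequence and decodes it with the Goertzel algorithm. The sample rate, frame length, silence threshold and the tones themselves are constructed; a real examination would feed PCM samples taken from the recording to decode() instead.

```python
"""Added example (not from the slides): recovering dialed digits from an
audio clip by DTMF decoding with the Goertzel algorithm.  The clip is
synthesized here (constructed sample input); a real exam would feed PCM
samples from the recording instead."""
import math

SAMPLE_RATE = 8000                       # Hz, telephone-quality audio
LOW_FREQS = (697, 770, 852, 941)         # DTMF row tones
HIGH_FREQS = (1209, 1336, 1477, 1633)    # DTMF column tones
KEYPAD = ("123A", "456B", "789C", "*0#D")  # rows = low tones, cols = high tones
FRAME = 205          # samples per analysis window (the usual choice at 8 kHz)
THRESHOLD = 2000.0   # Goertzel power below this is treated as silence


def digit_to_freqs(digit: str) -> tuple[int, int]:
    """Row and column tone for a keypad symbol."""
    for row, low in zip(KEYPAD, LOW_FREQS):
        if digit in row:
            return low, HIGH_FREQS[row.index(digit)]
    raise ValueError(f"not a DTMF digit: {digit!r}")


def synthesize(dialed: str, tone_ms: int = 100, gap_ms: int = 50) -> list[float]:
    """Constructed clip: each digit is the sum of its two tones, then silence."""
    samples: list[float] = []
    for d in dialed:
        low, high = digit_to_freqs(d)
        for n in range(SAMPLE_RATE * tone_ms // 1000):
            t = n / SAMPLE_RATE
            samples.append(math.sin(2 * math.pi * low * t) + math.sin(2 * math.pi * high * t))
        samples.extend([0.0] * (SAMPLE_RATE * gap_ms // 1000))
    return samples


def goertzel_power(frame, freq: float) -> float:
    """Energy of one frequency in a frame: a single-bin DFT via the Goertzel
    recurrence, cheaper than an FFT when only eight bins are needed."""
    omega = 2 * math.pi * freq / SAMPLE_RATE
    coeff = 2 * math.cos(omega)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def classify_frame(frame):
    """Keypad symbol for a frame, or None when either tone group is silent."""
    low_p = [goertzel_power(frame, f) for f in LOW_FREQS]
    high_p = [goertzel_power(frame, f) for f in HIGH_FREQS]
    if max(low_p) < THRESHOLD or max(high_p) < THRESHOLD:
        return None
    return KEYPAD[low_p.index(max(low_p))][high_p.index(max(high_p))]


def decode(samples) -> str:
    """Walk the clip frame by frame; a digit is emitted once per tone burst,
    and a silent frame resets so that repeated digits are kept apart."""
    digits, previous = [], None
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        d = classify_frame(samples[start:start + FRAME])
        if d is not None and d != previous:
            digits.append(d)
        previous = d
    return "".join(digits)


if __name__ == "__main__":
    print(decode(synthesize("5551212")))
```

The 50 ms gap between tones matters: consecutive frames showing the same digit are collapsed, so the two 1s in "1100#" are only recovered because a silent frame separates them.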
54
Damaged Media - Aircraft Mishap
55
Damaged Media - Aircraft Mishap
F-18 Video Recorder
56
Damaged Media - Aircraft Mishap
F-18 Video Recorder
57
Damaged Media - Aircraft Mishap
F-18 Video Recorder
58
Recover Information from Damaged Video
F-18 Video Recorder
59
Recover Information from Damaged Video
F-18 Heads-Up Display (HUD)
60
Recover Information from Damaged Video
F-18 Heads-Up Display (HUD)
61
Safety Support
F-15 Fleet Grounded - November 2007
62
Special Operations Support
  • Analyzed the first computer media of Operation
    Iraqi Freedom
  • DC3 was the first computer forensics team in
    Baghdad

Iraqi Theatre
63
Special Operations Support
  • DC3 seized and analyzed several hundred
    gigabytes of information
  • Team conducted multiple sensitive site
    exploitation missions

Iraqi Theatre
64
On Site Support
  • Support Operations
  • Court Appearance
  • Searches & Seizures
  • Task Forces
  • CI/CE Ops
  • Special Ops

65
Futures Exploration
66
8th Annual DoD Cyber Crime Conference
  • When: 23-30 January 2009
  • Where: St Louis, MO
  • Who:
      • Systems Administrators & Info Assurance
      • LE/CI Investigators / Forensic Examiners
      • Prosecutors

www.dodcybercrime.com
67
Hands-on Training
Exporting 250 Node Training Network
68
The Best & Cheapest Training Around
2-Day $150 / 2-2-Day $300
69
Conference Stats
  • Total Attendance: 1,079
  • Speakers: 175
  • Tracks: 14
  • Hands-on Training: 400
  • Classified Session: 169
70
Jeff Moss (Dark Tangent)
71
We Finally Got Him!
72
Mock Trial
73
Mock Trial
74
DC3 Dispatch
  • Categories
      • Cybercrime
      • Intrusions
      • Law
      • New Technology
      • Viruses/Vulnerabilities

To Subscribe to the FX DISPATCH Send Email to
Dispatch@dc3.mil
75
(No Transcript)
76
Purpose
DC3 Digital Forensic Challenge
  • Solve current trends and issues facing the
    digital forensics community
  • To develop new tools, techniques, and
    methodologies for the digital forensics community

77
Prize
DC3 Digital Forensic Challenge
  • The winning team won a free trip to the DoD Cyber
    Crime Conference in St. Louis, Missouri
  • Airfare
  • Lodging
  • Meals
  • Conference Fees
  • A Plaque

Prize: St Louis in the Winter
78
2006 Challenges
DC3 Digital Forensic Challenge 2006
  • Steganography: Using S-Tools
  • Audio Steganography
  • Password Cracking
  • Image Analysis: Real vs. CG
  • Data Carving: Linux LVM Interpretation
  • Data Acquisition: Boot a dd Image
  • Data Acquisition: Boot a Split dd Image
  • Media Recovery: Compact-Disc
  • Media Recovery: Broken Floppy-Diskette
  • Keylog Cracking
  • Metadata

79
Results
DC3 Digital Forensic Challenge 2006
  • Damaged CD Challenge was solved by 11 Teams
  • Team AccessData
  • Team 0x28 Thieves
  • Team The Professionals
  • Team HoyaHaxa
  • Team Hacker Factor
  • Team SRS
  • Team CodeMonkeys
  • Team NUCIA
  • Team DFAT
  • Team Backbone Security
  • Team Pirate

80
2008 Challenge
81
DC3 Digital Forensic Challenge 2008
  • 2009 Challenge Timeline
      • 1 Feb - Start accepting applications
      • 1 Mar - Shipping challenge packages
      • 1 Nov - Submissions due
      • 1 Dec - Winners announced
      • Jan 2010 - Awards presented at 2010 DoD Cyber
        Crime Conference

The DC3 Challenge Team: Tel (410) 981-1169, challenge@dc3.mil, www.dc3.mil
82
DC3 Digital Forensic Challenge 2008
Approved Team Affiliation
83
DC3 Digital Forensic Challenge 2008
Approved Team Affiliation
Participating Countries - 24
Countries US, ES, CH, IN, BE, UK, AU, AR, CL,
NZ, TN, CA, MX, RU, UY, CN, IT, FR, GB, BR, SG,
KR, FX, DE
Participating States - 39
States AL, AR, AZ, CA, CO, CT, DC, DE, FL, GA,
IA, ID, IL, KS, KY, LA, MA, MD, ME, MI, MN, MO,
MS, NC, NJ, NY, OH, OK, PA, SC, TN, TX, UT, VA,
VT, WA, WI, WV, WY
84
2008 Challenge Awards
85
DC3 Digital Forensic Challenge 2009
Approved Team Affiliation
Registered Team Affiliation
86
2008 Challenge
Now Co-Sponsoring
87
(No Transcript)
88
DCITA FY-09 Course Map
Courses (code - length):
  • Computer Incident Responders Course (CIRC) - 10 days
  • Introduction to Networks and Computer Hardware (INCH) - 10 days
  • Basic Cyber Investigations Course (BCIC) - 5 days
  • Network Monitoring Course (NMC) - 5 days
  • Large Data Set Acquisitions (LDSA) - 5 days
  • Wireless Technology (WT) - 5 days
  • Deployable Forensics (DEF) - 10 days
  • Network Exploitation Techniques (NET) - 5 days
  • Managing Computer Investigations (MCI) - 3 days
  • Advanced Log Analysis (ALA) - 5 days
  • Advanced Deployable Forensics (ADEF) - 5 days
  • CE-Online Linux (CEOL) - Self Paced
  • Intro to Computer Search and Seizure (ICSS) - 3 days
  • Live Network Investigations (LNI) - 10 days
  • Macintosh Forensic Examinations (McFE) - 10 days
  • EnCase Examinations (ENCASE) - 3 days
  • Online Undercover Techniques (OUT) - 5 days
  • Forensic Tool Kit (FTK) - 3 days
  • Data Recovery (DR) - 5 days
Legend: Technology Track, Responders Track, Forensic Track, Network Investigations Track, DoD Certifications; Red Border = No Prerequisites
DoD Certifications (prerequisite courses):
  • DoD Certified Basic Digital Media Collector: INCH, CIRC
  • DoD Certified Basic Digital Forensic Examiner: INCH, CIRC, WFE-E or WFE-FTK
  • DoD Certified Basic Computer Crime Investigator: INCH, CIRC, WFE-E or WFE-FTK, BCIC, (1) F-Course, FLETC (or equivalent)
89
Are They In Your Network?
90
Nation's Critical Infrastructures
  • Communication
  • Information Technology
  • Banking & Finance
  • Commercial Facilities
  • Government Facilities
  • Water
  • Energy
  • Dams
  • Nuclear
  • Food & Agriculture
  • Healthcare and Public Health
  • Chemical
  • Emergency Services
  • Defense Industrial Base
  • Transportation Systems
  • Postal & Shipping
  • National Monuments & Icons
  • Manufacturing

91
Comprehensive National Cybersecurity Initiative
(NSPD 54/HSPD23)
92
DoD/DIB Collaborative Info Sharing Environment -
DCISE
UNCLASSIFIED - FOUO
  • Front door for DIB partners
  • Fusing law enforcement/CI, CND, and intelligence data
    into threat information products
  • Unique all-source deconfliction process
  • Leverages expertise of analysts collocated with
    NCIJTF-AG & Lab
  • Protection of Department of Defense information
    held on Defense Industrial Base unclassified
    networks
  • Products shared within the interagency (e.g., JTF-GNO,
    NSA/NTOC, etc.)

Fusion Center for Cyber Investigative, Intel &
CND Info
93
DCISE Role: Support DHS Critical Infrastructure Protection
Reporting & Response Process
  • Defense Cyber Crime Center (DC3): DIB Collab Info Sharing Env (DCISE)
  • Nat'l Cyber Investigative JTF (NCIJTF): Investigative Op Gp (Chantilly, VA), Analytical Gp (DC3)
UNCLASSIFIED - FOUO
94
NCIJTF
  • 2005: CIJTF concept proposed by DoD and accepted
  • Engaged FBI and accepted
  • Two parts
      • Operational: FBI lead
      • Analytical: DC3 lead
  • Now called National Cyber Investigative Joint Task
    Force (NCIJTF)

National Cyber Investigative Joint Task Force
95
NCIJTF
  • Now joined by > 20 agencies
  • Emphasis on CI investigations/operations
  • Focused on all US national security threats posed
    by cyber
  • Not limited in scope to 1 agency or department
  • LE/CI Lead
      • Information gleaned via LE/CI authorities
      • Search warrants, subpoenas, etc.
  • Bridges gap between intel, net defense and LE/CI
  • LE/CI case operational coordination

National Cyber Investigative Joint Task Force
96
DC3 - Confluence of Many Key Communities
Law Enforcement
Homeland Defense
Information Assurance
Safety
CNA
CNE
Critical Infrastructure Protection
CND
Intelligence
Forensics
Counterintelligence
Counterespionage
Counterterrorism
And Many Lanes in the Road.
97
Closing the Gaps - Suite of Capabilities
DC3 at the center of: Legal Community, Net Defenders, Warfighters, Special Agents
Confluence of Key Communities
98
Contact Information
Defense Cyber Crime Center: www.dc3.mil
DoD Cyber Crime Conference: www.dodcybercrime.com
To Subscribe to the DISPATCH Send Email to Dispatch@dc3.mil
Digital Forensics Challenge: Send Email to Challenge@dc3.mil
Jim Christy, Special Agent (Ret)
410-981-6699, James.Christy@dc3.mil
99
Jim Christy, Special Agent (Ret), Director,
Futures Exploration, 410-981-6699, James.Christy@dc3.mil