High Tech Lab Ties Computers to Crimes
By Douglas J. Gillert
American Forces Press Service
LINTHICUM, Md., Nov. 2, 1999 -- The airman was accused of hiring a hit man to kill his wife. He thought he would get away with murder when he literally cut the evidence to pieces.
As two Air Force Office of Special Investigations agents interrogated the suspect, he reached into his back pocket and jerked his arm forward as if drawing a concealed handgun. The agents backed off, but instead of a gun, the suspect produced a pair of pinking shears and began smugly cutting two 5 1/4-inch floppy diskettes into a pile of useless plastic. Or so he believed.
After searching for months for a means to retrieve data from the ruined diskettes, one agent suggested taping them back together. Using a magnetic spray that made the tracks more visible, the agents reassembled the diskettes.
"They retrieved 80 percent of the data," said Karen Matthews, deputy director of the Defense Computer Forensics Lab. On the disks: A letter the airman had written to his girlfriend outlining plans for his wife's murder, including when and where it would occur. The evidence helped prosecutors convict him.
Piecing together diskettes crime perpetrators have tried to destroy is one of the forensics lab's specialties. Today, examiners use microscopes to view the denser lines of the smaller, 3.5-inch diskettes. If the diskettes can be located, the lab most likely can retrieve the information. The examiners here also are adept at retrieving data "erased" from hard drives and defeating other attempts to conceal information.
Formerly involved in analyzing only Air Force crime data, the lab took on the job for all the services this year after the Air Force Office of Special Investigations became DoD executive agent for providing counterintelligence, criminal and fraud computer evidence processing and analysis. The lab supports military law enforcement agencies that increasingly find computers involved in breaking Uniform Code of Military Justice and civil statutes.
"We're a neutral party as far as an actual investigation goes," said David Ferguson, lab director. "Evidence comes in, we look and it and tell the investigators what it means. We aren't here to say whether the evidence is good or bad. Our place is purely to assist the investigating agency in coming to the truth."
The lab analyzes evidence only on those subject to military investigations. These subjects are active duty service members, on-duty reservists and anyone residing or working on a military installation or on DoD systems. This includes family members, civilian employees and contractors.
The lab relies on alert field investigators to provide the computer hardware, drives and diskettes for analysis. A separately functioning training program collocated with the lab in the middle of an airport business park near Baltimore is now training field investigators to always look for computer ties to crimes.
Ferguson sees computers being involved in more and more crimes, from intrusions by hackers and others intent on committing computer fraud to criminals who unintentionally leave information trails on their computers.
"We're in a growth industry," he said. "Everybody's got a computer at home or at least at work. Computers are becoming more prevalent, and our investigators are being trained to recognize that evidence. So, I think we're going to see more and more computer evidence showing up here for us to evaluate."
The lab currently handles about 30 cases at a time and is building toward a capacity of 60 active cases in-house and 400 a year. Depending on the complexity of the evidence to be analyzed, most evaluations last anywhere from a few hours to two months.
Ferguson said the simplest cases can and should be handled by field investigators -- those getting their training here in the Defense Computer Investigations Training Program. The program, he said, includes five courses and will add six more. Topics include computer search and seizure, field forensics and an overview of network and computer hardware. Future courses will include network investigations, lab forensics, intrusion techniques, intrusion analysis and a management course for supervisors of computer investigations.
Although the lab's primary customers are law enforcers, the lab also can let commanders know where their computer systems may be vulnerable to intrusions.
"If we detect vulnerabilities, we can get that information back to the commander," Ferguson said. "We can give them an analysis that lets them know what people are going after."
One area of computer use Matthews sees as particularly vulnerable to misuse is electronic commerce.
"My personal opinion is that we will see more fraud committed by computer users," she said. "You can now do 'e-commerce' over the Internet. That lends itself to abuse. More records are being stored on computers every day. So if a fraud is going to be committed, it will have to involve computer data."
"You've got all of this electronic 'stuff' that used to be on paper," Ferguson said. "Now, it's all in digits somewhere -- it's all binary. So, as more and more people have this 'stuff' on computers, more and more evidence is going to come in digital, and they're going to need a lab like this to get to it."
All that 'stuff' doesn't necessarily go away when it's erased, Ferguson added.
"It depends on how good they are at erasing," he said. "If they're real good with a computer, they can hide it. If not, they may think it's gone but we can still recover it."
Matthews said the evidence the lab produces stands up well in court, including military courts.
"We have not had a whole lot of challenges," she said. "I think the reason for that is thorough training and procedures. We try to be very careful in our forensic procedures, and we keep the thought foremost in our minds when we're doing a process that someday it's going to be in court and we have to defend that process.
"DoD takes those things very seriously, and whether it's a military court or federal court, there should be no difference in our practices. The analysis we provide should stand up in either judicial system."
For more information, visit the Defense Computer Forensics Lab Web site.