Regional Computer Forensics Laboratory National Program Office

[Posted on Tue, January 13 2004]

This FBI-backed program is the cutting edge for collecting evidence from digital devices... and it is totally free of charge to law-enforcement agencies in selected regions.
Source: Evidence Technology Magazine

Written by Dale Garrison
Nov/Dec 2003 Magazine edition
Copyright 2003 The Gulick Corporation. All rights reserved. Posted here with permission.

A COLLABORATIVE EFFORT between federal, state, and local law-enforcement agencies has created a valuable new resource that is now available to agencies in many areas of the country.

The National Regional Computer Forensic Laboratory Program--an FBI-affiliated program--focuses entirely on the examination of digital evidence. Currently, there are FBI-affiliated Regional Computer Forensic Laboratories (RCFLs) in San Diego, California; Dallas, Texas; Kansas City, Missouri; and Chicago, Illinois. A lab is scheduled to open soon in San Francisco, California, and FBI Director Robert S. Mueller III recently announced five additional labs--to be located in Buffalo, New York; Newark, New Jersey; Houston, Texas; Portland, Oregon; and Salt Lake City, Utah--that will open within a year.

There are ten RCFLs currently either in operation or opening soon. The open facilities are: Chicago, IL; North Texas (Dallas-Fort Worth); San Diego, CA; and Heart of America RCFL (Kansas City, MO). The facilities that are soon to open are: Silicon Valley RCFL (San Francisco, CA); Buffalo, NY; Newark (Trenton), NJ; Houston, TX; Portland, OR; and Salt Lake City, UT.

Law-enforcement agencies that fall within the territory of one of these RCFLs (see map) will want to add its phone number to their list of critical resources. Here's why: These labs offer free analysis of nearly every digital source where a person suspected of terrorist activities, child pornography, or white-collar crime could leave behind vital, incriminating--or exonerating--information.

An example of the RCFL model

The lab in Kansas City, Missouri--officially named the Heart of America RCFL--opened in July 2003. Serving a geographical territory that includes western Missouri and all of Kansas, this RCFL was built on a collaborative model that combines the resources of the U.S. Department of Justice, state agencies, and local law-enforcement agencies.

Heart of America RCFL Director Thomas J. Maiorana said the level of collaboration between these agencies is unusual. In order to participate in the program, the Heart of America RCFL needed the commitment of nine local agencies. Maiorana explained that RCFLs do not just utilize the cooperation of different agencies when they find it; they are built upon that cooperation. Staff members are shared among the participating federal, state, and local law-enforcement agencies.

The kind of evidence that these labs target is equally unusual: The RCFLs perform forensic analysis of almost any digital medium on which data can be stored. That naturally includes desktop computers (PCs), but also cell phones, laptops, personal digital assistants (PDAs), and digital cameras.

"Almost everything today is stored on a computer or some other digital medium," Maiorana said. "And if it has been stored, we can generally retrieve it."

Strength in numbers

Teamwork is a key to this pioneer effort. Each of the nine local agencies must be willing and able to contribute manpower. Kansas City was chosen as the location for one of the first FBI-affiliated computer forensic laboratories (it is only the third to become active) because the area demonstrated that it could easily win the cooperation of local agencies.

"That was an important criteria from the start," Maiorana explained. "We actually had more local agencies (in Kansas City) that wanted to join than we had a budget for."

The story behind the RCFL concept began in 1999 in San Diego, California. Federal and local officials created the first RCFL in response to the growing recognition that digitally-stored data is increasingly critical in modern criminal investigations. Though most often associated with high-profile crimes such as child pornography or terrorism, computer forensics is useful for combating white-collar crime, drug deals, and gang activity. Even information collected from sources other than desktop computers--such as PDAs--can provide a digital paper trail to help track activities in a criminal investigation.

San Diego's success led to formalization of RCFL operations and the establishment of standard procedures and practices. The field of computer investigation, like the field of DNA science and other forensic disciplines, had to establish its protocols, ensure credibility, and keep up with a constantly changing field.

This last point is one area where the work is clearly a pioneer effort. For every new computer program or hardware advancement announced by manufacturers, RCFLs must devise procedures to retrieve and safely analyze data. It may be easy to forget that widespread use of the Internet and personal computers is barely 15 years old. That has been long enough, however, to make digital devices a part of everyday lives. And that means evidence can be extracted from almost any digital device--if you have the skill, knowledge, and experience to know where to look.

Beyond the San Diego RCFL

After the prototype RCFL opened in San Diego, a second site went online in Dallas in early 2001. Then, led by FBI Special Agent in Charge Kevin Stafford, Kansas City was the first of three additional RCFL sites that were scheduled to open in 2003.

Local law-enforcement personnel should appreciate the results because they have free access to all of this ability and experience. For example, any agency located in Kansas and Western Missouri (the territory that is served by Heart of America RCFL) can receive free help and analysis--literally with a simple phone call.

"We want them to use us," said Maiorana during a recent facility tour.

If the help includes physical analysis of a digital device, the work will probably take place in the RCFL analysis laboratory. A computer geek's wildest dream, the Heart of America RCFL's analysis laboratory is a large room spanning one entire side of the modern office building. Large cubicles are formed by open, metal-framed dividers that serve as shelves and wiring conduits. Each cubicle contains sets of computers, hard drives, monitors, printers, and other devices in various states of assembly. Several have stacks of new equipment--some of which are still in their original packaging--including the latest hardware that is just now reaching consumers.

Each set of cubicles is the home for a team of examiners. The examiners bring unique areas of expertise, experience, and background. One member may be the lab's resident Macintosh expert, while another may focus on the Unix operating system. One may know how to track messages on a network and another how to read the guts of a digital camera.

A person could spend his or her entire career specializing in just one of these areas. In the single area of hard drives--or computer storage--there are numerous standards, such as SCSI, IDE, and others. Each requires different connections, protocols, and techniques. Then there is the wide range of operating systems, including various Windows platforms, Unix, Linux, Macintosh, and more. And all of this doesn't even begin to include other digital components, such as PDAs, cell phones, and digital cameras.

The lab's network involves similar specialization. A total of seven separate internal networks are used in the RCFL, each carried over its own high-speed fiber-optic cable. "We have one separate network we use for Internet connections," Maiorana explained.

The procedures and techniques are sometimes surprising. For example, analysts generally do not simply plug in a seized personal computer and begin analyzing the data. Instead, standard protocol involves working from hard-drive "images" rather than from the originals.

The term hard-drive image is more than just professional jargon for copy. "An image of a computer hard drive will include more than just a copy of the files," Maiorana said. "An image will also contain all of the underlying data--even partially erased or overwritten material. So this image can be crucial to our work."

Free advice

RCFL assistance can also involve more than analyzing the data on a suspect's computer hard drive. The most important service the RCFLs provide may begin with free advice. For example, the personnel at the RCFL may explain how a police officer or sheriff's deputy should proceed to properly bag and tag digital equipment. Indeed, Maiorana and the 13 other certified analysts in this office would much prefer that they receive calls for help rather than see potential evidence compromised by a lack of training.

"We're happy to walk people through a process, even on the phone if necessary," he said. "Knowing when you need help is very important. The biggest mistake is to assume you know how to handle information stored on a computer, and then damage your evidence and a potential case. If you're not trained, give us a call. We want everyone to know that as soon as they are investigating anything involving computer evidence, they can give us a call. We'll talk you through it. We may also be available to travel on-site to collect the digital evidence."

It is surprisingly easy to compromise complex and often confusing digital evidence. For example: Simply walking across a carpeted room can generate enough static electricity to damage the electronics of an open hard drive when it is touched.

Not all of this was obvious when the RCFL model began to evolve in 1999, and the knowledge has been hard-earned by these pioneers. Today, the RCFLs are working to share some of that knowledge with others in the law-enforcement community. The Heart of America RCFL features a large training area which contains 16 computers, each with its own modern LCD monitor. "We host national training here," Maiorana noted. "And we provide training to other agencies in our service area. That orientation and training is free, of course."

Setting priorities

Although RCFL services are free, they may not be instantly available at your regional RCFL installation. A predetermined order of priority is an obvious necessity. And that priority order is based on the seriousness and immediacy of the crime or potential threat. Not surprisingly, the highest priority is given to an immediate threat to national security. Nearly as high would be an immediate individual threat such as a child abduction.

"A majority of cases currently involve child pornography," Maiorana said. "But we also work on just about everything you can imagine."

What is hard to imagine is the increasing number of "non-desktop-computer" areas of the RCFL investigations. With today's digital world and information-age technology, almost everything involves computers. That obviously includes PDAs, as well as cell phones and digital cameras.

All of the RCFL analysts are FBI certified and the lab will be seeking accreditation from the American Society of Crime Laboratory Directors/Laboratory Accreditation Board. At the Heart of America RCFL, the staff includes analysts as well as Maiorana and the deputy director, both of whom are also certified. In addition to FBI training, some of the staff members are computer-science majors, although raw talent is recognized as well. Some have no formal advanced training--just an unusual level of computer savvy and the ability to continually learn more.

Greater than the sum of its parts

After a while, it becomes obvious that the RCFL concept is one of those phenomena that become much larger than their individual parts would suggest. The physical features of the lab are a good example, but the staffing is probably the best illustration.

"Our teamwork is really the key," Maiorana said. "No one has expertise in every area. But with our team system, we can cover specialties. That's why these RCFLs are so significant. It is not just the sharing of supplies and it is not just sharing equipment. It is the sharing of personnel, training, experience, and specialization."

At the Heart of America RCFL, members of the staff are equipped with the very latest computer software and hardware.

Anyone who has ever stumbled over a new Windows upgrade or spent time cursing while trying to install a new hard drive knows that standardization simply does not exist in the computer world. When you add in the growing range of digital electronics, the challenge becomes almost overwhelming. Again, the team system helps tremendously.

"One result is a level of expertise and capabilities far beyond what an individual department might have," Maiorana said. "This is especially true for small departments, but even large municipal or county agencies would find it difficult to duplicate both the equipment and expertise available at a regional lab. And they don't need to."

Part of the mission of each of the RCFLs is the training of personnel from surrounding law-enforcement agencies. This training room in the Heart of America RCFL provides course or seminar attendees with individual computer terminals and connections to the facility's network.

An even bigger advantage is the potential nationwide connection. If necessary, Maiorana and other RCFLs can bring an almost unprecedented level of computer analysis to a particular problem by contacting other RCFLs across the country, as well as various federal and state organizations.

"That brings a speed to the work that is unmatched," Maiorana said. "If necessary, we can apply the expertise of all 14 examiners at this lab. That's a lot of manpower. We could also call on dozens, even hundreds, of experts across the country--for a single case."

That can be critical if a child is abducted, for example. And perhaps even more critical in cases of violent terrorism. "Speed is especially important with terrorism," Maiorana said.

Ultimately, that reach can go even higher. "If we had a national security incident, we could quickly get whatever resources we needed. We can make available the resources of the federal government. That's a tremendous advantage for the agencies in our service area."

The system is not perfect. Indeed, as with any pioneer effort, Maiorana and others are constantly struggling to stay abreast of not only the legal challenges to their technology, but also the tricks devised by "the bad guys."

"One of the great challenges is encryption. We don't see it that much right now, but we're working hard to stay ahead of the curve. One of our biggest challenges is to always ask ourselves the question: What will come next? We need to stay ahead."

Training at the RCFLs--whether in-depth work for future analysts or a broad overview for police officers--often includes scenarios based on real-life events. Trainees will learn how to start and finish a search where the suspect's premises include computers--what to do and what not to do. A lot of the training for both the experts and the beginners focuses on what not to do.

"We really stress that you should not assume you know what to do," Maiorana said. "With computers, it's almost always better to be cautious because if you damage the data, you can lose it. We'll work directly with the investigators to enhance their process. We'll come in and meet with them. Whatever it takes."

That passion for doing things right becomes obvious in almost everything Maiorana discusses about the Heart of America RCFL. He admitted it is probably an occupational hazard.

"We have a passion for this work," he agreed. "That's really the most important thing."

Dale Garrison is a freelance writer who works in Liberty, Missouri.
