National Computer Forensics Institute: Demystifying cybercrime

A lire sur:  http://www.techrepublic.com/blog/it-security/national-computer-forensics-institute-demystifying-cybercrime/

By Michael Kassner in IT Security, October 7, 2013, 10:56 AM PST

 

Knowing how to handle digital evidence and discovery correctly prevents costly mistakes. A federal facility in Birmingham, Alabama is working hard to improve that situation.

Birmingham, Alabama has a certain appeal for those of us living in the northern part of the country, especially this time of year when one day we could be looking at tornadoes, and the next thirty plus inches of snow.
I learned something else during my trip to Birmingham. The city has a propensity for digital crime fighting. Facebook learned this firsthand when staff and students in the university’s computer-forensic program played a significant role in determining the key players behind Koobface, a computer worm that stole millions of dollars from Facebook members.
Digital crime-fighting efforts in Birmingham do not stop there; drive south from downtown Birmingham on Highway 65 to the sprawling suburb of Hoover. Exit on Valleydale Road, and before long, a well-kept modern-looking building appears on the right.

Figure A

Once inside, the reason we stopped at this particular location became apparent—The National Computer Forensics Institute (NCFI)—another Birmingham organization that’s making life difficult for computer savvy criminals.

Figure B

Barry Page, NCFI Deputy Director, met our group at the institute’s imposing double doors and acted as our tour guide for the facility. “The purpose of NCFI is simple; get state and local officials from across the country up to speed on the proper handling of digital evidence, cybercrime investigations, and judicial procedures related to digital crime.”
In addition to Page's explanation, the official NCFI mandate states: “[T]o provide state and local law enforcement, legal, and judicial professionals a free, comprehensive education on current cybercrime trends, investigative methods, and prosecutorial and judicial challenges.”
Page then pointed out that the United States Secret Service’s Criminal Investigative Division and the Alabama Office of Prosecution Services jointly run NCFI—the only training facility of its kind in the United States, which has been in operation since 2008. 2600 students from more than 500 agencies have taken classes there already.

Digital evidence training for the legal profession and law enforcement

NCFI has three multipurpose classrooms, two network investigation classrooms, a mock courtroom, and an operational forensics lab dedicated to the Birmingham Electronics Crimes Task Force. NCFI offers thirteen classes under the following categories:

• Deadbox Forensics
• Network Intrusion
• Mobile Device and Social Networking Examination

A member of the tour asked about equipment. Page said NCFI considers it important for agencies to standardize on equipment and methodology as a way to enhance cross communications and eliminate mistakes. To that end, each student receives a Forensic Recovery Device and notebook. Software is dependent upon the student’s class—for example, students enrolled in Deadbox Forensics would receive Encase and WriteBlocker.
Next, we moved past three packed classrooms on our way to the mock courtroom. As we entered, Page said besides being Deputy Director of NCFI, he is an Alabama state prosecutor. So, he works closely with the instructors teaching the Computer Forensics in Court classes.
The following points are addressed during the judge’s class:

• Understand the significance of how data is stored on computers
• Understand the base differences between popular operating systems
• Understand the role that the Internet and networks play in computer crimes
• Understand the entire forensic process performed by investigators
• Better understand legal obstacles present in computer crimes
• Understand how to better evaluate computer crime cases in court

Figure C

Page also pointed out the mock courtroom, which is designed to accommodate digital discovery so as not to break the chain of custody, yet still guarantee a fair and impartial hearing. For that reason alone, the courtroom itself receives significant attention from people wanting to incorporate similar features into their courtrooms.
As we left the mock courtroom, I asked what defense attorneys do to stay current. Page explained that defense lawyers most often specialize. And since people accused of a crime get to pick their defense attorney, they will more than likely retain an attorney experienced in litigating cases involving digital evidence.
But, unfortunately, assigning cases involving digital evidence and or digital crime to prosecutors or judges with experience is not always an option. So, the logical approach is to provide a way similar to NCFI for prosecutors and judges to become familiar with court procedures involving digital crime and digital evidence.

Final thoughts

The university’s computer forensics team includes an archeologist and psychologist. The team has an enviable string of successes including eliminating Koobface. The NCFI promotes a similar ideology to normally non-cooperating legal entities. They also are showing positive results from their effort. I see a common thread—that of getting normally disparate groups talking and working together to solve big issues.
If I may, I would like to take a moment to thank all of you who have emailed your kind condolences on the passing of my father. The messages are much appreciated.
[All images courtesy of the NCFI.]