High-Tech Lab Aims to Hunt Hackers, Catch Crackers
Oct. 5, 1999
By James Gordon Meek
[Photo: Defense Computer Forensics Laboratory director David Ferguson. Credit: James Gordon Meek/APBnews.com]
WASHINGTON (APBnews.com) -- Uncle Sam has drafted the Department of Defense into the nation's battle against cybercrime.
The Defense Department has opened a new $15 million computer crime lab and training facility near Baltimore that will work military cases and assist domestic law enforcement efforts aimed at catching hackers and others who may leave behind digital evidence.
The facility, strategically located near the National Security Agency, is intended to be a high-tech sleuthing operation that will train military investigators in how to handle computers and other data-collection devices such as electronic organizers as forensic evidence.
Under the control of the U.S. Air Force Office of Special Investigations, the new Defense Computer Forensics Laboratory (DCFL) was conceived of less than two years ago -- "light speed" was how one official described its incubation -- to keep pace with criminals who use computers in the commission of crimes.
Gets the 'strange and large' cases
[Video: Defense Department video explaining the program]
Interviewed in his office stocked with computers and video gear, lab director David Ferguson told APBnews.com that his military and civilian team assists "strange and large" cases.
"A lot of [federal] agencies have computer crime investigators," he said. "We get cases they can't handle."
One of the major problems the government is trying desperately to overcome is the threat of cyberterrorism and intrusions into sensitive computer systems.
High-level government officials have admitted that it is nearly impossible to identify the source of an attack by hackers or data thieves. And while the United States knows of several foreign powers with offensive information warfare programs -- they cite Russia, China, India and Israel -- they do not know who America's cyber-enemies really are.
A staff of security experts
DCFL officials said they have been asked, in part, to improve intruder identification, and they acknowledged that the lab and adjoining Defense Computer Investigations Training Program were created as a direct response to the troubling failure of federal law enforcement and the intelligence community to identify the adversaries in cyberspace.
[Video: Defense Department video primer on digital evidence collection]
As for pinpointing the hackers who ping U.S. corporate and government networks every day, Ferguson said: "Our first goal is national security. But we're also concerned about building a case against [those who launch a computer attack or intrusion]."
The facility is stocked with technicians culled from all branches of the armed services and computer security experts with experience in online hunting. The FBI has some of its own experts in a neighboring office, and officials said the DCFL will help the bureau with some special computer crime cases.
"The intrusion [detection] capability we have are the people we have," Ferguson said. "We produce much better reports than anybody else does."
One reason for that, said Special Agent Karen Matthews, the DCFL deputy director, is that "the Air Force has been looking at intrusion investigations longer than the FBI has -- we just have more experience in that area."
Ferguson said the DCFL's own computer network is scanned several times a week by would-be intruders probing the lab's "perimeter."
Smashed disks are no problem
Besides tracking hackers, the DCFL specializes in "media analysis." That doesn't mean watching CNN and reading daily newspapers, as it would to the NSA or Central Intelligence Agency, but instead picking through bytes of electronic data in seized computers or on removable media -- floppy disks, CDs, zip disks and the like.
The lab cleans up badly distorted video or photographs and analyzes them, and it can recover files from erased hard drives that owners thought had been deleted.
They also reconstruct fragments of removable disks recovered from criminals or crime scenes, and data can be taken off even the smallest piece of tape visible to the human eye.
Forensic examiner Dave Lang happily demonstrated the technicians' skill at retrieving bits of data off tiny fragments -- a floppy disk, say, that was cut up or badly mangled by a crook trying to conceal illicit material like child pornography.
A disk could be melted, Lang said, but if an intact portion of the disk is salvageable, it can be spliced into a clean disk and examined. "If it can be picked up with tweezers, we can read what's on it," he said.
Training investigators
Downstairs, computer investigations training director Greg Redfern, a naval investigator, said he will train approximately 750 investigators from the Army, Navy, Air Force and Defense Department.
The criminal investigators taking three-week courses will arrive with varying levels of computer sophistication -- from the novice to the expert.
They will learn how to properly "bag and tag" computers found at crime scenes, and how to examine them like any other piece of forensic evidence.
[Photo: Technician "irons" ruined computer disc. Credit: James Gordon Meek/APBnews.com]
The classrooms, still under construction, are stocked with PC towers wired with every imaginable removable media and can even toggle between operating systems like Windows and Linux.
"What we're doing here is pretty unique," Redfern said. "If you want to bring somebody in to be a computer investigator, we have a path they can take."
Small budget, by comparison
Redfern said he plans to eventually open the training center to federal law enforcement agents, but they are already struggling with meeting just one-quarter of the demand from military detectives.
The cost to build the entire training and lab facility was about $15 million -- pocket change to Pentagon budget planners accustomed to spending $1.3 billion on just one B-2 stealth bomber. The operating budget for fiscal year 2000 is slated at an equally economical $11 million, which includes anticipated costs for keeping up with advances in technology.
Ferguson said the Defense Department "got a great deal" on everything they put into the place.