A recent article in the Washington Post titled "FBI Agents Ill-Equipped to Prevent Terror Attacks" highlights the FBI's current inability to analyze computer data leading up to the attacks of Sept. 11.
Aside from the stunning lack of staff able to translate e-mails written in Arabic, Farsi, and Pashto, come these revelations: "More than 13,000 FBI computers are four to eight years old, meaning they cannot run today's basic software or allow agents to move to different functions with a mouse."
MORE DISTURBING: "Most smaller FBI offices have low-speed Internet access and agents cannot electronically store photographs, graphics and charts...sensitive classified and criminal data are available only on paper."
Ouch! Last week, I suggested there needs to be a greater partnership between career law enforcement and members of the IT community. But piecing together what happened on computers around the world leading up to the Sept. 11 attacks requires specific knowledge, and there is an acute need right now for computer forensics experts--a need even the IT community is just beginning to recognize.
Gregory S. Miles of JAWZ, a security solutions company, defines computer forensics as "the process of applying scientific and analytical techniques to computer operating systems and file structures in determining the potential for legal evidence."
WHAT CONSTITUTES legal evidence? That varies from jurisdiction to jurisdiction, of course; basically, we're talking about something that can hold up to scrutiny and can be verified independently. Therefore, the forensic investigator must document everything, and should enlist a second person as a witness. If you can program, you can do forensics; you already have a logical, if not methodical, mind.
Often a good computer forensic analyst will specialize, adopting Windows 9x, Windows NT/2000, Linux, Mac, Unix, RAID systems, and even software source code as an area of expertise to stay up on the latest technology. It seems criminals either use very old or very new technology, so investigators should be flexible and thoroughly versed in their area.
Beginning a forensic investigation is like going into surgery; every piece of equipment must not only be clean, but sterile. The hard drive must be realigned (not just erased), and the software loaded onto it must be virus-free. The software should also be the very latest, with all known bugs documented and (if available) patched, and legally owned by the investigator.
ANALYSIS IS NEVER DONE on the actual hard drive in question, but on an image of the original. Court cases have been lost when a thorough defense team finds fault with the software or the methods used in the analysis. Equally damaging is the forensic examiner's inability to explain his/her choice of software or method.
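As an added illustration of the two points above, working from an image whose integrity can be verified independently and documenting the step with a named witness, here is a small acquisition script written for this column (not code from JAWZ or the FBI; the case id, examiner and witness names are placeholders, and the "drive" is constructed data):

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # hash and copy 64 KiB at a time so large media never sits in RAM

def sha256_of(path):
    """Hash a file in chunks; run on the original and, separately, on the image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(src_path, img_path):
    """Copy the original medium to an image file, hashing the source as it is read."""
    h = hashlib.sha256()
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            img.write(block)
    return h.hexdigest()

def verify_and_log(src_path, img_path, acq_hash, log_path, case_id, examiner, witness):
    """Re-hash original and image independently; log the outcome with the witness named.
    Analysis may proceed only when the read-time hash, the re-read original and the image agree."""
    entry = {
        "case": case_id, "examiner": examiner, "witness": witness,
        "when": datetime.now(timezone.utc).isoformat(),
        "source": src_path, "image": img_path,
        "source_sha256": acq_hash, "image_sha256": sha256_of(img_path),
    }
    entry["verified"] = entry["source_sha256"] == entry["image_sha256"] == sha256_of(src_path)
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def demo(tamper=False):
    """Constructed evidence: a small fake drive, optionally with one byte of the image corrupted."""
    with tempfile.TemporaryDirectory() as d:
        src, img, log = (os.path.join(d, n) for n in ("drive.raw", "drive.img", "custody.log"))
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 1024)  # 256 KiB of constructed data, not real evidence
        acq_hash = acquire(src, img)
        if tamper:  # simulate a corrupted image: verification must fail
            with open(img, "r+b") as f:
                f.seek(100)
                f.write(b"\x00")
        return verify_and_log(src, img, acq_hash, log, "CASE-PLACEHOLDER", "examiner", "witness")
```

A mismatch in `verified` means the image is not usable and the acquisition must be repeated and re-logged rather than patched.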
Many computer forensic investigators are former law-enforcement agents who have picked up computer skills along the way. Paul Mobly, a former police officer and now a computer forensic investigator with JAWZ, told me a computer forensic investigation proceeds much like a beat cop's investigation.
When a break-in occurs, he's interested in knowing how the intruder got in, how long the intruder was inside the system, what the intruder did while there, and what got taken. With the investigation of the Sept. 11 attack, the investigators will be interested in passwords, remote accounts, and Web addresses used by those who conspired to commit and/or execute this tragedy. These can also be obtained through classic one-on-one interrogation of a suspect.
To find out whether you can assist the FBI right now, see the www.FBI.gov jobs Web site for more information. If you want to get certified as a computer forensic investigator, there are various certification programs, including those offered through the International Association of Computer Investigative Specialists (IACIS) and the National Center for Forensic Science at the University of Central Florida. State and local law enforcement agencies also need computer forensic help.