A recent article in the Washington Post
"FBI Agents Ill-Equipped to Prevent Terror Attacks" highlights
the FBI's current inability to analyze computer data leading up
to the attacks of Sept. 11.
Aside from the stunning lack of staff able to translate e-mails
written in Arabic, Farsi, and Pashto, come these revelations:
"More than 13,000 FBI computers are four to eight years old,
meaning they cannot run today's basic software or allow agents
to move to different functions with a mouse."
MORE DISTURBING: "Most smaller FBI offices have low-speed
Internet access and agents cannot electronically store photographs,
graphics and charts...sensitive classified and criminal data
are available only on paper."
Ouch! Last week, I suggested there needs to be a greater partnership
between career law enforcement and members of the IT community.
But piecing together what happened on computers around the world
leading up to the Sept. 11 attacks requires specific knowledge,
and there is an acute need right now for computer forensics
experts--a need even the IT community is just beginning to recognize.
Gregory S. Miles of JAWZ, a security solutions company, defines
computer forensics as "the process of applying scientific and
analytical techniques to computer operating systems and file
structures in determining the potential for legal evidence."
WHAT CONSTITUTES legal evidence? That varies from jurisdiction
to jurisdiction, of course; basically, we're talking about something
that can hold up to scrutiny and can be verified independently.
Therefore, the forensic investigator must document everything,
and should enlist a second person as a witness. If you can program,
you can do forensics; you already have a logical, if not methodical,
Often a good computer forensic analyst will specialize, adopting
Windows 9x, Windows NT/2000, Linux, Mac, Unix, RAID systems,
and even software source code as an area of expertise to stay
up on the latest technology. It seems criminals either use very
old or very new technology, so investigators should be flexible
and thoroughly versed in their area.
Beginning a forensic investigation is like going into surgery;
every piece of equipment must not only be clean, but sterile.
The hard drive must be realigned (not just erased), and the
software loaded onto it must be virus-free. The software should
also be the very latest, with all known bugs documented and
(if available) patched, and legally owned by the investigator.
ANALYSIS IS NEVER DONE on the actual hard drive in
question, but on an image of the original. Court cases have
been lost when a thorough defense team finds fault with the
software or the methods used in the analysis. Equally damaging
is the forensic examiner's inability to explain his/her choice
of software or method.
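The imaging-and-verification discipline described above, as an added example that is not from the article or from JAWZ: it copies a constructed evidence file to a working image, records both digests with the examiner and witness in a custody record, and shows that a later stray write to the image is caught by re-verification. The names and the tool string are placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash and copy in 1 MiB pieces so a large image never sits in memory

def sha256_of(path):
    """Digest of a file; a second examiner can recompute it independently."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image, examiner, witness):
    """Copy the original (opened read-only, never written) to a working image
    and return a custody record with both digests, examiner and witness."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner, "witness": witness,
        "source": source, "image": image,
        "source_sha256": sha256_of(source),
        "image_sha256": sha256_of(image),
        "tool": "chunked copy + hashlib.sha256",  # placeholder tool/version note
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return record

def verify_image(image, expected_sha256):
    """Re-hash the working copy; on a mismatch analysis stops until explained."""
    return sha256_of(image) == expected_sha256

def demo():
    """Constructed evidence file (not a real disk): image it, verify, then
    show that a stray write to the image is caught by re-verification."""
    work = tempfile.mkdtemp()
    source, image = os.path.join(work, "original.bin"), os.path.join(work, "working.img")
    with open(source, "wb") as f:
        f.write(b"constructed evidence bytes\n" * 4096)
    rec = acquire_image(source, image, examiner="A. Examiner", witness="B. Witness")
    intact = verify_image(image, rec["source_sha256"])
    with open(image, "r+b") as f:  # simulate an accidental write to the working copy
        f.write(b"X")
    return rec["verified"], intact, verify_image(image, rec["source_sha256"])
```

The custody record is what the examiner hands to the witness and later to the court; a mismatch at any point is documented rather than quietly re-imaged.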
Many computer forensic investigators are former law-enforcement
agents who have picked up computer skills along the way. Paul
Mobly, a former police officer and now a computer forensic investigator
with JAWZ, told me a computer forensic investigation proceeds
much like a beat cop's investigation.
When a break-in occurs, he's interested in knowing how the
intruder got in, how long the intruder was inside the system,
what the intruder did while there, and what got taken. With
the investigation of the Sept. 11 attack, the investigators
will be interested in passwords, remote accounts, and Web addresses
used by those who conspired to commit and/or execute this tragedy.
These can also be obtained through classic one-on-one interrogation
of a suspect.
To find out whether you can assist the FBI right now, see
the www.FBI.gov jobs Web site for more information. If you want
to get certified as a computer forensic investigator, there
are various certification programs, including those offered
through the International Association of Computer Investigative
Specialists (IACIS), and the National Center for Forensic Science
at the University of Central Florida. State and local law enforcement
agencies also need computer forensic help.