The role of computers and portable devices (e.g. cell phones, GPS units) in criminal and terrorist activity has increased significantly in recent years. Criminals use digital media in all forms of criminal activity. As a result, seized devices frequently contain vital evidence, including user information, call logs, location data, text messages, email, images, and audio and video recordings.
In the area of cyber forensics, a significant barrier for law enforcement is keeping abreast of technology changes. New hardware and software is released at a very rapid pace and is used in criminal and terrorist activity almost immediately. The large volume of information held on digital devices can make the difference in an investigation, but only if investigators have tools that keep up with the changing technology.
Since the project's inception in November 2008, its requirements have come directly from the Cyber Forensics Working Group (CFWG). Run by the S&T Directorate's Cyber Security Division, CFWG is composed of representatives from Federal, State and local law enforcement agencies. Members meet bi-annually to provide requirements, discuss capability gaps and prioritize the areas of most immediate concern to focus technology development, and they participate as test and evaluation partners for the resulting solutions.
Current Cyber Forensics Efforts
Disposable Phone Forensics - Mobile phones with pre-pay service are frequently used in criminal and terrorist activities, largely because they are easy to procure, have a low upfront cost, can be bought with cash, and require no personal identification. These "burner" or "throw-away" phones are typically used for a relatively short period before being discarded. When seized by law enforcement, however, they can contain valuable information about criminal activities. Acquiring this data is challenging because burner phones largely run proprietary embedded operating systems and frequently have limited connection options or disabled universal serial bus (USB) ports, so a generic cable-and-software acquisition often does not work. To address this issue, the effort is researching model-specific procedures for data acquisition and analysis.
Solid State Drive Forensics: The increasing presence of solid state drives (SSDs) in consumer computer products such as laptops, netbooks, and other portable devices presents challenging problems for law enforcement forensic investigators. Traditional forensic approaches that use a write blocker to image a magnetic hard drive do not translate effectively to NAND flash memory-based SSDs: the drive's own controller performs wear levelling, garbage collection and TRIM processing independently of the host, so stored data can change between two acquisitions even though the host never issued a write. This effort is researching novel approaches for forensic analysis of SSDs.
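The practical consequence of controller-side activity is that the usual "image twice, hashes match" verification step can fail on an SSD through no fault of the examiner. The following is an added example, not code from DHS S&T, CFWG or any of the efforts described on this page; it compares two successive raw acquisitions sector by sector and reports which sectors changed. It assumes dd-style images of equal length and a 512-byte logical sector size; the two sample images are constructed in memory to imitate a controller that garbage-collected two TRIMmed sectors between the first and second read.

```python
"""
Compare two successive raw acquisitions of the same drive sector by sector.

Added example, not project code. Assumes both acquisitions are raw (dd-style)
images of identical length with 512-byte logical sectors. The sample images
are constructed below; no real drive is read.
"""
from __future__ import annotations

import hashlib

SECTOR = 512  # assumed logical sector size


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a whole image, the value normally recorded on the evidence form."""
    return hashlib.sha256(data).hexdigest()


def changed_sectors(image_a: bytes, image_b: bytes, sector: int = SECTOR) -> list[int]:
    """Return the indices of sectors whose contents differ between two acquisitions."""
    if len(image_a) != len(image_b):
        raise ValueError("acquisitions differ in length; compare like for like")
    n_sectors = -(-len(image_a) // sector)  # ceiling division; last sector may be short
    return [
        i for i in range(n_sectors)
        if image_a[i * sector:(i + 1) * sector] != image_b[i * sector:(i + 1) * sector]
    ]


def verify_acquisitions(image_a: bytes, image_b: bytes, sector: int = SECTOR) -> dict:
    """Hash both images and list any sectors that changed between passes.

    A magnetic disk behind a write blocker should hash identically on every
    pass. An SSD may not, because wear levelling, garbage collection and TRIM
    run inside the controller regardless of the host's write blocker, so a
    mismatch here is evidence of self-modification rather than of tampering.
    """
    diff = changed_sectors(image_a, image_b, sector)
    return {
        "sha256_a": sha256_hex(image_a),
        "sha256_b": sha256_hex(image_b),
        "stable": not diff,
        "changed_sectors": diff,
    }


def make_sample_images() -> tuple[bytes, bytes]:
    """Constructed test data: 16 sectors of deterministic filler (sector i is
    filled with byte value i), then sectors 3 and 9 zeroed in the second pass
    to imitate garbage collection of trimmed blocks."""
    first = b"".join(bytes([i]) * SECTOR for i in range(16))
    second = bytearray(first)
    for s in (3, 9):
        second[s * SECTOR:(s + 1) * SECTOR] = b"\x00" * SECTOR
    return first, bytes(second)


if __name__ == "__main__":
    pass1, pass2 = make_sample_images()
    report = verify_acquisitions(pass1, pass2)
    print("pass 1 sha256:", report["sha256_a"])
    print("pass 2 sha256:", report["sha256_b"])
    if report["stable"]:
        print("acquisitions identical")
    else:
        print("drive self-modified; changed sectors:", report["changed_sectors"])
```

On a real case the two image files would be read from disk in sector-sized chunks rather than loaded whole; the comparison logic is the same. Recording the changed-sector list alongside both hashes documents the drift instead of leaving an unexplained hash mismatch in the notes.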
Cyber Forensics Tool Testing: By funding the Cyber Forensics Tool Testing Program at the National Institute of Standards and Technology (NIST), the project offers a measure of assurance that the tools law enforcement uses in investigations of computer-related crimes produce valid results. Testing against rigorous, documented procedures gives vendors an incentive to improve their tools and gives law enforcement consistent, objective results that will stand up in court. NIST test reports are published on the CyberFETCH website (www.cyberfetch.org).
Vehicle and Infotainment System Forensics: This effort is researching capabilities to forensically acquire data from the information and entertainment systems found in vehicles seized during law enforcement investigations.
Enabling Law Enforcement with Open Source Digital Forensics Software: By adding capabilities to the existing open source digital forensics tool Autopsy, this effort is developing a low-cost solution for law enforcement that other developers can extend. Specifically, the effort focuses on some of the most time-consuming and least automated parts of forensic processing: picture/video analysis and timeline analysis.
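Timeline analysis is mentioned above without saying what it involves. The core of it is flattening the several timestamps each file carries (modified, accessed, changed, created) into one chronologically ordered list of events, so that the analyst reads "what happened at 14:02" rather than "what do I know about this file". The following is an added example, not Autopsy code or any output of the effort described here; the file records it processes are constructed, the epoch value T0 is arbitrary, and the four-character m/a/c/b mask is written in the style of The Sleuth Kit's mactime output rather than in that tool's exact format.

```python
"""
Flatten per-file timestamps into one chronological timeline.

Added example, not Autopsy or Sleuth Kit code. Each file record may carry
mtime, atime, ctime and (optionally, since not every file system stores it)
crtime as Unix epoch seconds. The records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

T0 = 1_700_000_000  # arbitrary epoch used by the constructed records

# Constructed sample: a dropped executable, a touched dotfile, a temp artefact
# created shortly afterwards, and an unrelated log rotation an hour later.
SAMPLE_RECORDS = [
    {"path": "/home/u/Downloads/invoice.pdf.exe", "mtime": T0, "atime": T0 + 30, "ctime": T0, "crtime": T0},
    {"path": "/home/u/.bashrc", "mtime": T0 - 86400, "atime": T0 + 35, "ctime": T0 - 86400},
    {"path": "/tmp/.x", "mtime": T0 + 40, "atime": T0 + 40, "ctime": T0 + 40, "crtime": T0 + 40},
    {"path": "/var/log/auth.log", "mtime": T0 + 3600, "atime": T0 + 3600, "ctime": T0 + 3600},
]

# (record field, one-letter kind): m=modified, a=accessed, c=metadata changed, b=born
TIMESTAMP_KINDS = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))


@dataclass(frozen=True)
class Event:
    when: datetime
    kind: str
    path: str


def to_utc(ts: int) -> datetime:
    """Epoch seconds to an aware UTC datetime; forensic timelines should never use local time."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def build_timeline(records: list[dict]) -> list[Event]:
    """Expand every record into one event per present timestamp, sorted chronologically."""
    events: list[Event] = []
    for rec in records:
        for field, kind in TIMESTAMP_KINDS:
            ts = rec.get(field)
            if ts is None:
                continue  # file system did not record this timestamp
            events.append(Event(to_utc(ts), kind, rec["path"]))
    return sorted(events, key=lambda e: (e.when, e.path, e.kind))


def events_near(timeline: list[Event], pivot: datetime, window_seconds: int = 300) -> list[Event]:
    """Events within +/- window of a pivot time: the 'what else happened then' question."""
    window = timedelta(seconds=window_seconds)
    return [e for e in timeline if abs(e.when - pivot) <= window]


def mactime_lines(timeline: list[Event]) -> list[str]:
    """Render one line per (time, path), merging kinds that share a timestamp
    into an m/a/c/b mask, e.g. 'm.cb' for a file created and never read since."""
    groups: dict[tuple[datetime, str], set[str]] = {}
    for e in timeline:
        groups.setdefault((e.when, e.path), set()).add(e.kind)
    lines = []
    for (when, path), kinds in sorted(groups.items()):
        mask = "".join(k if k in kinds else "." for k in "macb")
        lines.append(f"{when.isoformat()} {mask} {path}")
    return lines


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_RECORDS)
    for line in mactime_lines(timeline):
        print(line)
    print("--- within 60 s of the executable's creation ---")
    for e in events_near(timeline, to_utc(T0), 60):
        print(e.when.isoformat(), e.kind, e.path)
```

Read in time order, the constructed data tells a story the per-file view hides: the executable is created, read thirty seconds later, .bashrc is read five seconds after that, and a hidden temp file appears five seconds after that, while the log activity an hour later falls outside the window and drops out of the picture.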