Continuing an ongoing, effective, and symbiotic partnership, the CERT Forensics team worked with CERT’s resident law enforcement liaisons on a number of successful projects in 2009. These projects involved a wide range of activities, including password cracking, hard-drive analysis of evidence forwarded to the liaisons by law enforcement agents in the field, and on-site technical support to law enforcement during the execution of search warrants across the country. Collaborations with the CERT Forensics team allow law enforcement to tap CERT’s technical expertise on cases with a cyber component. In turn, the CERT team learns firsthand what challenges confront law enforcement and what technical gaps must be bridged to effectively address computer-based crimes.
“CERT Forensics’ collaboration with law enforcement enables it to draw from a variety of perspectives to identify emerging trends and build solutions,” notes CERT Forensics team member Cal Waits. “Our collaborative efforts with law enforcement agencies have been instrumental in bringing a successful conclusion to some of the country’s largest identity theft and credit card theft cases.” The kind of real-world experience that only comes from working side-by-side with law enforcement is what drives and informs the CERT Forensics team’s research and development efforts. The goal of this research and development is to produce state-of-the-craft tools and practices to provide an immediate positive impact on the ability of agents to carry out their mission in the field.
CERT is building on the field success of tools like LiveView (a tool for examining disk images or physical drives using virtualization technology), Crypto Hunter (a screening tool that alerts the user to the presence of whole-disk encryption and/or volume-based encryption on live systems), and Aperio (a tool that scans a hard drive for the presence of “wiped files” and that has identified unique signatures left behind by counter-forensics tools). Currently, the Forensics team is at work on SPIDA, a system of hardware acquisition drones that allows parallel acquisition of suspect drives. SPIDA represents the CERT Forensics team’s effort to tackle quantities of digital evidence collected during search warrants that exceed the capacity of current law enforcement processing methods. SPIDA is currently being field tested by law enforcement.
Tom Dover, United States Secret Service liaison to CERT, appreciates the interactions that lead to these advances. “Through its resident affiliates at the SEI, the Secret Service has continually endeavored to take advantage of the breadth and depth of technical talent, expertise, and experience that resided within the SEI,” says Dover. Its collaborative relationship with the Forensics team and other CERT and SEI teams has allowed the Service to bridge gap areas in its ability to successfully investigate highly complex and technically challenging electronic crimes.
In addition to supporting investigations, the SEI also lends its expertise to support the agency’s responsibility for protecting the nation’s critical financial infrastructure from electronic theft, disruption, and attack. Dover adds that “the SEI continues to be an integral partner in the Secret Service’s efforts to combat cybercrime and protect the nation’s critical financial infrastructure.”