Computer Forensics

It all began with the Iceman case. A former computer security consultant, Max Ray Butler (also known as “Iceman”), was allegedly attacking computers at financial institutions and credit card processing centers, stealing account information, and selling the data to others. The U.S. Secret Service (USSS), which was leading the investigation into Butler’s activities, knew of the CERT forensics team’s expertise in cracking sophisticated techniques used by cybercriminals, such as encrypting data to hide evidence. The team assisted the USSS in acquiring and decrypting the Iceman’s data, thus providing critical evidence for the government’s case.

Through word of mouth and presentations the team gives to law enforcement groups, demand for the team’s skills and tools spread to state police departments and other law enforcement agencies from coast to coast. “We are providing operational support to the United States Secret Service, to high-profile intrusion and identity theft investigations, and to investigations of other general computer crimes,” said team leader Rich Nolan, a former Drug Enforcement Administration agent. This support work enables the team to see problems in the field firsthand and then refine their tools or develop new tools and techniques to solve those problems.

One tool that was developed for a specific case is CCFinder. In cases in which investigators were trying to discover compromised credit card and financial account numbers, the existing tools produced many false positives. CCFinder does a better job of finding and validating account numbers and eliminating duplicate numbers. It also maintains a “pedigree” that shows all the locations in which each number was found. The pedigree reveals how stolen numbers were traded (after an initial theft, financial account numbers are often shuffled, split into chunks, and sold) and can aid in tracing the source of the original theft. CCFinder also handles the problem of the sheer size of recent financial crimes, which had overwhelmed existing tools. “CCFinder was a big deal when we were working with 3 million account numbers,” said team member Matthew Geiger. “Then we quickly went from there to 45 million in the TJX case.”
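The three steps the paragraph attributes to CCFinder (find candidate numbers, validate them, deduplicate while recording a pedigree of where each was found) can be illustrated with a small scanner. This is an added example, not CCFinder’s own code, which the article does not show; the evidence paths and text are constructed test data, and the card numbers are constructed Luhn test values, not real accounts.

```python
import re
from collections import defaultdict

# Constructed evidence: file path on the seized media -> text recovered from it.
EVIDENCE = {
    "disk1/chat.log": "sold 4111111111111111, tried 4111111111111112 but it bounced",
    "disk1/dump.txt": "4111 1111 1111 1111\n6011-0009-9013-9424",
    "usb/notes.txt": "ref 1234567812345678 (invoice); 6011000990139424 again",
}

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Separator-adjacent numbers with only a
# space between them are a known gap of this simple pattern.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; cuts false positives
    from phone numbers and IDs roughly tenfold but does not eliminate them."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_account_numbers(evidence: dict) -> dict:
    """Return {normalized number: sorted list of locations it was found in}.
    Duplicates collapse into one entry; the location list is the pedigree."""
    pedigree = defaultdict(set)
    for location, text in evidence.items():
        for match in CANDIDATE.finditer(text):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                pedigree[digits].add(location)
    return {number: sorted(locs) for number, locs in pedigree.items()}


if __name__ == "__main__":
    for number, locations in find_account_numbers(EVIDENCE).items():
        print(number, "->", ", ".join(locations))
```

Numbers that appear on more than one item of media show up with a multi-entry pedigree, which is the signal the article describes for tracing how a stolen set was split and resold.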

“Our primary work is research, but the application of it in real-world cases is what’s really gratifying,” said Nolan. “A white paper is nice, but locking people up is better.”

The “TJX case” was the investigation of 11 people who were charged in August 2008 with the theft of more than 40 million credit and debit card numbers from T.J. Maxx, Marshall’s, Barnes & Noble, OfficeMax, and other major retailers. The forensics team participated in an electronic crimes task force along with USSS agents and state and local law enforcement. “It was an eye-opening experience participating in a law-enforcement action of that scale, with well-organized simultaneous searches,” said Geiger.

U.S. Representatives John Murtha, Mike Doyle, and Jason Altmire recognized the team’s efforts on TJX during a visit to Carnegie Mellon University in September 2008. “CERT’s role in this landmark case underscores its importance in computer security over the past 20 years,” said Murtha.

Forensics team members Nolan, Geiger, Cal Waits, Kristopher Rush, and Larry Rogers have multiplied their effectiveness by training the USSS, the FBI, the Department of Defense cyber crime lab, and other law enforcement groups in their tools and techniques. The training is done live on site at the SEI and also via CERT’s Virtual Training Environment (VTE), a secured, self-paced, web-based training lab. Authorized members of law enforcement groups can access a number of forensics tools developed by the team on VTE.

