Digital Forensics: Advancing Solutions for Today's Escalating Cybercrime
Created December 2017
As cybercrime proliferates, CERT researchers help law enforcement investigators process digital evidence by providing skills, methodologies, and tools. We also create and offer courses that help them advance their digital analysis skills.
The Challenge of Learning at the Pace of Cybercrime
Malicious cyber activity continues to grow in size and sophistication. Law enforcement is not always able to keep up with such advances. Our work with agents who analyze digital assets typically focuses on gap areas where investigators may have less experience than we do.
Our Solution: Tools and Training
Our digital investigation methodology is rooted in the “3 Ts”: tools, training, and techniques. We develop tools where there are gap areas. We develop techniques for mining information from computer systems. We deliver these tools and techniques to the people who need them through training.
We provide law enforcement with tools and techniques for processing digital evidence. Our nimble team has the expertise to figure out almost anything quickly. If enforcement agents come across a piece of evidence, for example, in gear they’ve never seen before, we can acquire that type of gear, dismantle it, learn how to extract the evidence, and turn over the tool and techniques we develop so that they can proceed.
The Appliance for Digital Investigation and Analysis (ADIA)
ADIA delivers many tools helpful to the analysis of digital assets. It is an open source virtual computer system and includes tools such as Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark.
New Courses for Law Enforcement
The Cyber Investigation Certificate Program is our newest training offering. We created three courses, funded by the FBI, that are offered for free to law enforcement and available through the Law Enforcement Enterprise Portal (LEEP).
The first course is geared to first responders to crimes involving digital assets such as computers, cell phones, and tablets. Trainees learn the importance of computer equipment such as these with respect to the crime.
About 1,500 officers around the country have taken the six-hour course so far. We foresee it benefiting many more of the 780,000 U.S. police offers who need to learn about digital devices from a criminal investigative perspective. We worked with a Hollywood director and screenwriter to develop a five-part scenario that shows a crime and how it is investigated. This method shows first responders how to respond to crimes that include digital assets.
Our second course is geared to beginning-to-intermediate detectives. The 100 training hours of this course include exercises that focus on what a detective must do in the process of investigating a digital crime—such as gleaning data from the IP address of the computer involved and leveraging social media to gather information about a person of interest. As with the first responders course, we also worked with a Hollywood director and a screenwriter to develop four one-hour television shows.
We also worked with a local studio to create scenarios that depict onscreen crime and investigation. This training has been very well received because it presents the context of the analysis of digital asset tasks and demonstrates how investigations are typically carried out.
The third course being developed will be designed for advanced detectives, covering the increasingly sophisticated techniques that intruders use. It will involve about 80 training hours.
The skills that investigators gain through these courses, combined with the knowledge they acquire through experience with our tools and techniques, help close the gaps in their expertise. Our objective is to reduce those gaps as much as possible.
In striving to serve all law enforcement members, we’re developing a 36-hour course for new FBI agents or agents returning to the cyber world after completing protection assignments. These returning agents can benefit from a refresher course on malware and how intruders are currently attacking computers.
February 23, 2014 Blog Post
According to a report issued by the Government Accountability Office (GAO) in February 2013, the number of cybersecurity incidents reported that could impact "federal and military operations; critical infrastructure; and the confidentiality, integrity, and availability of sensitive government, private sector,...read
August 01, 2008 Technical Note
In this 2008 report, the authors compare various approaches and tools used to capture and analyze evidence from computer memory.read
September 01, 2005 Handbook
In this 2005 handbook, the authors help technical staff members who are charged with administering and securing information systems and networks.read