search menu icon-carat-right cmu-wordmark

Digital Forensics: Advancing Solutions for Today's Escalating Cybercrime

As cybercrime proliferates, CERT researchers help law enforcement investigators process digital evidence by providing skills, methodologies, and tools. We also create and offer courses that help them advance their digital analysis skills.

The Challenge of Learning at the Pace of Cybercrime

Malicious cyber activity continues to grow in size and sophistication. Law enforcement is not always able to keep up with such advances. Our work with agents who analyze digital assets typically focuses on gap areas where investigators may have less experience than we do.

Our Solution: Tools and Training

Our digital investigation methodology is rooted in the “3 Ts”: tools, training, and techniques. We develop tools where there are gap areas. We develop techniques for mining information from computer systems. We deliver these tools and techniques to the people who need them through training.

We provide law enforcement with tools and techniques for processing digital evidence. Our nimble team has the expertise to figure out almost anything quickly. If enforcement agents come across a piece of evidence, for example, in gear they’ve never seen before, we can acquire that type of gear, dismantle it, learn how to extract the evidence, and turn over the tool and techniques we develop so that they can proceed.

The Appliance for Digital Investigation and Analysis (ADIA)

ADIA delivers many tools helpful to the analysis of digital assets. It is an open source virtual computer system and includes tools such as Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark.

New Courses for Law Enforcement

The Cyber Investigation Certificate Program is our newest training offering. We created three courses, funded by the FBI, that are offered for free to law enforcement and available through the Law Enforcement Enterprise Portal (LEEP).

The first course is geared to first responders to crimes involving digital assets such as computers, cell phones, and tablets. Trainees learn the importance of computer equipment such as these with respect to the crime.

About 1,500 officers around the country have taken the six-hour course so far. We foresee it benefiting many more of the 780,000 U.S. police offers who need to learn about digital devices from a criminal investigative perspective. We worked with a Hollywood director and screenwriter to develop a five-part scenario that shows a crime and how it is investigated. This method shows first responders how to respond to crimes that include digital assets.

Our second course is geared to beginning-to-intermediate detectives. The 100 training hours of this course include exercises that focus on what a detective must do in the process of investigating a digital crime—such as gleaning data from the IP address of the computer involved and leveraging social media to gather information about a person of interest. As with the first responders course, we also worked with a Hollywood director and a screenwriter to develop four one-hour television shows.

We also worked with a local studio to create scenarios that depict onscreen crime and investigation. This training has been very well received because it presents the context of the analysis of digital asset tasks and demonstrates how investigations are typically carried out.

The third course being developed will be designed for advanced detectives, covering the increasingly sophisticated techniques that intruders use. It will involve about 80 training hours.

The skills that investigators gain through these courses, combined with the knowledge they acquire through experience with our tools and techniques, help close the gaps in their expertise. Our objective is to reduce those gaps as much as possible.

Looking Forward

In striving to serve all law enforcement members, we’re developing a 36-hour course for new FBI agents or agents returning to the cyber world after completing protection assignments. These returning agents can benefit from a refresher course on malware and how intruders are currently attacking computers.

Learn More

A New Approach to Cyber Incident Response

A New Approach to Cyber Incident Response

February 23, 2014 Blog Post
Anne Connell

According to a report issued by the Government Accountability Office (GAO) in February 2013, the number of cybersecurity incidents reported that could impact "federal and military operations; critical infrastructure; and the confidentiality, integrity, and availability of sensitive government, private sector,...

read
Digital Investigation Workforce Development

Digital Investigation Workforce Development

March 01, 2012 White Paper
Dennis M. Allen

In this paper, the authors describe an approach for deriving measures of software security from well-established and commonly used standard practices.

read
Forensics Case Studies

Forensics Case Studies

November 01, 2010 White Paper

Team members from the Software Engineering Institute assist the U.S. Secret Service in investigating the TJX/Heartland and Iceman cases.

read
Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis

Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis

August 01, 2008 Technical Note
Cal WaitsJoseph A. AkinyeleRichard Nolan

In this 2008 report, the authors compare various approaches and tools used to capture and analyze evidence from computer memory.

read
First Responders Guide to Computer Forensics: Advanced Topics

First Responders Guide to Computer Forensics: Advanced Topics

September 01, 2005 Handbook
Richard NolanMarie BakerJake Branson

In this 2005 handbook, the authors help technical staff members who are charged with administering and securing information systems and networks.

read