Slashdot Mirror


FBI Adds Two Digital Forensic Labs

coondoggie sends us a story from NetworkWorld.com, as is his wont, this one on the FBI opening two new US Regional Computer Forensics Laboratories this week. In these laboratories examiners conduct a growing number of forensic examinations of digital media in support of the investigation and/or prosecution of a federal, state, or local crime. With the addition of the new facilities in Los Angeles and Albuquerque, the FBI will have 16 RCFLs nationwide. And they are needed: "During 2007, RCFL experts conducted 4,634 exams, processing 1,288 terabytes of information. A total of 76,581 digital devices were examined (the most popular media by far — CDs, coming in at 37,424; followed by hard disk drives at 17,378; floppy disks at 11,781; and DVDs at 4,374). The number of CDs, cell phones, and flash media devices examined doubled from the previous year."

35 comments

  1. Mmmm. by Apiakun · · Score: 1

    Check out the huge DFLs on that one...

  2. Does it explain the /.out ? by dascritch · · Score: 1

    Slashdot raided ???

    --
    (Sorry for my bad French) I give the Guignols de l'Info their lines. Pure bliss, basically.

  3. Are these going to do actual forensic work? by Anonymous Coward · · Score: 0

    Or are they just storage warehouses for all those CDs, hard drives, cameras, DVDs and so on that they're never going to return, even if they fail to find anything incriminating?

  4. Crazy math by dj245 · · Score: 1

    I sincerely doubt there was 1288TB of data. That's 284GB per article. If significant numbers of them were CDs or flash storage the numbers start looking fishy very fast.

    It's hard to believe they examined that much storage capacity, let alone that much data.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
    1. Re:Crazy math by mikael · · Score: 2, Informative

      Do the arithmetic. Assuming that the average size hard disk drive is 60-80 Gigabytes, then the totals add up:

      CDs:      37,424 x 650 Megabytes = 24325600 Megabytes
      HDs:      17,378 x 70 Gigabytes  = 1245655040 Megabytes
      Floppies: 11,781 x 1.4 Megabytes = 16493.4 Megabytes
      DVDs:      4,374 x 4 Gigabytes   = 17915904 Megabytes

      Total = 1287913037.4 Megabytes
            = 1287913.0374 Gigabytes
            = 1287.9130374 Terabytes

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    2. Re:Crazy math by CowTipperGore · · Score: 1

      "I sincerely doubt there was 1288TB of data. That's 284GB per article. If significant numbers of them were CDs or flash storage the numbers start looking fishy very fast."

      Not to suggest that the FBI would never lie about details, but I fail to see your mathematical concerns here. How exactly did you come up with your numbers? The summary says that 76,581 digital devices were examined, including 37,424 CDs, over 17,000 hard drives, and 4,300 DVDs. That averages out to only 16 to 17 GB per device. CDs account for almost 30 TB of the data. Taking them out leaves you at about 32 GB per device, which seems reasonable considering that over half of the remaining devices are hard drives.
    3. Re:Crazy math by ColdWetDog · · Score: 1

      Well I'd be concerned about the veracity of TFA. 11000 floppy disks? Are criminals using PCs from the 1990s? Or are they just backlogged to hell?

      Seems odd.

      --
      Faster! Faster! Faster would be better!
    4. Re:Crazy math by mikael · · Score: 1

      Looks like they are just adding up the raw theoretical capacity of every device. They would have to perform a complete scan of every disk block to see if anything was there or not.

      From the article, there were 4634 exams, and 11,781 floppy disks. That amounts to just under 3 floppy disks per case. It wouldn't be too difficult to imagine that anyone with a computer might just have a few floppy disks lying around which originally came from hardware purchases (device drivers, software upgrades, freebie applications from magazines, AOL subscriptions).

      Mobile phones are coming with 1, 2 and 4 Gigabytes of flash memory storage now, so that is no surprise.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    5. Re:Crazy math by megaditto · · Score: 1

      On the upside, the number of magnetic tapes examined is 0.

      --
      Obama likes poor people so much, he wants to make more of them.
    6. Re:Crazy math by Anonymous Coward · · Score: 0

      "Total = 1287913037.4 Megabytes = 1287913.0374 Gigabytes = 1287.9130374 Terabytes"

      Actually, using multiples of 1024 to get the real count:
      Total = 1287913037.4 MB = 1257727.5755 GB = 1228.2495 TB

      Still close, but you might need larger hard drive estimates.

      Alternatively, one could use drive manufacturers' counting methods:
      Total = 1287913037.4 MB = 1290000 GB = 1300 TB = 1400 TB (because 13 is seen as unlucky, and that might hurt sales)
  5. Why L.A., huh? by elrous0 · · Score: 1

    I'm sure they're locating to L.A. because it's a great place to fight kiddie porn, not because the MPAA and RIAA are headquartered there.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  6. Edited for truth by DJRikki · · Score: 1

    "During 2007, ROFL experts conducted 4,634 exams, processing 1,288 terabytes of information."

  7. What are all these forensic labs being used for? by QCompson · · Score: 1

    In the article they provide a short list of some high profile cases in which digital forensics played a role, but I'd like to see a rough breakdown on what type of investigations the FBI was scanning through 1,288 terabytes of information for.

    I know it is routine now for investigators to seize computer equipment even in drug arrests, and I wonder how much taxpayer money is being wasted so federal agents can look through internet histories and MSN buddy lists.

  8. How good are these guys? by Anonymous Coward · · Score: 0

    How good are these guys, really? If I've got a couple of (say) AES encrypted loopback filesystems named back1.dat and back2.dat, can they brute-force the keys? Can they read under re-written disk blocks? Or is this basically get the Windows passwords with a keyboard tap?

    1. Re:How good are these guys? by sirket · · Score: 4, Informative

      They are incompetent- completely and utterly incompetent. They know only what EnCase or another piece of forensic software tells them. If the disk blocks have been rewritten a couple of times- they're not going to find it. They're not going to break AES unless you've done something stupid and left the key lying around.

      The real bitch of it is- these guys never get challenged properly- especially in child porn cases. (Thank John Walsh- Adam's Law is absurd). They can claim whatever they want and the defense is basically helpless. The defense is not allowed to have their own copy of the drive to do forensic analysis on. They have to do it at the FBI lab with FBI equipment and with FBI goons hanging over their shoulders. If the FBI finds "overwritten" evidence- there is no good way to challenge that. It's your word against theirs.

      Chain of custody? HAH! I've watched these guys leave crime scenes with drives under their arms, I've watched them run programs and click around a system they suspect of containing illegal material. No effort made to prevent trojans or other programs from covering their tracks. No effort made to preserve the state of the system. It's laughable.

      And no- I wasn't a target. I did "forensic" analysis for years and got sick of watching these people make a mockery of my profession. (I put forensic in quotes because there is nothing scientific about these analyses- they are the best guesses of someone who may or may not be even remotely qualified to give an opinion).

    2. Re:How good are these guys? by Anonymous Coward · · Score: 0

      "They are incompetent- completely and utterly incompetent"

      I have to disagree. My brother in law is one of these incompetent guys you are talking about. He has 8 certifications from CompTIA and is one of a handful of people in the U.S. that is a Certified Computer Examiner. He is very intelligent and honest. You are correct about how they can only get information from an unencrypted drive and they use a set of software packages to gather data. This profession is doomed due to encryption. Next time you might want to proofread your posts because you come off sounding like a law enforcement hater vs someone who is skeptical of the tools of this particular trade.

    3. Re:How good are these guys? by G00F · · Score: 1

      I have several certifications from CompTIA and other places (Sun, Cisco, MS), and I would not consider myself competent for this kind of forensic work. Got a nasty virus or think you've been hacked, format and re-install.

      Best they could do is pass their educated guesses on to people who say them as fact in court.

      --
      The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
    4. Re:How good are these guys? by Kjella · · Score: 2, Insightful

      "They are incompetent- completely and utterly incompetent. They know only what EnCase or another piece of forensic software tells them. If the disk blocks have been rewritten a couple of times- they're not going to find it. They're not going to break AES unless you've done something stupid and left the key lying around."

      I figure you recover DoD wiped data without breaking a sweat and have AES cracked by midnight then, eh?

      "I put forensic in quotes because there is nothing scientific about these analyses-"

      Well while a few of the examples you pull up sound outright sloppy, this isn't a science project either. Time and money spent in the lab is money that could be used patrolling streets, going door-to-door, interviewing witnesses, following up leads, doing surveillance or a million other good uses. Forensic analysis is about doing it cost-effectively in volume, which is more like McDonald's than a fine restaurant. Sure you need some geniuses to work on the really hard and important cases, but for the most part basic knowledge of a good tool is the adequate solution. Most aren't that tech savvy and those tools have the ability to run smart searches others have thought up. As long as they work on a copy (Forensics kindergarten knowledge) they can't really do anything wrong and at worst they won't find anything. But there's countless other crimes that slip past the radar too, it's all a matter of effectiveness.

      Remember that even if you're way above average skilled and interested, most people are average. Would you quit your developer job because so many others suck at it? Would you quit your sysadmin job because most sysadmins are MCSE point-and-clickys? Would you quit your management job because most managers are PHBs? Smart people are a scarce resource, and in anything but niche fields in science you can be pretty sure to meet average people. Script kiddies might not be all that "cool" in the community but they do get things done with their tools they barely understand. Same with script cops, they're probably not "cool" with the people that eat bits and bytes for breakfast but they do get things done. At least as well as the rest of the police and society in general.

      --
      Live today, because you never know what tomorrow brings
    5. Re:How good are these guys? by Anonymous Coward · · Score: 0

      Certified Computer Examiner? That's not a particularly difficult exam. That's not a CompTIA cert and that's ignoring the fact that CompTIA certs -- while good for what they are (entry-level, resume-fodder and a foot-in-the-door) -- are not paragons of rigorous testing. I've got a few CompTIA certs myself and am not slagging them at all; they're good at what they do, and they do what they say they will, but they're not the be-all/end-all you seem to imply in your post. They're slightly less respected than more vendor-specific certs (e.g. MCSA/MCSE) and way less respected than more advanced vendor-specific certs (e.g. the MS certs above MCSE, Sun certs, the RHCE certs, Cisco's everything-beyond-CCNA) or management certs (CISSP, PMP, CISA, etc). For this kind of work, you'd want someone with a GIAC cert, or serious training and history with CERT. But those folks usually tend to demand the money they're worth, which tends to be more than government is willing to pay (except as contractors...)

    6. Re:How good are these guys? by Anonymous Coward · · Score: 0

      I don't know your brother but my sister-in-law's brother is the target of one of these "investigations" and his experience has been consistent with everything the parent alleges:

      was the computer immediately halted and the drive checksummed? no...
      is there documentation of chain of custody? no...
      was the defense given an image of the drive for independent examination? no...
      was the system checked for any sort of malware, port scanned or sniffed? not that's been disclosed to the defense...
      think any of the above matters to the judge? if so I've got some beach property in Utah for sale...

      I don't know what practices/protocols your brother follows but that sure sounds like incompetent boobs to me...
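The checklist in the post above (hash the drive on seizure, work from a verified image, keep a custody record, let the other side re-verify) as an added example that is not part of the thread: a small Python script that acquires a constructed fake drive, hashes source and image, appends a chain-of-custody record, and then shows that a single changed byte on the image fails the later verification. File names, the JSON-lines log format and the examiner name are assumptions made for the example, not anything the FBI labs or the posters describe.

```python
"""Added example, not from the Slashdot thread: acquisition-time hashing,
imaging and later independent verification of a constructed fake drive.
Paths, the JSON log format and the examiner name are assumptions."""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 16  # 64 KiB blocks, so a large device is never read into memory at once

# Constructed stand-in for a seized drive: 256,000 bytes of a repeating pattern.
FAKE_DRIVE = bytes(range(256)) * 1000


def sha256_of_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(src_path, img_path, log_path, examiner):
    """Copy src to img block by block (source opened read-only), hash both
    sides, refuse a mismatched copy, and append a chain-of-custody record.
    A hardware write blocker in front of a real device is outside this example."""
    h_src = hashlib.sha256()
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for block in iter(lambda: src.read(CHUNK), b""):
            h_src.update(block)
            img.write(block)
    src_digest = h_src.hexdigest()
    img_digest = sha256_of_file(img_path)  # re-read what actually landed on disk
    if img_digest != src_digest:
        raise RuntimeError("image hash does not match source; copy is not usable")
    record = {
        "time_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "source": src_path,
        "image": img_path,
        "sha256": src_digest,
        "size_bytes": os.path.getsize(img_path),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(img_path, log_path):
    """Independent re-check: re-hash the image and compare with the digest
    recorded at acquisition.  False if no record exists or the bytes changed."""
    with open(log_path, encoding="utf-8") as log:
        records = [json.loads(line) for line in log if line.strip()]
    matching = [r for r in records if r["image"] == img_path]
    if not matching:
        return False
    return sha256_of_file(img_path) == matching[-1]["sha256"]


def demo():
    """Acquire, verify, then tamper with the image and verify again."""
    work = tempfile.mkdtemp(prefix="custody-demo-")
    src = os.path.join(work, "seized-drive.bin")  # stand-in for a block device
    img = os.path.join(work, "seized-drive.img")
    log = os.path.join(work, "custody.jsonl")
    with open(src, "wb") as f:
        f.write(FAKE_DRIVE)

    record = image_device(src, img, log, examiner="examiner-placeholder")
    ok_before = verify_image(img, log)

    # Simulate someone "clicking around" on the copy: change one byte.
    with open(img, "r+b") as f:
        f.seek(100)
        f.write(b"\xff")  # byte 100 of the pattern is 0x64, so this differs
    ok_after = verify_image(img, log)

    return {"record": record,
            "verified_before_tamper": ok_before,
            "verified_after_tamper": ok_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of hashing the source while it is being read, then re-hashing the written image, is that the custody record attests to both: a second examiner given only the image file and the log line can reproduce the digest without touching the original device, and any later change to the copy, however small, shows up as a mismatch.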

    7. Re:How good are these guys? by Anonymous Coward · · Score: 0

      One 400 seat software "upgrade" of digital detective...

      https://www.fbo.gov/index?s=opportunity&mode=form&id=3620fd22f124699d7e375b887ab3995a&tab=core&_cview=0

    8. Re:How good are these guys? by Anonymous Coward · · Score: 0

      "Chain of custody? HAH! I've watched these guys leave crime scenes with drives under their arms, I've watched them run programs and click around a system they suspect of containing illegal material."

      I've seen this too... and I was a target. They clicked around on one of my active machines.

      I actually gave them the keys to my encrypted volumes. They had tens of thousands of files of porn, but it was legit, adult porn, not kiddie porn. I was cleared, and even got my equipment back, though with a stern warning.

  9. Likely for the RMKT by Anonymous Coward · · Score: 0

    I just hope that these are for real crime, like murder, fraud, and corporate tax evasion and not just for RIAA/MPAA/Kiddie-porn/Terrorism scaremongering.

    1. Re:Likely for the RMKT by Sensi · · Score: 1

      "I just hope that these are for real crime, like murder, fraud, and corporate tax evasion and not just for RIAA/MPAA/Kiddie-porn/Terrorism scaremongering."

      I don't know about you but all of those "RIAA/MPAA/Kiddie-porn/Terrorism" sound like criminals to me.
  10. Re:What are all these forensic labs being used for by vertinox · · Score: 2, Interesting

    "I know it is routine now for investigators to seize computer equipment even in drug arrests, and I wonder how much taxpayer money is being wasted so federal agents can look through internet histories and MSN buddy lists."

    Speaking of which, on my latest Equifax report there was a big bold scary headline that says FBI reports that identity theft is the largest growing crime.

    Rather than using these vast resources to combat IP Infringement and "Think of the Children" issues, wouldn't it be better devoted to actually fighting what more people actually have their lives ruined by?

    Some guy talking nasty in a chat room or a guy hocking pirated DVDs on the corner is nowhere near as much of a threat to you and me as someone who is going to use the lax social security and credit system to open thousands of dollars worth of loan accounts in your name, forever damaging your ability to buy a house, get a job, or even get a cell phone without a $1000 security deposit ever again.

    The thing is most of these types of crimes are low tech and simply going through people's trash and mailbox so this multi-million dollar system of scanning data is worthless to the real threat the average joe faces.

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)
  11. It's not IDE? by Anonymous Coward · · Score: 0

    Just don't ask them to take a case involving a SCSI drive - true story.

  12. Re:What are all these forensic labs being used for by phaggood · · Score: 1

    To resurrect lost White House emails, natch.

  13. We don't have money for this... by Vitriol+Angst · · Score: 1

    There are no funds or agents available to check our food supply, not enough to examine bridges and buildings, not enough, apparently, to investigate crimes of politicians and arrest them.

    But hey, we have Billions of $ for making sure that people don't pirate MP3 files.

    I can understand that there are a lot more computers seized in drug raids. For one -- why are we still making drugs illegal? Are they dealing with identity theft or something that I as a citizen actually care about? Is kiddie p0rn going to magically appear on a drive if someone "wants to get this guy" no matter what? Please, I'm failing to trust the methods and goals of these government organizations anymore.

    Who do these FBI people work for, again?

    Oh, and have you found the people responsible for sending Anthrax to our elected representatives? -- it appears that there are only a few US labs and people that this could be tracked to, should be a piece of cake.

    --
    >>"ad space available -- low rates!!!"
  14. If they need to hire help... by kericr · · Score: 1

    Gary Dourdan might be looking for a new job pretty soon.

  15. Floppy disks? by Anonymous Coward · · Score: 0

    I store my data on reel-to-reel tapes and wax cylinders.

  16. has the WhiteHouse called them in yet .. :) by rs232 · · Score: 1
    --
    davecb5620@gmail.com
  17. Reiser trial proves their incompetence. by chris_sawtell · · Score: 1

    During the recent Hans Reiser trial it was absolutely obvious that the "expert" examiner was completely lost when it came to discovering what was in Hans's Reiser4 file-system. All for want of a boot disk costing $0.89, and the ability to use the mount, find, and grep commands. It's laughable, and it's told me never ever to set foot in that jurisdiction as long as I live.