The fictional characters in the show NCIS are whizzes when it comes to using forensics to find digital evidence. In the real world, very few law enforcement officials have those skills, but that’s changing as more officers go through training at the National Computer Forensics Institute.
Ever since the news of the massive data breach of Target Corporation, people across the country have been watching the details unfurl. Consumers want to know if their accounts are affected, IT and security professionals are waiting to learn precisely how the breach happened, and law enforcement agencies are hoping to get enough evidence to prosecute and convict someone.
With this being such a large case involving the integrity of electronic payments, both the FBI and the U.S. Secret Service are involved in the criminal investigation. Both agencies have experts with extensive training in digital forensics and how to gather evidence that can be used in legal courts to support a conviction.
But what about smaller, lower profile criminal cases that don’t warrant the resources of the FBI and Secret Service? Who investigates them, and what are the chances that the legal system can gather the digital evidence and present it in a way that judges and juries can understand, so that they return a conviction? Those are the burning questions behind the creation of the National Computer Forensics Institute (NCFI) in Hoover, Alabama.
I recently had the opportunity to meet with Barry Page, a prosecutor for the state of Alabama and the Deputy Director of the NCFI. He told me the story of how the federal government is providing training for state and local law enforcement officials, including judges and prosecutors, so our law enforcement system as a whole is better prepared to collect, handle and utilize digital evidence to convict criminals.
According to Page, digital evidence started to become important about 10 years ago. This evidence was not just of computer crimes such as malicious data breaches and identity theft, but also other types of situations – drug deals, murder, etc. – where digital evidence such as phone records or Internet searches could be helpful. For example, consider that geolocation data from a cell phone can help to reveal the location of a suspected criminal – or at least the location of his phone – at a particular time and date. Such information can corroborate an alibi or prove it to be false.
And so it was that investigators and prosecutors began to take notice of the potential of this type of evidence. However, few law enforcement officials knew enough about how to collect and handle this evidence such that it could legally be used to support the case work. Just as there are proper methods to work with fingerprints, DNA and other types of physical evidence, there are legally defensible ways to collect and preserve digital evidence. Unfortunately, few people across the country were properly trained in these methods, and their case loads were overwhelming.
The U.S. Department of Homeland Security stepped in with funding to establish the National Computer Forensics Institute in order to provide this sorely needed training. The institute provides training for various constituents in law enforcement and the criminal justice system.
Specialty agents from state and local police forces receive intensive computer forensics training where they learn how to extract evidence from computer systems and to detect network intrusions and virus/malware infection. They spend weeks at the institute learning how to use the tools and the proper techniques of their investigations. When these agents complete the course, they take home with them the hardware and software their agency needs to conduct their work. The equipment is actually owned by the Secret Service but it is allocated to the officer for as long as he or she is designated to perform this job.
There is a less-intensive training course for local officers to teach them the basics of digital forensics. They might learn, for example, how to legally request and search cell phone records to trace the whereabouts of a suspect over a period of time.
There are courses for prosecutors and judges, as well. It’s important that prosecutors learn how to present digital evidence during trials so juries can understand the significance of the evidence and determine its bearing on the case. And judges must make rulings from the bench as to whether digital evidence is admissible in court, and they are frequently asked to sign warrants to allow the collection of such evidence in the first place. The NCFI facility actually has a courtroom setting so that prosecutors and judges can practice their roles and hone their skills with expert trainers advising them along the way.
Since it started offering training in 2008, the NCFI has trained about 2,600 people representing all 50 states and three U.S. territories. There is a far greater demand for this unique training than there is budget to provide it. The institute is operating at only a quarter of its capacity due to budget constraints.
Deputy Director Page points out that one of the most valuable aspects of attending training at the institute is the personal network that students develop. This network includes fellow students, instructors and other professional contacts. When the former students have cases where they’re not sure how to do something, there are a lot of people they can reach out to for help. Everyone is trained on the same equipment and learns the same protocols, how to do reports and such, so they share a consistent base in the language they speak and the actions they take.
The curriculum originates from the Secret Service and is enhanced through real-world situations and investigations by the Electronic Crimes Task Force, which is co-located with the NCFI. Content is continuously updated to ensure that the students are learning what is current today.
All of this training has had a big impact on law enforcement in this country. According to Page, “Our capabilities are probably way ahead of what the resources are in terms of prosecuting people. Certainly now we are in a better position to prosecute cases that are happening domestically. When we have somebody in this country that is doing the crime, it is much easier to get our hands on them and prosecute them than it used to be.”
Linda Musthaler (LMusthaler@essential-iws.com) is a Principal Analyst with Essential Solutions Corp., which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.