Earlier this month, federal authorities announced the largest computer hacking case ever processed by the Justice Department: the indictments of 11 people who allegedly stole more than 40 million credit- and debit-card numbers from at least nine major U.S. retailers. Local law-enforcement agencies frequently are the first responders when individuals and organizations report credit-card fraud and identity theft. Von Welch and Randy Butler, the co-directors of the Cybersecurity Directorate at the U. of I.'s National Center for Supercomputing Applications, work with law-enforcement agencies in investigating crimes that occur in cyberspace. They discussed their work with News Bureau reporter Sharita Forrest.
What challenges do local law-enforcement officers face in investigating computer-related crimes?
Welch: The problem is that the patrol officers who are the first responders on these computer crimes don't have expertise (with computers). Like any other crime scene, that first moment of contact is critical, and they've got to gather as much evidence as possible. Usually there's someone back at police headquarters who knows something about computers, but by the time they're involved, it's too late to get the evidence. We're developing a tool called Live Computer Capture and Triage Tool that helps them do that.
How does the tool work and how does it help officers investigate cyber crimes?
Butler: It's a program on a USB drive that the officer plugs into the computer, and all the expertise they need is to be able to do that and to use the keyboard. The program runs and captures information on about 30 things, such as processes that are running, registry entries related to instant-messaging clients, software that's installed on the computer and open network connections. The information may or may not be relevant to each individual case, but the cross-correlation with other information that's gathered could be pretty valuable in the investigation. You have only one opportunity to get that information, so you need to get it early.
Welch: Once that's run, a graphical interface - or wizard - pops up that asks the officer what type of crime they're investigating, and then walks them through the process of gathering information, such as e-mail messages and saving them to the USB drive. It replicates the knowledge that a computer expert would have in that situation and lets the officer capture what they need. They then take the USB drive and data back to their computer expert to examine and decide if it's something they need to follow up on. This way, all that information from that initial contact isn't lost.
Butler: What we've found from interviewing law-enforcement agencies and working with them on investigations is that oftentimes the data they need to capture is sitting on a server somewhere else - it's Web-based e-mail or it's on a social networking site. Even a computer expert isn't going to be familiar with every possible scenario, so that's why law-enforcement agencies need a process that walks novice users through getting the information. We're trying to simplify that for them.
Are there similar products available, and how is this tool different?
Butler: I think the thing that differentiates this tool from related products is the wizard, which takes over and walks the first-responder through gathering evidence according to various scenarios: e-mail threats, instant-messaging or social networking.
Have you tested it with your users and, if so, what was their reaction?
Welch: We had a patrol officer and an investigator from the Urbana Police Department work through a couple of scenarios with a prototype. Now we're taking that feedback and figuring out the priorities for improving the tool. We'll be repeating that a number of times with different law-enforcement agencies over the next year, when we plan to have the final product available.
Butler: The test with the Urbana police was a real success because we got great feedback. They were really excited about it and were asking when they could get access to it.
Did the tool evolve from working on cases with law enforcement or was it something they requested?
Welch: It was a combination of working day-to-day with colleagues in the FBI, particularly Special Agent Brad Sheafe, who has since retired, and currently with Special Agent Dominique Evans. Sheafe was one of the FBI's cyber agents, and he worked with a lot of colleagues who were not computer experts, so he knew the woes of investigating these types of cases after someone else had already made the first contact.
Butler: Part of the process of developing the tool was talking to law-enforcement agencies and understanding their needs and requirements. NCSA has always had the overall mission of delivering supercomputing to the nation's scientific and engineering communities and making it usable. Security is a microcosm of that. We're also taking scientific workflows and adapting them for use by law enforcement investigators, developing a secure environment that will allow law enforcement agents to investigate, collaborate, share data and communicate with each other remotely.
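The live-capture step Butler describes (volatile data pulled to a USB drive in one pass, then handed to an examiner) can be sketched as a small collector that also hashes each artifact into a manifest so the examiner can confirm nothing changed in transit. This is an added illustration, not the NCSA tool's code; the OS commands, the three artifact categories and the file layout are assumptions chosen for the example.

```python
import hashlib
import json
import pathlib
import platform
import subprocess
from datetime import datetime, timezone

# Assumed OS commands for three of the volatile artifacts the interview names
# (processes, open network connections, installed software); the real tool
# captures roughly 30 categories, this sketch shows the pattern.
COLLECTORS = {
    "processes": {"Windows": ["tasklist", "/v"], "default": ["ps", "-ef"]},
    "network": {"Windows": ["netstat", "-ano"], "default": ["netstat", "-an"]},
    "software": {"Windows": ["wmic", "product", "get", "name,version"],
                 "default": ["sh", "-c", "dpkg -l 2>/dev/null || rpm -qa"]},
}

def run_collector(name: str, system: str = None) -> bytes:
    """Run the collector for this OS; a failure is recorded, never fatal."""
    system = system or platform.system()
    cmd = COLLECTORS[name].get(system, COLLECTORS[name]["default"])
    try:
        res = subprocess.run(cmd, capture_output=True, timeout=60)
        return res.stdout + res.stderr
    except (OSError, subprocess.TimeoutExpired) as exc:
        return f"collector {name} failed: {exc}".encode()

def record_artifact(evidence_dir, name: str, data: bytes, artifacts: dict) -> str:
    """Write one artifact to the evidence dir and log its SHA-256 and UTC time."""
    out = pathlib.Path(evidence_dir) / f"{name}.txt"
    out.write_bytes(data)
    digest = hashlib.sha256(data).hexdigest()
    artifacts[name] = {"file": out.name, "sha256": digest, "bytes": len(data),
                       "captured_utc": datetime.now(timezone.utc).isoformat()}
    return digest

def collect_all(evidence_dir) -> dict:
    """First-responder step: capture every artifact and write manifest.json."""
    evidence_dir = pathlib.Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"host": platform.node(), "os": platform.platform(), "artifacts": {}}
    for name in COLLECTORS:
        record_artifact(evidence_dir, name, run_collector(name), manifest["artifacts"])
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_manifest(evidence_dir) -> bool:
    """Examiner step: True only if every artifact still matches its recorded hash."""
    evidence_dir = pathlib.Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return all(hashlib.sha256((evidence_dir / a["file"]).read_bytes()).hexdigest()
               == a["sha256"] for a in manifest["artifacts"].values())
```

Running `collect_all("/media/usb/case-001")` on the machine being triaged produces the artifact files plus `manifest.json`; `verify_manifest` on the same directory later reports whether the capture is intact.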