Feds eye private forensics help

Faced with understaffed offices and a growing case backlog, federal agencies sifting through computers for evidence of crime may find relief with the opening last week of what observers believe to be the first private-sector computer forensics laboratory.

Many agencies, from the FBI to the U.S. Postal Service, have computer forensics labs, where they pluck digital evidence from computers seized at crime scenes. But these agency labs are usually sparsely staffed, and the larger ones are still months behind in examining computer-based evidence, said Lewis Larson, managing director of secure solutions for Per-Se Technologies, a unit of Atlanta-based Medaphis Corp.

With the opening of the new lab, federal agencies will be able to hand off more of their computer forensics work to the private sector, alleviating investigation backlogs, Larson said. "Basically, [agencies] are very overloaded. They just don't have the time, the space, the manpower to expand what they have," said Larson, who claims the FBI faces an 18-month backlog of computers to examine for evidence.

FBI spokesman Paul Bresson said Larson's estimate for his agency sounded high and that it is difficult to gauge the agency's backlog because computer forensics operations are highly decentralized within the FBI. The agency has computer forensics investigators at 45 of its 56 field offices, according to Bresson. He also said he doubts the agency would do much outsourcing of computer forensics work, and if it did, the outsourcing would be for technical reasons, not to alleviate a backlog.

"The only way we'd outsource is if there were some sort of technical issue that we would want to consult with," Bresson said.

But Eugene Illovsky, assistant U.S. attorney for the eastern district of California, said computer-based evidence is becoming more and more prominent in criminal cases. He estimated that about 20 percent of cases he sees today involve digital evidence, whereas only about 10 percent of cases would have involved computer evidence five years ago. "I think that what we're seeing with personal computers becoming less expensive [is that] people use them more— not only for legitimate purposes. They use them for illegitimate purposes as well," he said. "You find situations where more and more drug dealers who used to keep their records of transactions on paper now keep their transactions on laptop computers."

The evidence that investigators are looking for on computers runs the gamut from narcotics dealers' supplier lists to stolen top-secret documents. But the criminals, whether high-tech street thugs or federal employees who are pilfering data, often digitally disguise information they do not want others to see.

Per-Se's lab analysts, some of whom have served with the National Security Agency, the CIA and the Air Force's special investigations branch, will use a series of tools to sift through data on hard drives and other digital media to find files that a suspect thought he had disguised or deleted, said lab director James Holley. Although a criminal may think he has deleted a file, such as an image of child pornography or sensitive information gleaned from an agency's systems, analysts still can find the data on the hard drive or disk that the criminal used.

At the Per-Se lab, analysts make an exact copy of the software on which a federal investigator suspects digital evidence may reside. The analysts then can use software tools to sift through the copy to determine whether documents are what they appear to be. Common off-the-shelf applications are of known sizes, and if one of Per-Se's software tools determines that an application is bigger than it needs to be, chances are the criminal may have hidden information in the application itself.

The Per-Se lab opened last week against a backdrop of increased awareness of computer crimes from hacking to data theft. Federal officials involved in untangling the data that resides on suspect computers showed some interest in the lab.

Federal agencies "are ripe targets for computer espionage because we have copyrighted and sensitive data," said Randy Bishop, a Pacific Northwest Laboratory worker assigned to the Energy Department as a senior security program manager. "This is definitely a capability that we would want to look into.... Outsourcing, I think, is the way to go." Bishop said DOE now investigates computer-related crimes on an ad hoc basis at an agency lab.

Patrick Schambach, chief information officer for the Bureau of Alcohol, Tobacco and Firearms, said his agency has only one full-time staff member performing computer forensics work and faces a backlog of nearly two months' worth of work. And ATF officials encourage agents to seize computers as evidence because agencies are finding that criminals are increasingly relying on computers to commit crimes.

But not all of the computer evidence must be examined immediately, Schambach said, explaining that court dates often influence how soon evidence is inspected. He also said outsourcing computer forensics work is "not out of the question" for his agency, but ATF is more apt to focus on training more of its people to sift through computer evidence.

Schambach also said ATF would have to sort through questions of who has access to and control of evidence before deciding to outsource computer forensics work to a lab. The Per-Se lab offers tight security, which includes a specially built ceiling and ventilation system that were designed to rebuff would-be burglars. Per-Se officials also have battened down the lab door with three locks, and they keep evidence tucked away in safes.

The cost may dissuade agencies from outsourcing their computer forensics work, said Christopher Stippich, supervisor of the computer crime section at the National White Collar Crime Center.

Stippich said that although computer forensics will become an increasingly important field as more criminals become technologically literate, the cost of computer forensics work is high. "At about $200 to $500 per hour, that's out of the reach of an awful lot of agencies to spend on cases," he said. Outsourcing forensics might prove to be a worthy investment for an agency's high-profile or urgent investigations, he said.

John Cross, director of law enforcement solutions for Per-Se, said lab costs to agencies will vary based on the difficulty and size of a forensics task. He said an agency that has a 2G hard drive to be analyzed could pay a General Services Administration schedule rate of about $800 for one day's worth of initial lab work.