Defense Cyber Crime Center | |
---|---|
Formed | 1998 |
Headquarters | Linthicum, Maryland |
Parent agency | Department of Defense |
Website | www.dc3.mil |
The Department of Defense Cyber Crime Center (DC3) is a United States Department of Defense agency that provides digital forensics support to the DoD and to other law enforcement agencies. DC3's main focus is on criminal, counterintelligence, counterterrorism, and fraud investigations from the Defense Criminal Investigative Organizations (DCIOs), DoD counterintelligence groups, and various Inspector General groups. The Air Force Office of Special Investigations is the executive agent of DC3.[1]
DC3 is an agency that houses six government directorates including: Defense Computer Forensics Laboratory (DCFL), Defense Cyber Investigations Training Academy (DCITA), Defense Cyber Crime Institute (DCCI), DOD - Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE), National Cyber Investigative Joint Task Force - Analytic Group (NCIJTF-AG) and Futures Exploration (FX). However, from the onset, there was just the forensics lab and the training academy, both initiated by the Deputy Undersecretary of Defense, John Hamre in 1998.[2] DC3 was constructed in October 2001 to house both DCFL and DCITA, and to support the creation of the Defense Cyber Crime Institute (DCCI).
Mission Statement:[3] To deliver superior digital forensics and multimedia lab services, training, research, development, testing and evaluation capabilities supporting cyber counterintelligence and counterterrorism, criminal investigations, intrusion forensics, and information operations for the Department of Defense.
Vision Statement: Dominate mission space with technical innovation and standards for DoD digital forensics while delivering superior digital forensics capabilities to DoD criminal investigative, counterintelligence, counterterrorism, intelligence, safety, information assurance, and critical infrastructure protection communities. Develop a reputation for collaboration and excellence that will gain partners from U.S. federal agencies, international allies, academia and private professional organizations.
The Defense Computer Forensics Laboratory (DCFL) is a world class accredited digital forensics laboratory.[4] On 8 September 2005, the American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB) accredited the DCFL as part of its nascent digital forensics regime.[5] DCFL's mission is to provide the DoD with digital forensic services, as well as expert testimony. The DCFL has organized digital forensic examinations within an industrial process that is unmatched elsewhere in terms of its scope.[4]
The laboratory provides forensics services to the Defense Criminal Investigative Organizations (DCIOs), and other partners, to analyze and report on digital media seized in investigations. The lab handles a variety of cases including:
Major Crimes and Safety
The Major Crimes and Safety Section performs forensic exams that involve cyber crimes and fraud committed against people and property.
Counterintelligence/Counterterrorism
The Counterintelligence/Counterterrorism Section specializes in cases that involve security violations, laptop loss-of-control investigations, espionage, steganography, classified information, and support for the war on terrorism.
Intrusions and Information Assurance
The Intrusions and Information Assurance section performs forensic exams on computers involved in "hacker" investigations and provides case agents with relevant leads to identify the intruder, the tradecraft used, and the damage done.
Imaging and Extraction
The Imaging & Extraction section performs forensic imaging (copying) on all original types of electronic media. This includes hard drives, floppy diskettes, CD, PDA, mobile phones, GPS, and all tape formats. They also have the capabilities to repair hard drives, and in some cases repair mutilated diskettes.
Audio/Video Enhancement
The Audio/Video Enhancement section performs A/V forensics support for DoD Law Enforcement and the DoD Safety Community that investigates mishaps and accidents.
During its 2007 fiscal year, the lab processed 758 cases, resulting in over 171 terabytes of examined media.[6]
The Defense Cyber Investigations Training Academy (DCITA) is a nationally accredited[7] educational academy that researches, develops, and delivers training in cyber investigations for the DoD, military counterintelligence groups, federal law enforcement, and other law enforcement organizations. DCITA's mission is to provide cyber investigation training to individuals and DoD elements that must ensure Defense information systems are secure from unauthorized use, counterintelligence, and criminal and fraudulent activities.[8] DCITA students receive hands-on training in classrooms, as well as online distance learning. DCITA follows the COE and ACE accreditation standards leading towards DC3 certification.
DCITA is nationally accredited by the Council on Occupational Education,[9] and features multiple courses accredited by the American Council on Education, allowing them to be eligible for college credits.[10] Due to its accreditation, the Academy changed its name on 1 October 2006 from its previous name of the Defense Computer Investigations Training Program (DCITP).
DCITA provides 25 courses that cover every aspect of cyber investigations.[11] Topics include: incident response, Windows-based forensics, and network intrusions in Windows, Linux, and Solaris Unix environments. Niche topics are also provided for undercover Internet investigations, Macintosh forensic recovery, log analysis, large data set acquisition, and network exploitation.
Types of Training
Certification Program
DCITA offers the following three levels of certification:
Certified Digital Media Collector: Personnel who are the first to respond, secure, preserve, and/or collect digital evidence at crime scenes. Requirements include successful completion or test-out for both the Introduction to Networks and Computer Hardware and the Computer Incident Responders Course. To maintain certification, every two years personnel must conduct at least three acquisitions of digital media or information and attend a minimum of 40 hours of approved continuing education training.
Certified Digital Forensic Examiner: Personnel for whom examination or analysis of digital media are major components of their routine duties. Requirements include successful completion or test-out for the Introduction to Networks and Computer Hardware, the Computer Incident Responders Course, and Windows Forensic Examinations. To maintain certification, every two years personnel must conduct at least three examinations of digital media or information and attend a minimum of 40 hours of DCITA-approved continuing education training.
Certified Computer Crime Investigator: Credentialed law enforcement/counterintelligence personnel who investigate all elements of computer crime, including the examination and analysis of digital evidence. Personnel must also be graduates of a DCITA-recognized law enforcement or counterintelligence training facility (e.g. Federal Law Enforcement Training Center (FLETC), Army Ft. Huachuca, etc.). Requirements also include successful completion or test-out for the following:
To maintain certification, every two years personnel must conduct at least three acquisitions and examinations of digital media or information per year and attend a minimum of 40 hours of approved continuing education training.[12]
The Defense Cyber Crime Institute (DCCI) was formed in May 2002 to establish legal and scientific standards for digital forensics. DCCI serves as a resource for sound research to produce unique tools and procedures for the DoD law enforcement and counterintelligence communities. DCCI's core mission is to:
Research & Development
DCCI serves as a knowledge resource in the area of cyber forensics and related technologies for the research and development of computer forensic tools and related technologies supporting DoD intelligence and federal law enforcement communities.
To advance state-of-the-art cyber forensics, DCCI partners with academic institutions, industry, and government organizations:
Develops digital forensic tools to increase the effectiveness and efficiency of DoD intelligence and federal law enforcement:
Research innovative digital forensic tools and ideas to provide DoD intelligence and federal law enforcement personnel with novel solutions:
Capabilities:
Testing & Evaluation/Validations
DCCI develops, analyzes, and tests cyber forensics related tools, techniques, and processes used in criminal and counterintelligence investigations, information assurance, and information operations. T&E assures validated tools, techniques, and processes are accurate, reliable, and repeatable.
DCCI Cyber Files
As DCCI completes hardware and software testing, summaries of the projects are listed in the DC3 Cyber Files, which are publicly accessible at www.dc3.mil. Governmental organizations can request a report by contacting FX at 410.981.1037.
The DoD - Defense Industrial Base Collaborative Information Sharing Environment, DCISE, is a focal point and clearing house for referrals of intrusion events on Defense Industrial Base (DIB) unclassified corporate networks. The DCISE is a collaborative operational information sharing environment among multiple partners that produces threat information products for industry partners with reciprocal responsibilities providing notice of anomalies and sharing of relevant media.
The National Cyber Investigative Joint Task Force - Analytical Group (NCIJTF-AG) mitigates, neutralizes, and disrupts cyber intrusions presenting a national security threat. The Analytical Group (AG) synthesizes a common operating picture of hostile intrusion related activity to aid investigations, review all source data, and deliver timely reporting. NCIJTF-AG also works to develop a common operating picture to shrink the cyber counterintelligence OODA Loop.
Futures Exploration is the outreach function of DC3 that works to increase organizational potential by marketing the capabilities and activities of DC3 and its people to external audiences and communities. FX works to build strategic partnerships for the development and sharing of better digital forensic tools and techniques among Department of Defense organizations, federal agencies, state and local law enforcement, international partners, the private sector, and academic institutions. The Futures Exploration (FX) mission is to take DC3 and its subordinate organizations into the future seamlessly and continuously, branding the DC3 name in the larger community to keep DC3 on the leading edge, recognized as the Center of Excellence for digital forensics, cyber investigations, and cyber security. This is accomplished through the application of knowledge management and development of strategic relationships with other government agencies, private sector, academia and international partners by pioneering digital forensics intelligence, and by expanding outreach and information sharing among law enforcement communities.[14]
Futures Explorations coordinates the following:
DC3 develops and hosts an annual Cyber Crime Conference.[15] This conference covers all aspects of computer crime and incident response: intrusion investigations, cyber crime law, digital forensics, information assurance, as well as the research, development, testing, and evaluation of digital forensic tools. The conference has changed location multiple times since its inception in 2001, but it is usually held in January. In 2011, the conference moved to Atlanta, Georgia to host the 10th annual Cyber Crime Conference. The conference had over 1220 attendees, approx. 220 speakers, anywhere from 16-20 concurrent tracks, 530 people trained, and an offsite classified session with 225 individuals in attendance. Plenary Session speakers were Hon. Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President; Mr. Alan Paller, SANS; Mr. Ovie Carroll, Director, CCIPS Cybercrime Lab, US Department of Justice; Mr. Jeffrey Troy, Deputy Assistant Director, FBI for Cyber; and Mr. John T. Lynch, Principal Deputy Chief of the Computer Crime and Intellectual Property Section (CCIPS).
Who Can Attend
The 2012 DoD Cyber Crime Conference will return to Atlanta, Georgia January 24-27 with pre-conference training January 20-23 at the Hyatt Regency in Downtown Atlanta, GA.
The DC3 Digital Forensics Challenge is an annual contest, launched in 2006, that allows for public competition to solve many challenging forensic issues. Each team is given a window of approximately eight months to determine solutions to as many of the issues as possible. The total solutions and efforts are graded to determine the winning entry. The winning team is awarded with a paid trip to the Defense Cyber Crime Conference.
The 2006 Challenge provided unique tests that included: Audio steganography, real vs. computer generated image analysis, Linux LVM data carving, and recovering data from destroyed floppy disks and CDs. With 140 teams total, and 21 submissions entered, AccessData won the 2006 event.[16]
The 2007 Challenge introduced new topics, such as: Bitlocker cracking and recovering data from destroyed USB thumb drives. With 126 teams competing, and 11 entries submitted, a team of students from the Air Force Institute of Technology won the event.[17]
Beginning with the 2008 Challenge, the contest was broken into four skill levels: Novice, Skilled, Expert, and Genius. New challenges included: detection of malicious software, partition recovery, file header reconstruction, Skype analysis, and foreign text identification and translation. With 199 teams competing, and 20 entries submitted, the competition was won by Chris Eagle and Tim Vidas of the Naval Postgraduate School. The 2008 Challenge also marked the first time that all results were released publicly.[18]
A total of 1,153 teams from 49 states and 61 countries applied to enter the 2009 DC3 Challenge. This is an increase from the 223 teams from 40 states and 26 countries entered in 2008. Of that number of teams in 2009, 44 teams submitted solution packets back to FX for grading.[19]
2009 Sponsors
SANS Institute for the U.S. High School and U.S. Undergraduate prizes
The SysAdmin, Audit, Network, Security (SANS) Institute is the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system - Internet Storm Center. SANS is also a sponsor in the Center for Strategic & International Studies US Cyber Challenge.
IMPACT for the Non-U.S. prize
The International Multilateral Partnership Against Cyber-Threats (IMPACT) and the Department of Defense Cyber Crime Center have partnered to provide a Digital Forensic Challenge opportunity for non-U.S. entries. This opportunity will provide an international aspect to a previously U.S.-based event and allow additional insight into global methods to fight cyber crime.
2009 Winners' Circle
With the four available prizes for 2009, the official winners of the Challenge were:
Prize | Team | Points |
---|---|---|
DC3 Prize (U.S. Winner) | Little Bobby Tables | 1,772 |
SANS Prize - High School (U.S.) | pwnage | 1,309 |
SANS Prize - Undergraduate (U.S.) | WilmU | 1,732 |
IMPACT Prize (International & Overall) | DFRC | 2,014 |
A total of 1010 teams from 51 states and 53 countries applied to enter the 2010 DC3 Challenge. This is a 12% decrease in team applications from 1,153 teams from 49 states and 61 countries entered in 2009. Of that number of teams in 2010, 70 teams submitted solution packets back to FX for grading. This is a 59% increase in the number of submissions returned to the DC3 Challenge from 2009 with 44 submissions returned.[20]
2010 Sponsors
New in 2010, several new sponsors provided additional prizes to allow for multiple winners:
SANS Institute for the U.S. High School and U.S. Undergraduate prizes
IMPACT for the Non-U.S. prize
The winner(s) of the International category from an IMPACT-member country will be eligible to fly to Malaysia for a tour of the IMPACT facility in Cyberjaya, official presentation of a commemorative plaque and potential grants of EC-Council and SANS courses.
EC-Council for US Government, US Military, Commercial, and Civilian individual prizes
The International Council of Electronic Commerce Consultants (EC-Council) is a world leader in Information Security Certification and Training. With over 450 training locations for its information security courses in over 60 countries, it is a world leader in technical training and certification for the Information Security community. It is a trusted source for vendor-neutral Information Security training solutions. EC-Council and DC3 have partnered to expand prize award opportunities for the DC3 Digital Forensic Challenge. EC-Council will sponsor the categories of:
The winning teams of the Civilian, Commercial, Government, and Military categories will receive the following prizes for up to 4 members from the EC-Council:
JHU for Community College Participants
The Johns Hopkins University (JHU) Carey School for Business, as part of CyberWatch, will be awarding a prize for the team with the highest score that is also enrolled in a community college.
The Johns Hopkins/CyberWatch (JHU/CW) winning team will be recognized as the academic leader at the U.S. Community College level. The winning team members will also be presented with an award to mark their outstanding achievement.
UK Cyber Security Challenge
Cyber Security Challenge UK and DC3 have partnered together to provide an opportunity for teams consisting of all UK citizens residing in the UK. The UK Challenge winning team will be offered two prizes from Cyber Security Challenge UK:
2010 Winners' Circle
Prize | Team | Points |
---|---|---|
DC3 Prize (U.S. Winner) | Williams Twin Forensics | 1,470 |
SANS Prize - High School (U.S.) | Crash Override | 361 |
SANS Prize - Undergraduate (U.S.) | Team Name | 1,129 |
IMPACT Prize (International) | DFRC | 3,297 |
EC-COUNCIL Prize (US GOVT) | LBPDCCID | 409 |
EC-COUNCIL Prize (US Military) | Batcheej | 88 |
EC-COUNCIL Prize (Commercial) | Little Tree | 1,791 |
EC-COUNCIL Prize (Civilian) | William Twins Forensics | 1,470 |
JHU Prize (Community College) | PWNsauce | 84 |
UK Cyber Security Challenge | Mine Inc | 352 |
The 2011 Challenge, currently underway, has more than doubled its sponsors. Sponsor announcements will be rolled out in the near future. As of 11 May 2011, 779 teams from 44 countries (including the United States) have registered since the challenge kickoff on 15 December 2010.[21]
To assist the DoD in cyber investigations, various tools and utilities have been written by agencies within DC3, and some have been released publicly. One of the most prominent of these tools is dcfldd,[22] a modification of the Unix dd utility to include a progress bar, pattern-based disk wiping, and inline data hashing. The dcfldd utility is maintained by Nick Harbour, who had previously worked at DCFL while developing the tool.
DC3 continued development of the dcfldd utility with a new effort, dc3dd.[23] This new version is based upon standard modifications to the existing dd application, instead of continually rewriting the utility for each dd release. This development style allows dc3dd to plug its functionality into the latest dd version.