
Communications of the ACM

Next-generation cyber forensics

State and Local Law Enforcement Is Not Ready For a Cyber Katrina


The nation witnessed a dismal response to Hurricane Katrina last September, and a hurricane of a different dimension still hovers over the infrastructure of U.S. computer networks. Cyber Katrina, if you will, is poised to hit the U.S., and authorities are indeed not ready [2, 5] to handle the aftermath. Today there are simply not enough law enforcement officers at the state level with the computer forensics and computer crime investigative skills needed to protect their part of the infrastructure.

This report is based on the non-classified portion of our work to develop and implement a state-based computer security incident response that includes computer forensics. In a survey of 530 law enforcement agencies in the Midwest U.S. states, we found that only a handful of personnel in each of the surveyed states have even a basic understanding of computer forensics (see the accompanying table). As a result, the states and major cities carry an average case backlog of 6–12 months.

The National Strategy to Secure Cyberspace makes improving the nation's response to cyber incidents and reducing potential damage the top priority [9]. But at the state level, the response is handled by different agencies that do not necessarily coordinate. Moreover, the blueprint for the response is predominantly technical (it addresses how to bring the computer networks back online).

The Multistage Intelligence and Analysis Sharing Center (MSISAC) is a state-level organization set up to serve as a critical point of contact between the states and the federal government. MSISAC focuses primarily on technical responses without any consideration of computer forensics and computer-crime investigation needs [8].

Individual organizations responsible for responding to a statewide computer network incident affecting the infrastructure find it difficult to implement a response with computer forensics as the main focus due to the following reasons:

  • Knowledge of computer forensics within the law enforcement community is very limited. None of the key elements of computer forensics—identification, preservation, analysis, and presentation—are performed uniformly by law enforcement. This leaves investigators uncertain whether their digital evidence will withstand judicial scrutiny if the matter goes to trial [4].
  • There is limited legal support trained in computer forensics law. For admissibility in court, computer forensics evidence must carry a chain of custody showing that no inadvertent or purposeful contamination occurred. Because state services lack legal experts trained to prosecute computer crimes using the results of computer forensics, law enforcement officers find themselves working on non-prosecutable cases [4].
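The chain-of-custody requirement above is easy to state and easy to get wrong in practice: a custody record must let a court check both that the evidence itself was not altered and that the record of who handled it was not altered after the fact. The following Python is an added example, not code from the article or its authors. It models a custody log in which every entry records the SHA-256 of the evidence image and a hash link to the previous entry, so contamination of the evidence and tampering with the log are each detectable and distinguishable. The case id, custodian names, timestamps and the evidence bytes are all constructed for the example.

```python
"""Tamper-evident chain-of-custody log for a piece of digital evidence.

Added example (not from the article). Each custody entry stores the SHA-256
of the evidence at that step and the SHA-256 of the previous entry's
canonical form, so verification can tell "evidence changed" apart from
"log altered". All names, timestamps and evidence bytes are constructed.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    seq: int                 # 1-based position in the log
    timestamp: str           # ISO-8601 string supplied by the caller
    custodian: str           # who held or handled the evidence
    action: str              # identification / preservation / analysis / presentation
    evidence_sha256: str     # hash of the evidence image at this step
    prev_entry_sha256: str   # hash of the previous entry ("" for the first entry)

    def canonical(self) -> bytes:
        # Stable serialization so the entry hash does not depend on field order.
        return json.dumps(asdict(self), sort_keys=True).encode()

    def digest(self) -> str:
        return sha256_hex(self.canonical())


class CustodyLog:
    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries: List[CustodyEntry] = []

    def record(self, timestamp: str, custodian: str, action: str, evidence: bytes) -> CustodyEntry:
        """Append a custody step, hashing the evidence as it exists right now."""
        prev = self.entries[-1].digest() if self.entries else ""
        entry = CustodyEntry(len(self.entries) + 1, timestamp, custodian, action,
                             sha256_hex(evidence), prev)
        self.entries.append(entry)
        return entry


def verify_chain(log: CustodyLog, evidence: bytes) -> List[str]:
    """Return a list of problems found; an empty list means the chain is intact."""
    problems: List[str] = []
    current = sha256_hex(evidence)
    expected_prev = ""
    for i, e in enumerate(log.entries, start=1):
        if e.seq != i:
            problems.append(f"entry {i}: sequence gap")
        if e.prev_entry_sha256 != expected_prev:
            problems.append(f"entry {i}: link to previous entry broken (log altered)")
        if e.evidence_sha256 != current:
            problems.append(f"entry {i}: evidence hash mismatch (evidence changed)")
        expected_prev = e.digest()
    return problems


def build_sample_log() -> Tuple[CustodyLog, bytes]:
    """Constructed case: a disk image passing through three custody steps."""
    image = b"CONSTRUCTED-DISK-IMAGE:" + bytes(range(64))
    log = CustodyLog("CASE-EXAMPLE-0001")
    log.record("2005-09-01T09:00:00Z", "Officer A (seizure)", "identification", image)
    log.record("2005-09-01T10:30:00Z", "Lab Technician B", "preservation", image)
    log.record("2005-09-03T14:00:00Z", "Analyst C", "analysis", image)
    return log, image


def altered_log_copy(log: CustodyLog, seq: int, new_custodian: str) -> CustodyLog:
    """Simulate someone rewriting who handled the evidence at step `seq` after the fact."""
    copy = CustodyLog(log.case_id)
    copy.entries = [replace(e, custodian=new_custodian) if e.seq == seq else e
                    for e in log.entries]
    return copy


if __name__ == "__main__":
    log, image = build_sample_log()
    print("intact chain:", verify_chain(log, image) or "OK")
    print("contaminated evidence:", verify_chain(log, image + b"\x00"))
    print("rewritten custodian:", verify_chain(altered_log_copy(log, 2, "Unknown"), image))
```

The two failure modes produce different findings: a changed image fails the evidence hash at every entry, while a rewritten entry leaves the evidence hashes valid and breaks only the link from the following entry, which points at where the log was altered. In a real deployment the log would be written to append-only storage or signed by each custodian, since a hash chain alone does not stop someone from regenerating the whole chain.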


Possible Solution

The solution we are implementing to this problem takes a two-pronged approach:

Organization. According to the Homeland Security Presidential Directive [3], any incident should be managed by establishing a single comprehensive National Incident Management System (NIMS). As a result of this directive, all federal departments and agencies and all state, local, and tribal governments are required to fully comply with NIMS by FY 2007 (Oct. 1, 2006) in order to be eligible to apply for federal preparedness assistance. This can be accomplished by setting up an Incident Command System (ICS)-based crisis management plan for each response [6].

A Computer Security Incident Response Team (CSIRT) is a viable ICS-based organization to support computer forensics and computer crime investigation processes as well as the technical aspects of a response [7]. It is characteristically a cross-functional team with personnel from law enforcement, academia, and private and public organizations. It can be instrumental in applying the limited personnel with computer forensics and forensics law knowledge to a statewide response and escalation. This resolves the two main issues, mentioned earlier, with including computer forensics in any statewide response.

Processes. In our work with a particular state, we have determined specific investigatory processes that a CSIRT can operate (see Figure 1).

In the "identify and notify" step, initial forensics analysis is done to decide the level and kind of response, and notification is sent to the organizations that can support a cohesive response. This is followed by the "collation and classification" of the new information. In the next step, the "response and escalation" strategy is decided, which may ultimately include involving the U.S. National Guard and the Department of Defense. Computer forensics is used extensively to "analyze, store, and enhance" any evidence obtained in the process. The whole process is undertaken while keeping an overall focus on traditional law enforcement duties such as the safety of life and property.

We have found that these processes are effective and well received because they are based on traditional crime investigation processes, as shown in Figure 2 [1]. In traditional processes, targeting suspects is followed by the collection of data about the suspect, which is then evaluated and analyzed. At every step of the process, the crime investigators keep the prosecutorial aspects in focus.

The initial response to the statewide rollout of the plan has drawn very positive feedback from the federal, state, local, and tribal law enforcement and infrastructure organizations.



Conclusion

A serious shortage of law enforcement officers trained in computer forensics presents a significant challenge to any computer security response plan. A combination of processes based upon traditional investigative procedures supported by a computer security incident response team can utilize the limited resources available and effectively protect citizens from a possible Cyber Katrina.


References

1. Bhaskar, R. and Pendharkar, P.C. Wisconsin Division of Narcotics uses multi-agent information system for drug crime investigation. Interfaces, INFORMS (May–June 1999).

2. Cohn, L. et al. Hurricane of criticism. Business Week (Sept. 19, 2005), New York.

3. Homeland Security Presidential Directive/HSPD-5 (Feb. 2003); www.whitehouse.gov/news/releases/2003/02/20030228-9.html (accessed Nov. 2005).

4. The FBI Bulletin. Computer forensics: Characteristics and preservation (2003); www.findarticles.com (accessed Sept. 2005).

5. Gartner Group. Teleconference on Computer Security (Oct. 2004); www.gartner.com (accessed Oct. 2005).

6. Incident Command System; www.osha.gov (accessed Sept. 2005).

7. Killerece, G. et al. State of Practice of Computer Security Incident Response Teams; www.sei.org (accessed May 15, 2005).

8. MSISAC: Mission and Goals; www.cscic.state.ny.us/msisac/ (accessed Sept. 2005).

9. The National Strategy to Secure Cyberspace (Feb. 2003); www.dhs.gov (accessed Sept. 2005).


Author

Rahul Bhaskar ([email protected]) is director of Forum for Advanced Security Technologies, ISDS Department, College of Business and Economics, California State University–Fullerton, CA.


Figures

Figure 1. Law enforcement computer forensics and computer crime investigation process.

Figure 2. Traditional steps in the law enforcement investigation process.

Figure. Survey of local law enforcement results.



©2006 ACM  0001-0782/06/0200  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
