
Here's a thought

Started by krnlpanick, May 18, 2012, 03:32:21 AM


krnlpanick

With CAP taking CyberPatriot for the last 2 years (go Colorado Wing!) it seems that maybe there is an opportunity for CAP to expand our missions to include CyberSecurity. There are a great deal of areas we could turn this in to an offering - Education? Forensics for Law Enforcement? What else can you think of?
2nd Lt. Christopher A. Schmidt, CAP

Extremepredjudice

We can't provide forensics. No way
I love the moderators here. <3

Hanlon's Razor
Occam's Razor
"Flight make chant; I good leader"

krnlpanick

Why exactly? There are plenty of private firms that provide digital forensics for local, state, and federal agencies - there is absolutely no reason that if we developed training and credentialing to do so that we could not provide forensic services.
2nd Lt. Christopher A. Schmidt, CAP

Extremepredjudice

We don't have the equipment.

Those firms have paid staff. With NDAs. Big difference.
I love the moderators here. <3

Hanlon's Razor
Occam's Razor
"Flight make chant; I good leader"

krnlpanick

My point is that we didn't have the equipment to do DHS missions at one point either - There are federal grant programs specifically designed to provide funding for cyber security initiatives that could be leveraged to fill out the budget and even the possibility to provide further support to the AF Mission in their own Cyber Programs if it were approved. I'm just trying to say that I think we are doing ourselves a disservice by not pursuing this as an extension to our own mission.
2nd Lt. Christopher A. Schmidt, CAP

a2capt

Forensics is not quite defensive in nature. CyberPatriot is a defensive exercise.

Just because "CAP" has won it, doesn't reflect on the entire CAP being able to offer that type of mission/support.

What goes on with CyberPatriot is *nothing* like what goes on out there in the real world intensity wise.

Extremepredjudice

Assuming you are talking about computer forensics. We'd need clean rooms, expensive data recovery equipment, "bunny" suits, couriers, phone service, etc.

I wouldn't trust CAP with sensitive legal information. I wouldn't trust CAP to do a CP case.

This is my college major. No way CAP could execute this.

While the Air Force cyber security program is horrid, using CAP members would just hinder it. The 67th NWW doesn't need CAP members. It needs AD computer people.

CAP members wouldn't be able to keep the tools, infrastructure, and response methods secret.
I love the moderators here. <3

Hanlon's Razor
Occam's Razor
"Flight make chant; I good leader"

krnlpanick

I am *well aware* of what goes on in the "real-world" as the Chief Architect for an Application Security Firm, Project Leader for the OWASP Enterprise Security API and regular speaker at InfoSec conferences :)

Also, what you are learning about in college barely scratches the surface of what happens in the "real-world" - not trying to be a jerk, just stating a fact.

The thread got a little hi-jacked, so I want to bring it back around - Forensics was just one aspect (and I still posit that it is possible, there are many different types and aspects to  - even without bunny suits, that's what drive images are for)

I specifically think there is a lot of opportunity in the education sector, the fact that CAP requires OPSEC prior to using eServices is a lesson itself that a lot of organizations (public and private) could learn from.

I am also familiar with CyberPatriot, and I am in the process of putting together a team for 2013 :)

Other areas I can think of off-hand are Research, Social Engineering Education and User Security (OPSEC Lite if you will)
2nd Lt. Christopher A. Schmidt, CAP

Spaceman3750

Krnl,

I like the concept, but I'm not sure we have enough IT pros in CAP to pull it off. As it stands many of our members can't figure out how to turn on a computer, and many of the pros are too busy with their own projects.

a2capt

Many of them ... ask you for a "Powerpoint Projector" ;-)

(and what, it won't show anything else?)

krnlpanick

There is truth in that statement SpaceMan - but it also opens up the recruiting pool a bit. Last year in Las Vegas, DefconKids was among the most successful programs and has since generated a ton of interest. CP itself has grown exponentially over the last several years. I think that expanding and updating our missions is paramount in not only retaining membership but also attracting new members who may not be interested in Flying or ES. While our current membership may not be "up to snuff" per-se, there is a whole slew of potential cadets that we could tap in to.
2nd Lt. Christopher A. Schmidt, CAP

AirDX

The man has a point.  The Air Force mission now takes place in "Air, Space, and Cyberspace".  Should CAP not follow?  I'm not saying it's easy, I'm not saying anything, because frankly, I'm not qualified in the cyber world in any capacity.  CyberPatriot is an excellent initiative, perhaps we need to look at folding more Cyberspace training into the cadet program in some fashion.  It's an attractant for cadets.

Not offering a solution, just a suggestion.  I'm sure them new-fangled nose wheel airplanes and radios that didn't have a coffee grinder crank got pooh-poohed at the beginning, too.
Believe in fate, but lean forward where fate can see you.

spacecommand

Sure, CAP should get hand-me down ICBMs to help build its fledgling model rocketry program to support the USAF in its space missions.

Seriously though.  Cadet Program wise, we use programs such as model rocketry, cyberpatriot etc to give some exposure to cadets in those particular fields (space, rockets, cyber-security etc) and hopefully some might think this is a particular field they might want to get into in the future.  Just because it is an Air Force mission, our mission is not to actually do cyber-security, nor is it to monitor North Korean missile tests either.


bflynn

It would probably be a good start to make sure our own website is secure first...

krnlpanick

Quote: It would probably be a good start to make sure our own website is secure first...

+1 - word of advice however would be to not go poking through any holes you may run across. The legal and ethical approach is to notify CAP that "Hey I noticed on page X that we are not applying contextual output encoding to data Y which comes from the user - this could leave the site open to XSS attacks. Can you please look into this?"

Quote: Just because it is an Air Force mission, our mission is not to actually do cyber-security, nor is it to monitor North Korean missile tests either.

The point was that the mission should be updated to include cybersecurity - not that it somehow fit into the existing mission. I'm pretty sure aerial surveillance missions weren't always a part of the mission either but there was an opportunity to provide a service and CAP adapted to provide said service.
2nd Lt. Christopher A. Schmidt, CAP

flyingscotsman

I don't see how CAP could provide any real value to any organization providing information security or forensics services. No offense, but it seems like another solution in search of a problem.

I do, however, see a real opportunity for CAP to take advantage of the interest in this topic that the CP program has generated to help educate its members on basic InfoSec principles they can use in their CAP work and personal lives. This would tie in nicely with OpSec. A few examples would be:

Risk mitigation strategies for social media
Wireless network security concepts
Email safety (phishing, attachments, spam reduction/prevention)
Overview of proper firewall & anti-virus use
Password security (uniqueness, changing them, secure tools to keep track of them, keeping them private, etc.)

I'm sure others can come up with a host of other interesting and relevant topics for our members.

Flying Pig

For computer forensics, who would our customers be?  You mentioned LE.  Now you have issues with testifying in court.  What kind of services would we provide to LE in the way of forensics?  Recovering child porn off of hard drives? Retrieving financial data from some drug dealer's laptop?  Researching social media sites, Youtube and everything else to establish flow charts for organized crime connections? The forensics people we have in my agency are all cops.  And they spend days, sometimes weeks in court detailing every keystroke they made in recovering data.   Not trying to turn this into a legal forum.

I specifically think there is a lot of opportunity in the education sector, the fact that CAP requires OPSEC prior to using eServices is a lesson itself that a lot of organizations (public and private) could learn from.

I would hardly consider an online OPSEC course where you hit "Agree" anything to brag about.  That's pretty darn sad if CAP OPSEC has somehow developed a standard in that area!
As far as "surveillance" missions.  I was pretty involved in CD, border missions, training LE in CAP CD.  I never did any surveillance.  In law enforcement, surveillance has a very specific meaning that is often taken out of context. I do surveillance for a living.  We don't do it in CAP.

You're obviously a computer guy.  I don't know anything about forensics, although I have seen first hand what is involved on the LE side.  If you think there is a niche for CAP, explore it.  I don't think there is in the LE world unless your members are prepared to spend hours volunteering for cases that are very time sensitive, meaning "get here now and do this, we have 48hrs before our suspect gets released" and then resulting in possibly spending weeks in trial testifying several years later, being called back 5 years after that for an appeal case.....with no pay.  No thanks.

I think someone would be better off approaching an LE agency as a contractor vs getting CAP involved. 

manfredvonrichthofen

Biggest issue here is that while there are private companies that do forensics, we simply cannot. It is against the law for us as CAP to engage in police investigations. A missing person is one thing: we go out, perform our mission, and if we find the subject deceased, then law enforcement comes on scene. If they deem it a murder investigation, we are completely hands off.

Talking about computer forensics is a whole other matter, for computer forensics to be needed in the first place a crime has to have occurred.

Flying Pig

Quote from: krnlpanick on May 18, 2012, 04:46:19 AM
My point is that we didn't have the equipment to do DHS missions at one point either - There are federal grant programs specifically designed to provide funding for cyber security initiatives that could be leveraged to fill out the budget and even the possibility to provide further support to the AF Mission in their own Cyber Programs if it were approved. I'm just trying to say that I think we are doing ourselves a disservice by not pursuing this as an extension to our own mission.

I can't imagine the nightmare of being a SqCC with forensic equipment assigned to it.  One beat up old 182 and some hand held radios was bad enough!

krnlpanick

Quote: For computer forensics, who would our customers be?  You mentioned LE.  Now you have issues with testifying in court.  What kind of services would we provide to LE in the way of forensics?  Recovering child porn off of hard drives? Retrieving financial data from some drug dealer's laptop?  Researching social media sites, Youtube and everything else to establish flow charts for organized crime connections? The forensics people we have in my agency are all cops.  And they spend days, sometimes weeks in court detailing every keystroke they made in recovering data.   Not trying to turn this into a legal forum.

You make some valid points here, the time-sensitive issue and legal aspects are a completely different ball-game. I suppose we don't generally run into those types of issues during DHS missions - at least the legal side?

Quote: I would hardly consider an online OPSEC course where you hit "Agree" anything to brag about.  That's pretty darn sad if CAP OPSEC has somehow developed a standard in that area!

What did you have to do for your bank when you signed up to use their online banking application? I hardly think that it is completely sufficient, but it is parsecs ahead of where the majority of online applications are (including gov applications).

Quote: I do, however, see a real opportunity for CAP to take advantage of the interest in this topic that the CP program has generated to help educate its members on basic InfoSec principles they can use in their CAP work and personal lives. This would tie in nicely with OpSec. A few examples would be:

Risk mitigation strategies for social media
Wireless network security concepts
Email safety (phishing, attachments, spam reduction/prevention)
Overview of proper firewall & anti-virus use
Password security (uniqueness, changing them, secure tools to keep track of them, keeping them private, etc.)

How are those issues *not* valuable to people outside of CAP - what about training members to go out to schools and do basic security awareness training at schools, or how about establishing a research "division" for a wing that specializes in identifying risks in the tools and processes that we have internally, or as a service provided to the air force to audit a defense contractor application or system? I could go on and on, and I think that the topics you highlighted here are all good candidates for a general security awareness training program but I completely disagree with the "solution searching for a problem" analysis - the problem is quite obviously already here, the decision is whether CAP decides to develop solutions to the existing problem.

And here's yet another idea - Cyber-Surveillance, Social Profiling, etc.  FWIW, the identification and eventual capture of Lulzsec Sabu was a direct result of a citizen using a clever combination of social profiling, digital-footprint forensics, and a little creative trolling then silently releasing the information discovered on the internet for the FBI to find. He was not required to testify (as a matter of fact I highly doubt that the feds even know his identity) - with some proper training, CAP could have easily provided a similar service in a JO with the FBI or anyone else - or even as a CAP Specific Mission and simply provided the information to the authorities.

Our usefulness is only limited by our own imaginations and reservations.
2nd Lt. Christopher A. Schmidt, CAP

jks19714

In some cases, there are government regulations involved.  We (CAP) do not have the training (generally), accreditation and security clearances to begin to do that job.  And insurance is becoming more of an issue.

Dream on.  You won't get past the guard at the front door in a lot of industries (I work in the electrical power utility business in data security and continuity of operations - coming on 35 years).

john
Diamond Flight 88
W3JKS/AAT3BF/AAM3EDE/AAA9SL
Assistant Wing Communications Engineer

abdsp51

There are plenty of alphabet agencies out there to do what you are pitching.  Not to mention the number of legalities involved in conducting any type of audit for or on a govt agency.  And I'll bet you that the FBI knows who said party was since they have an entire section devoted to cyber issues.  Well out of our purview on many aspects.  We need to focus on our core missions and fix/update those.

Flying Pig

The things you're suggesting have very good applications........  for individuals.  I don't see Cyber-anything as a mission CAP needs to be involved in.

If we have members capable of those skills, there are plenty of places to use your skills.  I don't see our DHS missions expanding into computer forensics and cyber security, nor do I see CAP members conducting security training to corporations and government agencies.

Security awareness at schools?  What school?   Good grief Charlie Brown.......I show up to high schools in a flight suit, wearing a gun and a badge,  a very masculine frame and a booming voice flying a turbine helicopter and I can't keep anyone's attention! :o  ( >:D  ha...I said masculine frame)

Again....run with it.  I see validity and a niche for every one of your reasons.  I just don't believe (based on my 20yrs in CAP) that CAP is the spring board for it.  But get a hold of your wing's HS, IT and IG people and see where you can take it.

Eclipse

Quote from: krnlpanick on May 18, 2012, 06:03:58 PM
How are those issues *not* valuable to people outside of CAP - what about training members to go out to schools and do basic security awareness training at schools, or how about establishing a research "division" for a wing that specializes in identifying risks in the tools and processes that we have internally, or as a service provided to the air force to audit a defense contractor application or system? I could go on and on, and I think that the topics you highlighted here are all good candidates for a general security awareness training program but I completely disagree with the "solution searching for a problem" analysis - the problem is quite obviously already here, the decision is whether CAP decides to develop solutions to the existing problem.

External IT training is not a part of our mission, or the USAF's.

Quote from: krnlpanick on May 18, 2012, 06:03:58 PM
And here's yet another idea - Cyber-Surveillance, Social Profiling, etc.  FWIW, the identification and eventual capture of Lulzsec Sabu was a direct result of a citizen using a clever combination of social profiling, digital-footprint forensics, and a little creative trolling then silently releasing the information discovered on the internet for the FBI to find. He was not required to testify (as a matter of fact I highly doubt that the feds even know his identity) - with some proper training, CAP could have easily provided a similar service in a JO with the FBI or anyone else - or even as a CAP Specific Mission and simply provided the information to the authorities.

Surveillance is a Law Enforcement function.  We are not allowed to perform law enforcement functions, nor is the USAF.  The kinds of thing you're suggesting would bring negative attention to us for no gain, not to mention the potential civil and criminal liabilities and penalties for illegally investigating people without legal cause or warrant.

"That Others May Zoom"

lordmonar

While I'll applaud your desire to expand our mission base.
Cyber Security as an ongoing mission beyond just the education/awareness phase....is a lot to chew on.

There are a lot of hoops to jump through.

1) Who would our customers be?   That is...who would be calling for CAP to help secure their network.
2) Legal issues....as soon as you talk forensics...you are talking LE....which brings up Posse Comitatus...which would need to be worked out.
3) Time/effort.....being an on call computer security service would mean that we would have to have a lot of people in each wing trained, willing and able to respond.
4) MONEY, MONEY, MONEY, MONEY.......starting up something like this and expanding it to a national level will mean a lot of money.  Just providing your team with a simple laptop would cost (assuming 50 wings with 50 team members) $1.5M and that's for a low end $500 laptop!
5) Training, Training, Training!  Computer Security is not like SAR....SAR skills have not really changed since we started looking for lost planes....Computer Security is always changing....so not only will you have to do initial training and constantly upgrade that training....you are going to have to manage that training (that is someone at NHQ constantly updating the training as the subject field evolves)....that means more overhead in keeping this mission up than we currently expend on our ES missions.
6) Security Clearances.....even if we do some cheap ole local background checks....when we start asking customers to open their data centers to us.....WE HAVE TO BE DEAD SURE that we are not letting in any bad guys...that means money spent to really check out our people BEFORE they enter the training pipeline.

So.....like I said...it would be cool.  But I don't think it is really feasible.  By all means push it....maybe I'm totally wrong....If you think you can make it work.....do a white paper on it....find some local customers, field a test team....and see what happens.  >:D
PATRICK M. HARRIS, SMSgt, CAP

Flying Pig

^I'd be interested to see the types of people we would recruit who show up wanting to get into the Cyber Surveillance specialty track? Mad boyfriends, scorned house wives...... >:D  "Hello, I want to join and get into surveillance.  Ummmm, can I start in the next hour while my wife is still at work?"

The cyber guys I work with in LE are ALWAYS going to updated training almost monthly to keep up with changing technology and strategies.  And that training AINT cheap!

krnlpanick:
"Our usefulness is only limited by our own imaginations and reservations."


Well, and the law, the USAF, the constitution.......

flyingscotsman

Quote from: krnlpanick on May 18, 2012, 06:03:58 PM
Quote: I do, however, see a real opportunity for CAP to take advantage of the interest in this topic that the CP program has generated to help educate its members on basic InfoSec principles they can use in their CAP work and personal lives. This would tie in nicely with OpSec. A few examples would be:

Risk mitigation strategies for social media
Wireless network security concepts
Email safety (phishing, attachments, spam reduction/prevention)
Overview of proper firewall & anti-virus use
Password security (uniqueness, changing them, secure tools to keep track of them, keeping them private, etc.)

How are those issues *not* valuable to people outside of CAP - what about training members to go out to schools and do basic security awareness training at schools, or how about establishing a research "division" for a wing that specializes in identifying risks in the tools and processes that we have internally, or as a service provided to the air force to audit a defense contractor application or system? I could go on and on, and I think that the topics you highlighted here are all good candidates for a general security awareness training program but I completely disagree with the "solution searching for a problem" analysis - the problem is quite obviously already here, the decision is whether CAP decides to develop solutions to the existing problem.

And here's yet another idea - Cyber-Surveillance, Social Profiling, etc.  FWIW, the identification and eventual capture of Lulzsec Sabu was a direct result of a citizen using a clever combination of social profiling, digital-footprint forensics, and a little creative trolling then silently releasing the information discovered on the internet for the FBI to find. He was not required to testify (as a matter of fact I highly doubt that the feds even know his identity) - with some proper training, CAP could have easily provided a similar service in a JO with the FBI or anyone else - or even as a CAP Specific Mission and simply provided the information to the authorities.

Our usefulness is only limited by our own imaginations and reservations.


Don't you think that CAP has enough of a problem with self-inflicted scope-creep to be adding yet another "mission" to its portfolio? What you bring up here is interesting to me personally, I have a soft spot for this kind of stuff (I have a grad degree in Information Security), but this isn't close enough to be a natural extension of one of our existing missions that we are already pretty spotty on executing sometimes. This isn't a core competency for us. Sure you might have a small number of like-minded members who would be interested in playing cyber-warrior, but there are other industry associations/organizations out there that those individuals could get involved in that are better focused on the areas that comprise "cyber-security" as you put it. There are plenty of organizations that provide educational materials and volunteers to speak to schools, business, etc. on the subjects I've outlined and more, but I'm not saying CAP couldn't do that eventually.

All this blue-sky talk of cyber "surveillance", social profiling, etc., what's the point of making this a CAP-wide mission as opposed to you acting as a private individual? I'm not a lawyer, but surveillance has some legal consequences, which I'm sure would be challenging given our on/off aux status. As others have stated here, we could be dragged in to testify in court, possibly years down the road. What sort of liability protections would we have personally or at the organizational level for our new "mission?" What would our status be in relation to the Posse Comitatus Act?

Now, internally to CAP, as a business leader (and we're a non-profit business after all) I would be somewhat turned off by the idea of developing a cyber-army of volunteers to protect my organization's critical information systems, however well-meaning those volunteers may be. It's the old problem again, you get what you pay for. Now I'm not involved at the NHQ level, and there may very well be volunteers already assisting paid employees with this work, but I'm sure they are a small trusted group.

It's too much of a niche...and we have too many of those as it is.

Extremepredjudice

Quote from: lordmonar on May 18, 2012, 07:23:10 PM
4) MONEY, MONEY, MONEY, MONEY.......starting up something like this and expanding it to a national level will mean a lot of money.  Just providing your team with a simple laptop would cost (assuming 50 wings with 50 team members) $1.5M and that's for a low end $500 laptop!

I believe you mean $39,720,000 for the smallest clean room in each wing. That is what you will need for computer forensics work.


Plus the other equipment, and ongoing costs such as dry ice, bunny suits, filters, etc. Probably a million + a year to operate.
I love the moderators here. <3

Hanlon's Razor
Occam's Razor
"Flight make chant; I good leader"

Eclipse

Quote from: Flying Pig on May 18, 2012, 07:23:38 PM
krnlpanick:
"Our usefulness is only limited by our own imaginations and reservations."

Looks great on a T-Shirt, not so simple in practice.

"That Others May Zoom"

bosshawk

Any way that we can turn this into a uniform discussion?
Paul M. Reed
Col, USA(ret)
Former CAP Lt Col
Wilson #2777

johnnyb47

Quote from: bosshawk on May 18, 2012, 08:05:20 PM
Any way that we can turn this into a uniform discussion?
What would the Cyber Security patch look like?
I vote for a Black Shield with neon-green Mtn Dew Bottle and a pack of cheetos.

In the not too distant future I can see us delving into basic computing and basic programming as part of our AE mission.
Capt
Information Technology Officer
Communications Officer



krnlpanick

Quote from: lordmonar on May 18, 2012, 07:23:10 PM
I believe you mean $39,720,000 for the smallest clean room in each wing. That is what you will need for computer forensics work.

Plus the other equipment, and ongoing costs such as dry ice, bunny suits, filters, etc. Probably a million + a year to operate.

Yes, you need all those things if you A) happen to be living in the mid-late 1990's or B) are acting as a contractor to preserve original devices for LE. Not really even remotely close to what I was suggesting actually. I'm not talking about pulling fingerprints off of a keyboard. Anymore, what generally happens is the OE is stored someplace as evidence, images of the hardware are made (by images I mean exact bit-by-bit copies are made onto virtual devices) and the entire image is shipped as a Virtual Machine to a contractor who performs analysis of the evidence and sends a report back to the investigating agency - the forensics team for the investigating agency will then digest that report and incorporate the findings into evidence. Nothing is done with the OE except in very extreme circumstances to reduce the risk of destroying the evidence. There is a slim possibility that the contractor who performed the forensic analysis can be called by either the defense or prosecution team as an expert witness, but generally contracting organizations will have a specific person assigned to the expert role who testifies if the need arises. Please realize that, like many other aspects of forensics work - CSI is only a TV show. Real forensic scientists don't carry a gun and chase bad guys - they live in a lab and the lion's share don't even work directly for the LE Agencies but rather a contractor to the agencies.

Regardless, this is not the type of forensics work I am talking about - there are many aspects to forensics work, some are investigation centered and the majority are research centered especially in the budding field of digital forensics.

Again, this was just one aspect of my suggestion - but appears to be the one that everyone is using as ammo for shooting the idea down which is fine. The reason I suggested it in the first place is because Forensics is now a part of CP and there is a national need for expertise in the field (which is *why* it is part of CP)

Really I'm just throwing ideas out at the wind here - if nothing else this thread has sparked some interesting conversation that had nothing to do with uniforms or hot sauce.

Now let's talk about what the official CAP Cyber Army Uniform looks like! I vote for all black vinyl with sunglasses and trench coats, like the Matrix (I Jest!)
2nd Lt. Christopher A. Schmidt, CAP

johnnyb47

Quote from: bosshawk on May 18, 2012, 08:05:20 PM
Any way that we can turn this into a uniform discussion?
What would the Cyber Security patch look like?
I vote for a Black Shield with neon-green Mtn Dew Bottle and a pack of cheetos.
Edit: Which leads me to believe there will be a run on BBDU's the second we establish a CYBER-Mission in CAP.

In the not too distant future I can see us delving into basic computing and basic programming as part of our AE mission.
Capt
Information Technology Officer
Communications Officer



krnlpanick

Quote from: bosshawk on May 18, 2012, 08:05:20 PM
Any way that we can turn this into a uniform discussion?

hahah! Great minds.. :)
2nd Lt. Christopher A. Schmidt, CAP

abdsp51

And how is forensics now part of CP?

tsrup

Quote from: abdsp51 on May 18, 2012, 08:19:40 PM
And how is forensics now part of CP?

CP- CyberPatriot


There is a forensics portion of the competition at the national level. 

Some team from Brookings South Dakota took first in that portion in the All Services division this year  ;)




But on topic:

This is a terrible idea.  I can see the headline now:

"Suspected Child Molester Acquitted: CAP blamed for evidence mishandling"

the liability is too grave to even think about stepping into this arena. 
Paramedic
hang-around.

Eclipse

Forensics is not a "part of the CP" - it's part of an optional activity, and only in the most laboratory / academic sense.

We're shooting at the idea because it's not a good idea.

CAP needs to concentrate and stabilize its core missions and competencies, not add things on like a Sears store trying for one last grab at market share.

"That Others May Zoom"

abdsp51

Quote from: tsrup on May 18, 2012, 08:27:54 PM
Quote from: abdsp51 on May 18, 2012, 08:19:40 PM
And how is forensics now part of CP?

CP- CyberPatriot


There is a forensics portion of the competition at the national level. 

Some team from Brookings South Dakota took first in that portion in the All Services division this year  ;)




But on topic:

This is a terrible idea.  I can see the headline now:

"Suspected Child Molester Acquitted: CAP blamed for evidence mishandling"

the liability is too grave to even think about stepping into this arena.

When I see CP I see cadet programs not cyber patriot.  This is not a very fiscally sound idea or practical to our chartered missions.

krnlpanick

FWIW CP == CyberPatriot, not Cadet Program in this case. Apologies for the confusion on the matter.

I think it is also about staying relevant in a changing world. We aren't in the WWII Era anymore, SAR as it has been for decades (at least as far as Air Ops is concerned) is changing. My suggestion is simply a means to remain a valuable asset as an organization. AE is an exciting mission, but I don't see us being too heavily involved in actual space programs outside of a purely theoretical and/or introductory role. As more time passes we lose relevance b/c our mission(s) do not reflect modern needs.

Cadet Programs is a viable mission and will always be relevant (IMHO)
Aerospace Education is viable, but as the industry continues to grow that relevance may drop off unless the mission is updated
Emergency Services is viable for some things, but losing viability in the SAR space due to updates to other areas in the industry (ie UAV)

Cyber is a really big area with no solid definition yet. There are plenty of areas where CAP can make an impact and not only provide a service in the industry but also help to develop the industry.  Regardless of whether it is Training and Education or Forensics R&D, Defense R&D or specialties therein.

Maybe Forensics is a bad idea, but it was a small part of a much larger idea that I suggested.
2nd Lt. Christopher A. Schmidt, CAP

N Harmon

Civil Air Patrol already does cell phone and radar forensics in support of Search and Rescue.
NATHAN A. HARMON, Capt, CAP
Monroe Composite Squadron

Extremepredjudice

 No disrespect, sir. I am going to be blunt in this post.  :angel: :angel:


In a 2002 book Computer Forensics authors Kruse and Heiser define computer forensics as involving "the preservation, identification, extraction, documentation and interpretation of computer data."


Quote
A) happen to be living in the mid-late 1990's
No. Dude, seriously do you have a grasp of what you are talking about? Computer Forensics is data recovery. You need a clean room or you will destroy the drive.

Quote
or B) are acting as a contractor to preserve original devices for LE
Why do you need a clean room to store SEALED HDDs? Seems dumb and a waste of Clean Room space.

Quote
Not really even remotely close to what I was suggesting actually.
Then figure out the actual name of it. Stop calling it Computer Forensics. It is something different.

Quote
I'm not talking about pulling fingerprints off of keyboard.
I don't recall anyone saying this.

Quote
Anymore, what generally happens is the OE is stored someplace as evidence, images of the hardware are made (by images I mean exact bit-by-bit copies are made onto virtual devices) and the entire image is shipped as a Virtual Machine to a contractor who performs analysis of the evidence and send a report back to the investigating agency - the forensics team for the investigating agency will then digest that report and incorporate the findings into evidence. Nothing is done with the OE except in very extreme circumstances to reduce the risk of destroying the evidence.
No. Most of the time, if they hire a contractor they send the physical drive to them. How else do they get the data off of the disc? Overwritten data can only be recovered using the physical disc. Not an image.

Quote
There is a slim possibility that the contractor who performed the forensic analysis can be called by either the defense or prosecution team as an expert witness, but generally contracting organizations will have a specific person assigned to the expert role who testifies if the need arises.
OH GAWD. SM Bagodoughtnuts with no background in the field and no certifications ain't no expert witness. He is some random guy off the street. NO WAY CAP can do this.

Quote
Please realize that, like many other aspects of forensics work - CSI is only a TV show. Real forensic scientists don't carry a gun and chase bad guys - they live in a lab and lion's share don't even work directly for the LE Agencies but rather a contractor to the agencies.
Correct.

Quote
Again, this was just one aspect of my suggestion - but appears to be the one that everyone is using as ammo for shooting the idea down which is fine. The reason I suggested it in the first place is because Forensics is now a part of CP and there is a national need for expertise in the field (which is *why* it is part of CP)
False. It is part of DC3's forensic challenge. Cyber Patriot is only "find vulnerabilities."

Quote
Cyber is a really big area with no solid definition yet. There are plenty of areas where CAP can make an impact and not only provide a service in the industry but also help to develop the industry.  Regardless of whether it is Training and Education or Forensics R&D, Defense R&D or specialties therein.
I'm sorry, but I started laughing. You are kidding right? CAP can't provide **** in the cyber realm. Look at the average site! Do you know what US-CERT does? Can you provide briefings? What about the 67th NWW? On site personnel aren't trusted with the permissions to fix stuff. The 67th NWW does it all.

CAP doing R&D... No. Just no. How could we afford the equipment, have NDAs, have people show up consistently, etc. Oh, and we'd need that clean room we discussed before, too.

Btw
Quote
cy·ber /ˈsībər/
Adjective:
Of the culture of computers, information technology, and virtual reality: "the cyber age".

Quote from: N Harmon on May 18, 2012, 09:30:25 PM
Civil Air Patrol already does cell phone and radar forensics in support of Search and Rescue.
Cite. Radio forensics comes up as this.

No possible way we provide Cell Phone forensics... (see: http://en.wikipedia.org/wiki/Mobile_device_forensics)
I love the moderators here. <3

Hanlon's Razor
Occam's Razor
"Flight make chant; I good leader"

Eclipse

CAP has been a leader in deciphering NTAP data and cell phone tracking for years.  When the AFRCC needs that information, they go to a small group of CAP members.

"That Others May Zoom"

krnlpanick

I have absolutely no problem with bluntness - but it seems perhaps I should resign from my current employer and the Open Web Application Security Project as I apparently have no idea what I am talking about. Again, I jest.

Just to clarify - I also never said "Computer Forensics" - as a matter of fact I specifically referenced "Digital Forensics" several times which is NOT a synonym for Computer Forensics (at least since the 90's)

http://en.wikipedia.org/wiki/Digital_forensics

As mentioned in the heading "Forensic Process" - The first step is Imaging the drive. Why do you need a clean room to work with a copy of the evidence? If you muck it up, you restore to the last snapshot prior to doing so and redo whatever you did to muck it up (pref. without the mucking up part)

As mentioned in the heading "Application" - Digital Forensics is used for a lot of things outside of criminal investigations.

How is collecting forensic data and analyzing it for intelligence (or simply just gathering it and passing it on) any different than taking aerial photographs for DHS?

Quote
In some cases the collected evidence is used as a form of intelligence gathering, used for other purposes than court proceedings (for example to locate, identify or halt other crimes)

Lastly, FWIW - the 2002 definition of Computer Forensics does not simply equate to "Data Recovery" any more than Emergency Services equates to strictly "Air Search and Rescue Ops". Data Recovery is a singular aspect of Computer Forensics and again, this data recovery is rarely, if ever performed against the original equipment. I wouldn't expect people to be shipping hardware to us that had been subjected to a thermite burn-thru - however it is realistic that we could work with images of a device that had already been recovered via a thermite burn-thru.
2nd Lt. Christopher A. Schmidt, CAP

krnlpanick

Quote from: Eclipse on May 18, 2012, 10:11:32 PM
CAP has been a leader in deciphering NTAP data and cell phone tracking for years.  When the AFRCC needs that information, they go to a small group of CAP members.

I was not aware of that - that is pretty cool!
2nd Lt. Christopher A. Schmidt, CAP

Eclipse

Quote from: krnlpanick on May 18, 2012, 10:39:52 PM
Quote from: Eclipse on May 18, 2012, 10:11:32 PM
CAP has been a leader in deciphering NTAP data and cell phone tracking for years.  When the AFRCC needs that information, they go to a small group of CAP members.

I was not aware of that - that is pretty cool!

It looks like the 2006 presentation that discusses the infancy of the software has been taken down, but it was mentioned in the 70th anniversary proclamation:

"WHEREAS, in the past year alone, many of Civil Air Patrol's professional volunteers, backed by CAP's own experts in cell phone forensics and radar tracking experts, left their families and their homes, often in adverse weather conditions, to participate in 1,016 search and rescue missions in which they were credited with saving 113 lives..."

...and the AFRCC made a pretty big deal of the fact that the program is very effective and a CAP initiative.

"That Others May Zoom"

sardak

CAP is not performing cellphone and radar "forensics" in the sense of "forensics" being bandied about in this thread, particularly the Wikipedia definition referenced in an earlier post "Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions."

Our "radar forensics" is taking government furnished radar data, plotting it in specialized software and analyzing the tracks for the target we're looking for. The current software was created by Guy Loughridge at ERM, Inc. http://www.tacticalmapping.com/Software.html His original software was for wildland fire and search and rescue resource mapping. Guy got involved in analyzing radar data in the mid 1990s when the original program CAP had been using became more or less obsolete. That program, Radar ViewPoint, was created by Lance Robinson in California in the Windows 3.11/95 era. At some point he stopped updating it but the website still exists: http://airwaystech.com/rvp/index.htm FYI, there is now a National Radar Team, made up of Guy and several CAP members, FAA and USAF personnel, which provides the radar analysis. The radar information we get from AFRCC on a search doesn't come just from Guy.

Justin Ogden performs the CAP "cellphone forensics." He gets cellphone log data, which includes tower and sector information, time, coordinates, etc. from the cellphone providers and like Guy, plots and analyzes it using specialized software. Justin gets the same data local law enforcement agencies can get. No one in CAP is tearing apart phones or taking information directly from SIM cards or raw phone information.

The term "forensics" in what CAP is doing with cellphones and radar could just as easily be applied to Sarsat data, but no one talks about CAP doing Sarsat or distress beacon "forensics."

Mike

Eclipse

CAP performs the types of "forensics" which are applicable to its mission, and does it very well.

The word has more than one meaning.

"That Others May Zoom"

krnlpanick

Quote from: sardak on May 18, 2012, 11:49:30 PM
CAP is not performing cellphone and radar "forensics" in the sense of "forensics" being bandied about in this thread, particularly the Wikipedia definition referenced in an earlier post "Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions."

The way forensics has been used is probably my own fault, since I specified Forensics for LE in my original post, I should have been more abstract and left it at just Forensic Analysis (although I think it would have resulted in the same train of thought for many).

Quote from: sardak
Justin Ogden performs the CAP "cellphone forensics." He gets cellphone log data, which includes tower and sector information, time, coordinates, etc. from the cellphone providers and like Guy, plots and analyzes it using specialized software. Justin gets the same data local law enforcement agencies can get. No one in CAP is tearing apart phones or taking information directly from SIM cards or raw phone information.

This is a great example of the kinds of forensics that CAP can provide. As I said, I wasn't aware that we were already doing this so the fact that we are is awesome and encouraging!
2nd Lt. Christopher A. Schmidt, CAP

Nathan

I think we should really focus on doing what we are already supposed to be doing well, rather than trying to find new parties to go to.
Nathan Scalia

The post beneath this one is a lie.

caphornbuckle

What's the difference between assisting the LE in this type of endeavor and the CD missions we provide?

With a proper background check, OPSEC, and other specialized training, I might be inclined to believe that it may be possible.  Maybe not probable, but possible. 
Lt Col Samuel L. Hornbuckle, CAP

AirDX

Quote from: Nathan on May 19, 2012, 01:35:52 AM
I think we should really focus on doing what we are already supposed to be doing well, rather than trying to find new parties to go to.

We'd still be cruising the Atlantic & Gulf, looking for U-boats then.
Believe in fate, but lean forward where fate can see you.

Flying Pig

Quote from: caphornbuckle on May 19, 2012, 01:54:13 AM
What's the difference between assisting the LE in this type of endeavor and the CD missions we provide?

With a proper background check, OPSEC, and other specialized training, I might be inclined to believe that it may be possible.  Maybe not probable, but possible.

Because in CD we are just providing the platform.  The LEO is the one searching.  The CAP crew isn't going to get called into court.  If CAP members were doing the forensics, they ARE the one doing the job.

Nathan

Quote from: AirDX on May 19, 2012, 02:06:34 AM
Quote from: Nathan on May 19, 2012, 01:35:52 AM
I think we should really focus on doing what we are already supposed to be doing well, rather than trying to find new parties to go to.

We'd still be cruising the Atlantic & Gulf, looking for U-boats then.

Except that kind of mission isn't really necessary anymore.

The missions we're doing now haven't really gone out of style quite yet. Until we're managing the workload we have more than sufficiently, or we no longer are assigned some of those missions, it's hard to argue that we should be opening up to yet another responsibility that is already being covered by numerous other agencies.
Nathan Scalia

The post beneath this one is a lie.

Extremepredjudice

Quote from: caphornbuckle on May 19, 2012, 01:54:13 AM
What's the difference between assisting the LE in this type of endeavor and the CD missions we provide?

With a proper background check, OPSEC, and other specialized training, I might be inclined to believe that it may be possible.  Maybe not probable, but possible.
No. We would need NDAs. OPSEC isn't a substitute.
I love the moderators here. <3

Hanlon's Razor
Occam's Razor
"Flight make chant; I good leader"

flyingscotsman

As interesting as InfoSec is, it's not a core competency for CAP. CyberPatriot has done a very nice job of introducing CAP and AFJROTC cadets to this career field, but that's no different than other initiatives CAP has leveraged to broaden the horizons of cadets. It's raised awareness amongst our membership, which can't be bad. It isn't a call to action for CAP to suddenly start expanding its mission to include this sort of work.

If you're truly interested in volunteering for this sort of work, there are many other ways to contribute on your own. If you have the qualifications, perhaps you should think about trying to join InfraGard, or contribute to the security areas of ISC, ACM, IEEE, ISOC that interest you the most.

The ES side of CAP flies planes, fields ground crews, and keeps a radio network running, we do that relatively well for an eclectic bunch of unpaid people, let's try to keep our eye on the ball.

krnlpanick

Quote from: flyingscotsman on May 19, 2012, 05:13:26 AM
As interesting as InfoSec is, it's not a core competency for CAP. CyberPatriot has done a very nice job of introducing CAP and AFJROTC cadets to this career field, but that's no different than other initiatives CAP has leveraged to broaden the horizons of cadets. It's raised awareness amongst our membership, which can't be bad. It isn't a call to action for CAP to suddenly start expanding its mission to include this sort of work.

If you're truly interested in volunteering for this sort of work, there are many other ways to contribute on your own. If you have the qualifications, perhaps you should think about trying to join InfraGard, or contribute to the security areas of ISC, ACM, IEEE, ISOC that interest you the most.

The ES side of CAP flies planes, fields ground crews, and keeps a radio network running, we do that relatively well for an eclectic bunch of unpaid people, let's try to keep our eye on the ball.

I already contribute to the industry as the leader of the single most-widely used application security library - OWASP Enterprise Security API as well as serving on the Global Projects Committee and speaking regularly at security conferences (I have spoken at OWASP Conferences across the US from CA to DC, been part of Application Security working groups in 3 countries and presented at Blackhat Vegas)

While what we currently do is admirable, as I stated already the topic has sparked some interesting conversation and as a direct result of CAP's success in CyberPatriot I would not be surprised to see more programs aimed at InfoSec, CyberSec, OPSec, AppSec or any other security field.
2nd Lt. Christopher A. Schmidt, CAP

flyingscotsman

Quote from: krnlpanick on May 19, 2012, 05:46:05 AM
While what we currently do is admirable, as I stated already the topic has sparked some interesting conversation and as a direct result of CAP's success in CyberPatriot I would not be surprised to see more programs aimed at InfoSec, CyberSec, OPSec, AppSec or any other security field.

If there are any more programs aimed at these areas, I could see CAP trying to educate members on it (in particular cadets as an extension of CyberPatriot) but I'm pretty confident we won't be supplying any contract work to outside agencies nor would we have hands-on missions in that area.