
Here's a thought

Started by krnlpanick, May 18, 2012, 03:32:21 AM


Extremepredjudice

 No disrespect, sir. I am going to be blunt in this post.  :angel: :angel:


In a 2002 book Computer Forensics authors Kruse and Heiser define computer forensics as involving "the preservation, identification, extraction, documentation and interpretation of computer data."


Quote
A) happen to be living in the mid-late 1990's
No. Dude, seriously do you have a grasp of what you are talking about? Computer Forensics is data recovery. You need a clean room or you will destroy the drive.

Quote
or B) are acting as a contractor to preserve original devices for LE
Why do you need a clean room to store SEALED HDDs? Seems dumb and a waste of Clean Room space.

Quote
Not really even remotely close to what I was suggesting actually.
Then figure out the actual name of it. Stop calling it Computer Forensics. It is something different.

Quote
I'm not talking about pulling fingerprints off of keyboard.
I don't recall anyone saying this.

Quote
Anymore, what generally happens is the OE is stored someplace as evidence, images of the hardware are made (by images I mean exact bit-by-bit copies are made onto virtual devices) and the entire image is shipped as a Virtual Machine to a contractor who performs analysis of the evidence and send a report back to the investigating agency - the forensics team for the investigating agency will then digest that report and incorporate the findings into evidence. Nothing is done with the OE except in very extreme circumstances to reduce the risk of destroying the evidence.
No. Most of the time, if they hire a contractor they send the physical drive to them. How else do they get the data off of the disc? Overwritten data can only be recovered using the physical disc. Not an image.

Quote
There is a slim possibility that the contractor who performed the forensic analysis can be called by either the defense or prosecution team as an expert witness, but generally contracting organizations will have a specific person assigned to the expert role who testifies if the need arises.
OH GAWD. SM Bagodoughtnuts with no background in the field and no certifications ain't no expert witness. He is some random guy off the street. NO WAY CAP can do this.

Quote
Please realize that, like many other aspects of forensics work - CSI is only a TV show. Real forensic scientists don't carry a gun and chase bad guys - they live in a lab and lion's share don't even work directly for the LE Agencies but rather a contractor to the agencies.
Correct.

Quote
Again, this was just one aspect of my suggestion - but appears to be the one that everyone is using as ammo for shooting the idea down which is fine. The reason I suggested it in the first place is because Forensics is now a part of CP and there is a national need for expertise in the field (which is *why* it is part of CP)
False. It is part of DC3's forensic challenge. Cyber Patriot is only "find vulnerabilities."

Quote
Cyber is a really big area with no solid definition yet. There are plenty of areas where CAP can make an impact and not only provide a service in the industry but also help to develop the industry.  Regardless of whether it is Training and Education or Forensics R&D, Defense R&D or specialties therein.
I'm sorry, but I started laughing. You are kidding right? CAP can't provide **** in the cyber realm. Look at the average site! Do you know what US-CERT does? Can you provide briefings? What about the 67th NWW? On site personnel aren't trusted with the permissions to fix stuff. The 67th NWW does it all.

CAP doing R&D... No. Just no. How could we afford the equipment, have NDAs, have people show up consistently, etc. Oh, and we'd need that clean room we discussed before, too.

Btw
Quote
cy·ber   /ˈsībər/
Adjective:
Of the culture of computers, information technology, and virtual reality: "the cyber age".

Quote from: N Harmon on May 18, 2012, 09:30:25 PM
Civil Air Patrol already does cell phone and radar forensics in support of Search and Rescue.
Cite. Radio forensics comes up as this.

No possible way we provide Cell Phone forensics... (see: http://en.wikipedia.org/wiki/Mobile_device_forensics)
I love the moderators here. <3

Hanlon's Razor
Occam's Razor
"Flight make chant; I good leader"

Eclipse

CAP has been a leader in deciphering NTAP data and cell phone tracking for years.  When the AFRCC needs that
information, they go to a small group of CAP members.

"That Others May Zoom"

krnlpanick

I have absolutely no problem with bluntness - but it seems perhaps I should resign from my current employer and the Open Web Application Security Project as I apparently have no idea what I am talking about. Again, I jest.

Just to clarify - I also never said "Computer Forensics" - as a matter of fact I specifically referenced "Digital Forensics" several times which is NOT a synonym for Computer Forensics (at least since the 90's)

http://en.wikipedia.org/wiki/Digital_forensics

As mentioned in the heading "Forensic Process" - The first step is Imaging the drive. Why do you need a clean room to work with a copy of the evidence? If you muck it up, you restore to the last snapshot prior to doing so and redo whatever you did to muck it up (pref. without the mucking up part)

As mentioned in the heading "Application" - Digital Forensics is used for a lot of things outside of criminal investigations.

How is collecting forensic data and analyzing it for intelligence (or simply just gathering it and passing it on) any different than taking aerial photographs for DHS?

Quote
In some cases the collected evidence is used as a form of intelligence gathering, used for other purposes than court proceedings (for example to locate, identify or halt other crimes)

Lastly, FWIW - the 2002 definition of Computer Forensics does not simply equate to "Data Recovery" any more than Emergency Services equates to strictly "Air Search and Rescue Ops". Data Recovery is a singular aspect of Computer Forensics and again, this data recovery is rarely, if ever performed against the original equipment. I wouldn't expect people to be shipping hardware to us that had been subjected to a thermite burn-thru - however it is realistic that we could work with images of a device that had already been recovered via a thermite burn-thru.
2nd Lt. Christopher A. Schmidt, CAP
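The process the posts above describe (image the original device, analyse only the copy, re-verify and restore the copy from the master image when it gets mucked up) as an added Python example; this is not code from the thread or from any CAP program. It assumes a regular file stands in for the seized device and that the evidence bytes and file paths are constructed for the demo; a real acquisition would read through a hardware write-blocker.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 64 * 1024  # read/write granularity for the bit-for-bit copy


def sha256_file(path):
    """Stream the file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Bit-for-bit copy of source into image_path. The source is only ever opened
    read-only; the returned hash is recorded so the image can be re-verified later."""
    running = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            running.update(block)
            dst.write(block)
    if sha256_file(image_path) != running.hexdigest():
        raise RuntimeError("acquired image does not match the source")
    return running.hexdigest()


def verify_image(path, expected_hash):
    return sha256_file(path) == expected_hash


def fresh_working_copy(master, expected_hash, work_path):
    """Analysts touch only a copy; the master image is re-verified before each restore."""
    if not verify_image(master, expected_hash):
        raise RuntimeError("master image has been altered")
    shutil.copyfile(master, work_path)
    return work_path


def demo():
    """Constructed scenario: image a stand-in 'drive', damage the working copy, restore it."""
    d = tempfile.mkdtemp()
    original = os.path.join(d, "evidence.bin")  # constructed stand-in for the seized device
    with open(original, "wb") as f:
        f.write(bytes(range(256)) * 1000)
    master = os.path.join(d, "evidence.dd")
    h = acquire_image(original, master)
    work = fresh_working_copy(master, h, os.path.join(d, "work.dd"))
    with open(work, "r+b") as f:  # the analyst "mucks up" the working copy
        f.write(b"\x00" * 16)
    damaged = verify_image(work, h)                                      # False
    master_ok = verify_image(original, h) and verify_image(master, h)    # True
    restored = verify_image(fresh_working_copy(master, h, work), h)      # True
    shutil.rmtree(d)
    return damaged, master_ok, restored
```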

krnlpanick

Quote from: Eclipse on May 18, 2012, 10:11:32 PM
CAP has been a leader in deciphering NTAP data and cell phone tracking for years.  When the AFRCC needs that
information, they go to a small group of CAP members.

I was not aware of that - that is pretty cool!
2nd Lt. Christopher A. Schmidt, CAP

Eclipse

Quote from: krnlpanick on May 18, 2012, 10:39:52 PM
Quote from: Eclipse on May 18, 2012, 10:11:32 PM
CAP has been a leader in deciphering NTAP data and cell phone tracking for years.  When the AFRCC needs that
information, they go to a small group of CAP members.

I was not aware of that - that is pretty cool!

It looks like the 2006 presentation that discusses the infancy of the software has been taken down, but it was mentioned in the 70th anniversary proclamation:

"WHEREAS, in the past year alone, many of Civil Air Patrol's professional volunteers, backed by CAP's own experts in cell phone forensics and radar tracking experts, left their families and their homes, often in adverse weather conditions, to participate in 1,016 search and rescue missions in which they were credited with saving 113 lives..."

...and the AFRCC made a pretty big deal of the fact that the program is very effective and a CAP initiative.

"That Others May Zoom"

sardak

CAP is not performing cellphone and radar "forensics" in the sense of "forensics" being bandied about in this thread, particularly the Wikipedia definition referenced in an earlier post "Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions."

Our "radar forensics" is taking government furnished radar data, plotting it in specialized software and analyzing the tracks for the target we're looking for. The current software was created by Guy Loughridge at ERM, Inc. http://www.tacticalmapping.com/Software.html His original software was for wildland fire and search and rescue resource mapping. Guy got involved in analyzing radar data in the mid 1990s when the original program CAP had been using became more or less obsolete. That program, Radar ViewPoint, was created by Lance Robinson in California in the Windows 3.11/95 era. At some point he stopped updating it but the website still exists: http://airwaystech.com/rvp/index.htm FYI, there is now a National Radar Team, made up of Guy and several CAP members, FAA and USAF personnel, which provides the radar analysis. The radar information we get from AFRCC on a search doesn't come just from Guy.

Justin Ogden performs the CAP "cellphone forensics." He gets cellphone log data, which includes tower and sector information, time, coordinates, etc. from the cellphone providers and like Guy, plots and analyzes it using specialized software. Justin gets the same data local law enforcement agencies can get. No one in CAP is tearing apart phones or taking information directly from SIM cards or raw phone information.

The term "forensics" in what CAP is doing with cellphones and radar could just as easily be applied to Sarsat data, but no one talks about CAP doing Sarsat or distress beacon "forensics."

Mike

Eclipse

CAP performs the types of "forensics" which are applicable to its mission, and does it very well.

The word has more than one meaning.

"That Others May Zoom"

krnlpanick

Quote from: sardak on May 18, 2012, 11:49:30 PM
CAP is not performing cellphone and radar "forensics" in the sense of "forensics" being bandied about in this thread, particularly the Wikipedia definition referenced in an earlier post "Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions."

The way forensics has been used is probably my own fault, since I specified Forensics for LE in my original post, I should have been more abstract and left it at just Forensic Analysis (although I think it would have resulted in the same train of thought for many).

Quote from: sardak
Justin Ogden performs the CAP "cellphone forensics." He gets cellphone log data, which includes tower and sector information, time, coordinates, etc. from the cellphone providers and like Guy, plots and analyzes it using specialized software. Justin gets the same data local law enforcement agencies can get. No one in CAP is tearing apart phones or taking information directly from SIM cards or raw phone information.

This is a great example of the kinds of forensics that CAP can provide. As I said, I wasn't aware that we were already doing this so the fact that we are is awesome and encouraging!
2nd Lt. Christopher A. Schmidt, CAP

Nathan

I think we should really focus on doing what we are already supposed to be doing well, rather than trying to find new parties to go to.
Nathan Scalia

The post beneath this one is a lie.

caphornbuckle

What's the difference between assisting the LE in this type of endeavor and the CD missions we provide?

With a proper background check, OPSEC, and other specialized training, I might be inclined to believe that it may be possible.  Maybe not probable, but possible. 
Lt Col Samuel L. Hornbuckle, CAP

AirDX

Quote from: Nathan on May 19, 2012, 01:35:52 AM
I think we should really focus on doing what we are already supposed to be doing well, rather than trying to find new parties to go to.

We'd still be cruising the Atlantic & Gulf, looking for U-boats then.
Believe in fate, but lean forward where fate can see you.

Flying Pig

Quote from: caphornbuckle on May 19, 2012, 01:54:13 AM
What's the difference between assisting the LE in this type of endeavor and the CD missions we provide?

With a proper background check, OPSEC, and other specialized training, I might be inclined to believe that it may be possible.  Maybe not probable, but possible.

Because in CD we are just providing the platform.  The LEO is the one searching.  The CAP crew isn't going to get called into court.  If CAP members were doing the forensics, they ARE the one doing the job.

Nathan

Quote from: AirDX on May 19, 2012, 02:06:34 AM
Quote from: Nathan on May 19, 2012, 01:35:52 AM
I think we should really focus on doing what we are already supposed to be doing well, rather than trying to find new parties to go to.

We'd still be cruising the Atlantic & Gulf, looking for U-boats then.

Except that kind of mission isn't really necessary anymore.

The missions we're doing now haven't really gone out of style quite yet. Until we're managing the workload we have more than sufficiently, or we no longer are assigned some of those missions, it's hard to argue that we should be opening up to yet another responsibility that is already being covered by numerous other agencies.
Nathan Scalia

The post beneath this one is a lie.

Extremepredjudice

Quote from: caphornbuckle on May 19, 2012, 01:54:13 AM
What's the difference between assisting the LE in this type of endeavor and the CD missions we provide?

With a proper background check, OPSEC, and other specialized training, I might be inclined to believe that it may be possible.  Maybe not probable, but possible.
No. We would need NDAs. OPSEC isn't a substitute.
I love the moderators here. <3

Hanlon's Razor
Occam's Razor
"Flight make chant; I good leader"

flyingscotsman

As interesting as InfoSec is, it's not a core competency for CAP. CyberPatriot has done a very nice job of introducing CAP and AFJROTC cadets to this career field, but that's no different than other initiatives CAP has leveraged to broaden the horizons of cadets. It's raised awareness amongst our membership, which can't be bad. It isn't a call to action for CAP to suddenly start expanding its mission to include this sort of work.

If you're truly interested in volunteering for this sort of work, there are many other ways to contribute on your own. If you have the qualifications, perhaps you should think about trying to join InfraGard, or contribute to the security areas of ISC, ACM, IEEE, ISOC that interest you the most.

The ES side of CAP flies planes, fields ground crews, and keeps a radio network running, we do that relatively well for an eclectic bunch of unpaid people, let's try to keep our eye on the ball.

krnlpanick

Quote from: flyingscotsman on May 19, 2012, 05:13:26 AM
As interesting as InfoSec is, it's not a core competency for CAP. CyberPatriot has done a very nice job of introducing CAP and AFJROTC cadets to this career field, but that's no different than other initiatives CAP has leveraged to broaden the horizons of cadets. It's raised awareness amongst our membership, which can't be bad. It isn't a call to action for CAP to suddenly start expanding its mission to include this sort of work.

If you're truly interested in volunteering for this sort of work, there are many other ways to contribute on your own. If you have the qualifications, perhaps you should think about trying to join InfraGard, or contribute to the security areas of ISC, ACM, IEEE, ISOC that interest you the most.

The ES side of CAP flies planes, fields ground crews, and keeps a radio network running, we do that relatively well for an eclectic bunch of unpaid people, let's try to keep our eye on the ball.

I already contribute to the industry as the leader of the single most widely used application security library - OWASP Enterprise Security API - as well as serving on the Global Projects Committee and speaking regularly at security conferences (I have spoken at OWASP Conferences across the US from CA to DC, been part of Application Security working groups in 3 countries and presented at Blackhat Vegas).

While what we currently do is admirable, as I stated already the topic has sparked some interesting conversation and as a direct result of CAP's success in CyberPatriot I would not be surprised to see more programs aimed at InfoSec, CyberSec, OPSec, AppSec or any other security field.
2nd Lt. Christopher A. Schmidt, CAP

flyingscotsman

Quote from: krnlpanick on May 19, 2012, 05:46:05 AM
While what we currently do is admirable, as I stated already the topic has sparked some interesting conversation and as a direct result of CAP's success in CyberPatriot I would not be surprised to see more programs aimed at InfoSec, CyberSec, OPSec, AppSec or any other security field.

If there are any more programs aimed at these areas, I could see CAP trying to educate members on it (in particular cadets as an extension of Cyberpatriot) but I'm pretty confident we won't be supplying any contract work to outside agencies nor would we have hands on missions in that area.