Birmingham, Alabama has a certain appeal for those of us living in the northern part of the
country, especially this time of year when one day we could be looking at tornadoes, and the next thirty plus inches of snow.

I learned something else during my trip to Birmingham. The city has a propensity
for digital crime fighting. Facebook learned this firsthand when staff and
students in the university’s computer-forensic program played a significant role
in determining the key players behind Koobface, a computer
worm that stole millions of dollars from Facebook members.

Digital crime-fighting efforts in Birmingham do not stop there; drive south from
downtown Birmingham on Highway 65 to the sprawling suburb of Hoover. Exit on
Valleydale Road, and before long, a well-kept modern-looking building appears
on the right.

Figure A

Once inside, the reason we stopped at this particular location became apparent—The
National Computer Forensics Institute (NCFI)—another Birmingham organization
that’s making life difficult for computer-savvy criminals.

Figure B

Barry Page, NCFI Deputy Director, met our group at the institute’s imposing double
doors and acted as our tour guide for the facility. “The purpose of NCFI is
simple; get state and local officials from across the country up to speed on
the proper handling of digital evidence, cybercrime investigations, and
judicial procedures related to digital crime.”

In addition to Page’s explanation, the official NCFI mandate states: “[T]o
provide state and local law enforcement, legal, and judicial professionals a
free, comprehensive education on current cybercrime trends, investigative
methods, and prosecutorial and judicial challenges.”

Page then pointed out that the United States Secret Service’s Criminal Investigative
Division and the Alabama Office of Prosecution Services jointly run NCFI—the
only training facility of its kind in the United States, which has been in
operation since 2008. 2600 students from more than 500 agencies have taken
classes there already.

Digital evidence training for the legal profession and law enforcement

NCFI has three multipurpose classrooms, two network investigation classrooms, a mock
courtroom, and an operational forensics lab dedicated to the Birmingham
Electronics Crimes Task Force. NCFI offers thirteen classes under the
following categories:

  • Deadbox Forensics
  • Network Intrusion
  • Mobile Device and Social Networking Examination

A member of the tour asked about equipment. Page said NCFI considers it
important for agencies to standardize on equipment and methodology as a way to
enhance cross communications and eliminate mistakes. To that end, each student
receives a Forensic Recovery Device and notebook. Software is dependent upon the student’s class—for
example, students enrolled in Deadbox Forensics would receive EnCase and
WriteBlocker.

Next, we moved past three packed classrooms on our way to the mock courtroom. As we
entered, Page said besides being Deputy Director of NCFI, he is an Alabama
state prosecutor. So, he works closely with the instructors teaching the Computer
Forensics in Court classes.

The following points are addressed during the judge’s class:

  • Understand the significance of how data is stored on computers
  • Understand the base differences between popular operating systems
  • Understand the role that the Internet and networks play in computer crimes
  • Understand the entire forensic process performed by investigators
  • Better understand legal obstacles present in computer crimes
  • Understand how to better evaluate computer crime cases in court

Figure C

Page also pointed out the mock courtroom, which is designed to accommodate digital discovery
so as not to break the chain of custody, yet still guarantee a fair and
impartial hearing. For that reason alone, the courtroom itself receives
significant attention from people wanting to incorporate similar features into
their courtrooms.

As we left the mock courtroom, I asked what defense attorneys do to stay current. Page explained that defense lawyers most often specialize. And since people
accused of a crime get to pick their defense attorney, they will more than
likely retain an attorney experienced in litigating cases involving digital
evidence.

But, unfortunately, assigning cases involving digital evidence and/or digital crime
to prosecutors or judges with experience is not always an option. So, the
logical approach is to provide a way similar to NCFI for prosecutors and judges
to become familiar with court procedures involving digital crime and digital
evidence.

Final thoughts

The university’s computer forensics team includes an archeologist and psychologist.
The team has an enviable string of successes including eliminating Koobface.
The NCFI promotes a similar ideology to normally non-cooperating legal
entities. They also are showing positive results from their effort. I see a
common thread—that of getting normally disparate groups talking and working
together to solve big issues.

If I may, I would like to take a moment to thank all of you who have emailed your
kind condolences on the passing of my father. The messages are much
appreciated.

[All images courtesy of the NCFI.]