Thursday, January 10, 2013
Piecing Together Digital Evidence The Computer Analysis Response Team
In a case involving the round-up of dozens of suspects indicted on public corruption and other charges, investigators were faced with processing large numbers of seized cell phones, desktop computers, and laptops belonging to the suspects. In another case, key evidence against a terror suspect arrested for attempted use of a weapon of mass destruction included data found on his computer. And after a U.S. Congresswoman was wounded and six people killed in Arizona, vital evidence was found on security camera footage, computers, and cell phones.
Reflecting a trend that has become increasingly commonplace for law enforcement, all three of these cases involved the need to recover digital evidence. And our Computer Analysis Response Team, or CART, is the FBI’s go-to force for providing digital forensic services not only to our own investigators but also in some instances to our local, state, and federal partners.
CART consists of nearly 500 highly trained and certified special agents and other professional personnel working at FBI Headquarters, throughout our 56 field offices, and within the network of Regional Computer Forensics Laboratories across the nation. They analyze a variety of digital media—including desktop and laptop computers, CDs/DVDs, cell phones, digital cameras, digital media players, flash media, etc.—lawfully seized as part of our investigations.
During fiscal year 2012, CART—while supporting nearly 10,400 investigations—conducted more than 13,300 digital forensic examinations involving more than 10,500 terabytes of data. To put that last figure into perspective, it’s widely believed that the total printed content in the Library of Congress is equal to about 10 terabytes of data, so imagine the printed content of approximately 1,050 Libraries of Congress!
CART examiners are experts at extracting data from digital media…even when the media is damaged by the forces of nature or defendants attempting to prevent any data from being recovered.
The cases that CART examiners work span the gamut of FBI program areas: from cyber crimes and computer intrusions to violent crimes, financial crimes, organized crime, and national security matters. And once they have finished their forensic work, CART examiners are also available to testify in court as expert witnesses on their findings.
Because we come across computers and other digital media so often in the course of our investigative work, our CART examiners can’t possibly handle every piece of media. That’s why CART created a basic digital evidence training course and developed easy-to-use examination tools for field investigators—to give them the technical and legal knowledge they need to process simpler and more basic digital evidence from their cases without altering or damaging the data—which allows CART examiners to focus on more technically complex cases.
CART on the go. While much of CART’s work is done in stationary facilities in the field or back at our national Headquarters, we also have six mobile CART laboratories around the country. These mobile labs are especially valuable when time is of the essence, enabling digital evidence to be examined on the spot.
The Roots of CART
In 1989, the FBI—along with the Environmental Protection Agency and several state agencies—investigated multiple corruption and environmental allegations at the Rocky Flats nuclear weapons plant (above) just outside Denver. A search of the facility was conducted. Two days into that search, investigators realized that documentary evidence crucial to the case may have been stored on numerous computer systems. A call to the technical services division at FBI Headquarters resulted in an ad hoc group of computer experts being put together and flown out to Denver to assist with the computer searches. Ultimately, the company that ran the facility pled guilty to 10 criminal counts of environmental law violations and paid a multi-million dollar fine.
At the time of the Rocky Flats investigation, the question of how to deal with computer evidence had already been percolating at the Bureau. Congress had passed the Computer Fraud and Abuse Act in 1986, giving us the authority to investigate computer intrusions, and the FBI Laboratory had been receiving a growing number of requests from the field to examine digital evidence.
In 1991, an FBI working group began meeting to examine the investigative issues surrounding computer crime. One of its recommendations was to create a team of specially trained computer specialists capable of examining digital evidence. And in 1992, CART—the Computer Analysis Response Team—was officially created.