Department of Defense Cyber Crime Center

The Defense Cyber Crime Center (DC3) is an United States Department of Defense agency that provides digital forensics support to the DoD and to other law enforcement agencies. DC3's main focus is in criminal, counterintelligence, counterterrorism, and fraud investigations from the Defense Criminal Investigative Organizations (DCIOs), DoD counterintelligence groups, and various Inspector General groups. The Air Force Office of Special Investigations is the executive agent of DC3.

History
DC3 is an agency that houses five government directorates including: Defense Computer Forensics Laboratory (DCFL), Defense Cyber Investigations Training Academy (DCITA), Defense Cyber Crime Institute (DCCI), DOD - Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE), and Analytic Group (AG)). However, from the onset, there was just the forensics lab and the training academy, both initiated by the Deputy Undersecretary of Defense, John Hamre in 1998. DC3 was constructed in October 2001 to house both DCFL and DCITA, and to support the creation of the Defense Cyber Crime Institute (DCCI).

Mission Statement: Deliver superior digital forensics and multimedia lab services, cyber technical training, research, development, testing and evaluation, and cyber analysis capabilities supporting cyber counterintelligence and counterterrorism, criminal investigations, intrusion forensics, law enforcement, intelligence community, critical infrastructure partners, and information operations for the Department of Defense.

Defense Computer Forensics Laboratory (DCFL)
The Defense Computer Forensics Laboratory (DCFL) is a world class accredited digital forensics laboratory. On 8 September 2005, the American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB) accredited the DCFL as part of its nascent digital forensics regime. DCFL's mission is to provide the DoD with digital forensic services, as well as expert testimony. The DCFL has organized digital forensic examinations within an industrial process that is unmatched elsewhere in terms of its scope.

The laboratory provides forensics services to the Defense Criminal Investigative Organizations (DCIOs), and other partners, to analyze and report on digital media seized in investigations. The lab handles a variety of cases including:

Evidence (EV) Section

The Evidence Section handles all items of evidence and media submitted to DCFL for examination or analysis.

Intake (IN) Section

The Intake Section was formed in the fall of 2011 to provide customer support as soon as the laboratory request form is received.

Imaging & Extraction (I&E) Section

The I&E Section makes forensic copies of all media submitted to the lab. Media submitted ranges from computers and external media to unique devices such as gaming systems, cellular telephones, and GPS systems.

Major Crimes (MC) Section

The MC Section conducts the digital evidence analysis supporting criminal investigations. The case types supported include fraud, safety investigations, crimes against persons (sexual assault, child pornography, child exploitation, homicide, or other death-related cases) and crimes against property (arson, theft, property destruction, etc.).

Counterintelligence / Counterterrorism (CI/CT) Section

The CI/CT Section supports counterintelligence investigations at all classification levels which impact national security.

Intrusions (IN) Section

The IN Section conducts examinations and analysis on computer intrusions, malware, and malicious code-related inquires or investigations.

Litigation Support (LS) Section

The LS Section coordinates the travel and litigation requests for examiners to provide testimony at trials and courts martial proceedings.

Quality Assurance (QA) Section

The QA Section ensures that quality is of the highest priority in all DCFL products. QA activities range from quality review of technical examinations to technical writing and ensuring laboratory standards are maintained in the arena of digital and multimedia forensics.

Defense Cyber Investigations Training Academy (DCITA)
The Defense Cyber Investigations Training Academy (DCITA) is a nationally accredited educational academy that researches, develops, and delivers training in cyber investigations for the DoD, military counterintelligence groups, federal law enforcement, and other law enforcement organizations. DCITA's mission is to provide cyber investigation training to individuals and DoD elements that must ensure Defense information systems are secure from unauthorized use, counterintelligence, and criminal and fraudulent activities. DCITA students receive hands-on training in classrooms, as well as online distance learning. DCITA follows the COE and ACE accreditation standards leading towards DC3 certification.

DCITA is nationally accredited by the Council on Occupational Education, and features multiple courses accredited by the American Council on Education, allowing them to be eligible for college credits. Due to its accreditation, the Academy changed its name on 1 October 2006 from its previous name of the Defense Computer Investigations Training Program (DCITP).

DCITA provides 33 courses that cover every aspect of cyber investigations. Topics include: incident response, Windows-based forensics, and network intrusions in Windows, Linux, and Solaris Unix environments. Niche topics are also provided for undercover Internet investigations, Macintosh forensic recovery, log analysis, large data set acquisition, and network exploitation.

Types of Training
 * Computer Search and seizure techniques
 * Network intrusions investigations
 * Forensic computer media analysis to support criminal, fraud, and counterintelligence investigations
 * Basic and advanced forensic examinations
 * Online undercover techniques

Certification Program

DCITA offers the following three levels of certification:

Certified Digital Media Collector Personnel who are the first to respond, secure, preserve, and/or collect digital evidence at crime scenes. Requirements include successful completion or test-out for both the Introduction to Networks and Computer Hardware and the Computer Incident Responders Course. To maintain certification, every two years personnel must conduct at least three acquisitions of digital media or information and attend a minimum of 40 hours of approved continuing education training.

Certified Digital Forensic Examiner Personnel for whom examination or analysis of digital media are major components of their routine duties. Requirements include successful completion or test-out for the Introduction to Networks and Computer Hardware, the Computer Incident Responders Course, and Windows Forensic Examinations. To maintain certification, every two years personnel must conduct at least three examinations of digital media or information and attend a minimum of 40 hours of DCITA-approved continuing education training.

Certified Computer Crime Investigator Credentialed law enforcement/counterintelligence personnel who investigate all elements of computer crime to include the examination and analysis of digital evidence. Personnel must also be graduates of a DCITA recognized law enforcement or counterintelligence training facility (e.g. Federal Law Enforcement Training Center (FLETC), Army Ft. Huachuca, etc.) Requirements also include successful completion or test-out for the following:


 * * Introduction to Networks and Computer Hardware
 * * Computer Incident Responders Course
 * * Windows Forensic Examination
 * * One elective course: Forensic and Intrusions in a Windows Environment; or Forensic and Intrusions in a Linux Environment; or Forensic and Intrusions in a Solaris Environment

To maintain certification, every two years personnel must conduct at least three acquisitions and examinations of digital media or information per year and attend a minimum of 40 hours of approved continuing education training.

Defense Cyber Crime Institute (DCCI)
The Defense Cyber Crime Institute (DCCI) was formed in May 2002 to establish legal and scientific standards for digital forensics. DCCI serves as a resource for sound research to produce unique tools and procedures for the DoD law enforcement and counterintelligence communities. DCCI's core mission is to:


 * Research & develop digital forensic tools & techniques
 * Test, evaluate & validate digital forensic tools & techniques

A critical mission of DCCI has been to support the Defense Computer Forensics Laboratory (DCFL) in its continued accreditation by the American Society of Crime Lab Directors/Laboratory Accreditation Board (ASCLD/LAB). One of the essential criteria for a digital crime lab is to have all of their forensic tools, both hardware and software, tested and validated.

Research & Development

DCCI serves as a knowledge resource in the area of cyber forensics and related technologies for the research and development of computer forensic tools and related technologies supporting DoD intelligence and federal law enforcement communities.

To advance state-of-the-art cyber forensics, DCCI partners with academic institutions, industry, and government organizations:
 * Education Partnership Agreements
 * Memorandum of Understanding
 * Non-Disclosure Agreements
 * Cooperative Research and Development Agreement

Develops digital forensic tools to increase the effectiveness and efficiency of DoD intelligence and federal law enforcement:
 * Intrusion Attribution
 * Image Analysis
 * Peer-to-Peer Log Analysis
 * Malware Analysis
 * Steganography Identification and Extraction

Research innovative digital forensic tools and ideas to provide DoD intelligence and federal law enforcement personnel with novel solutions:
 * Password Cracking
 * Image Authentication

Capabilities:
 * Quickly and accurately determine the extent and source of a network attack
 * Catalog contraband images for faster examination
 * Uncover hidden data not discovered with traditional forensic tools
 * Unbiased evaluation of digital forensic tool characteristics and performance

Testing & Evaluation/Validations

DCCI develops, analyzes, and tests cyber forensics related tools, techniques, and processes used in criminal and counterintelligence investigations, information assurance, and information operations. T&E assures validated tools, techniques, and processes are accurate, reliable, and repeatable.

DCCI Cyber Files

As DCCI completes hardware and software testing, summaries of the projects are listed within the DC3 Cyber Files, which is publicly accessible at www.dc3.mil. Governmental organizations can request a report by contacting FX at 410.981.1037.

DoD - Defense Industrial Base Collaborative Information Sharing Environment (DCISE)
The DOD-DIB Collaborative Information Sharing Environment (DCISE) was established in response to the critical need to improve information sharing between U.S. Government (USG) and private sector components of the Defense Industrial Base (DIB). DCISE is the operational arm of the DoD Cyber Security / Information Assurance program. DCISE works with DIB partners to safeguard DoD information residing on or transiting DIB controlled unclassified networks by providing actionable threat products, analysis, forensics diagnostics, and remediation consults in response to voluntarily reported network events.

DCISE PRODUCTS

DCISE products assist government and industry partners in strengthening security and protecting controlled unclassified information on DIB computer networks.

The CRF provides cyber situational awareness to the DIB, USG, and Critical Infrastructure /Key Resource (CI/KR) community on an event or incident reported by a DIB or CI/KR Partner through an Incident Collection Form (ICF). The CRF is produced within 72 hours of receiving an ICF and summarizes the event using incident details and malware analysis. The CRF also reports if activity can be attributed to Advanced Persistent Threats and the probability of compromise to DoD information. CRF’s are sanitized to remove information that may reveal the reporting source.
 * CUSTOMER RESPONSE FORM (CRF)

The DIB Alert is a time-sensitive product released to the DIB Partner community within 4 hours of a reported incident or security event derived from internal or external sources. The product contains indicators that help partners and community stakeholders identify potential compromised systems within their respective networks. The DIB Alert may be written at the classified or unclassified level.
 * DIB Alert

The TIP is a weekly report that notifies DIB Partners of possible threats to their network infrastructure. TIPs contain cyber indicators derived solely from reports on intrusion activity experienced in USG Stakeholder networks. TIPs do not contain attributable information.
 * THREAT INFORMATION PRODUCT (TIP)

The TAR is an in-depth analytic product that correlates technical activities and indicators from across the DIB, with activity identified in the broader Information Assurance community. TARs offer a larger set of indicators of related reporting and provide DIB Partners greater context into the network intrusion/events. TARs are produced within 10 working days of receipt of the ICF.
 * THREAT ACTIVITY REPORT (TAR)

The CTAR is a strategic-level, INFOSEC analytic report that provides DIB Partners with insight into technology targeting. CTAR analysis is derived from ICFs, CRFs, TARs, and other INFOSEC and Intelligence Community reporting. CTARs are produced within 30 working days of activity recognition.
 * CYBER TARGETING ACTIVITY REPORT (CTAR)

National Cyber Investigative Joint Task Force - Analytical Group (NCIJTF-AG)
DC3 resources and manages the Analytic Group (AG) of the NCIJTF, which operates under overall FBI stewardship, joined by other national LE/CI organizations. Focused on nation-state threat actors, AG leads a collaborative analytical and technical exchange with subject matter experts from LE/CI, CND, IC, and IA agencies to build a threat picture to enable proactive LE/CI cyber operations.

DC3 Challenge
The annual DC3 Digital Forensics Challenge is a FREE, online, international competition consisting of individual progressive-level exercises. This particular challenge serves as a call to the digital forensics community to cultivate new cyber professionals and pioneer new investigative tools, techniques, and methodologies. DC3, its partners, and sponsors together bring the DC3 Digital Forensics Challenge to the public.

2006 DC3 Digital Forensics Challenge
The 2006 Challenge provided unique tests that included: Audio steganography, real vs. computer generated image analysis, Linux LVM data carving, and recovering data from destroyed floppy disks and CDs. With 140 teams total, and 21 submissions entered, AccessData won the 2006 event.

2007 DC3 Digital Forensics Challenge
The 2007 Challenge introduced new topics, such as: Bitlocker cracking and recovering data from destroyed USB thumb drives. With 126 teams competing, and 11 entries submitted, a team of students from the Air Force Institute of Technology won the event.

2008 DC3 Digital Forensics Challenge
Beginning with the 2008 Challenge, the contest was broken into four skill levels: Novice, Skilled, Expert, and Genius. New challenges included: detection of malicious software, partition recovery, file header reconstruction, Skype analysis, and foreign text identification and translation. With 199 teams competing, and 20 entries submitted, the competition was won by Chris Eagle and Tim Vidas of the Naval Postgraduate School. The 2008 Challenge also marked the first time that all results were released publicly.

2009 DC3 Digital Forensics Challenge
A total of 1,153 teams from 49 states and 61 countries applied to enter the 2009 DC3 Challenge. This is an increase from 223 teams from 40 states and 26 countries entered in 2008. Of that number of teams in 2009, 44 teams submitted solution packets back to FX for grading. The 2009 Challenge marked the first time that multiple agencies provided their own prizes to specialized winning participants, such as high school students and International teams.

2009 Winners' Circle

With the four available prizes for 2009, the official winners of the Challenger were:

2010 DC3 Digital Forensics Challenge
A total of 1010 teams from 51 states and 53 countries applied to enter the 2010 DC3 Challenge. This is a 12% decrease in team applications from 1,153 teams from 49 states and 61 countries entered in 2009. Of that number of teams in 2010, 70 teams submitted solution packets back to FX for grading. This is a 59% increase in the number of submissions returned to the DC3 Challenge from 2009 with 44 submissions returned.

2010 Winners' Circle

2011 DC3 Digital Forensics Challenge
A total of 1147 teams from 50 states and 52 countries applied to enter the 2011 DC3 Challenge. This is a 3% increase in team applications from 1,110 teams from 48 states and 53 countries entered in 2010. Of that number of teams in 2011, 174 teams submitted solution packets back to FX for grading. This is a 149% increase in the number of submissions returned to the DC3 Challenge from 2010 with 70 submissions returned.

2011 Winners' Circle

2012 DC3 Digital Forensics Challenge
The 2012 DC3 Digital Forensics Challenge saw a great year of participation from 1,209 teams from 49 US states and 53 countries. DC3 received 1,356 exercise submissions, a dramatic increase from 850 submissions the previous year. In 2012, the US took seven of the top ten spots.

2013 DC3 Digital Forensics Challenge
The 2013 DC3 Digital Forensics Challenge is underway! Please visit the website for more information and to register your team.

Published tools
To assist the DoD in cyber investigations, various tools and utilities have been written by agencies within DC3, and some have been released publicly. One of the most prominent of these tools is dcfldd, a modification of the Unix dd utility to include a progress bar, pattern-based disk wiping, and inline data hashing. The dcfldd utility is maintained by Nick Harbour, who had previously worked at DCFL while developing the tool.

DC3 continued development of the dcfldd utility with a new effort, dc3dd. This new version is based upon standard modifications to the existing dd application, instead of continually rewriting the utility for each dd release. This development style allows dc3dd to simply plug in its functionality into the latest dd version.