Driving hard on hard drives
- By Bill Murray
- Apr 09, 2001
To ensure that investigators have a clue about computer crimes, Greg Redfern bridges the gap between gun-carrying law enforcement personnel and information technology.
Redfern is director of the Department of Defense Computer Investigations Training Program (DCITP), where investigators learn how to gather evidence for child pornography cases, hacker attacks, fraud and other crimes.
Given the way that computers have permeated nearly all aspects of American life, vital clues reside on hard drives and floppy disks. But investigators have to learn how to find them. That's where the DCITP, Linthicum, Md., comes in.
Launched by former deputy Defense secretary John Hamre under the Defense Reform Initiative in 1998, DCITP has trained more than 1,500 investigators with a $5 million annual budget. The Navy handles DCITP training, while the Army leads the program's distance-learning initiative, and the Air Force runs a forensics laboratory in the same building as DCITP.
The starting point at DCITP—Introduction to Networks and Computer Hardware—is what Redfern calls a "basic bag and tag" course. Regardless of an officer's knowledge coming into the class, each student must take apart and assemble a computer and connect it to a TCP/IP network.
"We take the magic out of it," he said, referring to taking a computer apart. "With each time, the confidence builds." But DCITP training goes beyond the basics. As Redfern put it: "How do you make [special agents] conversant with SCSI drives and god-awful subnets?"
Instructors train students how to nab a criminal who has tried to erase evidence from a computer's hard drive, and they learn how to ship damaged disks to the forensics laboratory for investigation.
Investigators also learn how to testify about computer evidence in court, with DCITP legal counsel available for advice. Redfern also admonishes students not to forget basic investigative techniques when examining computers for evidence, such as dusting keyboards for fingerprints.
And because not all criminals or their victims use Microsoft Corp.'s Windows, investigators learn to use versions of Apple Computer Inc.'s Macintosh, Linux and Sun Microsystems Inc.'s Solaris, among other operating systems.
Classes run from two days to six weeks, and instructors also travel to Andrews Air Force Base, Md., and Fort Leonard Wood, Mo., to teach classes to DOD law enforcement personnel.
DOD investigators get priority, but state and local law enforcement officers can also take classes at no charge, Redfern said. He showed particular pride in working with the state and local officers and beamed when talking about the informal networking opportunities and information sharing that DCITP can help create.
Alan Paller, a research director at the SANS Institute, which offers computer security courses, called DCITP a "wonderful" idea for a program. "The problem you encounter with doing these sorts of courses is that you usually have teachers teaching the courses, rather than practitioners," Paller said. "The rule must be that you can't teach up-to-date security skills without being a practitioner" because technology changes so quickly.
Redfern has been a special agent at the Naval Criminal Investigative Service since leaving the active-duty Navy in 1978, and he served in the Naval Reserve through 1995. His introduction to computers came when he bought a Commodore 128 in 1984 at a Navy Exchange store in Alaska. He eventually switched to an Apple Macintosh SE. "It's not every day a gumshoe gets to start an organization from scratch," Redfern said of his current assignment. Despite the tight job market, he has hired a dozen instructors. With eight instructor jobs unfilled, he uses contractor Computer Sciences Corp. to fill in any gaps.