U.S. Secret Service First Responder Computer Forensics

Can I Pull the Plug Now…?

  • Mick Walsh, Special Agent, Miami Electronic Crimes Task Force
  • 29 pages
  • October 21, 2009

The Secret Service investigates…
– Counterfeit currency
– Fraud involving U.S. financial obligations and securities
– Crimes affecting other federally insured financial institutions
– Threats against the President & other government officials
– Telecommunications fraud
– Access device fraud
– Identity fraud
– Computer fraud

3 Levels of Training in the Secret Service
– Computer forensic examiners
– Network intrusion investigators
– Other agents who’ve taken a basic course in computer crime investigations

This is what we need…
1. Image RAM
2. Detect encryption
3. Detect networked data storage
This is what we want…
– Fewest number of tools possible to cover every situation
– Reliable
– Easy to use
– Small “footprint”
– Only trusted files are executed
– Can be run from different types of media
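One way a first-responder kit can enforce “only trusted files are executed” is to hash every tool on the response media and compare against a manifest recorded in the lab, refusing to proceed if anything is modified, missing or unexpected. The script below is an added example, not a tool from the slides or from the Secret Service; the kit layout, file names and manifest format are constructed for the demo, and the tamper scenario is simulated in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB chunks so large tool images do not load into RAM at once


def sha256_file(path):
    """SHA-256 hex digest of one file, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(kit_dir):
    """Map every file under kit_dir (relative POSIX path) to its SHA-256.
    Run once in the lab; store the result separately from the media it describes."""
    kit = Path(kit_dir)
    return {
        str(p.relative_to(kit)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(kit.rglob("*"))
        if p.is_file()
    }


def compare_manifests(expected, current):
    """Pure comparison: list of problem strings, empty if the media matches the manifest."""
    problems = []
    for name, digest in expected.items():
        if name not in current:
            problems.append(f"missing: {name}")
        elif current[name] != digest:
            problems.append(f"modified: {name}")
    for name in current:
        if name not in expected:
            problems.append(f"unexpected: {name}")
    return sorted(problems)


def verify_kit(kit_dir, manifest):
    """Return (ok, problems) for the kit currently on the media."""
    problems = compare_manifests(manifest, build_manifest(kit_dir))
    return (not problems, problems)


def demo():
    """Constructed scenario: a tiny fake kit is recorded, then one binary is
    replaced and a stray file appears on the media before the next response."""
    with tempfile.TemporaryDirectory() as tmp:
        kit = Path(tmp) / "kit"
        (kit / "bin").mkdir(parents=True)
        # Hypothetical tool names; contents are placeholder bytes, not real executables.
        (kit / "bin" / "ramdump.exe").write_bytes(b"MZ placeholder tool A")
        (kit / "bin" / "crypthunt.exe").write_bytes(b"MZ placeholder tool B")
        (kit / "README.txt").write_text("constructed sample kit\n")
        manifest = build_manifest(kit)
        clean_ok, clean_problems = verify_kit(kit, manifest)

        # Simulated tampering between deployments.
        (kit / "bin" / "ramdump.exe").write_bytes(b"MZ something else")
        (kit / "extra.dll").write_bytes(b"stray file")
        tampered_ok, tampered_problems = verify_kit(kit, manifest)
    return clean_ok, clean_problems, tampered_ok, tampered_problems


if __name__ == "__main__":
    ok, _, bad, issues = demo()
    print("clean media verified:", ok)
    print("tampered media verified:", bad, issues)
```

The manifest must live somewhere the suspect machine cannot have touched (printed in the case file, or on separate write-protected media), otherwise an attacker who can replace a tool can also replace the hash list that vouches for it.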

Lots of RAM imaging tools available…
My forensic lab uses FastDump Pro by HBGary, Inc.
– Supports all versions of Windows, all service packs, 32 & 64 bit
– Images up to 64 GB of RAM
– Relatively easy to use
– Small “footprint” in memory
– Also acquires the pagefile
– Loads its own trusted drivers & services
– Low cost for Pro version
– “Community Edition” is less capable, but it’s free

CryptHunter, from the CERT program at Carnegie Mellon University’s Software Engineering Institute, detects whole disk encryption as well as encrypted volumes and encrypted virtual disks.
– Works on Windows NT, 2000, XP, 2003 and Vista
– Relatively easy to use
– Easy to understand output
– Small “footprint”
– Creates a detailed log of files “touched” by CryptHunter
– It’s free for use by law enforcement!

Nmap is an open source utility for network mapping & security auditing. It shows which hosts are reachable on the network, what services those hosts are offering, their operating systems, open ports, device types, etc.
– Runs on Windows NT, ME, 2000, XP, 2003 and Vista
– Not exactly easy to use, but the basics can be learned fairly quickly
– Straightforward output
– Small “footprint”
– Downside – free version must install WinPcap & MS Visual C++
– Can buy a version that runs directly from CD or USB
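For the “detect networked data storage” step, the useful output of a scan is a short list of live hosts offering file-sharing services, since those are the devices whose data disappears from the picture once the plug is pulled. The parser below is an added example, not part of the slides or of Nmap itself: it reads Nmap’s XML output format (`nmap -oX`) and flags hosts with an open storage-related TCP port. The port-to-service table and the sample scan result are constructed for the demo; the addresses and host names are not real.

```python
import xml.etree.ElementTree as ET

# Constructed list of ports commonly associated with network file storage.
STORAGE_PORTS = {
    21: "FTP",
    139: "NetBIOS/SMB",
    445: "SMB/CIFS",
    548: "AFP",
    873: "rsync",
    2049: "NFS",
    3260: "iSCSI",
}

# Constructed sample in the shape of `nmap -oX -` output; not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - 192.168.1.0/24" start="0">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Example NAS Vendor"/>
    <hostnames><hostname name="nas01" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="2049"><state state="open" reason="syn-ack"/><service name="nfs"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.1.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def storage_hosts(nmap_xml):
    """Return {ipv4: {"name": str | None, "services": [(port, label), ...]}} for
    every host that is up and has at least one *open* storage-related TCP port.
    Filtered or closed ports and down hosts are ignored."""
    root = ET.fromstring(nmap_xml)
    found = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
        if ip is None:
            continue
        hostname = host.find("hostnames/hostname")
        name = hostname.get("name") if hostname is not None else None
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            portid = int(port.get("portid"))
            if (
                port.get("protocol") == "tcp"
                and state is not None
                and state.get("state") == "open"
                and portid in STORAGE_PORTS
            ):
                services.append((portid, STORAGE_PORTS[portid]))
        if services:
            found[ip] = {"name": name, "services": sorted(services)}
    return found


def format_report(found):
    """One line per flagged host, suitable for the responder's notes."""
    lines = []
    for ip in sorted(found):
        entry = found[ip]
        label = f"{ip} ({entry['name']})" if entry["name"] else ip
        svc = ", ".join(f"{port}/{name}" for port, name in entry["services"])
        lines.append(f"{label}: {svc}")
    return lines


if __name__ == "__main__":
    for line in format_report(storage_hosts(SAMPLE_NMAP_XML)):
        print(line)
```

Host 192.168.1.20 is dropped even though 445 appears in its port list, because Nmap reported it as filtered rather than open; a hit list built from any mention of a port rather than its state would send the responder after storage that is not there.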
