UNITED24 - Make a charitable donation in support of Ukraine!

Homeland Security

The Best Kept Secret in the Navy: SPAWAR Systems Center Atlantic's Cyber Forensics Capabilities

Navy News Service

Story Number: NNS180409-07
Release Date: 4/9/2018 11:00:00 AM

By Susan Piedfort

CHARLESTON, S.C. (NNS) -- Critical data that could prove a suspect is defrauding the government is located on a hard drive that has been submerged in water. Naval Criminal Investigative Service (NCIS) agents need access to information on a suspect's cell phone, which was intentionally destroyed.

Two challenges, one solution: Space and Naval Warfare Systems Center (SSC) Atlantic's Digital Media Criminal Forensics Investigations (CFIX) Laboratory. The lab, the Navy's first and only of its kind to earn the prestigious American Society of Crime Laboratory Directors (ASCLD/LAB) International accreditation, serves as a base of operations from which SSC Atlantic's cyber forensics team performs its mission of helping the Navy and other federal agencies recover data and solve criminal cases using its unique operational cyber forensics capabilities. Their customers include NCIS, the Department of Justice, Department of Veterans Affairs, Department of Homeland Security and the Marine Corps.

Making full use of the CFIX Lab capabilities, the team conducts data recovery, responds to cyber forensics incidents, performs mal ware analysis and reverse engineering of mal ware and helps protect the Navy's network infrastructure.

The CFIX Laboratory also contains a Data Recovery Laboratory with physical rebuilding and submerged hard drive recovery capabilities, which the team uses to perform Redundant Array of Independent Disks reconstruction, mobile device data extraction, chip-off, Joint Test Action Group and bad sector recovery. They can also perform advanced memory analysis, extract hidden data with steganography and other processes, analyze firmware, and recover data from solid state drives and Flash media.

SSC Atlantic's cyber forensics capability started in 2008 with one machine and two people - Robin Corkill, now cyber forensics competency lead, and Bill Littleton, cyber forensics integrated product team lead. From these meager beginnings the team has grown to 15 computer engineers, computer scientists, forensics analysts and IT specialists, more equipment, a new building on the SSC Atlantic campus, and greatly increased capabilities. The demand for the work they do has increased over the past 10 years and continues to grow as customers learn of SSC Atlantic's cyber forensics capabilities.

More Department of Defense (DoD) and Navy emphasis on cybersecurity, incident response and data recovery has led to the growth and recognition of the team, according to Corkill. "We can grow as needed to respond to our caseload," he said, adding that the data recovery lab averages more than 100 hard drive recoveries a year for SSC Atlantic employees, and has served multiple DoD organizations with a more than 95 percent success rate.

Two members of the team have master's degrees in digital forensic science, six others have masters in computer science, cyber or math, and many have advanced certifications. All told there are more than 20 certifications, some in specialized areas like smart phones and mobile apps, Windows, Mac, Linux or memory forensics, and even vehicle forensics.

"We also do lots of research, and go to advanced schools to stay current on data recovery, mal ware analysis and digital forensics criminal lab processes," added Littleton. The research they do while solving casework often spawns into new research areas with different artifacts.

"With technology growing exponentially, there is constant learning," Corkill added.

When not helping to solve crimes, recovering data and responding to cyber incidents, the team provides cyber training to SSC Atlantic and other commands on how to prevent breaches minimize system failure and prevent catastrophic loss of data. That training includes cyber defense tracks in response, forensics, intrusion and detection to show how to prepare for attacks and how to respond to an incident and secure evidence. The team also covers how criminals get access, hide data on a system and cover their tracks to help students better understand, prepare for, respond to, and even prevent cyber attacks."

"The fact that we are an all-government team, all Sensitive Compartmented Information -cleared, with strict standards on how we handle data helps us maintain trust with our DoD customers and other agencies," Corkill said. "Our Air Force, Navy and other DoD customers have specifically mentioned the value of working with all-government team," he added. The SSC Atlantic team's technical and analytical expertise, problem solving and out-of-the-box-thinking are also often lauded. Both local and federal law enforcement agencies have consistently provided positive feedback about the CFIX laboratory capabilities, and have commented on the team's efficiency, depth of information provided, and the outstanding quality of the final product.

That praise is the result of a team effort, Corkill emphasized. Having a drive to dig deeper and look at a problem from a number of angles, to use an analytical approach and follow the "cyber bread crumbs" makes for a sharp and effective cyber forensics team.

"It's easy to wake up every day and be excited about what we're doing here," Corkill said. "You never know what you might be facing. Finding information, solving a problem ... it's always a challenge," he added.

"That's probably why most of us on the team enjoy participating in STEM outreach events such as the Palmetto Cyber Defense Challenge (PCDC) and Cyber Summer Camps," Littleton said. "It stretches us to be creative and generate scenarios, then analyze and develop solutions for them."

The lab's outreach activities not only increase interest and proficiency in the cyber forensics domain for the next generation, but their hugely successful Cyber Summer Camp is being used as a model by the Office of the Secretary of Defense.
The team's outreach has also attracted students who want to work alongside Corkill and Littleton as career cyber forensics professionals. Sage Glidewell was a PCDC and cyber camp participant, then a mentor, and now an intern with Corkill's team as she pursues a degree in computer science at the College of Charleston. Two interns who will be hired this summer were hand-picked by Corkill and Littleton through SSC Atlantic's involvement in the Office of Naval Research's cybersecurity outreach with Historically Black Colleges and Universities. "They are computer science and cybersecurity majors with a focus on forensics," Littleton said, "and we are excited about what they will bring to the team."

"What we offer DoD and other federal agencies is a full service and advanced digital forensics capability that has matured over the past 10 years into a cutting-edge answer to the most critical cyber defense needs of today. Our customer feedback is that our quality is unmatched," Corkill said.

"World-class data recovery, advanced digital forensics, a top quality criminal media forensics laboratory, a highly skilled malware analysis and incident response team arguably provide one of the most advanced overall cyber forensics capabilities in the DoD," he said. "Customers often identify us as the 'Best kept secret in the Navy,' " he added.

SSC Atlantic Commanding Officer Capt. Scott Heller praised the team as a valuable asset to the Navy's cyber defense capabilities. "We all know too well that the threat is real. The urgency to answer these threats is real," he said. "I'm excited and proud that we have been able to apply the intellect, energy and ideas found here at SSC Atlantic in new and exciting ways to respond to these ever-evolving threats."

SSC Atlantic provides systems engineering and acquisition to deliver information warfare capabilities to the naval, joint and national warfighter through the acquisition, development, integration, production, test, deployment, and sustainment of interoperable command, control, communication, computers, intelligence, surveillance, reconnaissance (C4ISR), cyber and information technology (IT) capabilities.

Join the GlobalSecurity.org mailing list