Special Report: State Department's computer crime investigations go global

In 2003, in a former Soviet republic, several people were tried and convicted of terrorism, and two of them received the death penalty.For national security reasons, many details of the case are not available. But what is known is that the State Department assisted in gaining the convictions, thanks to the work of its computer crimes unit.'There was an attempted terrorist attack and the target was U.S. interests,' said David Trosch, branch chief for the Computer Investigations and Forensics (CIF) unit in the Diplomatic Security Service, a division of the department.The country caught a man with a bomb and learned from him the location of the terrorist safe house, he said.'As they were going through the door, [a] co-conspirator smashed the computer on the floor,' Trosch said. 'Their security service tried to work it over,' but it was too damaged for their expertise and the country asked the U.S. embassy for assistance.Analysts from Trosch's unit went there and tried to duplicate the contents of the hard drive, but could not because it was so damaged.The case was urgent, so the embassy arranged to divert a military airplane to the country, so the CIF agents could bring the drive back to the U.S. and use a 'clean room' to dismantle the drive.'We never were able to mirror the drive, but we replaced the damaged head and mechanically manipulated the drive to recover about 75 percent of the data,' Trosch said. 'Based on that re- covery, the foreign government convicted several people.'Much of the work that CIF carries out is not as urgent as that example, but the unit is on track to handle more than 200 cases this year.Trosch estimated that a quarter of those cases involve counterintelligence, another quarter are criminal cases investigating passport and visa fraud, and a quarter are miscellaneous investigations.The remaining 25 percent are related to internal affairs matters'Diplomatic Service employees using government computers for illegal or unethical activities, he said.When a State Department employee turns on his or her computer, the first thing they see on the screen is a warning that the machine is the property of the U.S. government and everything on it is subject to search at any time.But people forget that all the time, said Anthony Adkison, the former branch chief for CIF, who recently moved on to another assignment in the department.'It's not that they use computers to do something they wouldn't otherwise do,' he said. 'It's that the computer is a new venue for them to indulge habits they already have,' whether it's gambling over the Internet or conducting personal business.[IMGCAP(2)]Over the past three years, CIF has grown from three people to 25 full-time staff members. Ten of them are State Department employees; the other 15 are contractors, Trosch said.That mix is necessary in part because of the expense of finding trained analysts, but in part because the Diplomatic Service rotates staff to new posts, overseas and stateside, every two years. Adkison stayed in his post for three years to help the unit take shape, but he had to request a one-year extension to do so.Trosch has been brought in to head the team from the Defense Department. As a civil-service employee, he's not subject to the rotation rule.'I'll be here for a while,' he said. 'It's becoming more high profile. ... They [department chiefs] have made significant investments, in both money and manpower.'CIF is broken down into two lines of work, Trosch said. Several agents provide support services for search and seizures, going on-scene to handle the securing of computers and other digital devices, while the remainder provide the forensic analysis to support cases.As the terrorism example shows, the unit provides its services to many outside interests, including other governments and other U.S. agencies. CIF also handles the computer forensics examinations for schemes against the State Department's computer networks, such as phishing, where the department itself is the victim, he said.In passport and visa fraud cases, CIF is not the lead investigating unit. Overseas, personnel in the embassies and consulates conduct the investigations, and in the United States, field offices handle the investigations. But CIF can provide appropriate language for search warrants, log in the evidence and handle media analysis.CIF creates a CD or DVD with hyperlinks that is turned over to the case agent, Trosch said.The department is making a significant new investment in its computer forensics capabilities. CIF is scheduled by the end of the year to move into much larger offices, with dedicated lab space for analysts' workstations, juiced-up cooling capabilities to deal with the heat generated by all the equipment, and even 'safe' access to the Internet, so connections can't be traced back to the State Department, he said.'It's several million dollars' of investment, Trosch said. 'I'm in the process now of trying to project lifecycle replacement costs' for the unit's very high-end computers.At the same time, he has to look ahead to new technology challenges.'There are several areas we're going to have to pay attention to,' such as RFID. The department has mandated that passports'both American and those of other countries'will have to include microchips to facilitate checking individuals' credentials.Fortunately, 'there's always a bit of lead time when new technology comes out,' Trosch said.