Jim Christy has spent most of his adult life chasing computer criminals and in his 30 years on the job, he has seen suspects try every conceivable trick to hide their digital tracks, including cutting floppies in half with pinking shears.
But nothing has made life more difficult for Christy and his colleagues than the rapid evolution and proliferation of technology in the last 10 years.
In the 1970s and 1980s, when Christy was a special agent with the Air Force Office of Special Investigations, a routine seizure of computer equipment might include one PC, a box of 5.25-inch floppies and perhaps some records of the suspect's activity on a bulletin board or early online service. A couple of agents could process that amount of data in short order. Now, in an era when RAM is cheaper than bottled water and mobile devices such as PDAs and smart phones can store several gigabytes of data, investigators often find themselves combing through 250-Gb hard drives on each of three or four PCs, files backed up online or on DVDs and untold amounts of email and IM traffic for a single case.
Christy retired from the Department of Defense in December but has not given up his hunt for computer criminals. He's now the director of Futures Exploration at the Defense Cyber Crime Center (DC3) and has helped build the largest digital forensics laboratory in the world.
But even with the seemingly limitless budget of the Department of Defense behind him, Christy used his keynote speech at the Black Hat DC conference this week to enlist the help of the security experts and vendors in the audience. The amount of data he and his agents get from the DC3's customers -- who include any number of three-letter agencies, military agencies and other law enforcement agencies -- is simply overwhelming, even for a lab that employs 90 full-time forensic specialists.
"I'm here to appeal to the private sector to help us develop better tools to process all of this information," he said. "We're hoping some of you guys will come to us and say, we have a tool to help you."
This might seem like an odd request, coming from a former federal agent. But Christy is well-known in the security community as a straight-shooter and is respected even by the Black Hat attendees who may have fractured a law or two in their time. Jeff Moss, Black Hat's founder and a former hacker and security consultant, said even as a teenager haunting bulletin board sites he had hears of Christy.
"Even back then I knew that Jim Christy was one of the two or three guys you didn't want to come kick in your door," Moss said. "Everyone knew who he was."
Christy and digital forensics both have come a long way since the 1986 Hanover Hacker case in which several Germans compromised a network at the University of California at Berkeley and several U.S. government and military sites and then sold the data they stole to the KGB. Christy helped investigate that case and had little to go on beside the work done by Cliff Stoll, a Berkeley astronomer who had stumbled upon the hackers' trail in the university's network.
He had even less to go on it seemed in the 1991 case of an Air Force airman accused of killing his wife. When OSI agents walked into the man's office to interview him about the murder, he grabbed a pair of floppy disks and began cutting them into pieces. The agents gathered all the pieces they could find and sent them to Christy, who took them on a grand tour of the Beltway, looking for anyone who could help him recover the data. Neither the National Security Agency nor the CIA could help, so Christy and one of his agents eventually ended up painstakingly putting the disks together with tape and got nearly all of the data—including a letter from the airman to his girlfriend which led to his confession and conviction.
Digital forensics has become much more of a science now, but Christy said it is still effectively in its infancy. There are only 12 accredited digital forensics labs in the country, and only three states have laws on the books requiring that any digital evidence introduced at trial come from an accredited lab. DC3 agents spend much of their time testifying in trials, and nearly half of those cases these days involve child pornography, a crime that Christy said is only made easier by the easy availability of technology.
"This is an epidemic and a plague and I believe this a crime where technology is an enabler," he said. "In the old days, the transfer mechanism for this stuff was the postal service and most of it was coming from overseas. Now, if you have a digital camera and an Internet connection, you can be a worldwide distributor of child porn in no time."
But the challenges haven't discouraged Christy -- not yet, anyway. After so many years, he said he still enjoys seeing the bad guys go down. And, thanks to the Internet, there won't be a shortage of targets anytime soon.