Forensic Sciences

Computer Forensic Reference Data Sets (CFREDS)

Goals

To provide a readily accessible Internet site that can be used by computer forensic analysts and management to obtain mock case examples for in-house evaluation. These case examples can be used to test examiners skills as part of accreditation requirements or to evaluate/calibrate equipment prior to use.

Customer Needs

The burgeoning number of crimes committed with the aid of the computer is overwhelming the nation's crime laboratories. To assist with the "controls" and evaluation of analyst's expertise, management desires a quick and assured method for evaluation. In general, they need test sets that have been validated and are freely available for use to determine the functionality of equipment as well as the skill set of an analyst.

Technical Strategy

The project participants will continue to converse with individuals knowledgeable in the fi eld to determine the type of test sets needed and in what format. The received suggestions will then be evaluated, verified, and if necessary, used to create an appropriate story line. This includes determining what features to include in the data sets, such as; target strings in files, slack space, unallocated space, file system metadata. The tests will be available through the web site, easily accessible by any individual seeking this type of assistance.

Deliverables

• Active web site; http://www.cfreds.nist.gov

Computer Forensics Tools Testing (CFTT)

Goals

To verify the operation and output of software and hardware that is used to examine digital evidence and to provide documentation on the findings for use in judicial proceedings.

Customer Needs

Computer forensic investigators and analysts require documented evaluation of currently available software/hardware (tools) that advertise forensic capabilities. This step is essential to support collection, examination, analysis, and court testimony of digital evidence. NIST is highly suited to provide an unbiased determination of a tool's capability and therefore to verify the results produced by these tools. NIST was asked to provide expertise in developing test suites and a testing framework to structure the testing of the products in use. The information provided by NIST as a neutral party is used to determine several factors: whether specific tools should be used in forensic examinations; how the tools should be used; and the limitations of the tools' capabilities.

Technical Strategy

To assist the computer forensic community NIST has conducted functionality tests on specific software and hardware products. The selection of a specific software/hardware product and its functionality (e.g., imaging) is accomplished through specific listserv announcements and input from select federal agencies. The actual test results are provided in a report form and posted on two different Web sites: http://www.cftt.nist.gov and http://www.ojp.usdoj.gov/nij/sciencetech/welcome.html.

Deliverables

• Published documents describing the overall concept and framework for testing computer forensics tools. Details for the Law Enforcement agency on how to use this information is also provided. Electronic documentation can be found at: http://www.cftt.nist.gov.

DNA Related Projects

Goals

To provide technical support to state and local forensic DNA laboratories regarding the underlying science of available DNA products and STR-based research. To conduct direct instructional support to state and local forensic DNA laboratories through workshops, training sessions and presentations and through continued population of the NIST STRbase web site.

Customer Needs

State and local forensic DNA analysts do not have the time or the funds to conduct research into new technologies or evaluate newly released products.

In addition, the incorporation of non-evaluated products into a laboratory's standard protocol requires that laboratory to conduct a lengthy validation. To advance the state-of-the-art and alleviate associated time and cost constraints, NIST undertakes the necessary research, development and evaluation tasks.

Technical Strategy

NIST provides ready access to reference material, new technology and tutorials through a service called strbase, which can be found at http:// www.cstl.nist.gov/biotech/strbase/NISTpub.htm. Through this service analysts have resources at their fingertips. NIST will continue research in such areas as: analysis of degraded DNA through the use of miniSTRs, continue evaluating the applicability of Y-chromosome analysis through the use of Y-SNP markers and Y-STR markers and evaluate and improve tools that will aid state and local crime laboratories in the areas of quality assurance and quality control software, equipment upgrades and variant allele cataloging and characterization.

Deliverables

• To continue to provide service to all state and local DNA laboratories through SRM production, presentations, publications, Web site postings, NIST developed software (i.e., AutoDimer, mixSTR, Multiplex_QA) and release of new technologies.

Ion Mobility Spectrometry (IMS) Trace Drug Detection Devices

Goals

To research the utilization of the IMS method as applied to contraband drugs to characterize detection efficiency and to develop methods to characterize and standardize swipe-based and portal-based collection efficiencies of contraband drug particles.

Customer Needs

Detection of contraband drugs is a high priority for a large number of law enforcement organizations. A promising technology for screening for trace amounts of contraband drugs is Ion Mobility Spectrometry (IMS), which is also used nationally for the detection of traces of explosives at airports and other points of entry. However, there exists a number of deficiencies, including high false positive alarm rates for some drugs and high false negative rates (lack of detection) for other drugs. Agencies require a general understanding of detection limits, reliability, and false alarm rates for IMS-based systems.

Technical Strategy

To study an immunoassay instrument marketed for law enforcement applications that should have a similar sensitivity to IMS, but better selectivity. In addition, to study a IMS-based portal detector, and two new desktop IMS instruments. This will require the design of a multivariate experiment that includes at least two desktop instruments and tests for a number of factors including temperature, humidity, sample preparation, and sample matrix. Solid phase microextraction (SPME) used in conjunction with IMS will also be studied. The SPME-IMS approach has the potential to provide a faster, easier, and more portable method of drug analysis in biological samples than those commonly used today.

Deliverables

• Test instrument response using desktop IMS instruments. Submit Report of Analysis.
• Evaluate use of PLM/FT-IR spectrometer system for analysis of fingerprints.
• Complete study of effect on false positive rates from common contaminants, adulterants, and excipients.

National Software Reference Library (NSRL)

Goals

To provide several library attributes; a collection of actual commercial-off-the-shelf (cots) software products and a validated database of known software, file profiles, and file signatures ("fingerprints") in different hash formats.

Customer Needs

The computer forensic analyst is confronted with the examination of an increasing expanse of files per hard drive and in many instances numerous hard drives per forensic case. In addition, all methods and tools utilized in an examination must meet stringent accreditation and judicial requirements.

Technical Strategy

To support the computer forensic investigator or analyst, a validated automated filter program has been created that will either assist in the elimination of thousands of legal files that have no intrinsic forensic value, or provide a quick identification of a specific file of interest. This capability can significantly reduce the amount of examination time required on behalf of the analyst.

Legal requirements may also dictate that the computer forensic analyst produce the basis for the hash values used in an examination, or the specific software version used to obtain the hash. To meet this, NIST retains the actual commercial product that was tested in an in-house library.

Deliverables

• The master database is the primary deliverable (see http://www.nsrl.nist.gov for further information).
• An extracted database that is available to users in CD format. The CD can be purchased through the NIST SRD Office on a subscription basis.
• The compilation of the commercial product library.

Standard Casing Reference Material

Goals

To provide virtual signature standards and NIST Standard Reference Materials (SRMs) standards for casings to be used with equipment that captures images for comparison purposes.

Customer Needs

Firearm analysts currently utilize in-house standards for equipment calibration and inter-laboratory evaluation. Laboratory accreditation requirements and federal mandates are dictating the use of traceable reference materials in an effort to establish measurement uniformity.

Technical Strategy

Utilizing an electroforming process on casings from actual test fires, a set of master casings has been produced. For maximum signature reproducibility, the decay factor for these masters will be determined. Each casing produced will be evaluated through topography measurements to ensure maximum cross correlation factor (CCF).

Deliverables

• Standard Reference Material (SRM), standard casing.
• Report stating the CCF for all casings produced.

Real Time Forensics Imaging for Analog and Digital Video Tapes

Goals

To provide forensic analysts with state-of-the-art, nano-engineered magnetic imaging methods for screening data and recovering data from media that is damaged or was tampered with. This will greatly increase the accuracy of criminal investigations through identification of specifi c types of machines used, whether or not the tapes are original, and to allow investigators to recover data from catastrophic events.

Customer Needs

Law Enforcement and criminal investigators require to "see" signs of tampering in analog audio tapes – erasing, overdubbing and other alterations – while listening to the tapes. It is also important that law enforcement has systems that can evaluate the authenticity of both analog and digital videotape as well as audio recordings. Because magnetic data storage tape is ubiquitous in surveillance and monitoring devices, it is expected that it will remain a challenge to law enforcement forensics teams. The sheer amount of tape (miles on a single roll) and the high density (down track resolution higher than 0.1 micrometer) renders existing techniques, based on magnetic fluids, obsolete. Real-time magnetic scanners will solve this problem.

Technical Strategy

To develop a high resolution (1600 pixels/inch) imaging system that operates in real-time. This allows investigators to see signs of tampering in analog audiotapes — erasing, overdubbing and other alterations — while listening to the tapes. In FY04-05 we fabricated three complete systems. One of these systems is built around an audiocassette system, and will be deployed at the FBI Audio Laboratory in Quantico, Virginia. The other two systems are modular, and can be connected to a cassette deck, a VHS video player, or a DAT (digital audio tape) player. The two modular systems will be kept at NIST and used for testing and characterizing the sensor arrays and validating this technology for use and presentation in court cases. In addition, for the LOC, NTSB, and NARA it is necessary to explore the efficacy of these systems for both routine and emergency data recovery from damaged and aged magnetic data storage tape media.

In order for this technique to have an impact, it is necessary to do blind and double blind testing of altered and original tapes. These tests will be conducted in close collaboration with the FBI. Validation work in this study will focus on the videotape area.

Deliverables

• Forensics – Complete validation report for the VHS & DAT tape.
• Data recovery – Reel-to-Reel tape, test up to 10 kHz
• Data recovery – Reel-to-Reel tape, test up to 10 kHz

Reractive Index Glass Standard Reference Material

Goals

To replenish the depleted NIST standard reference material stock, which is utilized by forensic laboratories that conduct glass analysis.

Customer Needs

To meet quality assurance and accreditation requirements, traceable reference materials must be used when analyzing forensic evidence. The depletion of the NIST glass refractive index standard reference material (SRM) caused some laboratories to seek other options to meet accreditation requirements. Therefore, the forensic community needs a new glass refractive index SRM.

Technical Strategy

Glass samples have been specially annealed to remove residual stress birefringence to ensure uniform optical quality. 5-decimal place index of refraction values will be extracted from the measurements and glass prism samples (7 in total) will be subjected to index of refraction measurements. This portion of the process has been completed. The remaining aspect in the process is density measurement determination.

Deliverables

• A glass standard reference material available for purchase, which, when completed, can be found at https://srmors.nist.gov or http://ts.nist.gov/ts/ htdocs/230/232/232.htm.