Nicholas Butner holds an encased SIM card with a pair of pliers, slowly rotating it under the light from a machine.
Within a few minutes, the memory card heats up, loosens and drops from its damaged container, its contents ready to be discovered on a card reader.
Butner, a cyberforensics data recovery expert, is among the 16 computer engineers, computer scientists and IT specialists who work at Space and Naval Warfare Systems Center Atlantic’s forensics and data recovery lab in Hanahan.
The SPAWAR lab’s mission is to help the Navy and other federal government agencies recover data and solve criminal cases. Digital interactions almost always leave a trace, officials said.
Cases can take months and cost several thousand dollars, depending on the scale of the project, said Robin Corkill, the lab’s director and cyberforensics competency lead.
Lab customers — which include the Naval Criminal Investigative Service and departments of Veterans Affairs, Defense and Homeland Security — send laptops, computer drives, memory cards and cellphones for service.
The data recovery teams work to retrieve lost or damaged information: laptops that have been dropped; drives that were not backed up or have been infected with malware; software that has crashed.
Some lab workers are hunched over their desks as they deconstruct drives and replace parts in an attempt to salvage the data. Others are interacting with data on chip readers.
One machine, which looks like a small, metal suitcase, is made for cellphone data recovery. The machine’s technology prevents someone from wiping a phone remotely, enabling analysts to connect the phone to their computer and pull in the data.
In one case the lab handled, two drives had failed on a system and none of the work had been backed up. The agency sent the entire server to the lab, where employees rebuilt it, recovering six months’ worth of operational data that would have been lost, said Bill Littleton, who leads the lab’s cyberforensics integrated product team.
The lab is currently working on ways to retrieve data from water-damaged computer parts.
“Our main goal is to protect Navy networks and assets, whether it’s from malware incidents or human interaction,” Corkill said.
‘Find the evidence’
The rest of the team works in the classified data forensics lab — officially called the Cyber Forensics Criminal Investigation Laboratory — to help federal agencies and the Navy solve crimes.
Last year, the federal lab received accreditation to do criminal investigations, specifically digital and multimedia evidence testing. It is the first lab in the Navy to earn the sanction of the American Society of Crime Laboratory Directors/Laboratory Accreditation Board.
Federal agencies send in computer drives and cellphones of employees under investigation or those who have been victims of a cyberattack. They also provide details on what they know and what they hope to find out for internal and external investigations.
SPAWAR forensics specialists search and analyze data, files and communications. The information found can solve cases involving inappropriate, illegal or adversarial behavior; financial issues; or inappropriate use of government equipment, officials said.
Some cases involve determining whether an employee spends an excessive amount of government time, resources and equipment to do work for an outside employer.
The lab often investigates employees who are suspected of using a government computer to view or download pornography. One digital forensics investigation revealed the suspect often viewed and stored child pornography on a work computer.
Pornographic websites pose a threat to a network’s security because they are often loaded with malware, officials said. Child pornography viewing has the added layer of being illegal.
Some of the cases go beyond investigating federal employees, such as one involving an agency that endured a cyberattack by a foreign government.
The SPAWAR forensics lab helped determine the extent and cause of the breach, as well as ways to prevent such an attack in the future.
“We want to know what actually happened on a system. ... It’s like when a police officer arrives on a crime scene and gets the evidence,” Littleton said. “The computers and phones that get sent here then get assigned to analysts who work to find the evidence.”
The forensics lab is also capable of investigating threats from within an organization, such as an attempt to hack an agency or damage intellectual property. No such cases have come to the lab yet.
“From an investigative side, we will probably start seeing more mobile devices come in because people are tied between their mobile device and their laptop ... and a lot of that data is all synced,” Littleton said.
Corkill and Littleton were the only employees when they co-founded the lab in 2008. They worked on one machine.
The lab has since augmented its capabilities, equipment, personnel and square footage. Two of the three existing labs will soon consolidate into a new building, now under construction nearby on SPAWAR’s campus in Hanahan.
Constantly changing technology and ever-updating mobile apps make cases increasingly difficult, Corkill said, and finding the highly specialized employees needed to perform the data recovery and forensics work also proves challenging.
But the demand for the work they do has ballooned over the past eight years. In addition to solving cases, the lab now provides preventive solutions and training to Navy commands and federal agencies, including ways to create more secure networks or improve incident responses.
“We are also working on testing networks and trying to identify weakness in networks of other commands,” Corkill said. “We help our own command keep our network strong and safe.”
Officials expect to hire more computer engineers and IT analysts in the coming years, and they envision employees working on both the data recovery side and the forensic investigations. The data recovery process sometimes yields information that requires an investigation and follow-up cases.
“We often find connections we weren’t expecting,” Littleton said.