Inside the DoD's Computer Forensics Lab: Searching for the Truth

Tucked away in a suburban-Maryland office park, the Department of Defense Computer Forensics Laboratory (DCFL) doesn't look like a place where murders are solved, airplane crashes are explained and global terrorism is battled. But that is just a sampling of the cases investigated inside this nondescript concrete building.

Since its creation in 1998, DCFL has provided the Defense Department with forensic investigative services, digital search-and-seizure assistance, and expert testimony in court. And though you might think the military would provide a relatively dull caseload for a forensic investigator, Lt. Col. Ken Zatyko, director and special agent with DCFL, insists that the DoD is just a microcosm of society at large. "The same offenses that occur in society occur here. The crime rates are just lower," he says. Like civilian investigators, DCFL is currently seeing many child-pornography cases. "We always have cases in the queue," says Zatyko, "and more work than we can handle."

To give you an idea of their workload, DCFL's 40 examiners sifted through 147 terabytes of data in 2003. If all that data were stacked up in paper form, it would be more than 18,000 times as high as the Washington Monument.

Inside, DCFL looks like almost any other office area, with open, spacious workstations that allow investigators and staff to consult freely with each other on cases. The only visual clues that indicate the kind of work that is done here are the dual computer stations set up on each desk so that investigators can work two cases simultaneously; the number of secured entry doors; and the blue lights that flash overhead to alert investigators that a visitor without clearance is walking the floor.

If a case involves a computer, or almost any kind of electronic media, DCFL is equipped to handle every step of the forensic process, from damaged media repair to the imaging and extraction of data from a device. But they have a broad array of cases on which to ply their talents. Recently, DCFL's Major Crimes and Safety division analyzed the media recovered from the wreckage of two military planes that collided in midair. Originally, the surviving pilot was blamed for the accident, but Supervisory Criminal Investigator Kenneth Laursen and his group determined from the cockpit videotapes (no black boxes exist on military aircraft) that, in fact, the other pilot was at fault. Those can be some of the most gratifying cases that the group handles. "The less publicized aspect [of forensics] is that, in many cases, you find evidence that someone did not do a crime," says Zatyko. "We're not out to put people in jail, we're there to find the truth in the evidence that's provided. Sometimes you can lose focus," he says. "It's not always about catching the bad guys."

DCFL also had a team deployed in Iraq to support the gathering of forensic data from any media that was uncovered in the war zone. Their job was not only to conduct forensic analysis, but also to educate the soldiers on the ground about the special skills required to seize electronic media. Before DCFL's people arrived, soldiers were taking a distinctly un-forensic approach to that task. "They were literally tearing the computer cases apart, throwing them on the ground, beating them with axes and in some cases shooting them up with guns in order to break the hard drive out," says Laursen. Needless to say, the hard drives often had little value at that point.

"Now, we're not just supporting criminal investigators, we're supporting the war-fighter, and that's a capability that the government hasn't had before," says Zatyko.
