• United States



OIG audit finds potential for abuse in FBI forensic kiosks and FBI site hacked

Apr 12, 20155 mins
Data and Information SecurityMicrosoftSecurity

An Inspector General audit found potential for abuse of the FBI's forensic kiosks that could violate the Fourth Amendment and also mentioned the FBI’s Training Registration System was hacked in 2014.

Imagine if after one hour of training, you had access to a FBI digital forensic kiosk that could allow you to “quickly and easily” view and then extract data stored on cell phones, but you don’t have to hand over this “evidence” to an FBI Regional Computer Forensic Laboratory. You could also carry out digital forensics on hard drives and “loose files” to locate “deleted, encrypted, or damaged file information.” After an hour of training, you were supposed to “sign a Letter of Acknowledgment” that you had legal authority to use the kiosk for forensics on cell phones and loose media, but that wasn’t always enforced; there are no “sufficient” controls in place to ensure you used the kiosk for only law enforcement purposes and it is “possible for a user to use a Kiosk without proper legal authority, thereby engaging in a Fourth Amendment violation.” Do you think you might be tempted to misuse the forensic kiosk?

Those are some of the “weaknesses” identified by an Office of the Inspector General audit. As of July 2014, the FBI had 16 Regional Computer Forensic Laboratories (RCFLs) which “provide forensic expertise and training to thousands of law enforcement personnel.” The OIG audited the FBI’s Philadelphia, Pennsylvania, RCFL (PHRCFL).

Before we jump back into weaknesses of the FBI kiosk program, it’s interesting to note that the OIG audit (pdf) said the FBI’s Training Registration System (TRS) was hacked in 2014.

According to the FBI, in early 2014, TRS was compromised after an intruder gained unauthorized access and it was taken out of service until a more secure website could be deployed. The NPO [RCFL National Program Office] requested that RCFLs maintain class rosters locally; as a result, the PHRCFL continues to maintain a paper log. The FBI told us that the NPO is in the process of building and deploying a new training website. FBI officials also told us that security is a top priority in developing the new system because it will contain the names of law enforcement officers.

Regarding those forensic FBI regional computer forensic laboratory kiosks, the San Diego Reader pointed out that a previous FBI report explained, “Self-service kiosks for cellular telephones and loose media allow investigators to review the contents of mobile telephones and most types of loose media on their own.” The report added:

The process is simple: investigators make an appointment at [a regional computer forensics laboratory], bring their evidence, use the Loose Media Kiosk or Cell Phone Investigative Kiosk to view the contents, extract data of interest, save it to a report, and burn the report to a CD or DVD. All of this is accomplished without submitting the evidence to the RCFL.

However the OIG said the PHRCFL does not have “sufficient controls in place” to “ensure that users who did complete the acknowledgment forms did not use the Kiosk for non-law enforcement matters. For example, it was possible that a Kiosk user could use this tool to view private cell phone information for non-law enforcement purposes. It was also possible for a user to use a Kiosk without proper legal authority, thereby engaging in a Fourth Amendment violation.”

The report added that although “FBI policy requires Kiosk users to confirm they possess the proper legal authority for the search of data on cell phones or loose media,” the OIG “found that approximately 24% of the entries in the visitor’s log did not have a corresponding Acknowledgment Form and approximately 13% of the Acknowledgment Forms did not correspond with an entry in the PHRCFL visitor’s log.”

The OIG suggested the FBI needs to “promptly revise controls to ensure compliance with that policy and minimize the risk of inappropriate use of Kiosks.”

In total, the OIG audit resulted in six recommendations. For example, the OIG found discrepancies in the FBI’s annual reports and the Computer Analysis Response Team (CART) Database data.

The report states, “The Kiosk usage information uploaded to the CART Database did not accurately reflect the number of times the Kiosk was used for investigative purposes because, according to the PHRCFL Director, training participants at the PHRCFL were allowed to practice using the Kiosk by searching the data on their own cell phones.” Yet the “current process used to support the information found in the RCFL Annual Report is not adequate to ensure the accuracy of the information reported to Congress, FBI management, and the public.”

The OIG audit found that there were “no sign-in sheets for training that is conducted outside of the PHRCFL;” instead FBI training records included estimated stats for those training sessions.

OIG audit found FBI training records don't match

Additionally, the OIG found “material weaknesses in the Kiosk program that, if not addressed, could leave the Kiosk vulnerable to abuse at the PHRCFL and, possibly at other RCFLs if they do not have appropriate protections in place.”

IRS emails show Lois Lerner interfered with investigation

Speaking of an Inspector General investigation and report, if you are in the mood for more federal drama then emails of former IRS official Lois Lerner show that she interfered with a Treasury Inspector General for Tax Administration (TIGTA) investigation. Government watchdog group Judicial Watchdog obtained the emails via a Freedom of Information Act request; the obtained IRS documents show that Lerner knew that her “targeting criteria of nonprofit groups ‘might raise questions’.”

OIG’s Audit of the Federal Bureau of Investigation’s Philadelphia Regional Computer Forensic Laboratory Radnor, Pennsylvania, report findings, graphics and recommendations can be found here (pdf).

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.