February 9, 2015
A Glimpse Into NCFI
As the third "anniversary" of our BCERT (Basic
Computer Evidence Training) class graduation from the National Computer Forensic Institute (NCFI) in Hoover, AL draws near, it dawned on me that since
I've attended BCERT, I've received a number of inquiries about the course and
about NCFI in general. Being that the available
information about NCFI is quite limited and there seem to be no real
hands-on descriptions of the course, the facility or the surrounding area, I
thought I'd provide a little insight into those areas for future prospective
students of BCERT or any other course NCFI has to offer.
It should be noted that it has been 3 years since I've
attended BCERT and NCFI, so it is quite possible some of these things have
changed a bit. And while I'll often
refer to BCERT as the benchmark for my comments, many of the same circumstances
apply regardless of the course taught at NCFI.
Admission into the Course
I would never suggest that anyone attend any digital
forensic courses without first researching the content of the course and, if
possible, who is teaching the course. So
prior to application into any courses at NCFI, do some homework. What are the
prerequisites, if any? What are the core competencies that are covered? How long is the course? What is the cost and what do you get for that
cost? All of these considerations are
key, but some of them, most notably cost, are not an issue with regard to NCFI.
If you don't already know, the NCFI is operated by the US
Secret Service. Most of their programs
are geared toward local and state law enforcement and evidence handlers. In our BCERT class, there were no federal
agents except the proctors for the class.
And while your local impression of the feds may not be the highest, I
can assure you everyone at NCFI, not to mention everyone involved in the
application process, was top-notch, down-to-earth and very cooperative.
To be accepted into NCFI, you first need the nomination of
your local Secret Service Field Office.
And while the nomination itself is fairly simple, the selection process
depends greatly on your geographical location and the worthiness your local
Secret Service office places on computer forensics in general. For example, if you are in the New York area,
you may be competing with several others for slots in NCFI courses. What's more, if the SAIC of the New York
Field Office isn't a big believer in the local law enforcement ability to
assist in their cases, they may not be very enthusiastic about your candidacy
in the course(s). Conversely, if you work
nearest to the Anchorage, Alaska Field Office and your local SAIC is a vehement
believer in the effectiveness of computer forensics, then you may have the
opportunity to attend many courses by virtue of the fact that your competition
is low and your support is high.
Mid-way through the selection process, a local agent will
contact you and ask several basic questions and possibly have you sign a
release to do a background investigation (I don't remember a background being a
part of my process, but a recent candidate told me it is now). They'll also ask you if you want to fly or
drive to the facility. If you are
located within a reasonable driving distance to Hoover, AL, they will allow you
to drive and reimburse your mileage at the going rate. More on that later.
A skewed view of the U.S. The pins indicate past NCFI students (Photo Courtesy: Billy Gordon)
To say that there is no politics at play with regard to the
selection process at NCFI would be naive.
Indeed, both a co-worker and I were selected for 2 different courses (BCERT
and MDE) in great part because our agency had a very good relationship with a
heavy-hitter in the ICAC world.
Regardless, your commitment to the digital forensic program and
willingness to assist the Secret Service also play big roles in your
acceptance.
The Give-and-Take
As mentioned earlier, one of the best selling points to
police administration to allow their examiners and investigators to attend
anywhere from 2-5 weeks in Hoover, Alabama on a working vacation is all of the
expenses, training, materials and equipment are free and you bring them back to
your agency at the completion of training.
For BCERT, this amounted to about $25,000 worth of equipment that a
small, rural agency would probably not have been able to afford otherwise. Add in the cost of training, travel, lodging,
and per diem and it's a very high-return, low investment relationship for most
agencies.
So what does the
Secret Service get in return? Your
agency head must sign an MOU agreeing that, for a period of 36 months: 1) they will allow you (the examiner) to assist
on any US Secret Service digital forensic cases, as needed and 2) if the individual candidate leaves the agency
within the 36 months, all of the equipment will be returned to the Secret
Service. After the 36 month period, the
equipment is turned over to the inventory of the candidate's agency. See, that's not so bad, is it? I can honestly say that in the time I was
employed by my agency after attending BCERT, I was never called upon by the
Secret Service to help out on an examination, but I was able to use the
equipment & training to become a better examiner on several cases and put
some pretty bad suspects in prison for a long time.
Getting there & Living there
In case you don't know, BCERT is one of NCFI's longer
courses. It encompasses 5 weeks of
fairly intensive study covering basic computer hardware, file systems, all
sorts of useful forensic artifacts and highlights of the two primary forensic
tools on the market (at the time), EnCase and FTK (Forensic ToolKit). Other courses are not quite as long, but may
be just as intense. Regardless, the
format is the same. NCFI, via your local
Secret Service office, will arrange your travel to and from Hoover
(Birmingham), AL, and a shuttle to and from the airport on your arriving and
departing days. They provide lodging at
one of two nearby hotels of suites wherein you have a fully functional kitchen,
full-size refrigerator and a living room area (as well as bed and bathroom) to
yourself. They also provide a shuttle to
and from class every day for those who chose not to drive. The shuttle will also provide transportation
to shopping venues, dinner outings, leisure activities on the weekend, etc.
The hotel where we stayed not only provided breakfast every
morning and dinner every night, but for two hours had an open bar, providing
beer & wine from 5-7 pm during the week. They did not have a very large gym
on-site, so they contracted with a nearby gym for use of their facilities for
longer-term residents.
Some of the notable reimbursements that took place within
the first week at NCFI were the mileage (I chose to drive from Virginia to
Alabama) and per diem for meals. I don't
recall the specific amount allotted for per diem, but I do recall getting a
very large check toward the beginning of week 2 which was nice. There is no tracking of the per diem
expenditures, just a flat rate multiplied by however many days you're in the
training and a direct deposit issued into your account. As the course goes along, you are also
reimbursed for laundry/dry cleaning expenses. A brief caveat about the mileage, however -
DO NOT ask for reimbursement for mileage if you are driving a government
vehicle. There's a word for that: fraud.
I'll say that it appeared to me that the folks at NCFI set
all of this up to make a 5-week stay away from home as pleasant as possible for
us. I will also add that I was glad I
drove my own vehicle because it allowed me a little more freedom of movement in
the evenings and on the weekends. I
would recommend driving, unless you're attending the course from Anchorage,
Alaska.
There are several local highlights in the Hoover area, if
you are interested. Naturally, the
entire region is known for great golf courses, but cops love food and the food scene is actually
pretty darn good there, too. Three standouts in
my mind were the Cajun Steamer in Hoover, Flip Burger Boutique in Birmingham
and Saw's Barbecue in Homewood. Cajun
Steamers is a no-frills Cajun place that serves up Creole food by the pound,
some of it family-style. Authentic and
fun, we had a great time as a huge group of us went there for dinner early on
in the class and it was a great ice-breaker to get to know some people aside
from the classroom setting. Flip burger
was a gem that two compadres and I found in the Summit Mall in Birmingham. The Mall itself is pretty high-class, but
Flip Burger is a futuristic-looking diner with an amazing variety of burgers,
sides & shakes (my favorite was the Chorizo burger). We went there several times once we found it
and I'm definitely going back if I ever get into the area again. Finally, Saw's barbecue is a legendary BBQ
joint that is only open for lunch. They cook a set amount for the day and once
they're out of food, they're done. We
tried to pull up their website before we went, but it seemed to have been
hijacked by Ruskies (not joking), so when we got there, we told the owner and
he thanked us with a heaping sampler platter.
As if the portions weren't big enough already, we were treated with some
of the most succulent smoked meats I've ever eaten. Simply delicious. Sadly, we found out about this hot spot on
the very last full day of class, so no return trips for yours truly.
Space Age Burger Boutique: Flip Burger in Birmingham
Aside from food, the Talladega International Speedway is not
far, as well as the Barber Motorsports Park & Museum. The Museum is legendary and consists of 4
floors of motor vehicles from all eras.
From early to modern, WWI, WWII, motorcycles, race cars... you name it,
they have it (see pictures below). It's
a great place to burn a random Saturday while you're there. Barber also offers a motorsports experience,
which we did not partake in because we were all cheap, destitute cops. Other fairly nearby attractions are the NASA Marshall Space Flight Center in Huntsville, the University of Alabama and other attractions in
Birmingham. I have to say, I was hoping
to find a good Irish pub in downtown Birmingham, but could not. In fact, downtown Birmingham was somewhat
disappointing overall. But in general, I
was pleased with the variety of things to do in an area I had frankly never
heard of before.
Yes, we were all still cops at this point (Photo Courtesy: Billy Gordon)
The Course(s)
Now here's where I'm going to mainly concentrate on BCERT in
that it was my only exposure to NCFI thus far.
BCERT is 5 weeks long. The course
is designed to take the novice and mold them into a competent computer forensic
examiner using some industry standard tools.
On day 1, we were provided our brand new 17" Macbook Pro laptops, a
full copy of Windows 7 Ultimate and the MS Office Suite. We were guided through
the Bootcamp process to install Windows onto the Macbooks and that was about
all we did with the Macs the entire time.
They are provided simply to have access to forensic tools in the field,
for conducting evidence triage, etc. Some
of the other equipment & tools we were provided were:
- Tableau Forensic Ultrakit in Pelican case (full assortment of write-blockers & adapters)
- A basic tool kit suitable for working on computers
- Full 2-year licenses for EnCase, Xways and FTK
- A digital camera for scene documentation
- Two large manuals for the course
- Backpack & tackle box for storage & portability
- Monitor, keyboard, etc. for FRED (Forensic Recovery of Evidence Device)
- *Digital Intelligence FRED - complete with Windows 7 Ultimate, 6TB RAID array, several hot-swap bays, Tableau ultra bay, USB 3.0 ports, 16 Gb of RAM installed (upgradable to 32) and two internal HDDs. Several additional internal HDDs were provided for storage as well.
*I have been told our class was (one of) the
last in which NCFI was issuing the Digital Intelligence FRED machines and has
since switched to Mac towers, but that is unconfirmed at this point
All in all, I estimate around $25,000 worth of equipment
& software. Not bad for
"free"! At the end of the
course, you may arrange to ship the equipment to your agency (at USSS cost) or,
if you drove, you can haul the equipment back with you. Bear in mind, that the USSS tracks all of the
costly equipment and maintains an inventory of who has what and where for the
entire 36 months. In the following year
after BCERT, they made two trips to my agency for the purposes of inventory, so
don't lose, lend, sell or otherwise misplace any of the expensive stuff.
The course itself is broken down into two parts. The first
part is two weeks and quite intense. It
starts with setup of the forensic box, basic computer components (with a
practical) and dives right into file systems, bits, bytes etc. The first two weeks end with a written exam,
which requires some study and isn't a total piece of cake. I'll freely admit I should have studied more. Allegedly, if you do not pass the written
exam with a minimum score, you are sent home, although no one in my class was
sent home. After the conclusion of the
first two weeks, the class lets out early on Friday and you are afforded the
opportunity to fly/drive home (at your expense) to meet your loved ones for a
little bit longer weekend.
Fixing the FRED during week 1 of BCERT (Photo Courtesy: Billy Gordon)
Weeks 3 and 4 are divided almost evenly by working hands-on
in FTK and EnCase. Our lead instructor
was Glynn LeBlanc, a former Deputy & Investigator from Louisiana who is
extremely knowledgeable about forensics in general and FTK in specific. NCFI has/had a contract with AccessData to
provide a good part of the training, so to say the weeks were evenly divided
between FTK and EnCase is somewhat inaccurate, but I found the added time with
FTK useful because I was already a primary EnCase user. The tools are covered in fairly decent detail
(as much as you can in 1 week) and the final week is a series of practical
exercises, some group and some individual.
It culminates in a practical exercise wherein the class participants
have to work a forensic case from seizure through reporting. It's not overly difficult, but it is something
you should concentrate on, pay attention to and use the build-up practical
exercises earlier in the week to prepare for.
I would imagine it may take more time and effort to complete for the
novice than for the experienced examiner, but if memory serves, they give you
around 2 days to complete it.
The Instructors & Staff
Like I said, NCFI contracts with AccessData, but also has
other instructors come in to assist for part or all of the course. Glynn LeBlanc was our lead instructor and did
an outstanding job. Rob Andrews was our
civilian representative and took his fair share of ribbing for never having been
a cop, but he is also an extremely knowledgeable instructor and a helluva guy. At last check, Rob still teaches the NITRO
(Network Intrusion) Course at NCFI and may also be assisting with BCERT. Glynn
has moved on as Director of Training at NUIX and, while he still stays in touch
with our class as a group, he does not teach at NCFI currently.
Glynn LeBlanc trying to explain forensics to a bunch of cops (photo courtesy: Billy Gordon)
For a very long time prior to and during our course, Alex
Monsma was the Secret Service Agent coordinating all of the classes at NCFI.
Alex was a wealth of knowledge about anything you wanted to know with regard to
the area, activities, administrative issues and, of course, restaurants. I was told recently that Alex had to rotate
up to the DC area for his Executive Protection assignment, so I'm not sure who
is coordinating the activities at NCFI currently. The rest of the staff should be the same and
are also very helpful and friendly.
The other benefit to classes like BCERT are the proctors. We
had several USSS Special Agents proctor our course during the 5 weeks and most
of them were not only knowledgeable, but just fun guys to hang out with. One in particular was from the Chicago area
and when I went to Chicago some time later, he was able to guide me into
Wrigley Field on my badge, which was great.
I always feel sorry for those guys when stories come out about
extra-curricular behavior at the Secret Service because I have honestly not met
a USSS Agent I didn't like and for a time, I even aspired to join their ranks,
but I got too old (37).
Wrapping it Up (finally)
All in all, I thought my time at NCFI was an amazing
opportunity coupled with some very solid, worthwhile instruction. Top it off with some "free"
equipment, great food and making some good friends, it was very well worth it.
While I'm sure 5 weeks away from my family (we did have a weekend together in
there) wasn't a great time for my wife, I'm grateful for her support in letting
me go to BCERT. And while 5 weeks is
certainly a long time, I would say that one needs almost twice that to get a
real grip on what digital forensics is, how to incorporate it into different
cases and where it's going. Unfortunately I'm not in law enforcement
currently, but I would see it as an honor and a privilege to return to NCFI for
any of their other courses.
Check out their online catalog here and feel free to email
me any questions or comments, especially if you have updated information with
regard to equipment, software, etc. that would be helpful for readers of this
article. It's my hope that the programs continue to grow and perhaps
incorporate some instruction on other tools such as Xways Forensics because of
growing popularity in the field.
Regardless, everything I learned at BCERT still serves me well today and
I'm grateful for the instruction and relationships I've built through
participation in the course.
Class Picture, BCERT 11-03 (Photo courtesy: Bill Fleming)
Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
Google Plus: +ProDigitalConsulting