
AI Boosts DOD Cyber Crime Center Digital Forensics

The center sees opportunity for artificial intelligence to support data collection and processing in cyber crime investigations.

New Zealand Police visited DOD Cyber Crime Center in 2023 to discuss training, cyber forensics and future opportunities for collaboration. Photo Credit: DOD Cyber Crime Center

A new program at the Defense Department Cyber Crime Center (DC3) is incorporating artificial intelligence and machine learning to help its analysts parse through enormous amounts of sensor data and better analyze cyber threats and forensics.

“We’re going out there, we’re putting sensors out there, and then we’re using artificial intelligence and machine learning to help us analyze that data,” said DC3 Chief Scientist Lam Nguyen at the AFCEA TechNet Indo-Pacific conference in Honolulu Wednesday. “If you work in the cyber field, you understand that it is a vast and almost unmanageable amount of data.”

Nguyen referenced the Enhanced Network Sensor and Intelligence Threat Enumeration (ENSITE) framework, which DC3 developed with its mission partners to enhance how it analyzes, collects and curates data to detect and analyze cyber threats.

Nguyen explained that the amount of data generated by its cyber forensics investigations is a product of what he calls “thinking outside the box,” or extracting digital evidence from unexpected sources.

“If you have a Tesla and an iPhone, we can’t break into the phone, but we can get data from the car’s telematics,” he explained.

Analysts also look at data from internet-connected devices like smart home speakers and fitness trackers to build a more comprehensive picture of an investigation.

“If you’re wearing a smart watch, and I invite you into my house, and you decide to murder me, you’re leaving digital traces behind,” he said.

DC3 also has a Damaged Media Recovery (DMR) capability that allows the team to recover data from black boxes and other damaged devices where others might give up.

On the threat-detection side, the center’s more recent work includes its Vulnerability Disclosure Program, which employs professional hackers. The program is a product of the successful “Hack the Pentagon” program that crowdsourced vulnerability reports from hackers in the broader community.

“The hackers are already hacking our systems. If they get our permission, then we call them researchers,” he said. “They’re white hat hackers.”

Some of the best information often comes from voluntary reporting, Nguyen said. DC3’s Defense Collaboration Information Sharing Environment (DCIS) anonymizes and shares this data across the community to enhance overall security.

“DC3 takes the data from your company and anonymizes it, and then shares it across the community,” he said.

The center plays a notable role within the Defense Industrial Base as a service partner supporting law enforcement and counterintelligence operations. This function also supports activities such as recovering data from cloud servers in the event of major data breach incidents.

“We built a culture of service to support our mission partners,” he said. “We are there to support them, that’s our goal in life.”
