by tptacek 5477 days ago
I don't think the IT skill required to reliably extract evidence from an arbitrary hosting operation (of potentially arbitrary complexity) is simply "on tap" for the FBI.

If you want to say "tough luck that's just what it costs to collect evidence in 2011", fine, but it's probably not fair to say that the FBI should just naturally have that capability.


In general the FBI is still operating in a pre-datacenter mindset when it comes to evidence acquisition.

It wasn't until 2007 that they updated the Handbook of Forensic Services[1] to no longer require seizing peripherals of suspected evidence. Think about that for a second, that means mice, keyboards, monitors, etc.

The team who worked on this raid ironically is part of the DOD CCC, which is a joint forensic lab setup between the DOD and the FBI (they have two labs, one in Maryland, who would have been involved in this raid, and one in California). That team certainly has some smart folks on it (they're the subject-matter-experts for forensic acquisition at the FBI), but if they've devised special procedures for dealing with datacenter or cloud forensics, they haven't been codified yet into the HFS.

[1] http://www2.fbi.gov/hq/lab/handbook/forensics.pdf

How is the DOD allowed to work on civilian law enforcement in any capacity?
I'm not sure exactly what you mean, but the Defense Department works with other government agencies and non-governmental agencies, and has for quite a long time.

One of these collaborations is responsible for you being able to type that comment and have it be readable by someone on another computer.

As to the specifics of the DOD CyberCrime center, it was set up in 98 to offer training/services to other law enforcement and counterintelligence agencies.

Basically, someone figured that instead of having to have each separate agency stumble around in the dark dealing with cyber crime, they could pool resources and try to standardize. It's actually a pretty good example of getting rid of bureaucracy.

I was wondering about the interaction and how it fits with the Posse Comitatus Act.
My guess is that it is exempted by the Military Cooperation with Civilian Law Enforcement Agencies Act[1]

[1] http://www.law.cornell.edu/uscode/usc_sup_01_10_10_A_20_I_30...

Yeah well, actions like this give the image of fat guys in suits who hunt and peck at the keyboard and move icons around on the desktop to find where they are hiding that dang data.
Should they get better forensics people? Absolutely.

But, steel yourself: a very good forensics pro would probably have them acquiring expansive warrants for hardware seizures, because very good forensics pros are paid to foresee all the crazy things colluding providers and criminals can do to hide evidence.