Jim Christy in ActiveCyber.net (2-11-19): Digital Forensics Pioneer


From working on the Hanover hackers’ case with Dr. Cliff Stoll as described in The Cuckoo’s Egg to re-exploring a nearly 50-year-old cold case of the infamous hijacker – DB Cooper – and a lot in between, Jim Christy has been a leading pioneer in the field of digital forensics and computer crime investigations.

His foresight and leadership led to the creation of many “firsts” in the field, including the formation of the DoD digital forensics lab. His experience has given him unique perspectives on the evolution of digital forensics and what is needed to continue to move forward in the fight against computer crime and cyber attacks.  I met Jim over 20 years ago when he was chairing the Infrastructure Protection Task Force and I was an industry volunteer from IBM. Jim’s easy-going way and “can do” spirit led to the success of that initiative and to a friendly long-term association ever since. So read the interview below with Active Cyber to learn more about how Jim put digital forensics on the map for DoD and his one-of-a-kind insights on the past, present and future of digital forensics. 

Chris Daly, Active Cyber: Jim, you had a hand in every major development in the digital forensics space for over 20 years and getting digital forensics started for DoD. What were some of the big highlights and key challenges in getting computer forensics and later digital forensics on the map in the DoD?

Jim Christy, Special Agent (Retired); President & CEO The Christy Group LLC; Cyber Investigations & Digital Forensics Consultant: Unfortunately, military commanders and leaders really never made solving criminal activity a priority. Their mission was to be prepared to project force worldwide, not solve crimes. I used cyber intrusions as a way to get the leaders’ attention. A compromise of a critical system due to an intrusion could have a major impact on their ability to execute their mission. It took quite a while but they finally got it. Sadly, commanders started to get it before my own organization got it. To solve intrusions, you have to employ digital forensics, so I used intrusions to justify the creation of the AFOSI Lab and eventually the DOD Computer Forensics Labs.

This was all happening while DOD was being downsized due to the peace dividend in the late ‘80’s, early ‘90’s.  It was hard to grow a capability as the budget was going away.

Active Cyber: What were the biggest changes you oversaw in digital forensics during your time at DC3 and its predecessor agencies and how have digital forensics practices evolved from art to science or would you say digital forensics is still an art form?

Jim Christy: First of all, there is a lot of science involved in digital forensics but there is art as well.  The best investigators are creative and have an extra sense and intuition that tells them where and how to apply the science.

The biggest changes were going from zero to 180 miles an hour in a very short time frame (in government terms). Our organization, AFOSI, in the early ‘90’s went through a major reorganization at the headquarters level and everyone was required to physically move their offices and to redefine their mission with a focus on operations. I was the Computer Crime Program Manager which focused on organizing, training and equipping our computer crime investigators in the field and only helped out my agents in the field when they needed it.

That’s when I came up with the idea for the AF Computer Forensics Lab. Consolidate the different specialized or unique computers and equipment in one location to support the agents in the field, specifically supporting intrusion investigations which commanders were starting to understand.

I had to put a plan together including mission, personnel, and budget. I had to brief my boss and get his buy-in and then, once he approved, brief the OSI Commander (who didn’t even know who I was).

Then it was my turn to brief the OSI Commander, his senior staff and my boss which was a very scripted and pre-approved briefing. When I made my case for an AF Computer Forensics Lab, I deviated from the script. I saw that they were all starting to buy into my concept so I added that we shouldn’t stop with just an AF Lab, we should create a DOD Computer Forensics Lab to support the Army CID and the NCIS which didn’t have Computer crime programs yet.  We all had the same challenges that weren’t being addressed. My boss was a little shocked and probably pissed but our Commander bought it and asked me to lead a research project.

I worked with our sister services and they were non-committal. I was asked to brief the DOD Counterintelligence staff on a couple of intrusion investigations we had been conducting. Following that briefing, I had acquired a major advocate, Mr. John Elliff, the Director of Counterintelligence for the Office of the Secretary of Defense. He had me attend meetings all over DOD with him and brief my concept of a DOD Computer Forensics Lab to support intrusion investigations. It was still NOT an easy sell. I had a very senior counterintelligence official from OSI come up to me after one of these meetings and say, “Jim, aren’t you embarrassed to call this counterintelligence?” This same official once told me when I previously had proposed a cyber counterintelligence operation that “computers and counterintelligence are mutually exclusive.” This is what I had to deal with on a regular basis.

Active Cyber: How do you judge the state of the art of digital forensics technology today? Is it addressing customer needs? What is it missing? Do you believe it is keeping pace with counter-forensic tools, new cyber threat vectors, advances in steganography, etc.?

Jim Christy: The state of the art of digital forensics technology is and always will be behind where it needs to be. It’s the nature of the beast. The technological world is so rapidly and constantly changing, we will always be playing catch-up. Criminals are always looking for better, easier, safer ways to commit crimes and have always leveraged technology. Think about it – every tool made by man in history to make jobs better, faster or more efficient has been turned around by criminals to commit crimes. Whether it’s a rock, stick, hammer, knife, golf club, car, bow & arrow, chisel, screwdriver, gun, bat, bottle, hammer, animal, pepper, rope, or airplane, they have all been used as weapons. It certainly shouldn’t shock us that one of the most powerful tools created by man, the computer, would also be used for no good.

Computers also play the 3 traditional investigative roles in a crime:

  • Victim – your computer could be held for ransom or victim of an intrusion,
  • Witness – a server somewhere could innocuously hold evidence of an intrusion because it was used as a pass through during a looping and weaving maneuver,
  • And Subject – The bad guy’s actual computer used for child pornography or the system used to launch an attack.

Just like we did with the other tools of crimes, we have to develop a forensic capability to uncover evidence to either prove or disprove a criminal allegation.

The largest deficit continues to be support for state and local law enforcement. They have the majority of crimes to solve and the least amount of resources to apply. There are over 18,000 different law enforcement agencies in the US alone.  The vast majority of these agencies don’t have anyone doing digital forensics or cyber crime investigations.

State legislators allocate the resources and still don’t get it. Digital forensics and cyber crime is extremely expensive and the folks responsible for allocating the resources don’t understand the crime. A recipe that is hard for us in the business to understand in the 21st century.

Active Cyber: Are evidence reconstruction practices and technology keeping up with the complexity of how information is stored today – scattered among different physical or virtual locations, such as online social networks, cloud resources, and personal network–attached storage units? Do you believe that partially automating some collection and reconstruction tasks is okay or do you believe it would deteriorate the quality of the investigation?

Jim Christy: There are some pretty smart people working these issues but most are reacting to a specific, significant case. Research funding has to be applied to significant existing problems and there are so many, resources have to be prioritized. You have to get the biggest bang for your buck. That means many problems are not solved until they are a significant, systemic problem. Always playing catchup.

When I first started in the field, you would literally look at every byte on a piece of media. There is no possible way to do that today. Processes must be automated. That being said, you must find the actual evidence. How you find that needle in the hack stack is what needs to be addressed. More research dollars applied and better tools developed.

Active Cyber: What about digital forensics examiners – are there adequate opportunities for advancement in the field and opportunities to grow skills? Did “Abby” help or hurt the image of digital forensics examiners? How do you see the role of data scientists evolving in the field of digital forensics?

Jim Christy: The “Abby” factor is a complicating factor for the judges, juries, and lawyers. They expect speedy, accurate results and anything less may be considered incompetent. Hollywood does play a positive role as well as a negative role. I’ve tasked our developers to tackle problems that Hollywood has solved. I remember back in the early ‘80’s when I was a programmer at the Pentagon, being tasked by the Joint Chiefs of Staff to help build an operations center like the one in the movie War Games. Life imitates art and vice versa. Judges and prosecutors need to learn what is possible and investigators need to set appropriate expectations.

Digital forensics is a multidisciplinary field already and as technology changes more specialties need to be created to focus research and development on the greatest challenges. Some of these specialties and challenge areas are:

  • Computer Forensics
  • Mobile Forensics
  • Database Forensics
  • Network Forensics
  • Live Forensics

Active Cyber: In this emerging age of virtual reality, synthetic identities, and misinformation, what is your view on “deep fakes” and the ability of digital forensics to unmask them before serious damage is incurred? What are your opinions about the state of digital forensics practices for assessing attribution from a cyber attack?

Jim Christy: More research needs to be applied to determining what is a real photo or video and what has been digitally created or altered.  In child pornography cases, prosecutors advised that to successfully prosecute a child pornographer, they had to have a picture of a real victim. If we had an animated picture, you didn’t have a victim, therefore it was NOT child porn.

Laws need to be addressed. What if someone in Hollywood with access to all of the latest technologies, created an animated movie of children having sex with adults? What is legal and what is free speech?

As for attribution for cyber attacks, it continues to be the priority, and technologies continue to evolve because that’s where the resources are applied. It may not happen as quickly as it does on NCIS but attribution technologies continue to improve. The federal government has the ability to apply all-source investigative techniques and Intel to the attribution problem which makes them far more successful. Technology can’t solve the attribution problem by itself. State and local law enforcement don’t have any capability to conduct intrusion investigations today. If an intrusion doesn’t reach a significant monetary threshold for the federal law enforcement agencies, the case won’t be worked.

States and local law enforcement agencies need a capability.

Active Cyber: How do you see digital forensics evolving? Where do you see the most investment in digital forensics technology over the next 3-5 years being applied? Is there a particular type of digital forensics use case that needs investment more? Do you believe that digital forensics examinations can be performed in cloud-based environments?

Jim Christy: The greatest need for the digital forensics community is in the realm of education. Colleges and universities need to up their game. We have found that the few colleges and universities that actually had a digital forensics degree program were not producing a qualified digital forensics examiner.

I hired a very bright young lady for an outreach position. She had just graduated from a university with a bachelor’s degree in digital forensics.  After a year doing a superb job in outreach, she asked if she could transfer to the lab so she could use her degree. She came from a family of law enforcement professionals and wanted to follow. I facilitated the transfer to the lab and they had to put her through our DC3 cyber investigations courses.  

A year later she came down to my office to tell me she had gone back to school and had just received her master’s in digital forensics and was extremely frustrated because she said that nothing she had learned getting those two advanced degrees could be applied to the real world of forensics. On top of that, the government had to spend about $200K plus salary to train her as a qualified digital forensics examiner.

The 2 top cyber crimes in the world are human trafficking and cyber intrusions.  Only the federal government has the resources to adequately address these high-tech crimes. Companies today need to have the resources to have in-house experts or be able to hire a qualified firm. Small business can’t do that.  State and local law enforcement can’t afford to do it either.

Active Cyber: As you know, digital forensics plays an increasingly important role in civil and criminal proceedings. Has the legal culture caught up with the reality of how modern technology can help unmask digital evidence? What cultural or technology shortcomings still exist in eDiscovery processes and how evidence is produced and presented through digital forensics? What improvement in standards do you believe are necessary for how digital evidence is developed and used in legal proceedings? Is there consistent application and acceptance of digital forensics approaches in international, cross-border cases? If not, what needs to change?

Jim Christy: When eDiscovery was added to the Federal Rules of Civil Procedure back in Dec 2006, I erroneously thought that eDiscovery would take off and make the mainstream fairly quickly. Twelve plus years later, most civil attorneys have no idea what it is and what it can do for them. They don’t know what metadata is and certainly not the power of it.  The cost of digital forensics is so prohibitive to the majority of law firms which are one or two attorney shops, they have remained ignorant of the power of digital forensics.

Digital forensics courses in colleges and universities are taught in computer science curriculum not in the criminal justice or legal curriculums. Digital forensics is a discipline that crosses traditional boundaries just as cyber does.

Digital Forensic standards? This is REALLY BIG!  The US DOJ/NIST, National Commission on Forensic Science recommended that the Attorney General should encourage, by all means possible, the universal accreditation of all non-DOJ forensic science services providers (FSSPs) with any available enforcement mechanisms.

The debate on this question continues: should Digital Forensics Labs– including federal, state and local law enforcement agency’s labs and private sector digital forensics providers– be required to have their labs accredited by an accrediting body such as the American Society of Crime Lab Directors, Laboratory Accreditation Board (ASCLD/LAB)?

What constitutes a lab?  One guy with a computer? Is the discipline of digital forensics an art or a science?  Can anyone perform digital forensics examinations and present them in criminal or civil court (e-discovery)?  Should there be a standard for the digital forensics discipline or can anyone with no training, no certifications, or standards present digital evidence exam reports in court?

If there were standards, who sets them? Who pays for the training and the accrediting of the labs both for the public sector and the private sector? If you create a standard, all of a sudden you have the “haves” and the “have nots.” The “have nots” would most likely be 98% of the community! How does this affect current cases?

This has the potential to be a game-changer for the vast majority of state, local, and tribal law enforcement agencies not to mention virtually all private sector providers.  The federal government has the resources to make this happen for federal agencies and basically could put everyone else out of business if funding isn’t provided to everyone else.  Very few of the federal agencies today accredit their digital forensics labs and only a couple dozen of over 18,000 US law enforcement agencies accredit their digital forensics services.

Examples of functions that would be included are below, whether in public or private practice.

  1. Crime scene (e.g., blood pattern analysis, fire investigation, crime scene reconstruction)
  2. Identification examinations (e.g., latent Prints, ten Prints, tire impressions)
  3. Document examinations
  4. Firearms/Ballistics examinations
  5. Toolmark examinations
  6. Digital and Multimedia examinations
  7. Drug or chemical identifications
  8. Biological examinations
  9. Trace Evidence examination

The DOD Computer Forensics Lab at DC3 where I worked for 12 years achieved ASCLD/LAB accreditation in 2005.  It was a painful, laborious process and very, very expensive. It took well over a year to prepare for the process and inspection.  This is most likely considered a great idea from the general public’s perspective, who would probably be shocked that this has not been the standard for 20 years.

Today, anyone can call themselves digital forensic experts. Just do a Google search.

Active Cyber: What important cases come to mind that reflects on the success of digital forensics or of significant milestones in the evolution of digital forensics from technology, practice and legal standpoi

Jim Christy: The first time that we actually used the term Digital Forensics was following a significant murder investigation in 1991. Prior to that it was simply Computer Forensics. In this murder investigation, the suspect cut two floppy diskettes into 23 pieces with pinking shears. 

No other government agency including the law enforcement and Intel community were able to recover any of the data until my deputy and I developed a technique for less than $150.  We were able to recover 85%-95% of the data from each piece of diskette.  The suspect when confronted with the evidence, confessed, pled guilty and was sentenced to life in prison.  This case was profiled on the “New Detectives” series on the Discovery Channel, 2 Jan 1999 and was on Court TV’s, Forensics Files (Shear Luck) in 2005.

Even a Cold Case like the 1971, DB Cooper, skyjacking has a cyber connection.

On Wednesday, 24 November 1971, 47 years ago, an American Legend was born. A man using the name Dan Cooper bought a plane ticket at the Northwest Orient Airlines’ Portland ticket counter. He purchased a ticket on Flight 305 from Portland, OR to Seattle WA. Cooper boarded the Boeing 727-100 with a briefcase (no airport security in those days. No Id checks. Just pay and fly). In flight, Cooper handed the stewardess a note that said he had a bomb which he showed to the stewardess. He demanded $200,000 and 4 parachutes in Seattle.  The FBI assembled the cash and the 4 parachutes.  Cooper released the passengers in exchange but kept the crew onboard. He demanded the crew fly to Mexico which required a re-fueling stop in Reno, NV.  The Boeing 727 took off from Seattle.  In flight Cooper demanded the stewardesses move to the cockpit with the pilots.  He also instructed the crew to fly at a certain speed and altitude. Still over Washington State, the crew noticed a warning light flashing indicating the aft stairwell under the aircraft tail had opened.

When the plane landed in Reno, Cooper, the bomb, 2 parachutes and the $200,000 were gone.  Cooper had disappeared and is responsible for the only unsolved airline hijacking in American history. Dan Cooper was misidentified by local media as D.B. Cooper and the AKA has stuck. There have been movies, songs, and books written about Cooper and there are still many amateur civilian investigators continuing to research and investigate this case today.

So why am I writing about it here?  In early Sep 2016, I was contacted by the lead investigator of the D.B. Cooper Cold Case Team, led by Tom Colbert.  Tom had put together over 40 retired federal agents, forensic psychologists, polygraphers, document examiners, police detectives, military Intelligence officers, and Assistant US Attorneys.  Tom’s team worked for over 5 years and believed they had uncovered the true identity of the infamous D.B Cooper to be Robert Rackstraw of San Diego, CA.  Much of their labor was aired in a 3-hour documentary by the History Channel in July 2016 where they tried to interview Rackstraw.

Well, Tom called me and asked me to join the team and run the cyber operations for the Cold Case Team. I was a little perplexed.  What possible cyber nexus could the DB Cooper case possibly have today? In 1971, no one had a personal computer, The Internet was used by military and scientists only, there was no GPS, no digital surveillance videos, no computerized phone records. No one had ever heard of “cyber”.

It seems that after the History Channel’s documentary aired, a few new users on DB Cooper research and investigative websites (there’s a bunch of them) showed up and these new users knew facts about the case that no one except the Cold Case Team knew. Evidence that hadn’t been aired. It was suspected that the Cold Case Team’s suspect, Robert Rackstraw, had joined these Cooper sites using aliases to plant information to see how much the “Cooperites” actually knew and to eavesdrop on their conversations.

I was asked to try to identify the actual identities of the new users suspected to be the real D.B. Cooper or his surrogates. I put together a volunteer team, comprised of cyber investigators, network intrusion and digital forensics experts with over 85 years of criminal and counterintelligence cyber-investigative experience with the DOD. 

Shortly after initiating our online undercover operation, Tom asked me if I would also “handle” a CONFIDENTIAL INFORMANT (CI) that had contacted him. After viewing the Cooper documentary, the CI claimed he hunted down Robert Rackstraw on Facebook and “catfished” him; he had forwarded several of their private Facebook message exchanges as proof.

So, on 10 October 2016, I took on running this rogue “Catfisher” as well.

Urban Dictionary definition of a Catfisher: A catfisher is the name coined to a bottom-dwelling human who spends a great deal of time on the net in various locations, luring people into a falsely-based romance. The catfisher uses fake pictures and bogus info, often because he or she has low self-esteem or simply is not happy enough with their image to present it to people that they deem out of their league. Playing people they’d otherwise not even get to speak to, in turn, boosts a catfisher’s self-confidence.

I decided to keep these two cyber operations separate and distinct. The original Op we had planned, coordinated and knew all of the players. The second was a possible opportunity but not under our total control, so we needed to test our source. CI’s come with their own sociopathic baggage; they do bring access to the target, but they also have their own motivations that may not be in sync with yours. One of the first things you want to do is to make sure they follow instructions, so you improvise a test to verify the CI conforms to your directions and you can manage them.

In our first telecom, we wanted to know more about the CI’s background and motivation. He told me he was married with children, then sent a picture of himself with his family. But he also admitted his wife had divorced him once because of his use of Facebook, but they were back together – that’s why he no longer had his own profile. Now he was secretly using the fictitious Facebook profile of a 52-year-old female nurse persona, “Kelly Young,” to “snoop around” – and that’s what led up to his search for Rackstraw.

There’s definitely a scary, deceitful side to this guy. With my radar up, I asked one of our veteran private investigators to do a detailed background report on the CI. All other facts seemed to be correct, but with a catfisher, you never know. We did discover our catfisher was also a local pastor and so was his father.

The CI said he located Rackstraw in early September, then sent a Facebook message from his catfisher nurse account – sexy photo, alluring lingo and all. On 5 Oct 2016, the 73-year-old target finally responded. A cordial exchange of private chit-chat began, along with non-threatening probes about the Cooper case – but that all changed, 4-5 days prior to our team’s phone call.

“Kelly” and Rackstraw had turned from Facebook messaging to text-messaging, leaning toward “sexting.” Rackstraw first sent his lady friend some Vietnam-era photos, certificates and pictures of his medals, as well as pictures of his family members. He then ramped it up by forwarding a private selfie, working out in the gym, which was followed by both exchanging much racier nude photos. Finally, Rackstraw sent a web address displaying a variety of pictures of his 45-foot yacht named “Poverty Sucks” in San Diego – then he invited her to come stay.

The unsolicited trove of forwarded military history was impressive and a great deal was false, but we directed the CI to just keep it all friendly – the sexting was not necessary nor helpful. When he ignored my instruction and continued, I gently let the CI know on 13 Oct 2016 that we were parting ways, but if he discovered anything about the identity of D.B. Cooper to let me know.

About a week after cutting all ties with the CI, we discreetly noticed that he had joined one of the Cooper websites that my team was operating undercover on – as his true male self, not as “Kelly”. After some nonsensical and bizarre blog exchanges with Cooper-case strangers on 20 Oct, he appeared to have a personal meltdown. He then started dumping all the military-related pictures Rackstraw had sent him, without any explanation, and confessed that he had catfished Rackstraw, until we had the website’s SysAdm kick him off the site for good. The CI continues to investigate Cooper on his own and still sends me information he thinks is pertinent today.

The team sued the FBI to get access to the closed FBI case file and won.  Slowly the FBI is releasing never before seen evidence to our team. To learn more about the case, Rackstraw and the newly released FBI case file notes go to DBCooper.com.

Who would have thought a 45-46-year-old cold case could possibly have a cyber nexus today? Cyber investigations and digital forensics are extremely powerful tools that should be considered in almost any investigation.  I’m now waiting for a call to join the Lincoln Assassination Cold Case Team.

Active Cyber: Some experts see the need to design more holistic cyber-forensic techniques and unified standards that take into account the entire digital system, and not just a single piece of evidence that investigators happen to find. They call for a paradigm shift in the way people think about cyber forensics and the employment of community approaches – for example in the provisioning of a unified metainterface for IoT forensics covering a spectrum of different devices

Jim Christy: The Intelligence Community has created many different Intelligence Disciplines:

  1. SIGINT – Signal Intelligence
  2. HUMINT – Human Intelligence
  3. ELINT – Electronic Intelligence
  4. IMINT – Image Intelligence
  5. MASINT – Measurement & Signature Intelligence

I have been advocating for a new Intelligence discipline: DFINT – Digital Forensics Intelligence

There are 3 major sectors that play a significant role in our society today.

  • National Security – Military & Intelligence Communities
  • Public Safety – Federal, state & local law enforcement
  • Private Sector – Retail, financial, academic, manufacturing, and service providers

I believe that Digital Forensics Intelligence plays a significant role in these 3 sectors. Where these 3 sectors overlap is what I call Digital Forensics Intelligence.

The tactics, tools and procedures used by the bad guys are the same whether they are applied by child pornographers, credit card thieves, or spies.  You need to apply digital forensics to determine the answers to the traditional investigative questions: Who? What? When? Where? Why? and How?

DFINT is the intelligence on the tradecraft used by the bad guys against the 3 major sectors. That intelligence needs to be collected, analyzed, and disseminated just as the Intel from the other disciplines are.


Thanks, Jim, for sharing some of your perspectives on digital forensics yesterday, today and tomorrow. It has been quite a journey from the time of the Hanover hackers to now and there is still so much more to do. It is easy to see that without your leadership digital forensics would still be a backwater specialty rather than being on the cusp of a thriving and essential discipline in the fight against computer crime and cyber attacks. I hope that the ideas you expressed in this interview on creating the next generation digital forensics capabilities will be heard and acted on by our key national, state, and local decision makers and influencers. And thanks again for your help to me along the way as well.


About Jim Christy
Jim Christy is a retired Special Agent who has specialized in cyber crime investigations and digital forensics for over 32 years with the Air Force Office of Special Investigation, the Department of Defense Cyber Crime Center (DC3) and now the private sector. Jim left the government in July 2013 after 42 years of public service and has started his own consulting firm, The Christy Group, LLC.

Jim retired in Nov 2006 as a Special Agent and immediately returned to the federal service as a senior appointed by the Secretary of the Air Force. He retired from federal service in 2013.

In the Fall of 2016, Jim was asked to join and lead the D.B. Cooper Cold Case Team’s cyber investigative effort to identify the real identity of D.B. Cooper. The D.B. Cooper case is the only unsolved US airline hijacking which occurred in November 1971.

Jim consulted with David Marconi (writer of the movies Enemy of the State, Mission Impossible 2 & Live Free or Die Hard) and contributed technical advice on critical infrastructure attacks (Fire Sale) used in the movie Live Free or Die Hard with Bruce Willis. Jim was also featured in 2013 in the Smithsonian Channel’s documentary on the movie; The Real Story: Live Free or Die Hard.

In May 2011, the Air Force graduated the first NCO’s for a new AF career field, Cyber Defense Operations, at Keesler AFB, MS. The staff of the course honored Jim by creating and presenting the top graduate of the class with the “Jim Christy Award.”

In Oct 2003, the Association of Information Technology Professionals awarded Jim the 2003 Distinguished Information Science Award for his outstanding contribution through distinguished services in the field of information management. The award was originally called the “Computer Man of the Year” award. The first winner was Admiral Grace Hopper. Other previous recipients of this prestigious award include Gene Amdahl, H. Ross Perot, General Emmett Paige, Bill Gates, Lawrence Ellison, David Packard and Mitch Kapor.

From Nov 2003 – Nov 2006, Special Agent Jim Christy was the Director of the Defense Cyber Crime Institute (DCCI), DC3, responsible for research & development and test & evaluation. From 17 Sep 2001 – 1 Nov 2003, Jim was the Deputy Director/Director of Operations, Defense Computer Forensics Lab, DC3, the world’s largest accredited computer forensics lab. Christy testified before a Florida Select Committee on Terrorism in Dec 2001 at their request, as a result of the 9/11 attack, to start the discussion of cyber terrorism.

From May 1998 – Sep 2001, Jim was assigned to the Defense-wide Information Assurance Program, Assistant Secretary of Defense for Command, Control Communications and Intelligence (ASDC3I) as the Law Enforcement & Counterintelligence Coordinator and Infrastructure Protection Liaison.

SA Christy served as the DoD Representative to the President’s Infrastructure Protection Task Force (IPTF) from Sep 1996 – May 1998 at the FBI HQ. The President signed Executive Order 13010 on 15 Jul 96, which was announced in Sen. Sam Nunn’s hearings, creating the IPTF to protect the Nation’s critical infrastructure from both physical and cyber attacks.

Prior to the IPTF, Jim was detailed to Senator Sam Nunn’s staff on the US Senate Permanent Subcommittee on Investigations as a Congressional Fellow, Jan – Aug 1996. Senator Nunn specifically requested Jim’s assistance for the Subcommittee to prepare for hearings in May – Jul 1996 on the vulnerability and the threat to National Critical Infrastructure from cyberspace. Jim provided testimony to the subcommittee on two occasions and was responsible for preparing the Senators and their staffs for the hearings as well as authoring the Committee’s Investigative Report.

From 1986-1998, Jim was the Director of Computer Crime Investigations, and Information Warfare for AFOSI and established the first computer forensics lab in DOD which became the DoD Computer Forensics Lab at DC3.

In 1986, Jim obtained notoriety as the original case agent for the “Hanover Hacker” case. This case involved a group of German hackers who electronically penetrated DOD computer systems all over the world and sold the information to the Soviet KGB. The case was detailed in the best seller, “The Cuckoo’s Egg”, by Dr. Cliff Stoll. The Cuckoo’s Egg has become THE Cyber security book for students and new practitioners to the field of cyber investigations and cyber security.

Some of SA Christy’s notable firsts in Computer Crime Investigations:
1st civilian computer crime investigator in the U.S. Government
1st computer espionage investigation (Hanover Hacker Case), case agent
1st Logon Warning banner for network (for double agent operation)
1st DoD investigator to go undercover on pedophile bulletin boards
1st to distribute wanted poster on the Internet (triple homicide case)
1st to develop forensic technique to recover data from cutup diskette (homicide investigation)
1st psychological profiling study of computer criminals’ program
1st to create the Air Force Computer Forensics Lab
1st to create a DOD Computer Forensics Lab
1st to create a DOD Computer Intrusion Squad
1st computer crime investigator to testify before the U.S. Senate
1st Clearinghouse for Intelligence Media Exploitation (CHIME) to support digital media exploitation and sharing of results from media acquired in GWOT
1st Computer Forensics team to support Special Operations (Operation Iraqi Freedom)

 
