The Computer Crime Investigative Unit

The Computer Crime Investigative Unit – CCIU

Carl W. Hunt

Since computers were incorporated into the mainstream Army equipment inventory about 10 years ago, criminals have been finding ways to use them inappropriately. As computers have been networked to share information, criminals have evolved and the “hacker” has emerged. Computers and networks are critical components of the Army information technology and knowledge management infrastructure that supports how we communicate. Protecting that infrastructure is key to Army success, in garrison and in the field. The Army has built a major program called information assurance (IA) that seeks to protect its systems from a variety of problems, including–

* System misconfiguration.

* Failure to install security patches.

* Operator-error issues.

* Criminal behavior.

The figure shows the growth of the Army’s computer-intrusion crime problem and how hackers are increasingly successful in spite of innovative attempts to limit their access. The incidents shown include multiple port scans, attempted intrusions, and other events short of actual computer-integrity compromise, while the intrusions involve hackers actually taking control of computers in one form or another.

In March 2000, the U.S. Army Criminal Investigation Command (USACIDC) activated the CCIU. It is a component of the 701st MP Group (CID) and is composed of specially trained personnel who investigate hackers and their crimes, seeking to jail these criminals. CCIU is broken into several sections, to include–

* Command and control (C2).

* Criminal intelligence (CI).

* Security.

* Legal.

* Intrusion and technical teams.

* Liaison office.

The CID and CCIU are critical players in the IA program as the principal enforcers of the law and regulations that protect this important area of potential vulnerability.

C2 Team

The CCIU’s C2 team oversees all office operations conducted by the other sections. The team is based in Fort Belvoir, Virginia, and includes the commander, operations officer, and operations assistant. Some of its duties include ensuring that the office personnel are receiving appropriate training and have the tools they need to fulfill their duties in the most expeditious and accurate manner.

CI and Security Manager

The CI and security manager is responsible for the overall management of the automated CI system for the CCIU. He analyzes factual or suspected situations of criminal behavior in significant criminal violations, determines certain patterns and trends of these criminal activities, and prepares analytical reports. He makes independent decisions regarding areas of investigative jurisdiction and responsibility and recommends appropriate CI actions to the commander and operations officer. The manager also evaluates commercially available programs and databases for use by the CCIU.

The CI manager conducts official liaison with federal law enforcement and intelligence organizations, such as the National Infrastructure Protection Center and the Joint Task Force Computer Network Operations, and with other national law enforcement and intelligence organizations. The CI manager is also the CCIU security manager, coordinating intelligence-related activities for CCIU personnel.

Legal Advisor

CCIU also has an in-house attorney, trained and experienced in the technical knowledge of the workings of computers, networks, and programs. She is also an expert in the constantly evolving area of cyber and high-tech crime and works in full-time support of the CCIU mission. She is the principal advisor to the USACIDC on computer crime issues and is a computer law consultant to the U.S. Army Office of the General Counsel. The CCIU legal advisor is instrumental in obtaining computer search warrants, subpoenas, and foreign sources of evidence through U.S. State Department and U.S. Department of Justice procedures.

Intrusion Team

The intrusion team is responsible for identifying and pursuing leads generated by the forensic evaluation of victims’ and suspects’ computers. Each team member must be familiar with the technical aspect of the investigations and be able to view technical data through the eyes of a criminal investigator. These investigators must be able to understand the gigabytes of data thrust at them on a daily basis and the implications of that data and how to react to it. Each member is well versed in the technical jargon used by system administrators; they must be equally well versed in the hacker slang used on what is known as the Undernet–the “dark side”–of the Internet. CCIU special agents receive approximately 6 months of preparatory technical training before undertaking independent intrusion investigations.

Beyond being technically proficient and skilled investigators, members of the intrusion team also have to be skilled diplomats. Since nearly every investigation crosses through multiple jurisdictions, CCIU agents are required to deal with several different investigative agencies in each case. Moreover, since many intrusion investigations involve suspects in other countries, intrusion team members must know how to obtain information from foreign governments as well. The agents assigned to work intrusion investigations must be technically well versed, savvy investigators with the ability to improvise in a changing legislative environment. They must be independent, flexible, and creative, but above all, relentless.

Tech/Forensic Team

The technical/forensic team is primarily responsible for all computer forensic examinations. During the course of an Internet-intrusion investigation, it obtains the affected computer system involved in an Army-related criminal computer intrusion. The forensic team collects the evidence–the computer hard-drive data–on compatible media (CD-ROM and hard drive), which is further processed in the evidence room. The media is used to restore the data for further analysis. The team generates a forensic report documenting the analysis of the media and then provides the report to the case agent investigating the intrusion to further assist in locating and capturing the culprits. The technical knowledge necessary to analyze computer media takes months of specialized training and mentorship from experienced forensic examiners.

To capture intruders, the forensic team employs and monitors Network Intrusion Detection Systems placed on warrant-authorized networks. This team also staffs the Information Assurance Vulnerability Assessment Program with the U.S. Army G-6. The program targets Army installations for computer vulnerabilities and provides the commander with an electronic computer-vulnerability assessment. This assessment outlines the vulnerabilities discovered within the supported commander’s network and advises on the best course for correcting them. Some forensic team members also teach forensic training at the Federal Law Enforcement Training Center and other computer forensic organizations.

Conclusion

Finally, the CCIU has established the first of what it hopes will be many liaison offices, co-located with the continental United States (CONUS) regional computer emergency response team (RCERT) and the CONUS Theater Network Operations and Security Center (TNOSC) at Fort Huachuca, Arizona. The Fort Huachuca liaison officer is not only fully integrated in the Army information assurance effort at the RCERT and TNOSC but also works a variety of computer intrusion criminal investigations. The establishment of this office has been acclaimed as a great success for CID by many of the Army’s IA partners. The CCIU hopes to establish these liaison offices throughout the Army wherever RCERTs or TNOSCs are located.

[GRAPHICS OMITTED]

Lieutenant Colonel Carl Hunt is the commander of the CCIU. He holds a Ph.D. in information technology from George Mason University. His e-mail is carl.hunt@us.army.mil.

COPYRIGHT 2002 U.S. Army Maneuver Support Center

COPYRIGHT 2004 Gale Group