Digital Evidence Standards - Information Systems and Internet (PPT slides)
Why standards?

A scenario
- Dagestan separatists
- Supported by Islamic fundamentalists
- Send two teams:
  - Washington
  - London
- Wire transfer funds from:
  - Paris
  - Rome
- By means of PC banking
- Simultaneously explode two devices

The crime scenes
- Subjects identified
- Computers recovered
- Reveal communications links
- Requests for investigations
- Additional digital evidence collected
- Digital evidence became the glue

Digital Evidence Trail

Critical issues
- How do we ask for what evidence?
- Do we get what we thought we asked for?
- Can we use what we received?

Why standards?
- Trans-jurisdictional
- Exchange
- Digital evidence

What standards?
- Definitions
- Principles
- Processes
- Outcomes
- Common language

How it started
- 1993 - 1st International Conference on Computer Evidence
- 2019 - International Organization on Computer Evidence formed
- 2019 - IOCE & G-8 independently decide to develop standards

How it started - continued
- 2019 - G-8 asks IOCE to undertake this initiative
- 2019 - SWG-DE formed to pursue U.S. participation
- 2019 - ACPO, FCG and ENSFI agree to participate
- 2019 - INTERPOL is briefed on progress

Where we are now
- UK Good Practice Guide (ACPO)
- ENSFI Working Group
- SWG-DE draft /swgdein.htm (under construction)
- October 4-7, 2019
  - IOCE, ACPO, FCG & ENSFI meet on European standards
  - ihcfc - results forthcoming

Where we are going
- First you must crawl
- Create foundation
  - definitions
  - principles
  - processes
- Durable
- Universal
  - all digital evidence types
  - mutually understood

What will the impact be?
- Evidence will be collected
- Cases will be made
- Evidence is the foundation of criminal justice
- Law enforcement will assume its proper role
- The world will be a little safer

A Brief History of CART Protocols
- 1st Gen. - “The Big Book” (shotgun)
  - Problem - out of date the day it came out
- 2nd Gen. - Checklist (linear) combined w/ the Big Book as a reference
  - Problem - do 1, do 2, do 3 - what if 2 doesn't work?
- 3rd Gen. - Descriptions & Flow Chart, the Big Book becomes an independent reference
  - Based on DE Principles, independent of application or OS (link)

SWG-DE Definitions:
- Digital evidence -
  - is information of probative value stored or transmitted in digital form (SWG-DE 7/14/98)
  - is acquired when information and/or physical items are collected and stored for examination purposes. (SWG-DE 8/18/98)

SWG-DE Principle: Evidence Handling
- ANY action which has the potential to alter, damage or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner (SWG-DE 3/12/99)

SWG-DE Definitions: Evidence types
- Original digital evidence - physical items and all the associated data objects at the time of acquisition

SWG-DE Definitions: Evidence types cont.
- Duplicates - an accurate reproduction of all data objects independent of the physical item
- Copy - an accurate reproduction of the information contained in the data objects independent of the physical item.

In Summary
- Nearly all computer crime is trans-jurisdictional
- Standards for collection & processing evidence required to share evidence
- Adopt standards - compare standards
- DE Forensics is a specialty, distinct from computer investigations
- Forensic Laboratories encouraged to lead effort to develop standards

Questions?
- Mark M. Pollitt, Unit C
- Don Cavender, Supervisory Special A
- Computer Analysis Response Team
- Room 4315, 935 Pennsylvania Ave, NW
- Washington, DC 20535 USA
- 202.324.9307

Computer Investigative Skills
- Digital Evidence Collection Specialist
  - First Responder
  - 2-3 days training
  - Seize & Preserve Evidentiary Computers/Media
- Computer Investigator
  - Above experience +
  - Understanding of Internet/Networks/Tracing computer communications, etc.
  - 1 to 2 weeks specialized training
- Computer Forensic Examiner
  - Examines Original Media
  - Extracts Data for Investigator to review
  - 4 - 6 weeks specialized training

Digital evidence = Latent evidence:
- Is invisible
- Is easily altered or destroyed
- Requires precautions to prevent alteration
- Requires special tools and equipment
- Requires specialized training
- Requires expert testimony

Forensic Model
- Quality Assurance
- People
- Equipment
- Protocols

Services Provided by Computer Forensic Examiners
- Exams
  - Computer and diskette exams
  - Other media - Jaz, Zip, MO, Tape backups
  - PDAs
- On site support of search warrants
- Consultation with investigators and prosecutors
- Expert testimony for results and procedures

Additional Services
- Recover deleted, erased, and hidden data
- Password and encryption cracking
- Determine effects of code such as malicious virus

CART Field Examiner (FE) Certification
- 4-5 weeks specialized in-service training
- 4 weeks commercial training
- Lab internship if desired or necessary
- One year for certification process
- $25,000 to train & equip a new examiner
- Also, annual re-certification and commercial training for FEs - 3 year commitment

Other Computer Forensic Certifications
- SCERS - Treasury version of CART
  - also offered to Local LEA through FLETC
- IACIS - LEA non profit association
  - Local LEOs
  - State Labs
- Some commercial and academic programs in early development

Computer Forensic Training
- IACIS - International Association of Computer Investigative Specialists
- Federal Law Enforcement Training Center (FLETC) Financial Fraud Institute - (SCERS Training) /fletc/ffi/ffi_home.htm
- HTCIA - High Technology Crime Investigation Association
- SEARCH Group
- National White Collar Crime Center

Computer Forensic Equipment
- Examination Desktop $3,000
  - Highest performance affordable
  - SCSI, DVD, Super Drive
- Additional Large Hard Drive $500
- Printer $500 - $1500
- Search & Examination Notebook $3,000
- PCMCIA SCSI & Network Cards $300
- Additional Large Hard Drive $500
- External Backup (MO, Jaz or Tape Drive) $500 -