Digital Evidence Standards - Information Systems and Internet (PPT courseware)

Uploaded by: 鲁** | Document ID: 568489711 | Upload date: 2024-07-24 | Format: PPT | Pages: 33 | Size: 209KB

Why standards?

A scenario
- Dagestan separatists
- Supported by Islamic fundamentalists
- Send two teams:
  - Washington
  - London
- Wire transfer funds from:
  - Paris
  - Rome
- By means of PC banking
- Simultaneously explode two devices

The crime scenes
- Subjects identified
- Computers recovered
- Reveal communications links
- Requests for investigations
- Additional digital evidence collected
- Digital evidence became the glue

Digital Evidence Trail

Critical issues
- How do we ask for what evidence?
- Do we get what we thought we asked for?
- Can we use what we received?

Why standards?
- Trans-jurisdictional
- Exchange
- Digital evidence

What standards?
- Definitions
- Principles
- Processes
- Outcomes
- Common language

How it started
- 1993 - 1st International Conference on Computer Evidence
- 2019 - International Organization on Computer Evidence formed
- 2019 - IOCE & G-8 independently decide to develop standards

How it started - continued
- 2019 - G-8 asks IOCE to undertake this initiative
- 2019 - SWG-DE formed to pursue U.S. participation
- 2019 - ACPO, FCG and ENSFI agree to participate
- 2019 - INTERPOL is briefed on progress

Where we are now
- UK Good Practice Guide (ACPO)
- ENSFI Working Group
- SWG-DE draft standards
- for-swg.org/swgdein.htm (under construction)
- October 4-7, 2019 - IOCE, ACPO, FCG & ENSFI meet on European standards ihcfc - results forthcoming

Where we are going
- First you must crawl
- Create foundation
  - definitions
  - principles
  - processes
- Durable
- Universal
  - all digital evidence types
  - mutually understood

SWG-DE Definitions:
- Digital evidence - is information of probative value stored or transmitted in digital form (SWG-DE 7/14/98)
- is acquired when information and/or physical items are collected and stored for examination purposes. (SWG-DE 8/18/98)

SWG-DE Principle: Evidence Handling
- ANY action which has the potential to alter, damage or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner (SWG-DE 3/12/99)

SWG-DE Definitions: Evidence types
- Original digital evidence - physical items and all the associated data objects at the time of acquisition

SWG-DE Definitions: Evidence types cont.
- Duplicates - an accurate reproduction of all data objects independent of the physical item
- Copy - an accurate reproduction of the information contained in the data objects independent of the physical item.

In Summary.
- Nearly all computer crime is trans-jurisdictional
- Standards for collection & processing evidence required to share evidence
- Adopt standards - compare standards
- DE Forensics is a specialty, distinct from computer investigations
- Forensic Laboratories encouraged to lead effort to develop standards

Questions?
- Mark M. Pollitt, Unit Chief, mpollitt.cartfbi.gov
- Don Cavender, Supervisory Special Agent, dlcavender.cartfbi.gov
- Computer Analysis Response Team
- Room 4315, 935 Pennsylvania Ave, NW
- Washington, DC 20535 USA
- 202.324.9307

Computer Investigative Skills
- Digital Evidence Collection Specialist
  - First Responder
  - 2-3 days training
  - Seize & Preserve Evidentiary Computers/Media
- Computer Investigator
  - Above experience +
  - Understanding of Internet/Networks/Tracing computer communications, etc.
  - 1 to 2 weeks specialized training
- Computer Forensic Examiner
  - Examines Original Media
  - Extracts Data for Investigator to review
  - 4 - 6 weeks specialized training

Digital evidence = Latent evidence:
- Is invisible
- Is easily altered or destroyed
- Requires precautions to prevent alteration
- Requires special tools and equipment
- Requires specialized training
- Requires expert testimony

Forensic Model
- People
- Equipment
- Protocols

Services Provided by Computer Forensic Examiners
- Exams
  - Computer and diskette exams
  - Other media - Jaz, Zip, MO, Tape backups
  - PDAs
- On site support of search warrants
- Consultation with investigators and prosecutors
- Expert testimony for results and procedures

Additional Services
- Recover deleted, erased, and hidden data
- Password and encryption cracking
- Determine effects of code such as malicious virus

CART Field Examiner (FE) Certification
- 4-5 weeks specialized in-service training
- 4 weeks commercial training
- Lab internship if desired or necessary
- One year for certification process
- $25,000 to train & equip a new examiner
- Also, annual re-certification and commercial training for FEs - 3 year commitment

Other Computer Forensic Certifications
- SCERS - Treasury version of CART
- also offered to Local LEA through FLETC
- IACIS - LEA non profit association
- Local LEOs
- State Labs
- Some commercial and academic programs in early development

Computer Forensic Training
- IACIS - International Association of Computer Investigative Specialists - cops.org/
- Federal Law Enforcement Training Center (FLETC) Financial Fraud Institute - (SCERS Training) treas.gov/fletc/ffi/ffi_home.htm
- HTCIA - High Technology Crime Investigation Association - htcia.org/
- SEARCH Group - search.org/
- National White Collar Crime Center - cybercrime.org

Computer Forensic Equipment
- Examination Desktop: $3,000
  - Highest performance affordable
  - SCSI, DVD, Super Drive
- Additional Large Hard Drive: $500
- Printer: $500 - $1,500
- Search & Examination Notebook: $3,000
- PCMCIA SCSI & Network Cards: $300
- Additional Large Hard Drive: $500
- External Backup (MO, Jaz or Tape Drive): $500 - $2,000
- Parallel to SCSI Adapter: $150
- CD Writer: $500
- Forensic Software: $1,500 - $2,500
- Cables/Adapters: $200 - $300
- Cases: $150 - $300
- PC Tool Kit: $10 - $300
- Media: $20 - $500 per examination
- Range Total: $10,000 - $15,000 prior to media

Common challenges faced by Computer Forensic Programs
- Volume of Exams
  - Proliferation of computers
- Training & Staffing
  - Enhancements to Computer Crime Investigations w/o enhancements to Computer Forensic Program
- Equipment
  - 3 years to obsolescence
- Supplies
  - Back up media, CDs, hard drives, misc. hardware, viewing stations
- Space
  - Secure work/storage area
- Request for assistance by Other Agencies
- Travel
