Why standards? A scenario
- Dagestan separatists, supported by Islamic fundamentalists
- Send two teams: Washington, London
- Wire transfer funds from Paris and Rome by means of PC banking
- Simultaneously explode two devices

The crime scenes
- Subjects identified
- Computers recovered
- Reveal communications links
- Requests for investigations
- Additional digital evidence collected
- Digital evidence became the glue

Digital Evidence Trail

Critical issues
- How do we ask for what evidence?
- Do we get what we thought we asked for?
- Can we use what we received?

Why standards?
- Trans-jurisdictional exchange of digital evidence

What standards?
- Definitions
- Principles
- Processes
- Outcomes
- Common language

How it started
- 1993 - 1st International Conference on Computer Evidence
- 2019 - International Organization on Computer Evidence (IOCE) formed
- 2019 - IOCE and G-8 independently decide to develop standards

How it started (continued)
- 2019 - G-8 asks IOCE to undertake this initiative
- 2019 - SWG-DE formed to pursue U.S. participation
- 2019 - ACPO, FCG and ENSFI agree to participate
- 2019 - INTERPOL is briefed on progress

Where we are now
- UK Good Practice Guide (ACPO)
- ENSFI Working Group
- SWG-DE draft standards: for-swg.org/swgdein.htm (under construction)
- October 4-7, 2019: IOCE, ACPO, FCG and ENSFI meet on European standards
- ihcfc - results forthcoming

Where we are going
- First you must crawl
- Create a foundation: definitions, principles, processes
- Durable
- Universal: all digital evidence types, mutually understood

What will the impact be?
- Evidence will be collected
- Cases will be made
- Evidence is the foundation of criminal justice
- Law enforcement will assume its proper role
- The world will be a little safer

A Brief History of CART Protocols
- 1st Gen. - "The Big Book" (shotgun). Problem: out of date the day it came out.
- 2nd Gen. - Checklist (linear), combined with the Big Book as a reference. Problem: do 1, do 2, do 3 - what if 2 doesn't work?
- 3rd Gen. - Descriptions and flow chart; the Big Book becomes an independent reference. Based on DE principles, independent of application or OS (link).

SWG-DE Definitions
- Digital evidence is information of probative value stored or transmitted in digital form (SWG-DE 7/14/98).
- Digital evidence is acquired when information and/or physical items are collected and stored for examination purposes (SWG-DE 8/18/98).

SWG-DE Principle: Evidence Handling
- ANY action which has the potential to alter, damage or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner (SWG-DE 3/12/99).

SWG-DE Definitions: Evidence types
- Original digital evidence - physical items and all the associated data objects at the time of acquisition.
- Duplicate - an accurate reproduction of all data objects, independent of the physical item.
- Copy - an accurate reproduction of the information contained in the data objects, independent of the physical item.

In Summary
- Nearly all computer crime is trans-jurisdictional.
- Standards for collecting and processing evidence are required in order to share evidence.
- Adopt standards - compare standards.
- DE forensics is a specialty, distinct from computer investigations.
- Forensic laboratories are encouraged to lead the effort to develop standards.

Questions?
Mark M. Pollitt, Unit Chief, mpollitt.cartfbi.gov
Don Cavender, Supervisory Special Agent, dlcavender.cartfbi.gov
Computer Analysis Response Team, Room 4315, 935 Pennsylvania Ave, NW, Washington, DC 20535 USA, 202.324.9307

Computer Investigative Skills
- Digital Evidence Collection Specialist / First Responder: 2-3 days training; seize and preserve evidentiary computers/media.
- Computer Investigator: the above experience plus an understanding of the Internet, networks, tracing computer communications, etc.; 1 to 2 weeks specialized training.
- Computer Forensic Examiner: examines original media and extracts data for the investigator to review; 4-6 weeks specialized training.

Digital evidence = Latent evidence
- Is invisible
- Is easily altered or destroyed
- Requires precautions to prevent alteration
- Requires special tools and equipment
- Requires specialized training
- Requires expert testimony

Forensic Model
- People
- Equipment
- Protocols

Services Provided by Computer Forensic Examiners
- Exams: computer and diskette exams; other media (Jaz, Zip, MO, tape backups); PDAs
- On-site support of search warrants
- Consultation with investigators and prosecutors
- Expert testimony on results and procedures

Additional Services
- Recover deleted, erased, and hidden data
- Password and encryption cracking
- Determine the effects of code such as a malicious virus

CART Field Examiner (FE) Certification
- 4-5 weeks specialized in-service training
- 4 weeks commercial training
- Lab internship if desired or necessary
- One year for the certification process
- $25,000 to train and equip a new examiner
- Also, annual re-certification and commercial training for FEs - a 3-year commitment

Other Computer Forensic Certifications
- SCERS - Treasury version of CART, also offered to local LEA through FLETC
- IACIS - LEA non-profit association
- Local LEOs
- State labs
- Some commercial and academic programs in early development

Computer Forensic Training
- IACIS - International Association of Computer Investigative Specialists - cops.org/
- Federal Law Enforcement Training Center (FLETC), Financial Fraud Institute (SCERS training) - treas.gov/fletc/ffi/ffi_home.htm
- HTCIA - High Technology Crime Investigation Association - htcia.org/
- SEARCH Group - search.org/
- National White Collar Crime Center - cybercrime.org

Computer Forensic Equipment
- Examination Desktop: $3,000 (highest performance affordable; SCSI, DVD, Super Drive)
- Additional Large Hard Drive: $500
- Printer: $500-$1,500
- Search and Examination Notebook: $3,000
- PCMCIA SCSI and Network Cards: $300
- Additional Large Hard Drive: $500
- External Backup (MO, Jaz or Tape Drive): $500-$2,000
- Parallel to SCSI Adapter: $150
- CD Writer: $500
- Forensic Software: $1,500-$2,500
- Cables/Adapters: $200-$300
- Cases: $150-$300
- PC Tool Kit: $10-$300
- Media: $20-$500 per examination
- Range Total: $10,000-$15,000 prior to media

Common challenges faced by Computer Forensic Programs
- Volume of exams: proliferation of computers
- Training and staffing: enhancements to computer crime investigations without enhancements to the computer forensic program
- Equipment: 3 years to obsolescence
- Supplies: backup media, CDs, hard drives, misc. hardware, viewing stations
- Space: secure work/storage area
- Requests for assistance by other agencies
- Travel
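As an added illustration of the SWG-DE evidence-type definitions (original, duplicate, copy) and of the evidence-handling principle above (example code written for this page, not CART or SWG-DE material): a constructed 64-byte "medium" stands in for the physical item, a bit-for-bit duplicate hashes identically to the original and still holds unallocated data, a file-level copy does not, and a hash mismatch after a simulated unsound action shows why alteration of the original must be prevented. The on-medium layout and the "DELETED NOTE" content are assumptions made for the illustration.

```python
import hashlib

# Constructed sample "physical item" (not real evidence): a 64-byte raw medium.
# Byte 0 is a tiny "directory entry" giving the live file's length, the file's
# bytes start at offset 16, and offset 40 holds content no longer referenced
# by the directory (a deleted note, i.e. unallocated space).
FILE_LEN = 12
_raw = bytearray(64)
_raw[0] = FILE_LEN
_raw[16:16 + FILE_LEN] = b"meeting 4pm "
_raw[40:52] = b"DELETED NOTE"
ORIGINAL = bytes(_raw)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_duplicate(medium: bytes) -> bytes:
    """SWG-DE 'duplicate': all data objects reproduced, independent of the item."""
    return bytes(medium)  # bit-for-bit image, unallocated space included


def acquire_copy(medium: bytes) -> bytes:
    """SWG-DE 'copy': only the information in the data objects (the live file)."""
    length = medium[0]
    return bytes(medium[16:16 + length])


def verify_against_original(original: bytes, acquired: bytes) -> bool:
    """Integrity check recorded at acquisition: the hashes must match exactly."""
    return sha256(original) == sha256(acquired)


def holds_unallocated(acquired: bytes) -> bool:
    """Can the deleted note still be recovered from what was acquired?"""
    return b"DELETED NOTE" in acquired


def unsound_handling(medium: bytes) -> bytes:
    """Simulates an action that alters the original, e.g. an access timestamp
    written at offset 1 when the item is used without write protection."""
    altered = bytearray(medium)
    altered[1] = 0x01
    return bytes(altered)
```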