
Digital Evidence Standards


Presentation Transcript


  1. Digital Evidence Standards Don Cavender Computer Analysis Response Team FBI Laboratory

  2. Why standards? • A scenario…

  3. Dagestan separatists • Supported by Islamic fundamentalists

  4. Send two teams: • Washington • London

  5. Wire transfer funds from: • Paris • Rome • By means of PC banking

  6. Simultaneously explode two devices

  7. The crime scenes • Subjects identified • Computers recovered • Reveal communications links • Requests for investigations • Additional digital evidence collected • Digital evidence became the glue

  8. Digital Evidence Trail

  9. Critical issues… • How do we ask for what evidence? • Do we get what we thought we asked for? • Can we use what we received?

  10. Why standards? • Trans-jurisdictional • Exchange • Digital evidence

  11. What standards? • Definitions • Principles • Processes • Outcomes • Common language

  12. How it started • 1993 - 1st International Conference on Computer Evidence • 1995 - International Organization on Computer Evidence formed • 1997 - IOCE & G-8 independently decide to develop standards

  13. How it started - continued • 1998 - G-8 asks IOCE to undertake this initiative • 1998 - SWG-DE formed to pursue U.S. participation • 1998 - ACPO, FCG and ENFSI agree to participate • 1998 - INTERPOL is briefed on progress

  14. Where we are now • UK Good Practice Guide (ACPO) • ENFSI Working Group • SWG-DE draft standards • www.for-swg.org/swgdein.htm (under construction) • October 4-7, 1999 • IOCE, ACPO, FCG & ENFSI meet on European standards • www.ihcfc.com - results forthcoming

  15. Where we are going • First you must crawl… • Create foundation • definitions • principles • processes • Durable • Universal • all digital evidence types • mutually understood

  16. SWG-DE Definitions: Digital evidence • is information of probative value stored or transmitted in digital form (SWG-DE 7/14/98) • is acquired when information and/or physical items are collected and stored for examination purposes (SWG-DE 8/18/98)

  17. SWG-DE Principle: Evidence Handling • ANY action which has the potential to alter, damage or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner (SWG-DE 3/12/99)

  18. SWG-DE Definitions: Evidence types • Original digital evidence - physical items and all the associated data objects at the time of acquisition

  19. SWG-DE Definitions: Evidence types cont. • Duplicate - an accurate reproduction of all data objects independent of the physical item • Copy - an accurate reproduction of the information contained in the data objects independent of the physical item
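The distinction drawn in slides 17-19 is the practical core of the standard: a duplicate reproduces every data object on the item (allocated files, unallocated space, remnants of deleted files), a copy reproduces only the information the file system still points to, and the "forensically sound" test for a duplicate is that it hashes identically to the original. The script below is an added example, not part of the presentation or of any CART procedure. It uses a constructed toy disk format (sector 0 holds a `name:start_sector:length` directory, the rest is data) and a constructed sample image; `acquire_duplicate`, `logical_copy` and the other function names are this example's own.

```python
from __future__ import annotations

import hashlib
import io

SECTOR = 512

# Constructed toy "physical item": an 8-sector raw disk. Sector 0 holds a
# directory of "name:start_sector:length" entries; later sectors hold the
# file data objects; sectors not listed in the directory are unallocated
# but may still contain the remains of deleted files.
def build_sample_device() -> bytes:
    disk = bytearray(SECTOR * 8)
    files = {
        "memo.txt": b"Transfer approved; send confirmation by fax.",
        "notes.txt": b"Second meeting moved to Thursday.",
    }
    entries = []
    sector = 1
    for name, data in files.items():
        disk[sector * SECTOR:sector * SECTOR + len(data)] = data
        entries.append(f"{name}:{sector}:{len(data)}")
        sector += 1
    # A deleted file: its directory entry is gone, but its bytes remain in
    # an unallocated sector. A duplicate preserves this; a copy does not.
    remnant = b"DELETED: old draft of the memo, never sent."
    disk[6 * SECTOR:6 * SECTOR + len(remnant)] = remnant
    directory = "\n".join(entries).encode()
    disk[0:len(directory)] = directory
    return bytes(disk)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_duplicate(device: bytes) -> tuple[bytes, str]:
    """Read the item sector by sector (as a dd-style imager would) and hash
    the stream as it is read, so the hash describes exactly the bytes acquired."""
    source = io.BytesIO(device)
    digest = hashlib.sha256()
    image = bytearray()
    while chunk := source.read(SECTOR):
        digest.update(chunk)
        image.extend(chunk)
    return bytes(image), digest.hexdigest()


def verify_duplicate(original: bytes, image: bytes) -> bool:
    """A duplicate is accurate only if an independent re-read of the original
    hashes the same as the image. Re-run this after any examination step to
    show the evidence was not altered."""
    return sha256(original) == sha256(image)


def logical_copy(device: bytes) -> dict[str, bytes]:
    """Reproduce only the data objects the directory points to: a 'copy' in
    SWG-DE terms. Unallocated sectors are not part of it."""
    directory = device[:SECTOR].split(b"\0", 1)[0].decode()
    copied = {}
    for entry in directory.splitlines():
        name, start, length = entry.split(":")
        offset = int(start) * SECTOR
        copied[name] = device[offset:offset + int(length)]
    return copied


def contains(evidence, needle: bytes) -> bool:
    """Search either an image (bytes) or a copy (dict of files) for a string."""
    if isinstance(evidence, dict):
        return any(needle in data for data in evidence.values())
    return needle in evidence


if __name__ == "__main__":
    original = build_sample_device()
    image, acquisition_hash = acquire_duplicate(original)
    print("duplicate verified:", verify_duplicate(original, image),
          acquisition_hash == sha256(original))
    files = logical_copy(original)
    print("copied files:", sorted(files))
    print("remnant present in duplicate:", contains(image, b"DELETED"))
    print("remnant present in copy:", contains(files, b"DELETED"))
```

The point to take from running it: both artifacts are "accurate reproductions" in the sense of slide 19, yet only the duplicate can answer the question in slide 9 ("Can we use what we received?") for anything that was deleted or hidden, and only the duplicate can be verified against the original by hash. When requesting evidence across jurisdictions, asking for a "copy" when you need a "duplicate" is exactly the mismatch the common definitions are meant to prevent.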

  20. In Summary... • Nearly all computer crime is trans-jurisdictional • Standards for collecting & processing evidence are required before evidence can be shared • Adopt standards - compare standards • DE Forensics is a specialty, distinct from computer investigations • Forensic Laboratories are encouraged to lead the effort to develop standards

  21. Questions? • Don Cavender • Supervisory Special Agent • dlcavender.cart@fbi.gov • Mark M. Pollitt • Unit Chief • mpollitt.cart@fbi.gov • Computer Analysis Response Team • Room 4315 • 935 Pennsylvania Ave, NW • Washington, DC 20535 USA • 202.324.9307

  22. Computer Investigative Skills • Digital Evidence Collection Specialist • First Responder • 2-3 days training • Seize & Preserve Evidentiary Computers/Media • Computer Investigator • Above experience + • Understanding of Internet/Networks/Tracing computer communications, etc. • 1 to 2 weeks specialized training • Computer Forensic Examiner • Examines Original Media • Extracts Data for Investigator to review • 4 - 6 weeks specialized training

  23. Digital evidence = Latent evidence: • Is invisible • Is easily altered or destroyed • Requires precautions to prevent alteration • Requires special tools and equipment • Requires specialized training • Requires expert testimony

  24. Forensic Model • Quality Assurance • Equipment • People • Protocols

  25. Services Provided by Computer Forensic Examiners • Exams • Computer and diskette exams • Other media - Jaz, Zip, MO, tape backups • PDAs • On-site support of search warrants • Consultation with investigators and prosecutors • Expert testimony on results and procedures

  26. Additional Services • Recover deleted, erased, and hidden data • Password and encryption cracking • Determine effects of code • such as malicious virus

  27. CART Field Examiner (FE) Certification • 4-5 weeks specialized in-service training • 4 weeks commercial training • Lab internship if desired or necessary • One year for certification process • $25,000 to train & equip a new examiner • Also, annual re-certification and commercial training for FEs - 3 year commitment

  28. Other Computer Forensic Certifications • SCERS - Treasury version of CART • also offered to local LEAs through FLETC • IACIS - LEA non-profit association • Local LEOs • State labs • Some commercial and academic programs in early development

  29. Computer Forensic Training • IACIS - International Association of Computer Investigative Specialists - http://www.cops.org/ • Federal Law Enforcement Training Center (FLETC) Financial Fraud Institute - (SCERS Training) http://www.treas.gov/fletc/ffi/ffi_home.htm • HTCIA - High Technology Crime Investigation Association - http://htcia.org/ • SEARCH Group - http://www.search.org/ • National White Collar Crime Center - http://www.cybercrime.org

  30. Computer Forensic Equipment • Examination desktop (highest performance affordable; SCSI, DVD, Super Drive) - $3,000 • Additional large hard drive - $500 • Printer - $500 - $1,500 • Search & examination notebook - $3,000 • PCMCIA SCSI & network cards - $300 • Additional large hard drive - $500 • External backup (MO, Jaz or tape drive) - $500 - $2,000 • Parallel-to-SCSI adapter - $150 • CD writer - $500 • Forensic software - $1,500 - $2,500 • Cables/adapters - $200 - $300 • Cases - $150 - $300 • PC tool kit - $10 - $300 • Media - $20 - $500 per examination • Range total - $10,000 - $15,000 prior to media

  31. Common challenges faced by Computer Forensic Programs • Volume of exams • Proliferation of computers • Training & staffing • Enhancements to computer crime investigations without enhancements to the computer forensic program • Equipment • 3 years to obsolescence • Supplies • Backup media, CDs, hard drives, misc. hardware, viewing stations • Space • Secure work/storage area • Requests for assistance by other agencies • Travel
