Presentation Transcript
Digital Evidence Standards

Don Cavender

Computer Analysis Response Team

FBI Laboratory

Why standards?
  • A scenario…
Dagestan separatists
  • Supported by Islamic fundamentalists

Send two teams:
  • Washington
  • London

Wire transfer funds from:
  • Paris
  • Rome
  • By means of PC banking
The crime scenes
  • Subjects identified
  • Computers recovered
  • Reveal communications links
  • Requests for investigations
  • Additional digital evidence collected
  • Digital evidence became the glue
Critical issues…
  • How do we ask for what evidence?
  • Do we get what we thought we asked for?
  • Can we use what we received?
Why standards?
  • Trans-jurisdictional
  • Exchange
  • Digital evidence
What standards?
  • Definitions
  • Principles
  • Processes
  • Outcomes
  • Common language
How it started
  • 1993 - 1st International Conference on Computer Evidence
  • 1995 - International Organization on Computer Evidence formed
  • 1997 - IOCE & G-8 independently decide to develop standards
How it started - continued
  • 1998 - G-8 asks IOCE to undertake this initiative
  • 1998 - SWG-DE formed to pursue U.S. participation
  • 1998 - ACPO, FCG and ENFSI agree to participate
  • 1998 - INTERPOL is briefed on progress
Where we are now
  • UK Good Practice Guide (ACPO)
  • ENFSI Working Group
  • SWG-DE draft standards
    • www.for-swg.org/swgdein.htm (under construction)
  • October 4-7, 1999
    • IOCE, ACPO, FCG & ENFSI meet on European standards
    • www.ihcfc.com - results forthcoming
Where we are going
  • First you must crawl…
  • Create foundation
    • definitions
    • principles
    • processes
  • Durable
  • Universal
    • all digital evidence types
    • mutually understood
SWG-DE Definitions: Digital evidence -
  • is information of probative value stored or transmitted in digital form (SWG-DE 7/14/98)
  • is acquired when information and/or physical items are collected and stored for examination purposes. (SWG-DE 8/18/98)
SWG-DE Principle: Evidence Handling
  • ANY action which has the potential to alter, damage or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner (SWG-DE 3/12/99)
SWG-DE Definitions: Evidence types
  • Original digital evidence - physical items and all the associated data objects at the time of acquisition
SWG-DE Definitions: Evidence types cont.
  • Duplicates - an accurate reproduction of all data objects independent of the physical item
  • Copy - an accurate reproduction of the information contained in the data objects independent of the physical item
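An added example (not part of the presentation) that puts the three SWG-DE evidence types into code: a constructed 64-byte "physical item" whose allocated file sits beside unallocated space holding a deleted remnant, a bit-for-bit duplicate, a logical copy, and a hash comparison showing which acquisition is verifiably identical to the original and which one silently drops data objects outside the allocated file. Function names and the sample bytes are assumptions for illustration.

```python
import hashlib

# Constructed 64-byte "physical item" (sample data, made up for this example):
# bytes 0-31 are an allocated file, the data object an investigator asked for;
# bytes 32-63 are unallocated space still holding a remnant of a deleted note.
ALLOCATED = b"wire transfer memo: PC banking".ljust(32, b"\x00")
UNALLOCATED = b"deleted: contact Paris, Rome".ljust(32, b"\x00")
ORIGINAL = ALLOCATED + UNALLOCATED


def sha256(data: bytes) -> str:
    """Integrity reference recorded for the original and each acquisition."""
    return hashlib.sha256(data).hexdigest()


def acquire_duplicate(item: bytes) -> bytes:
    """Duplicate: all data objects, allocated or not, independent of the media."""
    return bytes(item)


def acquire_copy(item: bytes) -> bytes:
    """Copy: only the information in the allocated data object (a logical copy)."""
    return item[:32].rstrip(b"\x00")


def matches_original(item: bytes, acquired: bytes) -> bool:
    """Soundness check: does the acquisition hash exactly like the original item?"""
    return sha256(item) == sha256(acquired)


def holds_deleted_remnant(acquired: bytes) -> bool:
    """Can deleted-data recovery still work on this acquisition?"""
    return b"deleted:" in acquired


def flip_one_bit(data: bytes, index: int = 40) -> bytes:
    """Smallest possible alteration: one bit in unallocated space."""
    altered = bytearray(data)
    altered[index] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    dup, cp = acquire_duplicate(ORIGINAL), acquire_copy(ORIGINAL)
    print("duplicate verifies:", matches_original(ORIGINAL, dup))
    print("copy verifies:", matches_original(ORIGINAL, cp))
    print("deleted remnant in copy:", holds_deleted_remnant(cp))
    print("tampered duplicate verifies:", matches_original(ORIGINAL, flip_one_bit(dup)))
```

The copy fails the hash comparison not because it is inaccurate but because it reproduces less: the deleted remnant exists only in the duplicate, and a single flipped bit is enough for the duplicate to stop verifying.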
In Summary...
  • Nearly all computer crime is trans-jurisdictional
  • Standards for collection & processing evidence required to share evidence
    • Adopt standards - compare standards
    • DE Forensics is a specialty, distinct from computer investigations
  • Forensic Laboratories encouraged to lead effort to develop standards
Questions?
  • Don Cavender
  • Supervisory Special Agent
  • dlcavender.cart@fbi.gov
  • Mark M. Pollitt
  • Unit Chief
  • mpollitt.cart@fbi.gov
  • Computer Analysis Response Team
  • Room 4315
  • 935 Pennsylvania Ave, NW
  • Washington, DC 20535 USA
  • 202.324.9307
Computer Investigative Skills
  • Digital Evidence Collection Specialist
    • First Responder
    • 2-3 days training
    • Seize & Preserve Evidentiary Computers/Media
  • Computer Investigator
    • Above experience +
    • Understanding of Internet/Networks/Tracing computer communications, etc.
    • 1 to 2 weeks specialized training
  • Computer Forensic Examiner
    • Examines Original Media
    • Extracts Data for Investigator to review
    • 4 - 6 weeks specialized training
Digital evidence = Latent evidence:
  • Is invisible
  • Is easily altered or destroyed
  • Requires precautions to prevent alteration
  • Requires special tools and equipment
  • Requires specialized training
  • Requires expert testimony
Forensic Model
  • Quality Assurance
  • Equipment
  • People
  • Protocols
Services Provided by Computer Forensic Examiners
  • Exams
    • Computer and diskette exams
    • Other media - Jaz, Zip, MO, Tape backups
    • PDAs
  • On site support of search warrants
    • Consultation with investigators and prosecutors
  • Expert testimony for results and procedures
Additional Services
  • Recover deleted, erased, and hidden data
  • Password and encryption cracking
  • Determine effects of code
    • such as malicious virus
CART Field Examiner (FE) Certification
  • 4-5 weeks specialized in-service training
  • 4 weeks commercial training
  • Lab internship if desired or necessary
  • One year for certification process
  • $25,000 to train & equip a new examiner
  • Also, annual re-certification and commercial training for FEs - 3 year commitment
Other Computer Forensic Certifications
  • SCERS - Treasury version of CART
    • also offered to Local LEA through FLETC
  • IACIS - LEA non profit association
  • Local LEOs
    • State Labs
  • Some commercial and academic programs in early development
Computer Forensic Training
  • IACIS - International Association of Computer Investigative Specialists - http://www.cops.org/
  • Federal Law Enforcement Training Center (FLETC) Financial Fraud Institute - (SCERS Training) http://www.treas.gov/fletc/ffi/ffi_home.htm
  • HTCIA - High Technology Crime Investigation Association - http://htcia.org/
  • SEARCH Group - http://www.search.org/
  • National White Collar Crime Center - http://www.cybercrime.org
Computer Forensic Equipment
  • Examination Desktop - $3,000
    • Highest performance affordable
    • SCSI, DVD, Super Drive
  • Additional Large Hard Drive - $500
  • Printer - $500 - $1,500
  • Search & Examination Notebook - $3,000
  • PCMCIA SCSI & Network Cards - $300
  • Additional Large Hard Drive - $500
  • External Backup (MO, Jaz or Tape Drive) - $500 - $2,000
  • Parallel to SCSI Adapter - $150
  • CD Writer - $500
  • Forensic Software - $1,500 - $2,500
  • Cables/Adapters - $200 - $300
  • Cases - $150 - $300
  • PC Tool Kit - $10 - $300
  • Media - $20 - $500 per examination
  • Range Total - $10,000 - $15,000 prior to media
Common challenges faced by Computer Forensic Programs
  • Volume of Exams
    • Proliferation of computers
  • Training & Staffing
    • Enhancements to Computer Crime Investigations w/o enhancements to Computer Forensic Program
  • Equipment
    • 3 years to obsolescence
    • Supplies
      • Backup media, CDs, hard drives, misc. hardware, viewing stations
  • Space
    • Secure work/storage area
  • Request for assistance by Other Agencies
    • Travel