
Digital Evidence Standards

Don Cavender

Computer Analysis Response Team

FBI Laboratory

Why standards?

• A scenario…

Dagestan separatists

• Supported by Islamic fundamentalists

Send two teams:

• Washington

• London

Wire transfer funds from:

• Paris

• Rome

By means of PC banking

Simultaneously explode two devices

The crime scenes

• Subjects identified

• Computers recovered

• Reveal communications links

• Requests for investigations

• Additional digital evidence collected

• Digital evidence became the glue

Digital Evidence Trail

Critical issues…

• How do we ask for what evidence?

• Do we get what we thought we asked for?

• Can we use what we received?

Why standards?

• Trans-jurisdictional

• Exchange

• Digital evidence

What standards?

• Definitions

• Principles

• Processes

• Outcomes

• Common language

How it started

• 1993 - 1st International Conference on Computer Evidence

• 1995 - International Organization on Computer Evidence formed

• 1997 - IOCE & G-8 independently decide to develop standards

How it started - continued

• 1998 - G-8 asks IOCE to undertake this initiative

• 1998 - SWG-DE formed to pursue U.S. participation

• 1998 - ACPO, FCG and ENFSI agree to participate

• 1998 - INTERPOL is briefed on progress

Where we are now

• UK Good Practice Guide (ACPO)

• ENFSI Working Group

• SWG-DE draft standards
– www.for-swg.org/swgdein.htm (under construction)

• October 4-7, 1999 - IOCE, ACPO, FCG & ENFSI meet on European standards
– www.ihcfc.com - results forthcoming

Where we are going

• First you must crawl…

• Create foundation
– definitions
– principles
– processes

• Durable

• Universal
– all digital evidence types
– mutually understood

SWG-DE Definitions: Digital evidence -

• is information of probative value stored or transmitted in digital form (SWG-DE 7/14/98)

• is acquired when information and/or physical items are collected and stored for examination purposes. (SWG-DE 8/18/98)

SWG-DE Principle: Evidence Handling

• ANY action which has the potential to alter, damage or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner (SWG-DE 3/12/99)

SWG-DE Definitions: Evidence types

• Original digital evidence - physical items and all the associated data objects at the time of acquisition

SWG-DE Definitions: Evidence types cont.

• Duplicates - an accurate reproduction of all data objects independent of the physical item

• Copy - an accurate reproduction of the information contained in the data objects independent of the physical item.
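The three definitions above differ in what survives acquisition, and that difference decides what an examiner can later recover. The Python below is an added example, not code from the slides, CART or SWG-DE: it models a seized item as a constructed 256-byte image with a hypothetical 7-byte-per-entry directory in sector 0, then produces a duplicate (every byte, hashed before and after the read so the record shows the original was not altered) and a copy (only the live files). A "deleted" file whose directory flag was cleared is still present in the duplicate's unallocated sectors but is absent from the copy. All names, contents and the directory layout are assumptions made for illustration.

```python
"""Added example (not from the original slides or from SWG-DE): a toy model of
the SWG-DE evidence types. The media image, its directory layout and all file
contents below are constructed for illustration."""
import hashlib
import math
import struct

SECTOR = 32                      # constructed: tiny sectors keep the image small
NUM_SECTORS = 8
ENTRY = "<4sBBB"                 # name, start sector, length in bytes, allocated flag
ENTRY_SIZE = struct.calcsize(ENTRY)

# Constructed sample contents. PLAN is a file that was "deleted": its directory
# flag is cleared but its bytes remain in the now-unallocated sector.
MEMO = b"memo: wire funds from Paris\n"
PLAN = b"plan: meet in London\n"


def build_media() -> bytes:
    """The seized physical item: sector 0 is the directory, sector 1 holds MEMO,
    sector 2 holds the deleted PLAN, the rest are zero-filled."""
    sectors = [bytearray(SECTOR) for _ in range(NUM_SECTORS)]
    sectors[1][: len(MEMO)] = MEMO
    sectors[2][: len(PLAN)] = PLAN
    directory = struct.pack(ENTRY, b"memo", 1, len(MEMO), 1)
    directory += struct.pack(ENTRY, b"plan", 2, len(PLAN), 0)
    sectors[0][: len(directory)] = directory
    return b"".join(bytes(s) for s in sectors)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_duplicate(original: bytes):
    """Duplicate: every byte of every data object, independent of the physical
    item (live files, deleted data and free space alike). The source is hashed
    before and after the read so the record shows acquisition did not alter it;
    the duplicate's own hash then ties it to that record."""
    before = sha256(original)
    duplicate = bytes(original)      # stand-in for a sector-by-sector read behind a write blocker
    after = sha256(original)
    return duplicate, {"source_before": before, "source_after": after,
                       "duplicate": sha256(duplicate)}


def verify_duplicate(duplicate: bytes, hashes: dict) -> bool:
    """True only if the source was unchanged by acquisition and the duplicate
    still matches the hash recorded at acquisition time."""
    return (hashes["source_before"] == hashes["source_after"] == hashes["duplicate"]
            and sha256(duplicate) == hashes["duplicate"])


def parse_directory(image: bytes):
    """Directory entries as (name, start_sector, length, allocated)."""
    entries = []
    for offset in range(0, SECTOR - ENTRY_SIZE + 1, ENTRY_SIZE):
        name, start, length, flag = struct.unpack_from(ENTRY, image, offset)
        if name == b"\0\0\0\0":
            break
        entries.append((name.decode("ascii"), start, length, bool(flag)))
    return entries


def make_copy(image: bytes) -> dict:
    """Copy: only the information in the live data objects. Deleted data, slack
    and free space are not carried over, so they cannot be recovered from it."""
    copy = {}
    for name, start, length, allocated in parse_directory(image):
        if allocated:
            copy[name] = image[start * SECTOR : start * SECTOR + length]
    return copy


def unallocated_bytes(image: bytes) -> bytes:
    """Sectors no live file references; on a duplicate this is where a deleted
    file's remains can still be recovered."""
    used = {0}
    for _, start, length, allocated in parse_directory(image):
        if allocated:
            used.update(range(start, start + math.ceil(length / SECTOR)))
    return b"".join(image[i * SECTOR : (i + 1) * SECTOR]
                    for i in range(len(image) // SECTOR) if i not in used)


if __name__ == "__main__":
    media = build_media()
    dup, hashes = make_duplicate(media)
    print("duplicate verified:", verify_duplicate(dup, hashes))
    print("copy contains:", sorted(make_copy(dup)))
    print("deleted file recoverable from duplicate:", PLAN in unallocated_bytes(dup))
    print("deleted file recoverable from copy:", PLAN in b"".join(make_copy(dup).values()))
```

The before/after hashes of the source are the part worth keeping in practice: they are what lets a later examiner, or a court, check that the acquisition itself did not alter the original, which is what the SWG-DE handling principle requires.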

In Summary...

• Nearly all computer crime is trans-jurisdictional

• Standards for collection & processing evidence required to share evidence
– Adopt standards - compare standards
– DE forensics is a specialty, distinct from computer investigations

• Forensic Laboratories encouraged to lead effort to develop standards

Questions?

• Mark M. Pollitt

• Unit Chief

[email protected]

• Don Cavender

• Supervisory Special Agent

[email protected]

• Computer Analysis Response Team

• Room 4315

• 935 Pennsylvania Ave, NW

• Washington, DC 20535 USA

• 202.324.9307

Computer Investigative Skills

• Digital Evidence Collection Specialist
– First Responder
– 2-3 days training
– Seize & Preserve Evidentiary Computers/Media

• Computer Investigator
– Above experience +
– Understanding of Internet/Networks/Tracing computer communications, etc.
– 1 to 2 weeks specialized training

• Computer Forensic Examiner
– Examines Original Media
– Extracts Data for Investigator to review
– 4 - 6 weeks specialized training

Digital evidence = Latent evidence:

• Is invisible

• Is easily altered or destroyed

• Requires precautions to prevent alteration

• Requires special tools and equipment

• Requires specialized training

• Requires expert testimony

Forensic Model

People

Equipment

Protocols

Services Provided by Computer Forensic Examiners

• Exams
– Computer and diskette exams
– Other media - Jaz, Zip, MO, Tape backups
– PDAs

• On site support of search warrants
– Consultation with investigators and prosecutors

• Expert testimony for results and procedures

Additional Services

• Recover deleted, erased, and hidden data

• Password and encryption cracking

• Determine effects of code
– such as a malicious virus

CART Field Examiner (FE) Certification

• 4-5 weeks specialized in-service training

• 4 weeks commercial training

• Lab internship if desired or necessary

• One year for certification process

• $25,000 to train & equip a new examiner

• Also, annual re-certification and commercial training for FEs - 3 year commitment

Other Computer Forensic Certifications

• SCERS - Treasury version of CART

– also offered to Local LEA through FLETC

• IACIS - LEA non profit association

• Local LEOs
– State Labs

• Some commercial and academic programs in early development

Computer Forensic Training

• IACIS - International Association of Computer Investigative Specialists - http://www.cops.org/

• Federal Law Enforcement Training Center (FLETC) Financial Fraud Institute - (SCERS Training) http://www.treas.gov/fletc/ffi/ffi_home.htm

• HTCIA - High Technology Crime Investigation Association - http://htcia.org/

• SEARCH Group - http://www.search.org/

• National White Collar Crime Center - http://www.cybercrime.org

Computer Forensic Equipment

• Examination Desktop $3,000
– Highest performance affordable
– SCSI, DVD, Super Drive
– Additional Large Hard Drive $500
– Printer $500 - $1,500

• Search & Examination Notebook $3,000
– PCMCIA SCSI & Network Cards $300
– Additional Large Hard Drive $500

• External Backup (MO, Jaz or Tape Drive) $500 - $2,000
– Parallel to SCSI Adapter $150

• CD Writer $500

• Forensic Software $1,500 - $2,500

• Cables/Adapters $200 - $300

• Cases $150 - $300

• PC Tool Kit $10 - $300

• Media $20 - $500 per examination

• Range Total $10,000 - $15,000 prior to media

Common challenges faced by Computer Forensic Programs

• Volume of Exams
– Proliferation of computers

• Training & Staffing
– Enhancements to Computer Crime Investigations w/o enhancements to Computer Forensic Program

• Equipment
– 3 years to obsolescence
– Supplies: back up media, CDs, hard drives, misc. hardware, viewing stations

• Space
– Secure work/storage area

• Request for assistance by Other Agencies
– Travel