Digital Evidence Standards - Information Systems and Internet Security

Digital Evidence Standards
Don Cavender
Computer Analysis Response Team
FBI Laboratory
Why standards?
• A scenario…
Dagestan separatists
– Supported by Islamic fundamentalists
Send two teams:
– Washington
– London
Wire transfer funds from:
– Paris
– Rome
By means of PC banking
Simultaneously explode two devices
The crime scenes
• Subjects identified
• Computers recovered
• Reveal communications links
• Requests for investigations
• Additional digital evidence collected
• Digital evidence became the glue
Digital Evidence Trail
Critical issues…
• How do we ask for what evidence?
• Do we get what we thought we asked for?
• Can we use what we received?
Why standards?
• Trans-jurisdictional
• Exchange
• Digital evidence
What standards?
• Definitions
• Principles
• Processes
• Outcomes
• Common language
How it started
• 1993 - 1st International Conference on Computer Evidence
• 1995 - International Organization on Computer Evidence formed
• 1997 - IOCE & G-8 independently decide to develop standards
How it started - continued
• 1998 - G-8 asks IOCE to undertake this initiative
• 1998 - SWG-DE formed to pursue U.S. participation
• 1998 - ACPO, FCG and ENSFI agree to participate
• 1998 - INTERPOL is briefed on progress
Where we are now
• UK Good Practice Guide (ACPO)
• ENSFI Working Group
• SWG-DE draft standards
– www.for-swg.org/swgdein.htm (under construction)
• October 4-7, 1999
– IOCE, ACPO, FCG & ENSFI meet on European standards
– www.ihcfc.com - results forthcoming
Where we are going
• First you must crawl…
• Create foundation
– definitions
– principles
– processes
• Durable
• Universal
– all digital evidence types
– mutually understood
SWG-DE Definitions:
Digital evidence
• is information of probative value stored or transmitted in digital form (SWG-DE 7/14/98)
• is acquired when information and/or physical items are collected and stored for examination purposes. (SWG-DE 8/18/98)
SWG-DE Principle:
Evidence Handling
• ANY action which has the potential to alter, damage or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner (SWG-DE 3/12/99)
SWG-DE Definitions:
Evidence types
• Original digital evidence - physical items and all the associated data objects at the time of acquisition
SWG-DE Definitions:
Evidence types cont.
• Duplicates - an accurate reproduction of all data objects independent of the physical item
• Copy - an accurate reproduction of the information contained in the data objects independent of the physical item.
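The duplicate/copy distinction and the evidence-handling principle above, as an added example that is not part of the original deck: a constructed three-sector "physical item" is reproduced both ways and each reproduction is checked against the original by hash. The sector layout, the `ALLOCATED` metadata and the contents are assumptions made for illustration.

```python
import hashlib

SECTOR = 16
# Constructed sample "physical item": three sectors. Sector 0 holds the one
# allocated file, sector 1 holds the remnant of a deleted file, sector 2 is
# unallocated. The contents are invented for illustration.
ORIGINAL = (
    b"balance=1200".ljust(SECTOR, b"\x00")       # allocated data object
    + b"old-balance=900".ljust(SECTOR, b"\x00")  # deleted remnant (latent)
    + b"\x00" * SECTOR                           # unallocated space
)
# Assumed file-system metadata: (sector, length) of each allocated object.
ALLOCATED = [(0, len(b"balance=1200"))]


def fingerprint(data: bytes) -> str:
    """Hash used to prove a reproduction matches what it was taken from."""
    return hashlib.sha256(data).hexdigest()


def make_duplicate(media: bytes) -> bytes:
    """SWG-DE 'duplicate': every data object, bit for bit, independent of
    the physical item. Slack, deleted remnants and unallocated space come
    along because they are data objects on the media."""
    return bytes(media)


def make_copy(media: bytes) -> bytes:
    """SWG-DE 'copy': only the information in the allocated data objects,
    as a logical (file-level) export would produce it."""
    out = bytearray()
    for sector, length in ALLOCATED:
        start = sector * SECTOR
        out += media[start:start + length]
    return bytes(out)


def verified_against(original: bytes, reproduction: bytes) -> bool:
    """True only if the reproduction reproduces all of the original."""
    return fingerprint(original) == fingerprint(reproduction)


def retains_latent_data(reproduction: bytes) -> bool:
    """Does the reproduction still hold the deleted remnant?"""
    return b"old-balance" in reproduction


if __name__ == "__main__":
    dup, cp = make_duplicate(ORIGINAL), make_copy(ORIGINAL)
    print("duplicate verifies:", verified_against(ORIGINAL, dup))  # True
    print("copy verifies:", verified_against(ORIGINAL, cp))        # False
    print("copy keeps remnant:", retains_latent_data(cp))          # False
```

Only the duplicate hashes identically to the original, which is why a request for a "copy" may not return the latent data an examiner expects.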
In Summary...
• Nearly all computer crime is transjurisdictional
• Standards for collection & processing evidence required to share evidence
– Adopt standards - compare standards
– DE Forensics is a specialty, distinct from computer investigations
• Forensic Laboratories encouraged to lead effort to develop standards
Questions?
• Don Cavender
– Supervisory Special Agent
– dlcavender.cart@fbi.gov
• Mark M. Pollitt
– Unit Chief
– mpollitt.cart@fbi.gov
Computer Analysis Response Team
Room 4315
935 Pennsylvania Ave, NW
Washington, DC 20535 USA
202.324.9307
Computer Investigative Skills
• Digital Evidence Collection Specialist
– First Responder
– 2-3 days training
– Seize & Preserve Evidentiary Computers/Media
• Computer Investigator
– Above experience +
– Understanding of Internet/Networks/Tracing computer communications, etc.
– 1 to 2 weeks specialized training
• Computer Forensic Examiner
– Examines Original Media
– Extracts Data for Investigator to review
– 4 - 6 weeks specialized training
Digital evidence = Latent evidence:
• Is invisible
• Is easily altered or destroyed
• Requires precautions to prevent alteration
• Requires special tools and equipment
• Requires specialized training
• Requires expert testimony
Forensic Model
Protocols
Services Provided by Computer Forensic Examiners
• Exams
– Computer and diskette exams
– Other media - Jaz, Zip, MO, Tape backups
– PDA’s
• On site support of search warrants
– Consultation with investigators and prosecutors
• Expert testimony for results and procedures
Additional Services
• Recover deleted, erased, and hidden data
• Password and encryption cracking
• Determine effects of code
– such as malicious virus
CART Field Examiner (FE) Certification
• 4-5 weeks specialized in-service training
• 4 weeks commercial training
• Lab internship if desired or necessary
• One year for certification process
• $25,000 to train & equip a new examiner
• Also, annual re-certification and commercial training for FE’s - 3 year commitment
Other Computer Forensic Certifications
• SCERS - Treasury version of CART
– also offered to Local LEA through FLETC
• IACIS - LEA non profit association
• Local LEO’s
– State Labs
• Some commercial and academic programs in early development
Computer Forensic Training
• IACIS - International Association of Computer Investigative Specialists - http://www.cops.org/
• Federal Law Enforcement Training Center (FLETC) Financial Fraud Institute - (SCERS Training) http://www.treas.gov/fletc/ffi/ffi_home.htm
• HTCIA - High Technology Crime Investigation Association - http://htcia.org/
• SEARCH Group - http://www.search.org/
• National White Collar Crime Center - http://www.cybercrime.org
Computer Forensic Equipment
• Examination Desktop $3,000
– Highest performance affordable
– SCSI, DVD, Super Drive
– Additional Large Hard Drive $500
– Printer $500 - $1,500
• Search & Examination Notebook $3,000
– PCMCIA SCSI & Network Cards $300
– Additional Large Hard Drive $500
• External Backup (MO, Jaz or Tape Drive) $500 - $2,000
– Parallel to SCSI Adapter $150
• CD Writer $500
• Forensic Software $1,500 - $2,500
• Cables/Adapters $200 - $300
• Cases $150 - $300
• PC Tool Kit $10 - $300
• Media $20 - $500 per examination
• Range Total $10,000 - $15,000 prior to media
Common challenges faced by Computer Forensic Programs
• Volume of Exams
– Proliferation of computers
• Training & Staffing
– Enhancements to Computer Crime Investigations w/o enhancements to Computer Forensic Program
• Equipment
– 3 years to obsolescence
– Supplies
• Back up media, CD’s, hard drives, misc. hardware, viewing stations
• Space
– Secure work/storage area
• Request for assistance by Other Agencies
– Travel