
Digital Evidence Standards

Don Cavender
Computer Analysis Response Team
FBI Laboratory
Why standards?
• A scenario…
• Dagestan separatists
– Supported by Islamic fundamentalists
• Send two teams:
– Washington
– London
• Wire transfer funds from:
– Paris
– Rome
– By means of PC banking
• Simultaneously explode two devices
The crime scenes
• Subjects identified
• Computers recovered
• Reveal communications links
• Requests for investigations
• Additional digital evidence collected
• Digital evidence became the glue
Digital Evidence Trail
Critical issues…
• How do we ask for what evidence?
• Do we get what we thought we asked for?
• Can we use what we received?
Why standards?
• Trans-jurisdictional
• Exchange
• Digital evidence
What standards?
• Definitions
• Principles
• Processes
• Outcomes
• Common language
How it started
• 1993 - 1st International Conference on
Computer Evidence
• 1995 - International Organization on
Computer Evidence formed
• 1997 - IOCE & G-8 independently decide
to develop standards
How it started - continued
• 1998 - G-8 asks IOCE to undertake this
initiative
• 1998 - SWG-DE formed to pursue U.S.
participation
• 1998 - ACPO, FCG and ENFSI agree to
participate
• 1998 - INTERPOL is briefed on progress
Where we are now
• UK Good Practice Guide (ACPO)
• ENFSI Working Group
• SWG-DE draft standards
– www.for-swg.org/swgdein.htm (under construction)
• October 4-7, 1999
– IOCE, ACPO, FCG & ENFSI meet on European
standards
– www.ihcfc.com - results forthcoming
Where we are going
• First you must crawl…
• Create foundation
– definitions
– principles
– processes
• Durable
• Universal
– all digital evidence types
– mutually understood
SWG-DE Definitions:
Digital evidence -
• is information of probative value stored or
transmitted in digital form (SWG-DE
7/14/98)
• is acquired when information and/or
physical items are collected and stored for
examination purposes. (SWG-DE 8/18/98)
SWG-DE Principle:
Evidence Handling
• ANY action which has the potential to alter,
damage or destroy any aspect of original
evidence must be performed by qualified
persons in a forensically sound manner
(SWG-DE 3/12/99)
SWG-DE Definitions:
Evidence types
• Original digital evidence - physical items
and all the associated data objects at the
time of acquisition
SWG-DE Definitions:
Evidence types cont.
• Duplicates - an accurate reproduction of all
data objects independent of the physical
item
• Copy - an accurate reproduction of the
information contained in the data objects
independent of the physical item.
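The difference between a duplicate and a copy is easiest to see on a concrete image. The following Python is an added example, not code from the slides, SWG-DE or CART: it constructs a toy volume layout (not any real filesystem) holding two live files and the lingering bytes of a deleted one, then shows that a duplicate reproduces all data objects, including that unallocated remnant, while a copy carries only the information in the live data objects. The SHA-256 comparison used to verify the duplicate is the usual accuracy check and is an assumption added here; the slides do not name one.

```python
"""Duplicate vs. copy, in the SWG-DE sense, on a constructed toy volume image.

Added example, not from the slides. The layout below is invented for illustration:
  header : 1 byte, number of directory entries
  entry  : 8-byte name, 2-byte offset, 2-byte length, 1-byte allocated flag
  data   : raw bytes; unallocated space still holds a deleted file's content
"""
import hashlib
import struct

ENTRY = struct.Struct(">8sHHB")   # one directory entry, 13 bytes
VOLUME_SIZE = 512                 # constructed toy image size

# Constructed sample content (names must fit the 8-byte field).
LIVE_FILES = {b"agenda": b"meeting agenda", b"report": b"quarterly report"}
DELETED_FILE = (b"draft", b"draft budget v1")   # directory entry marked unallocated


def build_volume() -> bytes:
    """Construct the 'original' image: two live files plus the remnant of a deleted one."""
    entries = list(LIVE_FILES.items()) + [DELETED_FILE]
    image = bytearray(VOLUME_SIZE)
    image[0] = len(entries)
    data_offset = 1 + ENTRY.size * len(entries)
    for i, (name, data) in enumerate(entries):
        allocated = 0 if name == DELETED_FILE[0] else 1
        ENTRY.pack_into(image, 1 + i * ENTRY.size, name, data_offset, len(data), allocated)
        image[data_offset:data_offset + len(data)] = data   # bytes stay even when unallocated
        data_offset += len(data)
    return bytes(image)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_duplicate(image: bytes) -> bytes:
    """Duplicate: every data object, allocated or not, reproduced bit for bit."""
    return bytes(image)


def make_copy(image: bytes) -> dict:
    """Copy: only the information in the data objects, i.e. the contents of live files."""
    files = {}
    for i in range(image[0]):
        name, offset, length, allocated = ENTRY.unpack_from(image, 1 + i * ENTRY.size)
        if allocated:
            files[name.rstrip(b"\0")] = image[offset:offset + length]
    return files


def is_verified_duplicate(original: bytes, reproduction: bytes) -> bool:
    """Accuracy check (assumed here): the reproduction hashes identically to the original."""
    return sha256(original) == sha256(reproduction)


def contains_remnant(blob: bytes) -> bool:
    """Does this blob still carry the deleted file's bytes?"""
    return DELETED_FILE[1] in blob


def demo() -> dict:
    """Compare what survives in a duplicate versus a copy of the same original."""
    original = build_volume()
    duplicate = make_duplicate(original)
    copy = make_copy(original)
    return {
        "duplicate_verified": is_verified_duplicate(original, duplicate),
        "duplicate_has_remnant": contains_remnant(duplicate),
        "copy_has_remnant": any(contains_remnant(v) for v in copy.values()),
        "copy_file_count": len(copy),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical consequence for an examiner: the deleted draft can be recovered only from the duplicate, so a request that yields a copy when a duplicate was meant loses evidence that the original still held. A single altered byte in the duplicate also fails the hash check, which is what makes the accuracy of the reproduction demonstrable rather than asserted.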
In Summary...
• Nearly all computer crime is trans-jurisdictional
• Standards for collection & processing evidence
required to share evidence
– Adopt standards - compare standards
– DE Forensics is a specialty, distinct from computer
investigations
• Forensic Laboratories encouraged to lead effort
to develop standards
Questions?
• Don Cavender
– Supervisory Special Agent
– dlcavender.cart@fbi.gov
• Mark M. Pollitt
– Unit Chief
– mpollitt.cart@fbi.gov
• Computer Analysis Response Team
• Room 4315
• 935 Pennsylvania Ave, NW
• Washington, DC 20535 USA
• 202.324.9307
Computer Investigative Skills
• Digital Evidence Collection Specialist
– First Responder
– 2-3 days training
– Seize & Preserve Evidentiary Computers/Media

• Computer Investigator
– Above experience +
– Understanding of Internet/Networks/Tracing computer communications, etc.
– 1 to 2 weeks specialized training

• Computer Forensic Examiner
– Examines Original Media
– Extracts Data for Investigator to review
– 4 - 6 weeks specialized training
Digital evidence =
Latent evidence:
• Is invisible
• Is easily altered or destroyed
• Requires precautions to prevent alteration
• Requires special tools and equipment
• Requires specialized training
• Requires expert testimony
Forensic Model
(Figure: People, Equipment, Protocols)
Services Provided by Computer
Forensic Examiners
• Exams
– Computer and diskette exams
– Other media - Jaz, Zip, MO, Tape backups
– PDAs
• On site support of search warrants
– Consultation with investigators and prosecutors
• Expert testimony for results and procedures
Additional Services
• Recover deleted, erased, and hidden data
• Password and encryption cracking
• Determine effects of code
– such as malicious virus
CART Field Examiner (FE)
Certification
• 4-5 weeks specialized in-service training
• 4 weeks commercial training
• Lab internship if desired or necessary
• One year for certification process
• $25,000 to train & equip a new examiner
• Also, annual re-certification and commercial
training for FEs - 3 year commitment
Other Computer Forensic
Certifications
• SCERS - Treasury version of CART
– also offered to Local LEA through FLETC
• IACIS - LEA non profit association
• Local LEOs
– State Labs
• Some commercial and academic programs in
early development
Computer Forensic Training
• IACIS - International Association of Computer
Investigative Specialists - http://www.cops.org/
• Federal Law Enforcement Training Center (FLETC)
Financial Fraud Institute - (SCERS Training)
http://www.treas.gov/fletc/ffi/ffi_home.htm
• HTCIA - High Technology Crime Investigation
Association - http://htcia.org/
• SEARCH Group - http://www.search.org/
• National White Collar Crime Center -
http://www.cybercrime.org
Computer Forensic Equipment
• Examination Desktop $3,000
– Highest performance affordable
– SCSI, DVD, Super Drive
– Additional Large Hard Drive $500
– Printer $500 - $1,500
• Search & Examination Notebook $3,000
– PCMCIA SCSI & Network Cards $300
– Additional Large Hard Drive $500
• External Backup (MO, Jaz or Tape Drive) $500 - $2,000
– Parallel to SCSI Adapter $150
• CD Writer $500
• Forensic Software $1,500 - $2,500
• Cables/Adapters $200 - $300
• Cases $150 - $300
• PC Tool Kit $10 - $300
• Media $20 - $500 per examination
• Range Total $10,000 - $15,000 prior to media
Common challenges faced by
Computer Forensic Programs
• Volume of Exams
– Proliferation of computers
• Training & Staffing
– Enhancements to Computer Crime Investigations w/o enhancements to Computer
Forensic Program
• Equipment
– 3 years to obsolescence
– Supplies
• Back up media, CDs, hard drives, misc. hardware, viewing stations

• Space
– Secure work/storage area
• Request for assistance by Other Agencies
– Travel
