Digital Evidence Standards Don Cavender Computer Analysis Response Team FBI Laboratory.

Digital Evidence Standards

Don Cavender

Computer Analysis Response Team

FBI Laboratory

Why standards?

• A scenario…

Dagestan separatists

• Supported by Islamic fundamentalists

Send two teams:

• Washington • London

Wire transfer funds from:

• Paris • Rome

By means of PC banking

Simultaneously explode two devices

The crime scenes

• Subjects identified

• Computers recovered

• Reveal communications links

• Requests for investigations

• Additional digital evidence collected

• Digital evidence became the glue

Digital Evidence Trail

Critical issues…

• How do we ask for what evidence?

• Do we get what we thought we asked for?

• Can we use what we received?

Why standards?

• Trans-jurisdictional

• Exchange

• Digital evidence

What standards?

• Definitions

• Principles

• Processes

• Outcomes

• Common language

How it started

• 1993 - 1st International Conference on Computer Evidence

• 1995 - International Organization on Computer Evidence formed

• 1997 - IOCE & G-8 independently decide to develop standards

How it started - continued

• 1998 - G-8 asks IOCE to undertake this initiative

• 1998 - SWG-DE formed to pursue U.S. participation

• 1998 - ACPO, FCG and ENSFI agree to participate

• 1998 - INTERPOL is briefed on progress

Where we are now

• UK Good Practice Guide (ACPO)

• ENSFI Working Group

• SWG-DE draft standards– www.for-swg.org/swgdein.htm (under construction)

• October 4-7, 1999– IOCE, ACPO, FCG & ENSFI meet on European

standards – www.ihcfc.com - results forthcomming

Where we are going

• First you must crawl…

• Create foundation– definitions– principles– processes

• Durable

• Universal– all digital evidence types– mutually understood

SWG-DE Definitions:Digital evidence -

• is information of probative value stored or transmitted in digital form (SWG-DE 7/14/98)

• is acquired when information and/or physical items are collected and stored for examination purposes. (SWG-DE 8/18/98)

SWG-DE Principle:Evidence Handling

• ANY action which has the potential to alter, damage or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner (SWG-DE 3/12/99)

SWG-DE Definitions:Evidence types

• Original digital evidence - physical items and all the associated data objects at the time of acquisition

SWG-DE Definitions:Evidence types cont.

• Duplicates - an accurate reproduction of all data objects independent of the physical item

• Copy - an accurate reproduction of the information contained in the data objects independent of the physical item.

In Summary...

• Nearly all computer crime is trans-jurisdictional

• Standards for collection & processing evidence required to share evidence– Adopt standards - compare standards– DE Forensics is a specialty, distinct from computer

investigations

• Forensic Laboratories encouraged to lead effort to develop standards

Questions?

• Mark M. Pollitt

• Unit Chief

• [email protected]

• Don Cavender

• Supervisory Special Agent

• [email protected]

• Computer Analysis Response Team

• Room 4315

• 935 Pennsylvania Ave, NW

• Washington, DC 20535 USA

• 202.324.9307

Computer Investigative Skills• Digital Evidence Collection Specialist

– First Responder– 2-3 days training– Seize & Preserve Evidentiary Computers/Media

• Computer Investigator– Above experience +– Understanding of Internet/Networks/Tracing computer communications, etc.– 1 to 2 weeks specialized training

• Computer Forensic Examiner– Examines Original Media– Extracts Data for Investigator to review– 4 - 6 weeks specialized training

Digital evidence = Latent evidence:

• Is invisible

• Is easily altered or destroyed

• Requires precautions to prevent alteration

• Requires special tools and equipment

• Requires specialized training

• Requires expert testimony

Forensic Model

People

Equipment

Protocols

Services Provided by Computer Forensic Examiners

• Exams– Computer and diskette exams– Other media - Jaz, Zip, MO, Tape backups– PDA’s

• On site support of search warrants– Consultation with investigators and prosecutors

• Expert testimony for results and procedures

Additional Services

• Recover deleted, erased, and hidden data

• Password and encryption cracking

• Determine effects of code– such as malicious virus

CART Field Examiner (FE) Certification

• 4-5 weeks specialized in-service training• 4 weeks commercial training• Lab internship if desired or necessary• One year for certification process• $25,000 to train & equip a new examiner• Also, annual re-certification and commercial

training for FE’s - 3 year commitment

Other Computer Forensic Certifications

• SCERS - Treasury version of CART

– also offered to Local LEA through FLETC

• IACIS - LEA non profit association

• Local LEO’s– State Labs

• Some commercial and academic programs in early development

Computer Forensic Training• IACIS - International Association of Computer

Investigative Specialists - http://www.cops.org/

• Federal Law Enforcement Training Center (FLETC) Financial Fraud Institute - (SCERS Training) http://www.treas.gov/fletc/ffi/ffi_home.htm

• HTCIA - High Technology Crime Investigation Association - http://htcia.org/

• SEARCH Group - http://www.search.org/

• National White Collar Crime Center - http://www.cybercrime.org

Computer Forensic Equipment

• Examination Desktop $3,000– Highest performance

affordable– SCSI, DVD, Super Drive– Additional Large Hard Drive

$ 500– Printer $ 500 - $1500

• Search & Examination Notebook $ 3,000– PCMCIA SCSI & Network

Cards $ 300– Additional Large Hard Drive

$ 500

• External Backup (MO, Jaz or Tape Drive) $ 500 - $ 2,000– Parallel to SCSI Adapter $150

• CD Writer $ 500• Forensic Software $ 1,500 - $2,500• Cables/Adapters $ 200 - $ 300• Cases $ 150 - $ 300• PC Tool Kit $ 10 - $ 300 • Media $ 20 - $500 per examination• Range Total $ 10, 000 - $ 15,000

prior to media

Common challenges faced by Computer Forensic Programs

• Volume of Exams– Proliferation of computers

• Training & Staffing– Enhancements to Computer Crime Investigations w/o enhancements to Computer

Forensic Program

• Equipment– 3 years to obsolescence

– Supplies• Back up media, CD’s, hard drives, misc. hardware, viewing stations

• Space– Secure work/storage area

• Request for assistance by Other Agencies– Travel