Forensic Examination of Digital Evidence: A Guide for Law Enforcement


APR. 04
U.S. Department of Justice
Office of Justice Programs
National Institute of Justice

Special Report

Forensic Examination of Digital Evidence: A Guide for Law Enforcement

U.S. Department of Justice
Office of Justice Programs
810 Seventh Street N.W.
Washington, DC 20531

John Ashcroft
Attorney General

Deborah J. Daniels
Assistant Attorney General

Sarah V. Hart
Director, National Institute of Justice

This and other publications and products of the U.S. Department of Justice, Office of Justice Programs, National Institute of Justice can be found on the World Wide Web at the following site:

Office of Justice Programs
National Institute of Justice
http://www.ojp.usdoj.gov/nij

APR. 04
Forensic Examination of Digital Evidence: A Guide for Law Enforcement
NCJ 199408

Sarah V. Hart
Director

This document is not intended to create, does not create, and may not be relied upon to create any rights, substantive or procedural, enforceable at law by any party in any matter civil or criminal.

Opinions or points of view expressed in this document represent a consensus of the authors and do not represent the official position or policies of the U.S. Department of Justice. The products, manufacturers, and organizations discussed in this document are presented for informational purposes only and do not constitute product approval or endorsement by the U.S. Department of Justice.

This document was prepared under Interagency Agreement #1999–IJ–R–094 between the National Institute of Justice and the National Institute of Standards and Technology, Office of Law Enforcement Standards.

The National Institute of Justice is a component of the Office of Justice Programs, which also includes the Bureau of Justice Assistance, the Bureau of Justice Statistics, the Office of Juvenile Justice and Delinquency Prevention, and the Office for Victims of Crime.

Foreword

Developments in the world have shown how simple it is to acquire all sorts of information through the use of computers. This information can be used for a variety of endeavors, and criminal activity is a major one. In an effort to fight this new crime wave, law enforcement agencies, financial institutions, and investment firms are incorporating computer forensics into their infrastructure. From network security breaches to child pornography investigations, the common bridge is the demonstration that the particular electronic media contained the incriminating evidence. Supportive examination procedures and protocols should be in place in order to show that the electronic media contains the incriminating evidence.

To assist law enforcement agencies and prosecutorial offices, a series of guides dealing with digital evidence has been selected to address the complete investigation process. This process expands from the crime scene through analysis and finally into the courtroom. The guides summarize information from a select group of practitioners who are knowledgeable about the subject matter. These groups are more commonly known as technical working groups.

This guide is the second in a series. The first guide, Electronic Crime Scene Investigation: A Guide for First Responders, is available through the National Institute of Justice Web site.

The remaining guides in the series will address—

- Using high technology to investigate.
- Investigating high technology crimes.
- Creating a digital evidence forensic unit.
- Presenting digital evidence in the courtroom.

Because of the complex issues associated with digital evidence examination, the Technical Working Group for the Examination of Digital Evidence (TWGEDE) recognized that its recommendations may not be feasible in all circumstances. The guide’s recommendations are not legal mandates or policy directives, nor do they represent the only correct courses of action. Rather, the recommendations represent a consensus of the diverse views and experiences of the technical working group members who have provided valuable insight into these important issues. The National Institute of Justice (NIJ) expects that each jurisdiction will be able to use these recommendations to spark discussions and ensure that its practices and procedures are best suited to its unique environment.

It is our hope that, through these materials, more of our Nation’s law enforcement personnel will be trained to work effectively with digital evidence and maximize the reliability of that evidence to the benefit of criminal case prosecutions.

NIJ extends its appreciation to the participants in the TWGEDE for their dedication to the preparation of this guide. Their efforts are particularly commendable given that they were not relieved of their existing duties with their home offices or agencies while they participated in the TWGEDE. What is more, it was necessary for TWGEDE members to attend numerous (and lengthy) guide preparation meetings that were held at locations far removed from their home offices or agencies. In recognition of this, NIJ expresses great appreciation for the commitment made by the home offices or agencies of TWGEDE members in suffering the periodic unavailability of their employees.

Sarah V. Hart
Director
National Institute of Justice

Technical Working Group for the Examination of Digital Evidence

The process of developing the guide was initiated through an invitational process. Invitees for the Technical Working Group for the Examination of Digital Evidence (TWGEDE) were selected initially for their expertise with digital evidence and then by their profession. The intent was to incorporate a medley of individuals with law enforcement, corporate, or legal affiliations to ensure a complete representation of the communities involved with digital evidence.

A small core of individuals was invited to comprise the planning panel. The task of the planning panel was to formulate a basic outline of topics that would be considered for inclusion.

NIJ thanks Michael P. Everitt of the U.S. Postal Service, Office of Inspector General, and Michael J. Menz. Both of these individuals provided their invaluable time and expertise during the guide’s review process.

Planning panel

Susan Ballou; Program Manager, Forensic Science; Office of Law Enforcement Standards; National Institute of Standards and Technology; Gaithersburg, Maryland
Kenneth Broderick; Special Agent; U.S. Bureau of Alcohol, Tobacco, Firearms and Explosives; Computer Forensics Branch; Sterling, Virginia
Charles J. Faulk; Special Agent; U.S. Bureau of Alcohol, Tobacco, Firearms and Explosives; Portland, Oregon
Grant Gottfried; Senior Specialist; National Center for Forensic Science; Orlando, Florida
Kim Herd; Criminal Law and Technology Counsel; National Association of Attorneys General; Washington, D.C.
Mark Johnson; Sergeant; Computer Crimes Unit; Kansas City, Missouri, Police; Kansas City, Missouri
Michael McCartney; Investigator; New York State Attorney General’s Office; Criminal Prosecution Bureau–Organized Crime Task Force; Buffalo, New York
Mark Menz; Digital Evidence Scientist; Folsom, California
Bill Moylan; Detective; Nassau County Police Department; Computer Crime Section; Crimes Against Property Squad; Westbury, New York
Glenn Nick; Assistant Director; U.S. Customs Service; Cyber Smuggling Center; Fairfax, Virginia
Todd Shipley; Detective Sergeant; Reno Police Department; Computer Crimes Unit; Reno, Nevada
Andy Siske; Defense Computer Investigation Training Program; Linthicum, Maryland
Chris Stippich; Digital Intelligence, Inc.; Waukesha, Wisconsin

TWGEDE members

Additional members were then incorporated into the TWGEDE to provide a full technical working group. The individuals listed below, along with the planning panel, worked together to formulate this guide.

Abigail Abraham; Assistant State’s Attorney; Cook County State’s Attorney’s Office; Chicago, Illinois
Chris G. Andrist; Agent; Colorado Bureau of Investigation; Denver, Colorado
Sean Barry; Computer Forensics Assistant Lab Manager; New Technologies, Inc.; Gresham, Oregon
Bill Baugh; CEO; Savannah Technology Group; Savannah, Georgia
Randy Bishop; Special Agent in Charge; U.S. Department of Energy; Office of Inspector General; Technology Crime Section; Washington, D.C.
Carleton Bryant; Staff Attorney; Knox County Sheriff’s Office; Knoxville, Tennessee
Don Buchwald; Project Engineer; The Aerospace Corporation; Los Angeles, California
Jaime Carazo; Special Agent; United States Secret Service; Electronic Crimes Branch; Washington, D.C.
Keith G. Chval; Chief, High Tech Crimes Bureau; Office of the Illinois Attorney General; Chicago, Illinois
Dorothy E. Denning; Professor; Computer Science Department; Georgetown University; Washington, D.C.
Dan Dorman; Inspector; Postal Inspection Service; Atlanta, Georgia
James Doyle; Sergeant; Detective Bureau; New York City Police Department; Computer Investigation and Technology Unit; New York, New York
Michael Duncan; Staff/Sergeant; Economic Crime Branch; Technological Crime Section; Ottawa, Ontario, Canada
Doug Elrick; Senior Forensic Specialist; Digital Intelligence; Waukesha, Wisconsin
Michael Finnie; Forensic Specialist; Computer Forensics Inc.; Seattle, Washington
Toby M. Finnie; Director; High Tech Crime Consortium; Tacoma, Washington
Paul T. French; Director, Consulting Services; New Technologies, Inc.; Computer Forensics Lab Manager; Gresham, Oregon
Pat Gilmore; Director; RedSiren, Inc.; Pittsburgh, Pennsylvania
Sam Guttman; Postal Inspector; Forensic and Technical Services; U.S. Postal Service; Dulles, Virginia
Dave Heslep; Sergeant; Maryland State Police; Computer Forensics Laboratory; Columbia, Maryland
Al Hobbs; Special Deputy U.S. Marshal; Child Exploitation Strike Force; Arlington Heights Police Department; Arlington Heights, Illinois
Robert Hopper; Sergeant; Arizona Department of Public Safety; Computer Forensic Unit; Phoenix, Arizona
Mary Horvath; Program Manager; FBI–CART; Washington, D.C.
Nigel Jones; Programme Manager; National High Tech Crime Training Centre; National Police Training; Wyboston Lakes Leisure Centre; United Kingdom
Roland Lascola; Cyber Security Specialist; Independent Oversight; U.S. Department of Energy; Washington, D.C.
Barry Leese; Lieutenant; Maryland State Police; Computer Crimes Unit; Columbia, Maryland
Glenn Lewis; Kroll Global Headquarters; New York, New York
Jason Luttgens; Computer Specialist, R&D; NASA Office of the Inspector General; Computer Crimes Division; Washington, D.C.
Dan Mares; President; Mares and Company, LLC; Lawrenceville, Georgia
Ralph McNamara; Assistant Inspector General for Investigations; National Archives and Records Administration; Office of Inspector General; College Park, Maryland
Joel Moskowitz; Investigator; Clark County District Attorney’s Office; Las Vegas, Nevada
James K. Pace; Senior Special Agent; Chief of Computer Forensics and Investigations; U.S. Army Criminal Investigation Laboratory; Forest Park, Georgia
Scott R. Patronik; Chief, Division of Technology and Advancement; Erie County Sheriff’s Office; Buffalo, New York
Greg Redfern; Director; Department of Defense Computer Investigations Training Program; Linthicum, Maryland
Henry R. Reeve; General Counsel; Second Judicial District; Denver, Colorado
Jim Riccardi, Jr.; Electronic Crime Specialist; National Law Enforcement and Corrections Technology Center–Northeast; Rome, New York
Greg Schmidt; Investigations/Technical; Computer Forensics Examiner; Plano, Texas
Howard Schmidt; Vice Chair; President’s Critical Infrastructure Protection Board; Washington, D.C.
Raemarie Schmidt; Computer Crimes Training Specialist; National White Collar Crime Center; Computer Crime Section; Fairmont, West Virginia
John A. Sgromolo; President; Digital Forensics, Inc.; Clearwater, Florida
George Sidor; Sr. Computer Forensics Investigator; G-Wag, Inc.; St. Albert, Alberta, Canada
Mike Weil; Computer Forensic Examiner; DoD Computer Forensics Laboratory; Linthicum, Maryland

Contents

Foreword
Technical Working Group for the Examination of Digital Evidence
Introduction
Chapter 1. Policy and Procedure Development
Chapter 2. Evidence Assessment
Chapter 3. Evidence Acquisition
Chapter 4. Evidence Examination
Chapter 5. Documenting and Reporting
Appendix A. Case Examples
Appendix B. Glossary
Appendix C. Sample Worksheets
Appendix D. Examples of Request for Service Forms
Appendix E. Legal Resources List
Appendix F. Technical Resources List
Appendix G. Training Resources List
Appendix H. List of Organizations

Introduction

Note: Terms that are defined in the glossary appear in bold italics on their first appearance in the body of the report.

This guide is intended for use by law enforcement officers and other members of the law enforcement community who are responsible for the examination of digital evidence.

This guide is not all-inclusive. Rather, it deals with common situations encountered during the examination of digital evidence. It is not a mandate for the law enforcement community; it is a guide agencies can use to help them develop their own policies and procedures.

Technology is advancing at such a rapid rate that the suggestions in this guide are best examined in the context of current technology and practices. Each case is unique and the judgment of the examiner should be given deference in the implementation of the procedures suggested in this guide. Circumstances of individual cases and Federal, State, and local laws/rules may also require actions other than those described in this guide.

When dealing with digital evidence, the following general forensic and procedural principles should be applied:

- Actions taken to secure and collect digital evidence should not affect the integrity of that evidence.
- Persons conducting an examination of digital evidence should be trained for that purpose.
- Activity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review.

Through all of this, the examiner should be cognizant of the need to conduct an accurate and impartial examination of the digital evidence.

How is digital evidence processed?

Assessment. Computer forensic examiners should assess digital evidence thoroughly with respect to the scope of the case to determine the course of action to take.

Acquisition. Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination. Examination is best conducted on a copy of the original evidence. The original evidence should be acquired in a manner that protects and preserves the integrity of the evidence.

Examination. The purpose of the examination process is to extract and analyze digital evidence. Extraction refers to the recovery of data from its media. Analysis refers to the interpretation of the recovered data and putting it in a logical and useful format.

Documenting and reporting. Actions and observations should be documented throughout the forensic processing of evidence. This will conclude with the preparation of a written report of the findings.

Is your agency prepared to handle digital evidence?

This document recommends that agencies likely to handle digital evidence identify appropriate external resources for the processing of digital evidence before they are needed. These resources should be readily available for situations that are beyond the technical expertise or resources of the department. It is also recommended that agencies develop policies and procedures to ensure compliance with Federal, State, and local laws.

The following five topics describe the necessary basic steps to conduct a computer forensic examination and suggest the order in which they should be conducted. Although documentation is listed as the last step, a well-trained examiner understands that documentation is continuous throughout the entire examination process.

1. Policy and Procedure Development
2. Evidence Assessment
3. Evidence Acquisition
4. Evidence Examination
5. Documenting and Reporting

Each of these steps is explained further in the subsequent chapters. The chapters are further supported by the specialized information provided in the appendixes.

Chapter 1. Policy and Procedure Development

Principle: Computer forensics as a discipline demands specially trained personnel, support from management, and the necessary funding to keep a unit operating. This can be attained by constructing a comprehensive training program for examiners, sound digital evidence recovery techniques, and a commitment to keep any developed unit operating at maximum efficiency.

Procedure: Departments should create policies and procedures for the establishment and/or operation of a computer forensics unit.

Protocols and procedures

Mission statement

Developing policies and procedures that establish the parameters for operation and function is an important phase of creating a computer forensics unit. An effective way to begin this task is to develop a mission statement that incorporates the core functions of the unit, whether those functions include high-technology crime investigations, evidence collection, or forensic analysis.

Personnel

The policies and procedures should consider defining the personnel requirements for the unit. Topics that might be included in this section are job descriptions and minimum qualifications, hours of operation, on-call duty status, command structure, and team configuration.

Administrative considerations

Software licensing. Ensure that all software used by the computer forensics unit is properly licensed by the agency or an individual assigned to the unit.

Resource commitment. Establishing and operating a computer forensics unit may require significant allocation of financial resources and personnel. Many of the expenses are recurring and will have to be budgeted on a yearly basis. Resource allocation should include the type of facility that will house the unit, equipment used by examiners, software and hardware requirements, upgrades, training, and ongoing professional development and retention of examiners.

Training. It is important that computer forensics units maintain skilled, competent examiners. This can be accomplished by developing the skills of existing personnel or hiring individuals from specific disciplines. Because of the dynamic nature of the field, a comprehensive ongoing training plan should be developed based on currently available training resources and should be considered in budget submissions. Consideration may also be given to mentor programs, on-the-job training, and other forms of career development.

Service request and intake

Guidelines should be developed to establish a process for the submission of forensic service requests and the intake of accepted requests for examination of digital evidence. Topics to consider in these guidelines include request and intake forms, point of contact, required documentation, acceptance criteria,* and requirements for the submission of physical evidence. Field personnel are expected to know the policies for service request and intake.

Case management

Once a request for forensic services is approved, criteria for prioritizing and assign
