Online , profile picture
Uploaded byOnline
15,127 views

Collecting and preserving digital evidence

This document discusses best practices for collecting, preserving, and analyzing digital evidence. It covers topics such as data recovery, backup solutions, hidden data recovery techniques, evidence collection methods, and standards for ensuring digital evidence is authenticated and verified. The goal is to extract useful information from seized devices and recovered data in a way that can be used in a court of law to identify attackers and reconstruct security incidents.

Embed presentation

Collecting and Preserving Digital Evidence
Data Recovery • What is Data Recovery? • Role of Backup in Data Recovery • Data Recovery Solution • Hiding and Recovering Hidden Data
What is Data Recovery • Usually data recovery means that data that is lost is recovered – e.g., when a system crashes some data may be lost, with appropriate recovery procedures the data is recovered • In digital forensics, data recovery is about extracting the data from seized computers (hard drives, disks etc.) for analysis
Role of Backup in Data Recovery • Databases/files are backed up periodically (daily, weekly, hourly etc.) so that if system crashes the databases/files can be recovered to the previous consistent state • Challenge to backup petabyte sized databases/files • Obstacles for backing up – Backup window, network bandwidth, system throughout • Current trends – Storage cost decreasing, systems have to be online 24x7 • Next generation solutions – Multiple backup servers, optimizing storage space
Data Recovery/Backup Solution • Develop a plan/policy for backup and recovery • Develop/Hire/Outsource the appropriate expertise • Develop a system design for backup/recovery – Three tier architectures, caches, backup servers • Examine state of the art backup/recovery products and tools • Implement the backup plan according to the policy and design
Recover Hidden Data • Hidden data – Files may be deleted, but until they are overwritten, the data may remain – Data stored in diskettes and stored insider another disk • Need to get all the pieces and complete the puzzle • Analysis techniques (including statistical reasoning) techniques are being used to recover hidden data and complete the puzzle
Evidence Collection and Data Seizure • What is Evidence Collection • Types of Evidence • Rules of Evidence • Volatile Evidence • Methods of Collection • Steps to Collection • Controlling Contamination
What is Evidence Collection • Collecting information from the data recovered for further analysis • Need to collect evidence so that the attacker can be found and future attacks can be prevented and/or limited • Collect evidence for analysis or monitor the intruder • Obstacles – Difficult to extract patterns or useful information from the recovered data – Difficult to tie the extracted information to a person
Types of Evidence • Testimonial Evidence – Evidence supplied by a witness; subject to the perceived reliability of the witness – Word processor documents written by a witness as long as the author states that he wrote it • Hearsay – Evidence presented by a person who is not a direct witness – Word processor documents written by someone without direct knowledge of the incident
Rules of Evidence • Admissible – Evidence must be able to be used in court • Authentic – Tie the evidence positively to an incident • Complete – Evidence that can cover all perspectives • Reliable – There should be no doubt that proper procedures were used • Believable – Understandable and believable to a jury
Additional considerations • Minimize handling and corruption of original data • Account for any changes and keep detailed logs • Comply with the 5 basic rules • Do not exceed your knowledge – need to understand what you are doing • Follow the security policy established • Work fast / however need to be accurate • Proceed from volatile to persistent evidence • Do not shut down the machine before collecting evidence • Do not run programs on the affected machine
Volatile Evidence • Types – Cached data – Routing tables – Process table – Kernel statistics – Main memory • What to do next – Collect the volatile data and store in a permanent storage device
Methods of Collection • Freezing the scene – Taking a snapshot of the system and its compromised state – Recover data, extract information, analyze • Honeypotting – Create a replica system and attract the attacker for further monitoring
Steps to Collection • Find the evidence; where is it stored • Find relevant data - recovery • Create order of volatility • Remove external avenues of change; no tampering • Collect evidence – use tools • Good documentation of all the actions
Controlling Contamination • Once the data is collected it should not be contaminated, must be stored in a secure place, encryption techniques • Maintain a chain of custody, who owns the data, data provenance techniques • Analyze the evidence – Use analysis tools to determine what happened • Analyze the log files and determine the timeline • Analyze backups using a dedicated host • Reconstruct the attack from all the information collected
Duplication and Preservation of Evidence • Preserving the Digital Crime Scene – First task is to make a compete bit stream backup of all computer data before review or process – Bit stream backups (also referred to as mirror image backups) involve the backup of all areas of a computer hard disk drive or another type of storage media, e.g., Zip disks, floppy disks, Jazz disks, etc. Such backups exactly replicate all sectors on a given storage device. Thus, all files and ambient data storage areas are copied. Bit stream backups are sometimes also referred to as 'evidence grade' backups and they differ substantially from traditional computer file backups and network server backups. – http://www.forensics-intl.com/def2.html • Make sure that the legal requirements are met and proper procedures are followed
Digital Evidence Process Model • The U.S. Department of Justice published a process model in the Electronic Crime Scene Investigation: A guide to first responders that consists of four phases: - • 1. Collection; which involves the evidence search, evidence recognition, evidence collection and documentation. • 2. Examination; this is designed to facilitate the visibility of evidence, while explaining its origin and significance. It involves revealing hidden and obscured information and the relevant documentation. • 3. Analysis; this looks at the product of the examination for its significance and probative value to the case. • 4. Reporting; this entails writing a report outlining the examination process and pertinent data recovered from the overall investigation.
Standards for Digital Evidence • The Scientific Working Group on Digital Evidence (SWGDE) was established in February 1998 through a collaborative effort of the Federal Crime Laboratory Directors. SWGDE, as the U.S.-based component of standardization efforts conducted by the International Organization on Computer Evidence (IOCE), was charged with the development of cross-disciplinary guidelines and standards for the recovery, preservation, and examination of digital evidence, including audio, imaging, and electronic devices. • The following document was drafted by SWGDE and presented at the International Hi-Tech Crime and Forensics Conference (IHCFC) held in London, United Kingdom, October 4-7, 1999. It proposes the establishment of standards for the exchange of digital evidence between sovereign nations and is intended to elicit constructive discussion regarding digital evidence. This document has been adopted as the draft standard for U.S. law enforcement agencies. • http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm
Verifying Digital Evidence • Encryption techniques – Public/Private key encryption – Certification Authorities – Digital ID/Credentials • Owner signs document with his private key, the Receiver decrypts the document with the owner’s public key • Owner signs document with the receiver’s public key, Receiver decrypts the document with his private key • Standards for Encryption – Export/Import laws
Conclusion • Data must be backed up using appropriate policies, procedures and technologies • Once a crime ahs occurred data ahs to be recovered from the various disks and commuters • Data that is recovered has to be analyzed to extract evidence • Evidence has to analyzed to determine what happened • Use log files and documentations to establish the timeline • Reconstruct the attack
Conclusion • Standards and processes have to be set in place for representing, preserving, duplicating, verifying, validating certifying and accrediting digital evidence • Numerous techniques are out there; need to determine which ones are useful for the particular evidence at hand • Need to make it a scientific discipline

More Related Content

PPT
Computer forensics
bySCREAM138
 
PPTX
Analysis of digital evidence
byrakesh mishra
 
PPTX
Processing Crimes and Incident Scenes
byprimeteacher32
 
PPT
Lecture2 Introduction to Digital Forensics.ppt
bySurajgroupsvideo
 
PDF
06 Computer Image Verification and Authentication - Notes
byKranthi
 
PDF
Digital Evidence in Computer Forensic Investigations
byFilip Maertens
 
PDF
05 Duplication and Preservation of Digital evidence - Notes
byKranthi
 
PPTX
Computer Forensics ppt
byOECLIB Odisha Electronics Control Library
 
Computer forensics
bySCREAM138
 
Analysis of digital evidence
byrakesh mishra
 
Processing Crimes and Incident Scenes
byprimeteacher32
 
Lecture2 Introduction to Digital Forensics.ppt
bySurajgroupsvideo
 
06 Computer Image Verification and Authentication - Notes
byKranthi
 
Digital Evidence in Computer Forensic Investigations
byFilip Maertens
 
05 Duplication and Preservation of Digital evidence - Notes
byKranthi
 
Computer Forensics ppt
byOECLIB Odisha Electronics Control Library
 

What's hot

PPTX
Digital Evidence by Raghu Khimani
byDr Raghu Khimani
 
PPTX
Digital Forensic ppt
bySuchita Rawat
 
PPT
Digital Forensic
byCleverence Kombe
 
ODT
Operating System Forensics
byArunJS5
 
PPTX
mobile forensic.pptx
byAmbuj Kumar
 
PPTX
Network Forensics
byprimeteacher32
 
PPTX
Digital forensics
byyash sawarkar
 
PPTX
Difference between Cyber and digital Forensic.pptx
byApplied Forensic Research Sciences
 
PDF
04 Evidence Collection and Data Seizure - Notes
byKranthi
 
PDF
Digital forensic principles and procedure
bynewbie2019
 
PPT
Preserving and recovering digital evidence
byOnline
 
PPTX
Mobile Forensics
byprimeteacher32
 
PPTX
Network forensic
byManjushree Mashal
 
PPTX
computer forensic tools-Hardware & Software tools
byN.Jagadish Kumar
 
PPTX
Network forensics and investigating logs
byanilinvns
 
PDF
Cyber Forensics Module 1
byManu Mathew Cherian
 
PPTX
Data Acquisition
byprimeteacher32
 
PPTX
Digital forensics
byvishnuv43
 
PPTX
Cyber Forensics Overview
byYansi Keim
 
PPTX
Computer forensics
byRamesh Ogania
 
Digital Evidence by Raghu Khimani
byDr Raghu Khimani
 
Digital Forensic ppt
bySuchita Rawat
 
Digital Forensic
byCleverence Kombe
 
Operating System Forensics
byArunJS5
 
mobile forensic.pptx
byAmbuj Kumar
 
Network Forensics
byprimeteacher32
 
Digital forensics
byyash sawarkar
 
Difference between Cyber and digital Forensic.pptx
byApplied Forensic Research Sciences
 
04 Evidence Collection and Data Seizure - Notes
byKranthi
 
Digital forensic principles and procedure
bynewbie2019
 
Preserving and recovering digital evidence
byOnline
 
Mobile Forensics
byprimeteacher32
 
Network forensic
byManjushree Mashal
 
computer forensic tools-Hardware & Software tools
byN.Jagadish Kumar
 
Network forensics and investigating logs
byanilinvns
 
Cyber Forensics Module 1
byManu Mathew Cherian
 
Data Acquisition
byprimeteacher32
 
Digital forensics
byvishnuv43
 
Cyber Forensics Overview
byYansi Keim
 
Computer forensics
byRamesh Ogania
 

Similar to Collecting and preserving digital evidence

PPTX
Introduction to computer forensics in IT society
bynorhasiahakhir1
 
PDF
Daniel_CISSP_Dom7__1_.pdf
byAlejandro Daricz
 
PPTX
digitalforensicpptlatest28-230522192202-1d9b832e (1).pptx
byMoshoodKareemOlawale
 
PPTX
Chapter 3 cmp forensic
byshahhardik27
 
PDF
Digital evidencepaper
bywiwin_wuland
 
PPTX
unit 5 understanding computer forensics.pptx
byDimple Relekar
 
PPTX
Presentation cyber forensics & ethical hacking
byAmbuj Kumar
 
PPTX
Cyber forensic-Evedidence collection tools
byN.Jagadish Kumar
 
PPT
Computer Forensic
byTawhidur Rahman
 
PDF
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
byGnanavi2
 
PPT
Cyber forensic standard operating procedures
bySoumen Debgupta
 
PPTX
CYB 305 Forensics and Digital Computer Security.pptx
byMuhammad54342
 
PPTX
MODULE-2 CONTD processing crime &incident scene.pptx
byandrewvivan981
 
PPTX
Evidence and data
byAtul Rai
 
PPT
Processing Crime and Incident Scenes.ppt
bymcjaya2024
 
PPT
COMPUTER FORENSICS MODULE III of unit 3.ppt
byssuserec53e73
 
PPT
ch05 forensics cyber topics covers tools of forensics
byDurgaDeviP2
 
PPTX
Examining computer and evidence collection
bygagan deep
 
PPT
Lecture 9 and 10 comp forensics 09 10-18 file system
byAlchemist095
 
PPT
164199724-Introduction-To-Digital-Forensics-ppt.ppt
byharshbj1801
 
Introduction to computer forensics in IT society
bynorhasiahakhir1
 
Daniel_CISSP_Dom7__1_.pdf
byAlejandro Daricz
 
digitalforensicpptlatest28-230522192202-1d9b832e (1).pptx
byMoshoodKareemOlawale
 
Chapter 3 cmp forensic
byshahhardik27
 
Digital evidencepaper
bywiwin_wuland
 
unit 5 understanding computer forensics.pptx
byDimple Relekar
 
Presentation cyber forensics & ethical hacking
byAmbuj Kumar
 
Cyber forensic-Evedidence collection tools
byN.Jagadish Kumar
 
Computer Forensic
byTawhidur Rahman
 
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
byGnanavi2
 
Cyber forensic standard operating procedures
bySoumen Debgupta
 
CYB 305 Forensics and Digital Computer Security.pptx
byMuhammad54342
 
MODULE-2 CONTD processing crime &incident scene.pptx
byandrewvivan981
 
Evidence and data
byAtul Rai
 
Processing Crime and Incident Scenes.ppt
bymcjaya2024
 
COMPUTER FORENSICS MODULE III of unit 3.ppt
byssuserec53e73
 
ch05 forensics cyber topics covers tools of forensics
byDurgaDeviP2
 
Examining computer and evidence collection
bygagan deep
 
Lecture 9 and 10 comp forensics 09 10-18 file system
byAlchemist095
 
164199724-Introduction-To-Digital-Forensics-ppt.ppt
byharshbj1801
 

More from Online

PPT
Philosophy of early childhood education 3
byOnline
 
PPT
Philosophy of early childhood education 2
byOnline
 
PPT
Philosophy of early childhood education 1
byOnline
 
PPT
Philosophy of early childhood education 4
byOnline
 
PPT
Operation and expression in c++
byOnline
 
PPT
Functions
byOnline
 
PPT
Formatted input and output
byOnline
 
PPT
Control structures selection
byOnline
 
PPT
Control structures repetition
byOnline
 
PPT
Introduction to problem solving in c++
byOnline
 
PPT
Optical transmission technique
byOnline
 
PPT
Multi protocol label switching (mpls)
byOnline
 
PPT
Lan technologies
byOnline
 
PPT
Introduction to internet technology
byOnline
 
PPT
Internet standard routing protocols
byOnline
 
PPT
Internet protocol
byOnline
 
PPT
Application protocols
byOnline
 
PPT
Addressing
byOnline
 
PPT
Transport protocols
byOnline
 
PPT
Leadership
byOnline
 
Philosophy of early childhood education 3
byOnline
 
Philosophy of early childhood education 2
byOnline
 
Philosophy of early childhood education 1
byOnline
 
Philosophy of early childhood education 4
byOnline
 
Operation and expression in c++
byOnline
 
Functions
byOnline
 
Formatted input and output
byOnline
 
Control structures selection
byOnline
 
Control structures repetition
byOnline
 
Introduction to problem solving in c++
byOnline
 
Optical transmission technique
byOnline
 
Multi protocol label switching (mpls)
byOnline
 
Lan technologies
byOnline
 
Introduction to internet technology
byOnline
 
Internet standard routing protocols
byOnline
 
Internet protocol
byOnline
 
Application protocols
byOnline
 
Addressing
byOnline
 
Transport protocols
byOnline
 
Leadership
byOnline
 

Recently uploaded

PDF
Biology Practical Class 12th 2025 PDF(2)-2-52.pdf
bySCPRPWomenCollegeChi
 
PPTX
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
PPTX
REVISED DEFENSE MECHANISM / ADJUSTMENT MECHANISM-FINAL
byShimla
 
PPTX
Multiple Linear Regression - Least Square Method X₁ on X₂ and X₃
bySundar B N
 
PPTX
10-12-2025 Francois Staring How can Researchers and Initial Teacher Educators...
byEduSkills OECD
 
PPTX
How to Track a Link Using Odoo 18 SMS Marketing
byCeline George
 
PPTX
Pig- piggy bank in Big Data Analytics.ppt.pptx
byVarshini M
 
PPTX
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
PDF
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
PPTX
Overview of how to Create a Model in Odoo 18
byCeline George
 
PPTX
How to Create Lead_Opportunity From Odoo 18 Website
byCeline George
 
PDF
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
PDF
Using Charts and Tables in Presenting Data
byThelma Villaflores
 
PDF
Analyzing the data of your initial survey
byThelma Villaflores
 
PPTX
Access partner report in Odoo 18.2 _ Odoo 19
byCeline George
 
PPTX
Semester 6 Unit 2 Club foot (talipes).pptx
bysachin7989
 
PDF
Multiple Myeloma , definition, etiology, PP, CM , DE and management
byNisha Borsa
 
PPTX
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
PDF
M.Sc. Nonchordates Complete Syllabus PPT | All Important Topics Covered
byKNIPSS SULTANPUR
 
PPTX
Growth & Development MILESTONES (ADOLESCENTS ).pptx
byAneetaSharma15
 
Biology Practical Class 12th 2025 PDF(2)-2-52.pdf
bySCPRPWomenCollegeChi
 
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
REVISED DEFENSE MECHANISM / ADJUSTMENT MECHANISM-FINAL
byShimla
 
Multiple Linear Regression - Least Square Method X₁ on X₂ and X₃
bySundar B N
 
10-12-2025 Francois Staring How can Researchers and Initial Teacher Educators...
byEduSkills OECD
 
How to Track a Link Using Odoo 18 SMS Marketing
byCeline George
 
Pig- piggy bank in Big Data Analytics.ppt.pptx
byVarshini M
 
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
Overview of how to Create a Model in Odoo 18
byCeline George
 
How to Create Lead_Opportunity From Odoo 18 Website
byCeline George
 
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
Using Charts and Tables in Presenting Data
byThelma Villaflores
 
Analyzing the data of your initial survey
byThelma Villaflores
 
Access partner report in Odoo 18.2 _ Odoo 19
byCeline George
 
Semester 6 Unit 2 Club foot (talipes).pptx
bysachin7989
 
Multiple Myeloma , definition, etiology, PP, CM , DE and management
byNisha Borsa
 
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
M.Sc. Nonchordates Complete Syllabus PPT | All Important Topics Covered
byKNIPSS SULTANPUR
 
Growth & Development MILESTONES (ADOLESCENTS ).pptx
byAneetaSharma15
 

Collecting and preserving digital evidence

  • 1.
    Collecting and PreservingDigital Evidence
  • 2.
    Data Recovery • What is Data Recovery? • Role of Backup in Data Recovery • Data Recovery Solution • Hiding and Recovering Hidden Data
  • 3.
    What is DataRecovery • Usually data recovery means that data that is lost is recovered – e.g., when a system crashes some data may be lost, with appropriate recovery procedures the data is recovered • In digital forensics, data recovery is about extracting the data from seized computers (hard drives, disks etc.) for analysis
  • 4.
    Role of Backupin Data Recovery • Databases/files are backed up periodically (daily, weekly, hourly etc.) so that if system crashes the databases/files can be recovered to the previous consistent state • Challenge to backup petabyte sized databases/files • Obstacles for backing up – Backup window, network bandwidth, system throughout • Current trends – Storage cost decreasing, systems have to be online 24x7 • Next generation solutions – Multiple backup servers, optimizing storage space
  • 5.
    Data Recovery/Backup Solution •Develop a plan/policy for backup and recovery • Develop/Hire/Outsource the appropriate expertise • Develop a system design for backup/recovery – Three tier architectures, caches, backup servers • Examine state of the art backup/recovery products and tools • Implement the backup plan according to the policy and design
  • 6.
    Recover Hidden Data •Hidden data – Files may be deleted, but until they are overwritten, the data may remain – Data stored in diskettes and stored insider another disk • Need to get all the pieces and complete the puzzle • Analysis techniques (including statistical reasoning) techniques are being used to recover hidden data and complete the puzzle
  • 7.
    Evidence Collection andData Seizure • What is Evidence Collection • Types of Evidence • Rules of Evidence • Volatile Evidence • Methods of Collection • Steps to Collection • Controlling Contamination
  • 8.
    What is EvidenceCollection • Collecting information from the data recovered for further analysis • Need to collect evidence so that the attacker can be found and future attacks can be prevented and/or limited • Collect evidence for analysis or monitor the intruder • Obstacles – Difficult to extract patterns or useful information from the recovered data – Difficult to tie the extracted information to a person
  • 9.
    Types of Evidence •Testimonial Evidence – Evidence supplied by a witness; subject to the perceived reliability of the witness – Word processor documents written by a witness as long as the author states that he wrote it • Hearsay – Evidence presented by a person who is not a direct witness – Word processor documents written by someone without direct knowledge of the incident
  • 10.
    Rules of Evidence •Admissible – Evidence must be able to be used in court • Authentic – Tie the evidence positively to an incident • Complete – Evidence that can cover all perspectives • Reliable – There should be no doubt that proper procedures were used • Believable – Understandable and believable to a jury
  • 11.
    Additional considerations • Minimize handling and corruption of original data • Account for any changes and keep detailed logs • Comply with the 5 basic rules • Do not exceed your knowledge – need to understand what you are doing • Follow the security policy established • Work fast / however need to be accurate • Proceed from volatile to persistent evidence • Do not shut down the machine before collecting evidence • Do not run programs on the affected machine
  • 12.
    Volatile Evidence • Types – Cached data – Routing tables – Process table – Kernel statistics – Main memory • What to do next – Collect the volatile data and store in a permanent storage device
  • 13.
    Methods of Collection •Freezing the scene – Taking a snapshot of the system and its compromised state – Recover data, extract information, analyze • Honeypotting – Create a replica system and attract the attacker for further monitoring
  • 14.
    Steps to Collection •Find the evidence; where is it stored • Find relevant data - recovery • Create order of volatility • Remove external avenues of change; no tampering • Collect evidence – use tools • Good documentation of all the actions
  • 15.
    Controlling Contamination • Oncethe data is collected it should not be contaminated, must be stored in a secure place, encryption techniques • Maintain a chain of custody, who owns the data, data provenance techniques • Analyze the evidence – Use analysis tools to determine what happened • Analyze the log files and determine the timeline • Analyze backups using a dedicated host • Reconstruct the attack from all the information collected
  • 16.
    Duplication and Preservationof Evidence • Preserving the Digital Crime Scene – First task is to make a compete bit stream backup of all computer data before review or process – Bit stream backups (also referred to as mirror image backups) involve the backup of all areas of a computer hard disk drive or another type of storage media, e.g., Zip disks, floppy disks, Jazz disks, etc. Such backups exactly replicate all sectors on a given storage device. Thus, all files and ambient data storage areas are copied. Bit stream backups are sometimes also referred to as 'evidence grade' backups and they differ substantially from traditional computer file backups and network server backups. – http://www.forensics-intl.com/def2.html • Make sure that the legal requirements are met and proper procedures are followed
  • 17.
    Digital Evidence ProcessModel • The U.S. Department of Justice published a process model in the Electronic Crime Scene Investigation: A guide to first responders that consists of four phases: - • 1. Collection; which involves the evidence search, evidence recognition, evidence collection and documentation. • 2. Examination; this is designed to facilitate the visibility of evidence, while explaining its origin and significance. It involves revealing hidden and obscured information and the relevant documentation. • 3. Analysis; this looks at the product of the examination for its significance and probative value to the case. • 4. Reporting; this entails writing a report outlining the examination process and pertinent data recovered from the overall investigation.
  • 18.
    Standards for DigitalEvidence • The Scientific Working Group on Digital Evidence (SWGDE) was established in February 1998 through a collaborative effort of the Federal Crime Laboratory Directors. SWGDE, as the U.S.-based component of standardization efforts conducted by the International Organization on Computer Evidence (IOCE), was charged with the development of cross-disciplinary guidelines and standards for the recovery, preservation, and examination of digital evidence, including audio, imaging, and electronic devices. • The following document was drafted by SWGDE and presented at the International Hi-Tech Crime and Forensics Conference (IHCFC) held in London, United Kingdom, October 4-7, 1999. It proposes the establishment of standards for the exchange of digital evidence between sovereign nations and is intended to elicit constructive discussion regarding digital evidence. This document has been adopted as the draft standard for U.S. law enforcement agencies. • http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm
  • 19.
    Verifying Digital Evidence •Encryption techniques – Public/Private key encryption – Certification Authorities – Digital ID/Credentials • Owner signs document with his private key, the Receiver decrypts the document with the owner’s public key • Owner signs document with the receiver’s public key, Receiver decrypts the document with his private key • Standards for Encryption – Export/Import laws
  • 20.
    Conclusion • Data mustbe backed up using appropriate policies, procedures and technologies • Once a crime ahs occurred data ahs to be recovered from the various disks and commuters • Data that is recovered has to be analyzed to extract evidence • Evidence has to analyzed to determine what happened • Use log files and documentations to establish the timeline • Reconstruct the attack
  • 21.
    Conclusion • Standards andprocesses have to be set in place for representing, preserving, duplicating, verifying, validating certifying and accrediting digital evidence • Numerous techniques are out there; need to determine which ones are useful for the particular evidence at hand • Need to make it a scientific discipline