Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Save to My Library
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
Computer Forensics - The Need for Standardization and Certification

Computer Forensics - The Need for Standardization and Certification

Ratings: (0)|Views: 12 |Likes:
Published by jformica
Written by Matthew Meyers and Marc Rogers, this article discusses standardizing the forensic process.
Written by Matthew Meyers and Marc Rogers, this article discusses standardizing the forensic process.

More info:

Published by: jformica on Nov 29, 2010
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





International Journal of Digital Evidence
Fall 2004, Volume 3, Issue 2
Computer Forensics:The Need for Standardization and Certification
Matthew Meyers and Marc RogersCERIASPurdue University
This paper is a call for standardization and certification for the computer forensicsfield. It presents an overview of some of the more serious issues in the maturingdiscipline of computer forensics and explores three areas within the legal systemwhere computer forensics is most likely to be questioned: search and seizure,expert qualifications, and analysis and preservation. One problem area identifiedthat needs to be addressed sooner, as opposed to later, is the lack of standardsand certification. The paper examines the need for standardization andcertification by analyzing federal and state court cases (criminal and civil) andconcludes with suggestions for dealing with some of the issues raised.
The spread of crime using computers was inevitable; the question is how muchdamage computer crime has caused and still may. The domain of computers, for the purposes of this paper, is confined to media that is intended for a computer toread or be used as a peripheral. For example, a digital telephone answeringmachine is not within the scope, but the use of a compact disc containing data or written by a computer would qualify. For this paper, computer forensics isdefined
as “the use of an expert to preserve, analyze, and produce data”
fromvolatile and non-volatile media storage.Computer forensics is in the early stages of development and as a result,problems are emerging that bring into question the validity of computer forensicsusage in the United States (U.S.) federal and state court systems. For practicalpurposes, the legal issues relevant to computer forensics are:
Computer forensics is defined throughout the paper as: the use of an expert to preserve, analyze, and produce data from volatile and non-volatile media storage. This is used to encompass computer and relatedmedia that may be used in conjunction with a computer.
Mack, Mary. Electronic Discovery vs. Computer Forensics. New Jersey Law Journal. October, 20 2003.Page 1. A portion of her definition was used; however, the entire definition was not used due to the limitedscope presented, as she used only single hard drive examination as computer forensics. “Computer forensics is the use of an expert to preserve, analyze, and produce data …”
International Journal of Digital Evidence
Fall 2004, Volume 3, Issue 2
admissibility of evidence,
standards and certifications,
analysis and preservation.Historically, a significant portion of court cases has been settled before the trial.
 In other instances, computer forensics evidence was never contested.Conversely, when computer forensics evidence has been contested, it hasprovided the foundation for evaluating what, why, and how those issues shouldbe considered when creating computer forensic standards and certifications for the U.S. federal and state court systems.
Search and Seizure
Search and seizure of digital evidence is the first process that is often disputed.
 If it can be shown that this step was not completed properly, the defense or prosecution’s evidence may not be admitted. An illegal search and seizure or improper methodology employed during search and seizure can negatively affectthe admissibility of the evidence. Traditional, non-digital instances of search andseizure contentions have been evaluated by courts from precedents.
Incontrast, the digital cases are still emerging as the technology is created,resulting in few precedents to apply. As such, the methods law enforcemententities use with computer crime investigations becomes the issue. Currently,there are no rigid standards, and the guidelines and recommendations differ between law enforcement sources.
 A unique issue with computer forensics search and seizure centers on the sourceof the item(s) in the warrant or in verbal/written affirmation, when a warrant is notneeded (e.g., open view resulting in a search and seizure). For instance, when acomputer has the power turned off, the data in volatile media storage, for technical purposes, is virtually impossible to reconstruct. In pre-digital crimes,electricity was not a major factor in the ability to execute a proper search andseizure. Although there are no documented U.S. federal or state court cases thathave addressed this issue, it is a possibility in the future. In the United Kingdom,one defendant questioned the validity of improperly seized volatile mediastorage.
Aaron Caffrey, the defendant, was arrested under the suspicion of 
http://www.cybercrime.gov. This site contains a list of current and past select cases by the US DOJ oncomputer crimes. It is important to note the amount of cases where the indicted person pled guilty.
Mandia, Prosise, Pepe. Incident Response & Computer Forensics Second Edition. McGraw-Hill 2003
Miranda v. Arizona 384 U.S. 436 1966Katz v. U.S. 389 U.S. 347, 362 1967Illinois v. Andreas 463 U.S. 765, 771 1983
US Department of Justice Computer Crime and Intellectual Property Section, Criminal Division.Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. July 2002 NIJ Electronic Crime Scene Investigation – A Guide for First Responders 2001. NHTCU Good Practice Guide for Computer Based Electronic Evidence 2003
Leyden, John. Caffrey acquittal a setback for cybercrime prosecution. October 17, 2003. The Register – U.K. Press 3. A description of the court case is given regarding the Trojan defense used by Caffrey that led
www.ijde.org 2
International Journal of Digital Evidence
Fall 2004, Volume 3, Issue 2
launching a denial of service attack against the Port of Houston’s systems onSeptember 20
, 2001.
The defense argued that a Trojan
was installed on thedefendant’s computer by others who wanted to frame him for the attack.
TheTrojan, the defense contended, launched the attack from the defendant’scomputer but the defendant was not aware of the attack. The forensicsexamination showed that there was no sign of a Trojan, only attack tools on thecomputer, but could not rule out that a Trojan may have been in volatile storagemedia (random access memory).
The jury unanimously decided that thedefendant was not guilty.
 Though courts may grant a search and seizure warrant, law enforcement mayask individuals for verbal or written consent to search and seize items.
 However, the voluntary nature of consent may vary. In Williford v. Texas,
theappellant complained that the search and seizure of his computer was illegal.The appellant contended that his consent to the search and seizure was taintedand, as there was no warrant, there was no probable cause.
The judgedismissed the claim. In U.S. v. Habershaw,
the issue was whether the officersinvolved had the right to search and seize the computer, and if the defendantwas capable of giving consent. The defendant argued that the warrant went“overboard.”
The defendant gave verbal permission for the officers to operatehis computer after the defendant stated the possible location of contraband childpornography images on the computer.
The defendant contended that the
to his acquittal in the denial of service attacks on the Port of Houston. The prosecution and expert in thecase fear that the courts decision will lead to a new defense tactic – the Trojan defense. This is animportant case in the possible need to change current guidelines on how to deal with a ‘live’ computer.
BBC News Inc. Teenager critical of computer policehttp://news.bbc.co.uk/1/hi/england/hampshire/dorset/3181652.stm October 17, 2003 Page 1
Webopedia. “A destructive program that masquerades as a benign application. Unlike viruses, Trojanhorses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses ontoyour computer.”
Leyden, John Page 1
Id. Pages 1-2
Id. Pages 1-2
Williford v. Texas 127 S.W.3d 309; 2004 Tex. App. Appellant took his computer to BCI for repairswhere a technician discovered what he believed to be child pornography. BCI gave the appellant thechoice to call police or they would to report the matter – appellant complied and called the police. Thedetective on scene, Owings, read appellant his Miranda rights, appellant signed a waiver. Owings askedappellant if he could search and seize the computer, appellant complied. Court cited Texas v. Brown andWaugh v. Texas “the facts available to the officer would warrant a man of reasonable caution in the belief that certain items may be in contraband or stolen property or useful as evidence of a crime.” DetectiveOwings had met the requirements – the court dismissed the voluntaries of appellant’s consent to search.
U.S. v Habershaw Criminal No. 01-10195-PBS, 2002 U.S. Dist. Lexis 8977. The defendant was arrestedand found guilty of being in possession of child pornography. The defendant contested his mental ability togive verbal or written consent.
Id. Page 22
Id. Page 16-17 The court citing U.S. v. Laine, 270, F.3d 71, 76 1
Cir. 2001. The court upheld searchingin which an officer asked defendant to open computer files showing on screen, and defendant consented.
www.ijde.org 3

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->