An evaluation of agreement and conflict among computer forensics experts
Gregory H. Carlton
California State Polytechnic University, College of Business Administration, Computer Information Systems Department

Reginald Worthley
University of Hawaii, Shidler College of Business, Dept. of Information Technology Management

Abstract

The use of computer data as evidence within litigation is growing rapidly. Additionally, courts define computer data as a form of scientific evidence. The courts recognize that the subject matter of scientific evidence is outside the general knowledge of the public, and it is beneficial for someone with special skills in the subject to explain the scientific evidence to the court; therefore, expert witnesses are permitted to enter their opinions into evidence to explain the data. However, a recent study identified widespread conflict among professionals in the field of computer forensics. This conflict raises serious questions concerning the data presented as evidence, the conclusions drawn by judges and juries, and the impact on those affected by the outcomes of legal proceedings. This paper discusses the findings of an analysis performed on data collected from computer forensics examiners and attorneys with computer forensics experience and provides a call for additional research.

1. Introduction

The courts now recognize the significance of examining digital data from computer systems, personal data assistants (PDA), and cellular telephones in virtually all cases. As typewriters have become relics of the past, it is largely accepted that records of individuals' correspondence, calculations, and documentation are maintained on computer systems. This wealth of information is available to be submitted as evidence in legal matters when acquired, analyzed, and reported using forensics methodology, and the volume of digital evidence is growing rapidly [1].

The usage of computer forensics methodology is required when submitting digital data as evidence, as the courts have ruled that digital data is a form of scientific information [2]. Digital data, like all scientific information, is considered by the courts to be of a complexity that is beyond the understanding of the general public; therefore, an expert with specialized education, experience, and training within this field is needed to explain this complex material to the judge and jury, who represent members of the general public. Computer forensics methodology is based on the scientific premise that an established, measurable process is followed that is generally accepted within the field [3].

Individuals qualified by the courts to provide expert testimony in trials are uniquely permitted to provide their opinions as evidence when their opinions are derived from their analysis of data within their area of expertise [1]. This unique ability to enter an individual's opinion as evidence is very powerful within the legal process, and it may represent the single factor that sways the opinion of a judge or jury [1].

Although the legal theory of qualified experts in the scientific field of computer forensics being permitted to offer their opinions as evidence in legal matters may be sound, many of the generally accepted computer forensics procedures were not established by scientific methods [4]. For example, although the European Network of Forensic Science Institutes (ENFSI) and the United States Department of Justice's National Institute of Justice (NIJ) produce numerous publications concerning digital forensics and best practices, as of this date, their publications represent the opinions of the authors rather than being derived from empirical studies of best practices.
The NIJ's special report, titled "Forensic Examination of Digital Evidence: A Guide for Law Enforcement," states, "Opinions or points of view expressed in this document represent a consensus of the authors and do not represent the official position or policies of the U.S. Department of Justice. The products, manufacturers, and organizations discussed in this document are presented for informational purposes only and do not constitute product approval or endorsement by the U.S. Department of Justice" [5].

An extensive literature review prior to a doctoral dissertation in 2006 revealed that many of the protocols, instructional materials, and training courses available for computer forensics procedures were largely based on anecdotal opinions or experiences of the authors and instructors [6]. To provide an initial, empirical study of forensic data acquisition tasks, the dissertation used Grounded Theory to identify and measure a set of 103 tasks performed by forensic computer examiners pertaining to the data acquisition of personal computer workstations [7]. Forensic examiners were then asked to identify to what extent they perform each of the 103 tasks. Additionally, performance measures for each of the 103 tasks were obtained from two expert review panels, one panel of technical experts and the other panel of legal experts. Lastly, the performance measures from the forensic examiners and expert review panels were compiled into a task performance guide [6].

/09 $ IEEE

Although the study described above fulfilled its objective by establishing an empirical set of forensic data acquisition tasks, it also provided data from which additional questions arose. Additional analysis of this data revealed numerous conflicts among the participants of the study concerning task performance. For example, for certain tasks, there appeared to be a high degree of agreement between the responses of forensic computer examiners, the review panel of technical experts, and the review panel of legal experts. However, for another subset of tasks, the responses of the forensic computer examiners were in conflict with the opinions of the expert review panel members. Additionally, there were tasks in which the responses from the panel of technical experts were in conflict with the panel of legal experts, and lastly, tasks were identified where members within either expert review panel had conflicting responses.

Given the significance of expert testimony in the legal environment pertaining to computer forensics, conflicts among experts in this field present a dilemma.
This dilemma stems from the fact that judges and juries rely on the opinions of experts to explain scientific material that is outside the area of expertise of the general public; however, it appears that frequently within this field, the experts have conflicting opinions. This paper discusses the analysis of agreement and conflict among the participants of this study.

2. Data collection

The goals of the initial study described above were to identify forensic data acquisition tasks and then measure the extent to which these tasks are performed. To achieve these goals, data were collected from forensic computer examiners and attorneys with expertise in computer forensics. The data collection process consisted of two phases of the initial study, whereby the first phase was concerned with identifying the tasks and the second phase was concerned with measuring the tasks identified during the first phase.

To identify the forensic data acquisition tasks of personal computer workstations, Grounded Theory was utilized in a series of four surveys, and the questions on these surveys evolved from general, open-ended questions on the first survey to more specific, closed-ended questions on the fourth survey. A point of theoretical saturation was reached during the fourth survey when 103 forensic data acquisition tasks emerged from the data. A thorough discussion of the survey instruments is presented in Carlton's dissertation [6]. Refer to Table 1 (Data acquisition tasks) for a complete listing of the task descriptions.

During the second phase of data collection, a fifth survey was administered that consisted of specific, closed-ended questions designed to measure the extent to which forensics examiners perform each task. Each of the five questionnaires surveyed members of the High Technology Crime Investigation Association (HTCIA), and procedures were established to ensure that no one responded more than once.
Additionally, the first question on each of the five questionnaires asked whether the respondent performs forensic data acquisitions, and only the records for those that responded positively to the first question on each survey were evaluated. Also, during the second phase of the data collection process, two expert review panels, a panel of technical experts and a panel of legal experts, were questioned to measure the importance of the performance of each task.

2.1. Examiner task performance

The fifth questionnaire consisted of closed-ended questions that asked HTCIA members to indicate a measure of their task performance by selecting one of four choices that range within a scale from never performing the task to always performing the task for each of the 103 tasks. Those four choices are: I always perform the task; I typically perform the task, but I may omit it in some cases; I typically omit the task, but I may perform it in some cases; I never perform the task. The respondents were also asked to indicate the conditions that would cause them to add or omit each of the 103 tasks from a set of 8 conditions that emerged from the data collected in the previous four surveys. Additionally, respondents were asked a series of questions regarding characteristics such as their education, experience, training, certifications, type of employment, age, gender, self-ratings, and their opinions concerning qualities that they consider to be good measures of a forensics examiner's qualifications. The data concerning task conditions and examiner qualities are addressed in another paper, as this paper focuses on expert agreement and conflict.

2.2. Expert review panel ratings

Two expert review panels were subsequently surveyed regarding each of the 103 tasks identified in section 2.1. One expert review panel consisted of five HTCIA members recognized for their technical prowess as forensic computer examiners, and the second review panel consisted of five attorneys with extensive experience with cases involving computer forensics [3]. The expert review panel members were asked to consider the performance of each of the 103 tasks solely on the basis of their area of expertise, namely technical merit or legal merit, and each expert review panel member was asked to indicate his or her opinion for each of the 103 tasks by selecting from one of five choices that range within a scale from the task being absolutely prohibited to the task being absolutely essential. The five choices are: performance of the task is absolutely prohibited; performance of the task is undesired; performance of the task makes no contribution and causes no harm; performance of the task is desired; performance of the task is absolutely essential.

The data collected from the survey of expert review panel members resulted in three merit ratings: an overall expert panel merit rating, a technical expert panel merit rating, and a legal expert panel merit rating. The examiner performance measures and the expert panel merit ratings were compiled into a monograph yielding a task performance guide, thus providing a previously unavailable empirical study to which forensic computer examiners and attorneys can refer when preparing for expert testimony to support their decisions to perform or omit specific tasks concerning a given case [8].

3. Analysis and findings

The 5 technical and 5 legal experts rated each of the 103 tasks on a scale ranging from 0 (i.e., absolutely prohibited) to 4 (i.e., absolutely essential).
There were many tasks where the experts agreed with one another within their panel and also between panels. There were, however, many tasks where the legal experts did not agree with the technical experts, and there were also tasks where there was conflict within the respective panels with respect to rating a task.

Table 1. Data acquisition tasks.
Columns: Task, Task Description, and Mean and SD for the Technical and Legal panels.

1. Purchase new target drives
2. Wipe target disk drives
3. Verify target disk drives are wiped
4. Initialize & format target disk drives
5. Prepare & verify toolkit - ensure equipment is fully functional
6. Prepare & verify toolkit - ensure that all necessary HW connectors & adapters are fully stocked.
7. Prepare & verify toolkit - ensure that all consumable items are fully stocked (bags, tags, forms, & log books).
8. Add additional items to forensic toolkit based on pre-acq intelligence from requestor.
9. Obtain latest versions, releases, or updates for forensic SW tools
10. Test forensic SW tools
11. Create a write-blocking forensic boot floppy disk &/or CD
12. Refer to checklist to ensure that all equipment is available prior to beginning the data acq.
13. Receive written authorization to proceed with the case
14. Assign an identification code to the case
15. Obtain instructions from requestor concerning covert or overt data acq.
16. Document preparation tasks in log book prior to beginning the data acq.
17. Follow procedures identified in the acq. checklist
18. View location of wkstn. prior to acq
19. Document all items connected to the wkstn
20. Determine whether the wkstn. is powered on
21. If the wkstn. is powered on, then reboot it
22. If the wkstn. is powered on & the wkstn monitor is powered on & blank, move the mouse to end the screen saver.
23. If the wkstn. is powered on & the workstation's monitor is powered on & blank, press the space bar to end the screen saver.
24. If the wkstn. is powered on, examine it prior to powering it down to determine whether encryption may be in use.
25. If the wkstn. is powered on, perform a RAM dump
26. If the wkstn. is powered on, collect volatile data
27. If the wkstn. is powered on, perform a live acq
28. If the wkstn. is powered on, determine the type of OS in use prior to selecting the power off method.
29. If wkstn. is powered on, photograph the displayed image shown on the wkstn monitor.
30. If wkstn. is powered on, determine the programs running
31. If the wkstn. is powered on, power off the unit by using the OS shutdown method.
32. If the wkstn. is powered on, power off the unit by pulling the electrical cord from the rear of the wkstn.
33. If the wkstn. is powered on, power off the unit by pressing & holding the power switch until the wkstn. is powered off.
34. If the wkstn. is powered off, leave it off until storage media is removed.
35. If the wkstn. is powered off, power it on
36. Determine the current date & time from a reliable source
37. Document the current date & time in log book
38. Look for any potential devices detrimental to individual or evidence safety.
39. Document the wkstn manufacturer, model & serial number
40. Photograph the wkstn., including information regarding manufacturer, model, & serial number.
41. Photograph the inside of the wkstn
42. Photograph all sides of the wkstn
43. Photograph the entire area surrounding the seized wkstn
44. Sketch a diagram of the wkstn. with reference to its location & connections in log book.
45. Document identity of individuals present at the scene of data acq
46. Document the wkstn components in the log book
47. Document the manufacturer, model, & serial number of all storage media in the log book.
48. Document irregularities, modifications or damage to the wkstn
49. Remove the hard disk drive(s) from the wkstn
50. Photograph the HDD(s) taken from the wkstn. including manufacturer, model, & serial number(s).
51. Document the pin settings of HDD(s) in log book
52. Photograph the pin settings of HDD(s)
53. Remove diskettes from the wkstn
54. Remove CDs from the wkstn
55. Remove thumb drives from the wkstn
56. Disconnect all USB devices from the wkstn
57. ID any network connections, & document findings
58. ID any telephone modem connections, & document findings
59. ID & document all peripherals attached to wkstn
60. ID & document all peripherals available to the wkstn. through wired or wireless network connections.
61. Assign lab inventory numbers to each item seized & document in log book.
62. Document number of HDDs, size & disk geometry
63. Using a write-protected method, preview contents of the suspect wkstn to determine whether an image of the suspect wkstn is necessary.
64. Filter data based on attorney-client privilege prior to imaging
65. Seize external storage devices
66. Seize documentation, manuals, & miscellaneous notes found in the proximity of the suspect wkstn.
67. Connect suspect HDD to a HW, write-blocking device, & obtain an image onto target media using a forensic wkstn.
68. Ensure that the suspect wkstn will boot from a SW, write-blocking forensic diskette or CD, replace the HDD in the wkstn., & obtain an image using a network crossover cable method to a target HDD attached to a forensic wkstn.
69. Install a known disk controller card in the suspect wkstn, connect the target HDD to the disk controller card, boot the suspect wkstn with SW write-protection forensic tools, & create an image to the target HDD using the suspect wkstn.
70. Use EnCase to obtain an image of suspect media
71. Use AccessData's FTK to obtain an image of suspect media
72. Use Safeback to obtain an image of suspect media
73. Use SPADA 3 to obtain an image of suspect media
74. Use UNIX/Linux dd command to obtain an image of suspect media.
75. Generate a MD5 hash value of the forensic image
76. Generate a SHA-1 hash value of the forensic image
77. Allow the forensic SW used for imaging to automatically calculate a MD5 hash value & then verify the MD5 hash value.
78. Perform a visual comparison using a hex editor to ensure that byte swapping or sector rotation did not occur during imaging.
79. Perform a visual comparison of the directory structure of the image & the suspect disk to verify that the image is readable.
80. With storage media removed, power on suspect wkstn. & document the date & time settings from BIOS.
81. With storage media removed, power on suspect wkstn. & determine the boot sequence settings from BIOS.
82. Reinstall media in suspect wkstn
83. Preserve suspect media in its original condition & seal it
84. Return wkstn to original condition & test for functionality if on-site
85. Return suspect wkstn. to the submitting agency
86. Place suspect media in a secure storage area
87. Place image sets in a secure storage area
88. Tag suspect media with chain-of-custody labels
89. Replace suspect media in suspect wkstn., but don't attach data & power cables to suspect media.
90. Place label on the suspect wkstn. to prevent powering on unit
91. Place suspect media in an anti-static bag & store inside a manila envelope in the lab.
92. Store suspect media in an offsite, confidential storage facility
93. If instructed to do so, the equipment is returned as close as possible to the original condition after imaging is complete.
94. Create a restore image of the suspect media onto a new HDD to be returned to the owner.
95. Create a clone copy of suspect media for analysis
96. Write handwritten reports to document all activity performed during the data acq.
97. Print computer generated reports to document all activity performed during the data acq.
98. Issue a receipt for the items seized
99. Make sure all items are identifiable by serial number or applied number/tag.
100. Archive image to DVDs
101. Make additional copies of images for attorneys
102. Request a written data destruction form to be sent to suspect if drive contains objectionable material.
103. During a field acq., obtain signed waiver from owner indicating that forensic image is now the best evidence

3.1. Agreement among the experts

Table 1 (Data acquisition tasks) shows all 103 tasks with means and standard deviations for both the panel of technical experts and the panel of legal experts. This table is shown for completeness, but most of the discussion revolves around the tables that follow.

Table 2 (Correlations between the 10 experts) shows correlations between each of the experts for the 103 tasks. The average correlation is also shown for both the subset of all other experts and for the subset of experts in the panel to which they belong. The correlations range from a low of to a high of All of the correlations, except the two under 0.2, are significantly different from 0 at a level of significance of .05. Correlations tend to be a little higher among the legal experts than among the technical experts.

Table 2. Correlations between the 10 experts.
Part 1: correlations of the technical experts (Tech 1 to Tech 5) with one another.
Part 2: correlations of all ten experts with the legal experts (Legal 1 to Legal 5).
Part 3: average correlation of each expert with all others and within group.

Table 3 (Top rated tasks) shows all tasks with a mean of 3.5 or higher. Although there were no tasks that showed a consistent score of 4 for all members of the combined panel, three tasks had a consistent score of 4 within a given panel. Task 2 was given a score of 4 by each member of the technical panel and a mean score of 3.6 from the members of the legal panel. Task 39 was given a score of 4 by each member of the panel of legal experts and a mean score of 3.8 from members of the panel of technical experts. The only other consistent score of 4 by all members of the panel was for task 10, where the mean score for the panel of legal experts was quite a bit less at 3.2. Table 3 shows a lot of agreement between the two different panels, with a mean difference of 0.6 or less for all tasks except task 10, which has a difference of 0.8.

Table 3. Top rated tasks.
Columns: Task, Overall Mean, Technical Mean, Legal Mean.

3.2. Conflict among the experts

Tables 1 and 3 reveal much similarity between the ratings of tasks between the two panels, but Table 4 (Largest technical and legal conflicts) features tasks where the two panels rate the same tasks very differently, showing conflict between the two panels. Tasks 25, 24, 26, 95 and 89 are all rated much higher, on average, by the technical panel members than by the legal panel members, with all showing a mean difference of 1.0 or more. Tasks 32, 69, 61, 47 and 68 are all rated much higher, on average, by the legal panel members than by the technical panel members, also with all showing a mean difference of 1.0 or more. Table 4 also reports the p-value from a t-test for differences in means. Most of the p-values do not show a significant difference at a usual significance level of .05 because the sample sizes of 5 are very small and also because of conflict within each panel that results in large standard deviations.

Table 4. Largest technical and legal conflicts.
Columns: Task, Technical Mean, Legal Mean, p-value.

Tables 5 and 6 reveal the tasks that show the most conflict within each panel. Table 5 (Technical panel conflict) examines the dynamics within the technical panel of experts and shows 18 different tasks that have a standard deviation of more than 1. It is ordered by the magnitude of standard deviation, and it shows the actual ratings from each expert as well. There is an extremely large variety of ratings for these tasks. For example, task 28 shows one expert giving a rating of 0 (i.e., absolutely prohibited) and another giving a rating of 4 (i.e., absolutely essential). Tasks 64 and 79 are similar in that they exhibit the same range of responses. The remaining tasks also show a wide range of ratings among the panel members, varying from either 1 to 4 or from 0 to 3, except for task 13. Task 13 shows three members of the panel with a rating of 2 and the remaining two members agreeing with a rating of 4.

Table 5. Technical panel conflict.
Columns: Task, Technical SD, and the ratings of each technical expert (T1 to T5).

Table 6 (Legal panel conflict) is similar to Table 5 in that it shows a wide range of tasks that show conflict among members of the panel. It is interesting to note that the two tables overlap with only three tasks: 22, 56 and 64. The largest range occurred in tasks 82 and 101, where the experts' ratings vary from 0 to 4, the largest possible discrepancy. Most of the rest of the tasks show variability in ratings from either 1 to 4 or from 0 to 3. The only exceptions are tasks 22, 65 and 66.

Table 6. Legal panel conflict.
Columns: Task, Legal SD, and the ratings of each legal expert (L1 to L5).

3.3. Topics of agreement or conflict

A closer inspection of the task descriptions where the experts largely were in agreement or conflict helps to identify topics where additional clarification is beneficial. Although not problematic, the tasks identified as those with high agreement scores represent tasks where the technical and legal aspects of those tasks are likely to be better understood by the experts. The areas of concern focus on those tasks where conflict scores were highest.

Two topics are observed as being particularly problematic regarding tasks with high levels of conflict. The first area represents those tasks pertaining to a suspect computer workstation that is running at the time the forensic examiner encounters it. The second area represents those tasks pertaining to disconnecting or removing secondary storage devices other than hard disks. Both of these areas are discussed below.

Overall, fifteen of the 103 tasks represent conditions dependent upon the computer workstation being either on or off. Tasks 21 through 33 begin with the condition, "If the computer workstation is powered on," and tasks 34 and 35 begin with the condition, "If the computer workstation is powered off." First, it is interesting to note that none of these tasks are listed in Table 3 (Top rated tasks), as the experts did not reach high levels of agreement on any of these fifteen tasks. More problematic is the high level of conflict that occurred among the tasks within this topic. Six of these tasks had the highest levels of conflict within the panel of technical experts, two tasks had the highest level of conflict within the panel of legal experts, and four of the tasks had the highest level of conflict between the two panels of experts. For example, task 22, which states, "if the computer workstation is powered on and the workstation's monitor is powered on and blank, move the mouse to terminate the screen saver," obtained high levels of conflict within both panels of experts.
One member of the panel of technical experts and two members of the panel of legal experts indicated that this task was desired, two members of the panel of technical experts and three members of the panel of legal experts indicated that this task was undesired, and two members of the panel of technical experts indicated that this task is absolutely prohibited. Additionally, although tasks 24 through 26 concern similar concepts pertaining to gathering information from a computer workstation prior to powering it off, each of these three tasks achieved high levels of conflict between the two expert panels, while task 24 obtained a high level of conflict within the panel of technical experts and task 26 obtained a high level of conflict within the panel of legal experts. Clearly, the experts were not in agreement concerning the performance of tasks when confronting a computer workstation that is powered on. This represents an area where additional information would be helpful to provide a better understanding of best practices among computer forensics practitioners.

High conflict scores were also observed in the four tasks concerning the topic of disconnecting or removing secondary storage devices other than hard disks; however, it is particularly confounding that three of these tasks are also among those tasks with the highest levels of agreement. Tasks 53, 54, and 55 are listed in Table 3 (Top rated tasks), as their mean scores are all 3.5. Also notice that each of these tasks earned consistent scores from the individual experts. In other words, although there were differences among the scores assigned by the panel members for each of these tasks, each expert was individually consistent by assigning the same score for all three tasks.
For each of these three tasks, technical panel member numbers 1, 2, and 5 assigned a score of absolutely essential to the task, technical panel member number 3 assigned a score of desired, and technical panel member number 4 assigned a score of undesired. These scores resulted in a high level of conflict within the panel of technical experts. However, when considering the overall scores of the panel of technical experts with the panel of legal experts, with four members indicating that the tasks were absolutely essential and one member indicating that the tasks were desired, the two panels were largely in agreement.

While the conditions found in tasks 53, 54, and 55 might indicate an outlier with technical panel member number 4, this view loses some merit when these three tasks are considered along with the scores of similar task 56. Task 56, "disconnect all USB devices from the system unit," does not achieve a high level of agreement between the expert panels, and there is a high level of conflict within each panel. Interestingly, both panels had the same number of members issuing the same scores for task 56. Both panels had three members issue a score of absolutely essential, one member indicated desired, and one member assigned the score of undesired to the task. Again, there appears to be disagreement among the experts concerning the treatment of secondary storage devices other than hard disks. Additional clarification concerning the best practices within this topic seems necessary, as mishandling of secondary storage media is likely to result in lost or inadmissible data.

In addition to the two topics discussed above, it is also interesting to note that of the ten tasks identified as having the highest level of conflict between the panels, scores indicating high conflict within one panel occurred in six of them. Additionally, three tasks were identified as having high conflict within the panel of technical experts and within the panel of legal experts. Of those three tasks, tasks 22 and 56 were discussed above; however, task 64, regarding filtering data based on attorney-client privilege prior to imaging, does not fit into the two topics discussed above. For task 64, one member of the technical panel indicated that it is absolutely essential, one member of the legal panel indicated that the task is desired, three members of the technical panel and two members of the legal panel indicated that it is undesired, and one member of the technical panel and two members of the legal panel indicated that it is absolutely prohibited. This high value of conflict within both panels illustrates confusion in an area concerning e-discovery matters, and this is an area that is thought will experience high growth rates within the next several years. Computer forensics examiners will be well-served by additional clarification concerning best practices in e-discovery matters too.

4. Conclusions

Our analysis of the data resulted in several interesting findings involving agreement and conflict among experts of computer forensics. Although the observations are interesting, our findings are bound by several limitations, and we see the need for more work to be done on this topic.
We will summarize our observations, discuss limitations of our study, and present a call for additional research below.

4.1. Summary of observations

It is interesting to note the differences in the levels of agreement observed from the various experts that participated in this study. While it is relatively easy to understand that some of the differences are due to the different perspectives from which the legal experts and the technical experts were asked to evaluate the tasks, there were many differences among each group, as well as differences between the groups. Also, from the complete set of 103 tasks evaluated, only 26 tasks achieved a level of high agreement among all of the experts, representing only 25% of the tasks.

Tasks where general agreement occurred within each group of experts, yet conflicting ratings occurred between the groups, were observed; however, this condition accounted for just under 10% of the total tasks evaluated. For example, only 10 tasks from the set of 103 tasks represent conditions where agreement occurred among the members of each panel, and the two panels reached conflicting results.

Although the differences in ratings between panels can be explained through the specific conditions from which each panel evaluates tasks, differences between members within a panel of experts are more difficult to rationalize, and they occurred more frequently than did the instances where agreement occurred within panels yet conflict occurred between panels. In 16.5% of the tasks evaluated, members of the panel of legal experts reached conflicting ratings whereby at least one member felt very strongly that the task should be performed while at least one other member of the panel strongly felt that the task should not be performed. Even more conflicting was the level of disagreement among the members of the panel of technical experts, as they reached conflicting ratings in 17.5% of the tasks.
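
The within-panel and between-panel measures can be recomputed for the tasks whose individual ratings are spelled out in the "Topics of agreement or conflict" and "Conflict among the experts" discussions. This is an added example, not code or data files from the study: the rating lists are transcribed from the wording of the text, and the use of the sample standard deviation and of a pooled two-sample t-test (critical value 2.306 for 8 degrees of freedom) are assumptions, since the paper says only "standard deviation" and "t-test".

```python
from math import sqrt
from statistics import mean, stdev, variance

# Scale from the paper: 0 = absolutely prohibited, 1 = undesired,
# 2 = no contribution/no harm, 3 = desired, 4 = absolutely essential.
# Ratings transcribed from the paper's prose; member order is arbitrary
# except for task 53, where the text names technical members 1 to 5.
RATINGS = {
    13: {"technical": [2, 2, 2, 4, 4]},          # legal ratings not quoted
    22: {"technical": [3, 1, 1, 0, 0], "legal": [3, 3, 1, 1, 1]},
    53: {"technical": [4, 4, 3, 1, 4], "legal": [4, 4, 4, 4, 3]},  # also 54, 55
    56: {"technical": [4, 4, 4, 3, 1], "legal": [4, 4, 4, 3, 1]},
    64: {"technical": [4, 1, 1, 1, 0], "legal": [3, 1, 1, 0, 0]},
}

SD_CONFLICT = 1.0      # Tables 5 and 6 list tasks with an SD of more than 1
TOP_RATED_MEAN = 3.5   # Table 3 lists tasks with a mean of 3.5 or higher
PANEL_SIZE = 5
T_CRIT_DF8 = 2.306     # assumed test: two-sided 5% critical t, 5 + 5 - 2 d.f.


def panel_stats(scores):
    """Mean, sample SD and the SD > 1 conflict flag for one panel."""
    sd = stdev(scores)
    return {"mean": mean(scores), "sd": sd, "conflict": sd > SD_CONFLICT}


def pooled_t(a, b):
    """Pooled-variance two-sample t statistic (assumed variant of the t-test)."""
    n1, n2 = len(a), len(b)
    pooled_var = ((n1 - 1) * variance(a) + (n2 - 1) * variance(b)) / (n1 + n2 - 2)
    std_err = sqrt(pooled_var * (1 / n1 + 1 / n2))
    diff = mean(a) - mean(b)
    if std_err == 0:  # every member of both panels gave the same score
        return 0.0 if diff == 0 else float("inf") * (1 if diff > 0 else -1)
    return diff / std_err


def summarize(task):
    """Per-panel statistics plus the between-panel comparison when both exist."""
    panels = RATINGS[task]
    result = {"task": task}
    for name, scores in panels.items():
        if len(scores) != PANEL_SIZE:
            raise ValueError(f"task {task}: {name} panel needs {PANEL_SIZE} ratings")
        result[name] = panel_stats(scores)
    if "technical" in panels and "legal" in panels:
        tech, legal = panels["technical"], panels["legal"]
        t_stat = pooled_t(tech, legal)
        result["overall_mean"] = mean(tech + legal)
        result["mean_diff"] = mean(tech) - mean(legal)
        result["t"] = t_stat
        result["significant"] = abs(t_stat) > T_CRIT_DF8
        result["top_rated"] = result["overall_mean"] >= TOP_RATED_MEAN
    return result


if __name__ == "__main__":
    for task in sorted(RATINGS):
        s = summarize(task)
        for name in ("technical", "legal"):
            if name in s:
                p = s[name]
                print(f"task {task:>2} {name:<9} mean={p['mean']:.1f} "
                      f"sd={p['sd']:.3f} conflict={p['conflict']}")
        if "t" in s:
            print(f"task {task:>2} overall={s['overall_mean']:.1f} "
                  f"diff={s['mean_diff']:+.1f} t={s['t']:+.3f} "
                  f"significant={s['significant']} top_rated={s['top_rated']}")
```

Under these assumptions tasks 53 to 55 come out with an overall mean of 3.5 and a technical SD above 1, which is how a task can be top rated and still show within-panel conflict, and none of the quoted between-panel differences exceeds the critical value for five-member panels.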
The level of conflict identified in this study cannot be attributed to one panel member providing outlying responses, as only one task among the subset of tasks that highly aligned (i.e., those shown in Table 3. Top rated tasks) was included in the subset of tasks with largest conflicts (i.e., Table 4. Largest technical and legal conflicts). This task, task 10, concerned testing forensic software tools.

Overall, the large extent of conflict among forensic computer experts raises concern regarding reaching predictable outcomes when used in legal matters. Forensic science is based upon using a measurable, scientific process to reach an unbiased conclusion, yet as this study illustrates, different forensic computer experts frequently do not reach the same conclusion concerning the importance to forensic task performance.

Limitations

Although we attempted to be thorough in our analysis, it is important to note that numerous limitations exist, especially concerning the data collected. This study limited its survey population to the HTCIA; therefore, bias from the study population may impact the data collected [8]. However, it is thought that opinions of experts within an organization, such as the HTCIA, are more likely to
align than would opinions from a more diverse group of experts, thus measures of conflict are thought to be conservative in this report.

Also, concerning respondent bias, this study generated its output from a limited number of responses. Non-respondents expressed reasons for not participating that included distrust, being too busy, vacation, and difficulty authenticating themselves on the survey's Website. Invalid addresses and spam blocking filters also contributed to the reduction of responses [8].

The set of 103 tasks presented within this report is not implied to represent a comprehensive set of tasks forensic examiners perform pertaining to the forensic data acquisition of personal computer workstations. This set of tasks is limited to those that were identified by respondents of this study. No conditional logic regarding the performance of tasks is suggested nor is the sequence of the performance of tasks [8].

Call for additional research

Given the importance of expert testimony in legal proceedings and the level of conflict among forensic computer experts revealed within this study, more study is needed to develop a better understanding of the causes of conflict and solutions to reduce conflict. For example, future studies may identify beneficial solutions from licensing organizations, industry standards, mandatory training, or legislation regarding the credentials of forensic computer examiners. Clearly, the inconsistency among forensic computer examiners' opinions identified within this study illustrates a weakness within our legal system that has the potential to alter trial outcomes, thus allowing the guilty to be acquitted and the not-guilty to be wrongly convicted.

5. References

[1] Volonino, L., Anzaldua, R., and Godwin, J., Computer Forensics Principles and Practices, Prentice Hall, Upper Saddle River, New Jersey,

[2] Nelson, B., Phillips, A., Enfinger, F., and Stewart, C., Guide to Computer Forensics and Investigations, 3rd Ed., Thomson, Boston,

[3] Kerr, O.S., Digital Evidence and the New Criminal Procedure, Columbia Law Review, 105(1) 2005, p

[4] Knapp, K.L., Meeting the Daubert Challenge: A Model to Test the Relevance and Reliability of Expert Testimony, ProQuest, Ann Arbor, Michigan, UMI ,

[5] National Institute of Justice, Forensic Examination of Digital Evidence: A Guide for Law Enforcement, (NCJ ), U.S. Government Printing Office, Washington, DC,

[6] Carlton, G.H., A Protocol for the Forensic Data Acquisition of Personal Computer Workstations, ProQuest, Ann Arbor, Michigan, UMI ,

[7] Glaser, B.G., and Strauss, A.L., The Discovery of Grounded Theory: Strategies for Qualitative Research, Aldine Publishing Co., New York,

[8] Carlton, G.H., Forensic Data Acquisition Task Performance Guide The Identification and Measurement of a Protocol for the Forensic Data Acquisition of Personal Computer Workstations,