Helpful tidbits.

DOWNLOAD | PUBLISHED | CATEGORY

RB
Download: pdf | Published: October, 2008 | Category: (none)

Brigade homeland tours start Oct. 1
Download: pdf | Published: September, 2008 | Category: (none)
The 3rd Infantry Division’s 1st Brigade Combat Team has spent 35 of the last 60 months in Iraq patrolling in full battle rattle, helping restore essential services and escorting supply convoys. Now they’re training for the same mission — with a twist — at home.

Beginning Oct. 1 for 12 months, the 1st BCT will be under the day-to-day control of U.S. Army North, the Army service component of Northern Command, as an on-call federal response force for natural or manmade emergencies and disasters, including terrorist attacks.

It is not the first time an active-duty unit has been tapped to help at home. In August 2005, for example, when Hurricane Katrina unleashed hell in Mississippi and Louisiana, several active-duty units were pulled from various posts and mobilized to those areas.

But this new mission marks the first time an active unit has been given a dedicated assignment to NorthCom, a joint command established in 2002 to provide command and control for federal homeland defense efforts and coordinate defense support of civil authorities.

After 1st BCT finishes its dwell-time mission, expectations are that another, as yet unnamed, active-duty brigade will take over and that the mission will be a permanent one.

Preservation, Management and Identification of Sources of Information that are Not Reasonably Accessible
Download: pdf | Published: September, 2008 | Category: ESI
This Sedona Conference® Commentary focuses on the decision making process relating to the preservation of sources of electronically stored information that may contain discoverable information that is “not reasonably accessible.” The “reasonable accessibility” distinction, introduced by the 2006 Federal E-Discovery Amendments as part of the “two-tiered” approach to discovery, plays a role in, but is not wholly determinative of, preservation obligations.

The central dilemma of preservation planning in the absence of the opportunity to discuss discovery requests or reach prior agreement among the parties is predicting exactly which sources of information may actually be discoverable in a given case. No bright lines exist. The primary duty is to make reasonable assessments in good faith.

To assist litigants and the courts, we have developed the following Guidelines that summarize our recommendations for making those assessments. The Guidelines also discuss how parties may “identify” inaccessible sources that will not be preserved and emphasize the value of cooperative efforts to reach agreements on preservation topics in dispute that reflect the unique demands of each case.

The Guidelines are:

Guideline 1. Where litigation is anticipated but no plaintiff has emerged or other considerations make it impossible to initiate a dialogue, the producing party should make preservation decisions by a process conforming to that set forth in the Decision Tree in Figure 1.

Guideline 2. As soon as feasible, preservation issues should be openly and cooperatively discussed in sufficient detail so the parties can reach mutually satisfactory accommodation and also evaluate the need, if any, to seek court intervention or assistance.

Guideline 3. In conjunction with the initial discussions or where appropriate in the response to discovery requests, parties should clearly identify the inaccessible sources reasonably related to the discovery or claims which are not being searched or preserved.

Guideline 4. A party should exercise caution when it decides for business reasons to move potentially discoverable information subject to a preservation duty from accessible to less accessible data stores.

Guideline 5. It is acceptable practice, in the absence of an applicable preservation duty, for entities to manage their information in a way that minimizes accumulations of inaccessible data, provided that adequate provisions are made to accommodate preservation imperatives.

Guideline 6. An entity should encourage appropriate cooperation among legal and other functions and business units within the organization to help ensure that preservation obligations are met and that resources are effectively utilized.

U.S. courts consider legality of laptop inspections
Download: pdf | Published: January, 2008 | Category: ESI
A couple of years ago, Michael Arnold landed at the Los Angeles International Airport after a 20-hour flight from the Philippines. He had his laptop with him, and a customs officer took a look at what was on his hard drive. Clicking on folders called "Kodak pictures" and "Kodak memories," the officer found child pornography.

The search was not unusual: The government contends that it is perfectly free to inspect every laptop that enters the country, whether or not there is anything suspicious about the computer or its owner. Rummaging through a computer's hard drive, the government says, is no different from looking through a suitcase. One federal appeals court has agreed, and a second seems ready to follow suit.

There is one lonely voice on the other side. In 2006, Judge Dean Pregerson of U.S. District Court in Los Angeles suppressed the evidence against Arnold.

"Electronic storage devices function as an extension of our own memory," Pregerson wrote, in explaining why the government should not be allowed to inspect them without cause. "They are capable of storing our thoughts, ranging from the most whimsical to the most profound."

NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL
Download: pdf | Published: December, 2007 | Category: (none)
This Manual is issued in accordance with the National Industrial Security Program (NISP). It prescribes the requirements, restrictions, and other safeguards to prevent unauthorized disclosure of classified information. The Manual controls the authorized disclosure of classified information released by U.S. Government Executive Branch Departments and Agencies to their contractors. It also prescribes the procedures, requirements, restrictions, and other safeguards to protect special classes of classified information, including Restricted Data (RD), Formerly Restricted Data (FRD), intelligence sources and methods information, Sensitive Compartmented Information (SCI), and Special Access Program (SAP) information. for prescribing that portion of the Manual that pertains to intelligence sources and methods, including SCI.

Industrial Security Letter
Download: pdf | Published: December, 2007 | Category: ESI
Industrial Security letters will be issued periodically to inform cleared contractors, User Agencies and DoD Activities of developments relating to industrial security. The contents of these letters are for information and clarification of existing policy and requirements. Local reproduction of these letters in their original form is authorized. Suggestions for articles to be included in future Industrial Security Letters are welcome. Articles and ideas contributed will become the property of DSS. Contractor requests for copies of the Industrial Security Letter and inquiries concerning specific information should be addressed to the cognizant DSS industrial security office.

The Wedge
Download: pdf | Published: December, 2007 | Category: (none)
The Center seeks nothing less than the overthrow of materialism and its cultural legacies...

States Launching E-Discovery Rules
Download: pdf | Published: December, 2007 | Category: ESI
Most of the states' rules were rolled out amid debate about the electronic discovery amendments to the Federal Rules of Civil Procedure, which kicked in on Dec. 1, 2006. New rules in Idaho and New Jersey took effect last year, while rules in Indiana, Minnesota, Montana and New Hampshire began this year. Arizona's rules are effective starting on Jan. 1, 2008. Proposed rules are on the table in Maryland, Nebraska and Ohio. In addition, committees at the California, Illinois and Tennessee courts and the Washington State Bar Association are studying the issue.

Did NSA Put a Secret Backdoor in New Encryption Standard?
Download: pdf | Published: November, 2007 | Category: (none)
The NSA has always been intimately involved in U.S. cryptography standards -- it is, after all, expert in making and breaking secret codes. So the agency's participation in the NIST (the U.S. Commerce Department's National Institute of Standards and Technology) standard is not sinister in itself. It's only when you look under the hood at the NSA's contribution that questions arise. Problems with Dual_EC_DRBG were first described in early 2006. The math is complicated, but the general point is that the random numbers it produces have a small bias. The problem isn't large enough to make the algorithm unusable -- and Appendix E of the NIST standard describes an optional work-around to avoid the issue -- but it's cause for concern. Cryptographers are a conservative bunch: We don't like to use algorithms that have even a whiff of a problem.

Open Source Mathematical Software
Download: pdf | Published: November, 2007 | Category: (none)
Particularly in more advanced applications of Mathematica, it may sometimes seem worthwhile to try to analyze internal algorithms in order to predict which way of doing a given computation will be the most efficient.[…] But most often the analyses will not be worthwhile. For the internals of Mathematica are quite complicated, and even given a basic description of the algorithm used for a particular purpose, it is usually extremely difficult to reach a reliable conclusion about how the detailed implementation of this algorithm will actually behave in particular circumstances.
No journal would make a statement like the above about the proofs of the theorems they publish. Increasingly, proprietary software and the algorithms used are an essential part of mathematical proofs. To quote J. Neubüser, “with this situation two of the most basic rules of conduct in mathematics are violated: In mathematics information is passed on free of charge and everything is laid open for checking.”

Researchers: Forensics Software Can Be Hacked
Download: pdf | Published: July, 2007 | Category: ESI
The software that police and enterprise security teams use to investigate wrongdoing on computers is not as secure as it should be, according to researchers with Isec Partners Inc. The San Francisco security company has spent the past six months investigating two forensic investigation programs, Guidance Software Inc.'s EnCase, and an open-source product called The Sleuth Kit. They have discovered about a dozen bugs that could be used to crash the programs or possibly even install unauthorized software on an investigator's machine, according to Alex Stamos, a researcher and founding partner with Isec Partners.

Journaling file system forensics
Download: pdf | Published: June, 2007 | Category: ESI
Presentation given by Wietse Venema on Forensic Discovery.

The Sedona Principles: Best Practices Recommendations and Principles for Addressing Electronic Document Production - Second Edition
Download: pdf | Published: June, 2007 | Category: ESI
Since the first publication of The Sedona Principles in January 2004, the 2004 Annotated Version of The Sedona Principles in the Spring of 2004, and the July 2005 version of The Sedona Principles, there have been many developments in the case law as well as significant amendments to the Federal Rules of Civil Procedure and several state civil procedure rules. The Principles, however, have maintained their vitality. The Second Edition includes updates throughout the Principles and Comments reflecting the new language found in the amended Federal Rules and advances in both jurisprudence and technology. The Introduction has been expanded to include a comparison of The Sedona Principles with the amended Federal Rules. Particular attention has been given to updating the language and commentary on Principle 12 (metadata) and Principle 14 (the imposition of sanctions).
THE SEDONA PRINCIPLES: SECOND EDITION, Best Practices Recommendations & Principles for Addressing Electronic Document Production. A Project of The Sedona Conference Working Group on Electronic Document Retention & Production (WG1). (June 2007).

HASH: The New Bates Stamp
Download: pdf | Published: June, 2007 | Category: ESI
For over one hundred years, complex litigation has relied upon the ubiquitous Bates stamp to try and maintain order and clarity in paper evidence by placing sequential numbers on documents. In today’s world of vast quantities of electronic documents, the days of the Bates stamp are numbered. Instead, the future belongs to a new technology, a computer-based mathematical process known as “hash.” The hash algorithm analyzes a computer file and calculates a unique identifying number for it, called a hash value. No two electronic records have the same hash value. For that reason, it is called the “digital fingerprint” of electronic documents.

The Economics of Digital Forensics
Download: pdf | Published: May, 2007 | Category: ESI
The collection of electronic data as evidence of crime is an important responsibility given to law enforcement. The technical constraints of this task are arguably far less significant than usability and economic ones, since police officers are non-specialists and police departments face significant budgetary limitations. In this position paper, we consider the economics of digital evidence recovery. We argue that the incentives of technology companies, law enforcement agencies and society do not always align, and furthermore that by studying these incentives in different applications we can better understand the efficiency and extent to which digital evidence is gathered.

Digital Evidence Acquisition Specialist Training Program (DEASTP)
Download: pdf | Published: May, 2007 | Category: ESI
The primary purpose of the DEASTP course is to equip criminal investigators with the knowledge, skills, and abilities to properly identify and seize digital evidence. Through a combination of lecture, demonstration, hands-on exercises, labs and a practical exercise, investigators learn about a computer’s boot process; changing the boot sequence and BIOS setup of a computer; setting jumpers on hard drives for master, slave, single and cable select settings; disk wiping; formatting and partitioning hard drives; assembling external drive enclosures; creating a forensically sound boot disk; file compression; investigative techniques for seizing digital evidence from personal computer (PC) and notebook computer hard drives, floppy diskettes, compact disks (CDs), DVDs, thumb drives, and various flash media by acquiring forensically valid images of the digital media; previewing digital media prior to acquisition to determine if the media contains key text strings, unlawful graphics, etc.; using external storage devices; using hardware and software write blockers; using device drivers; writing batch files; using command line programs; essential internal and external DOS commands; installing software; installing and uninstalling hardware; IDE, USB, and FireWire cables and devices; and legal aspects pertaining to the seizure and search of electronic evidence. Investigative hardware and software used in the class are issued to the students so that they are prepared to put the skills learned in the class to use immediately upon return to their duty stations.

IN RE: ELECTRONICALLY STORED INFORMATION - Suggested Protocol for Discovery of Electronically Stored Information
Download: pdf | Published: May, 2007 | Category: ESI
On December 1, 2006, amendments to Fed.R.Civ.P. 16, 26, 33, 34, 37, and 45, and Form 35, became effective, creating a comprehensive set of rules governing discovery of electronically stored information, (“ESI”). Given these rule changes, it is advisable to establish a suggested protocol regarding, and a basic format implementing, only those portions of the amendments that refer to ESI. The purpose of this Suggested Protocol for Discovery of Electronically Stored Information (the “Protocol”) is to facilitate the just, speedy, and inexpensive conduct of discovery involving ESI in civil cases, and to promote, whenever possible, the resolution of disputes regarding the discovery of ESI without Court intervention.
In light of the recent amendments to the Federal Rules of Civil Procedure regarding discovery of electronically stored information (“ESI”), a joint bar-court committee consisting of Magistrate Judge Paul W. Grimm and members of the Bar of this Court as well as technical consultants has developed a proposed protocol for use in cases where ESI may be involved. This is a working model that has not been adopted by the court but may be of assistance to counsel. It is the intent of the joint committee to review the Proposed Protocol periodically to determine if revisions would be appropriate, and after a sufficient period of time to evaluate the proposed protocol has passed, to determine whether to recommend to the Court that more formal guidelines or local rules relating to ESI be considered for adoption. (United States District Court for the District of Maryland).

Guidelines on Cell Phone Forensics: Recommendations of the National Institute of Standards and Technology
Download: pdf | Published: May, 2007 | Category: ESI
Mobile phone forensics is the science of recovering digital evidence from a mobile phone under forensically sound conditions using accepted methods. Mobile phones, especially those with advanced capabilities, are a relatively recent phenomenon, not usually covered in classical computer forensics. This guide attempts to bridge that gap by providing an in-depth look into mobile phones and explaining the technologies involved and their relationship to forensic procedures. It covers phones with features beyond simple voice communication and text messaging and their technical and operating characteristics. This guide also discusses procedures for the preservation, acquisition, examination, analysis, and reporting of digital information present on cell phones, as well as available forensic software tools that support those activities.

Forensic Corpora: A Challenge for Forensic Research
Download: pdf | Published: April, 2007 | Category: ESI
Research in the field of computer forensics is hobbled by the lack of realistic data. Academics are not developing automated techniques and tools because they lack the raw data necessary to develop and validate algorithms. Investigators that have access to real data operate under legal and practical restraints that prevent the data from being used in research.

To make progress, we must “prime the pump” by collecting or creating forensic corpora that can be used by researchers. We must also pursue targeted technical developments in forensic file formats, knowledge representation, inference techniques, and the presentation of forensic results.

Managing Discovery of Electronic Information: A Pocket Guide for Judges
Download: pdf | Published: January, 2007 | Category: ESI
This pocket guide is designed to help federal judges manage the discovery of electronically stored information (ESI). It encourages judges to actively manage those cases involving ESI, raising points for consideration by the parties rather than awaiting the parties’ identification and argument of the matters. The guide covers issues unique to the discovery of ESI, including its scope, the allocation of costs, the form of production, the waiver of privilege and work-product protection, and the preservation of data and spoliation. As you are reading, you may encounter some unfamiliar terms. Many of these terms are defined in a glossary at the end of the guide.

3D Data Recovery: a professional approach to data recovery
Download: pdf | Published: January, 2007 | Category: (none)
3D Data Recovery always starts with diagnosis of the drive and repair if necessary, progresses to disk imaging, and then (and only then) does the actual retrieval of data begin.

Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors
Download: pdf | Published: January, 2007 | Category: (none)
Law enforcement agencies, prosecutors, and judges are overwhelmed by the amount of information required to keep pace with the rapid changes involving the computer and its associated devices and features. Criminals continually alter, revise, or create hardware, software, viruses, and other attacks in an effort to disguise criminal activity and thwart detection. In addition to being familiar with these changes in technology, law enforcement officers and prosecutors also must stay abreast of the latest revisions of applicable laws.

Federal Judges Association Newsletter November 29, 2006
Download: pdf | Published: November, 2006 | Category: ESI
FAQ's of E-Discovery
by Judge Shira A. Scheindlin, S.D. N.Y.
The Ten Most FAQ's in the Post-December 1, 2006 World of E-Discovery

Is the Open Way a Better Way? Digital Forensics using Open Source Tools
Download: pdf | Published: October, 2006 | Category: ESI
The subject of digital forensics can be quite challenging. Digital forensics is in its infancy, and teaching digital forensics includes the techniques as well as the tools that assist in the process. This article discusses the tools used in computer forensics, compares an open source tool to two commercial tools, and weighs the advantages and disadvantages of all three tools in an academic environment.

A team of four senior students sponsored by two faculty members established the project scope and requirements, presented three prototypes, and detailed the considerations of using open source tools. The same image was used to measure the performance of each software tool. The team found that the three tools provided the same results with different degrees of difficulty. The end results indicate that Open Source tools are a very good verification of evidence found using other products and should be included in the academic environment.

Survey of Disk Image Storage Formats, Version 1.0
Download: pdf | Published: September, 2006 | Category: ESI
Digital data that could be used as evidence are typically stored in specialized and closed formats, which typically also include metadata about the evidence. Closed formats limit the number of tools and analysis techniques that can be used on the data. The goal of the Common Digital Evidence Storage Format (CDESF) working group is to define a storage format that is open and accepted by the community. The first step in this process is to define what currently exists. To assess the state of the field, the CDESF working group surveyed the following disk image formats: raw, AFF, DEB (Qinetiq), EnCase, Expert Witness, gfzip, ProDiscover, and SMART. This document contains the working group findings after evaluating the storage formats using several criteria, such as publication status, extensibility, and metadata that are stored.

Crash Course in Digital Forensics
Download: pdf | Published: June, 2006 | Category: ESI
Presentation given by Brian Carrier regarding basic concepts in computer forensics

Forensic feature extraction and cross-drive analysis
Download: pdf | Published: June, 2006 | Category: ESI
This paper introduces Forensic Feature Extraction (FFE) and Cross-Drive Analysis (CDA), two new approaches for analyzing large data sets of disk images and other forensic data. FFE uses a variety of lexigraphic techniques for extracting information from bulk data; CDA uses statistical techniques for correlating this information within a single disk image and across multiple disk images. An architecture for these techniques is presented that consists of five discrete steps: imaging, feature extraction, first-order cross-drive analysis, cross-drive correlation, and report generation. CDA was used to analyze 750 images of drives acquired on the secondary market; it automatically identified drives containing a high concentration of confidential financial records as well as clusters of drives that came from the same organization. FFE and CDA are promising techniques for prioritizing work and automatically identifying members of social networks under investigation. We believe it is likely to have other uses as well.

Law Practice in the Electronic Age
Download: pdf | Published: May, 2006 | Category: ESI
It is difficult to imagine the practice of law today without computers. Upon arriving at the office, who among us does not turn on the computer and review the e-mails received, review client information stored on the firm’s server and begin communicating, drafting and filing electronically? If we practice that way, ethical rules are clearly implicated. How much do we really know about the workings of e-mail and data storage? How much are we expected to know? Can we simply leave the “techie” issues to the IT managers? What knowledge and competency can our clients and profession expect lawyers to maintain? On the other hand, if we are among the remnant who refuse to enter the digital fray and continue to create documents on Selectric typewriters using onion skin carbons, what are we ethically obligated to understand about the digital realm? Can we practice trial advocacy without some knowledge of digital discovery? Can we properly advise our clients on business matters if we refuse to keep abreast of our clients’ digital business practices? The rules of ethics or, more properly, the rules of “Professional Conduct,” do not answer these questions directly

Test Results for Hardware Write Block Device: Digital Intelligence Firefly 800 IDE (FireWire Interface)
Download: pdf | Published: April, 2006 | Category: ESI
This document reports the results from testing the Digital Intelligence FireFly 800 IDE (FireWire Interface) write blocker against Hardware Write Blocker (HWB) Assertions and Test Plan Version 1.0, available on the CFTT Web site (http://www.cftt.nist.gov/HWB-ATP-19.pdf). This specification identifies the following top-level tool requirements:
1. A hardware write block (HWB) device shall not transmit a command to a protected storage device that modifies the data on the storage device;
2. An HWB device shall return the data requested by a read operation;
3. An HWB device shall return without modification any access-significant information requested from the drive; and
4. Any error condition reported by the storage device to the HWB device shall be reported to the host.

ADVANCED FORENSIC FORMAT: AN OPEN, EXTENSIBLE FORMAT FOR DISK IMAGING
Download: pdf | Published: February, 2006 | Category: ESI
This paper describes the Advanced Forensic Format (AFF), which is designed as an alternative to current proprietary disk image formats. AFF offers two significant benefits. First, it is more flexible because it allows extensive metadata to be stored with images. Second, AFF images consume less disk space than images in other formats (e.g., EnCase images). This paper also describes the Advanced Disk Imager (AImage), a new program for acquiring disk images that compares favorably with existing alternatives.

New Directions In Disc Forensics
Download: pdf | Published: January, 2006 | Category: ESI
Discussion of disc forensics and presentation of the Advanced Forensic Format (AFF) on a collection of hard drives.

ADVISORY COMMITTEE ON EVIDENCE RULES
Download: pdf | Published: November, 2005 | Category: ESI
Federal Judicial Advisory Committee On Evidence Rules submission on various ESI issues.

Digital Data Acquisition Tool Test Assertions and Test Plan
Download: pdf | Published: October, 2005 | Category: ESI
The two critical measurable attributes of the digital source acquisition process are accuracy and completeness. Accuracy is a qualitative measure to determine if each bit of the acquisition is equal to the corresponding bit of the source. Completeness is a quantitative measure to determine if each accessible bit of the source is acquired. The digital source may contain visible and hidden sectors. A clone of a digital source may contain benign fill in place of source data that could not be acquired. An image file may contain other information in addition to a representation of the source data acquired. An image file may also be encrypted or compressed.
This document defines test assertions and a test methodology for testing conformance of digital data acquisition tools to the requirements specified in Digital Data Acquisition Tool Specification, Version 4, October 4, 2004. The requirements were developed by a focus group of individuals who have been trained and are experienced in the use of hardware write blocking tools and have performed investigations that have depended on the results of these tools. The assertions are described as general statements of conditions that can be checked after a test is executed. Each assertion appears in one or more test cases that specify detailed parameters, procedures for executing a test, and expected results.

Report of the Civil Rules Advisory Committee
Download: pdf | Published: July, 2005 | Category: ESI
The Civil Rules Advisory Committee held three hearings in 2005 on proposed rules amendments published for comment in August 2004. The hearings were held on January 12 in San Francisco, January 28 in Dallas, and February 11 and 12 in Washington, D.C. The Committee met at the Administrative Office of the United States Courts on April 14-15, 2005. Draft minutes of the April 2005 meeting are attached. Summaries of the written comments and testimony presented at the hearings are also provided with the several recommendations of proposed rule amendments for adoption: Rules 16, 26, 33, 34, 37, 45, and Form 35.

Best Practices for the Selection of Electronic Discovery Vendors: Navigating the Vendor Proposal Process
Download: pdf | Published: July, 2005 | Category: (none)
The goal of the RFP+ Group and this paper is to outline an approach to the selection of an electronic discovery vendor that allows the “user” to compare apples to apples, to the extent feasible, and which makes it easier for all parties to the process to better understand the nature, cost and impact of what is being discussed. In the belief that an informed market will lead to reduced transaction costs, more predictable outcomes, and better business relationships, the RFP+ Group was formally launched on July 1, 2004, and this paper is its first work product, along with its companion, The Sedona Glossary.
This effort is an outgrowth of our Working Group on Electronic Document Retention and Production (WG1), and represents the work of its RFP+ Group: 5 “users” of electronic discovery vendor services (2 from defense firms, 2 from plaintiff firms, and 1 consultant/attorney) with input from time to time provided by the RFP+ Vendor Panel, a group of over 30 electronic discovery vendors who signed up as members to support this effort in response to an open invitation and whose membership fees have financially supported the efforts of the Group.

THE SEDONA GUIDELINES: Best Practice Guidelines & Commentary for Managing Information & Records in the Electronic Age
Download: pdf | Published: September, 2004 | Category: ESI
This is the public comment version of The Sedona Guidelines: Best Practice Guidelines & Commentary for Managing Information & Records in the Electronic Age, a companion piece to The Sedona Principles on Electronic Document Production. The subject of information management and record retention is of critical importance in the digital age and subject of many treatises and publications, yet the members and participants of the Working Group believed that there was a need to distill existing thoughts and, in doing so, reach across the boundaries of legal compliance, records management and information technology.
A Project of The Sedona Conference Working Group on Best Practices for Electronic Document Retention & Production. (Public Comment Draft, September 2004).

A Digital Investigation Process Model
Download: pdf | Published: June, 2004 | Category: ESI
Goal: To develop a model for the digital investigation process, so that requirements can be developed for forensic analysis tools and procedures.
Summary: The procedures for a physical crime scene are applied to the digital crime scene.

Forensic Examination of Digital Evidence
Download: pdf | Published: April, 2004 | Category: ESI
Developments in the world have shown how simple it is to acquire all sorts of information through the use of computers. This information can be used for a variety of endeavors, and criminal activity is a major one. In an effort to fight this new crime wave, law enforcement agencies, financial institutions, and investment firms are incorporating computer forensics into their infrastructure. From network security breaches to child pornography investigations, the common bridge is the demonstration that the particular electronic media contained the incriminating evidence. Supportive examination procedures and protocols should be in place in order to show that the electronic media contains the incriminating evidence.

To assist law enforcement agencies and prosecutorial offices, a series of guides dealing with digital evidence has been selected to address the complete investigation process. This process expands from the crime scene through analysis and finally into the courtroom. The guides summarize information from a select group of practitioners who are knowledgeable about the subject matter. These groups are more commonly known as technical working groups.
|
|
Hancock: A language for analyzing transactional data streams
|
pdf
|
March, 2004 |
ESI |
Massive transaction streams present a number of opportunities for data mining techniques. The transactions in such streams might represent calls on a telephone network, commercial credit card purchases, stock market trades, or HTTP requests to a web server. While historically such data have been collected for billing or security purposes, they are now being used to discover how the transactors, e.g. credit-card numbers or IP addresses, use the associated services.
Over the past five years, we have computed evolving profiles (called signatures) of transactors in several very large data streams. The signature for each transactor captures the salient features of his behavior through time. Programs for processing signatures must be highly optimized because of the size of the data stream (several gigabytes per day) and the number of signatures to maintain (hundreds of millions). Originally, we wrote such programs directly in C, but because these programs often sacrificed readability for performance, they were difficult to verify and maintain.
Hancock is a domain-specific language we created to express computationally efficient signature programs cleanly. In this paper, we describe the obstacles to computing signatures from massive streams and explain how Hancock addresses these problems. For expository purposes, we present Hancock using a running example from the telecommunications industry; however, the language itself is general and applies equally well to other data sources.
|
|
Test Results for Disk Imaging Tools: dd Provided with FreeBSD 4.4
|
pdf
|
January, 2004 |
ESI |
The Computer Forensics Tool Testing (CFTT) project is the joint effort of the National Institute of Justice, the National Institute of Standards and Technology (NIST), the U.S. Department of Defense, the Technical Support Working Group, and other related agencies. The objective of the CFTT project is to provide measurable assurance to practitioners, researchers, and other applicable users that the tools used in computer forensic investigations provide accurate results. Accomplishing this requires the development of specifications and test methods for computer forensic tools and subsequent testing of specific tools against those specifications.
This document reports the results from testing one commonly used disk imaging tool, dd as provided with FreeBSD 4.4 (FreeBSD 4.4-RELEASE #0 released 9/01), against Disk Imaging Tool Specification, Version 3.1.6, developed by the CFTT staff and available at http://www.cftt.nist.gov/DI-spec-3-1-6.doc. This specification identifies the top-level disk imaging tool requirements as—
1. The tool shall make a bit-stream duplicate or an image of an original disk or partition;
2. The tool shall not alter the original disk;
3. The tool shall log I/O errors;
4. The tool’s documentation shall be correct.
Note: The test methodology is for software tools that copy or image hard disk drives. It does not cover analog media or digital media such as cell phones or personal digital assistants (PDAs).
|
|
Open Source Digital Forensics Tools - The Legal Argument
|
pdf
|
October, 2002 |
ESI |
This paper addresses digital forensic analysis tools and their use in a legal setting. To enter scientific evidence into a United States court, a tool must be reliable and relevant. The reliability of evidence is tested by applying “Daubert” guidelines. To date, there have been few legal challenges to digital evidence, but as the field matures this will likely change. This paper examines the Daubert guidelines and shows that open source tools may more clearly and comprehensively meet the guidelines than closed source tools.
|
|
Electronic Crime Scene Investigation: A Guide for First Responders
|
pdf
|
July, 2001 |
ESI |
To assist State and local law enforcement agencies and prosecutorial offices with the growing volume of electronic crime, a series of reference guides regarding practices, procedures, and decisionmaking processes for investigating electronic crime is being prepared by technical working groups of practitioners and subject matter experts who are knowledgeable about electronic crime. The practitioners and experts are from Federal, State, and local law enforcement agencies; criminal justice agencies; offices of prosecutors and district attorneys general; and academic, commercial, and professional organizations.
|
|
Hancock: A Language for Extracting Signatures from Data Streams
|
pdf
|
October, 2000 |
ESI |
Massive transaction streams present a number of opportunities for data mining techniques. Transactions might represent calls on a telephone network, commercial credit card purchases, stock market trades, or HTTP requests to a web server. While historically such data have been collected for billing or security purposes, they are now being used to discover how customers or their intermediaries (called transactors) use the underlying services.
For several years, we have computed evolving profiles (called signatures) of the transactors in large data streams using handwritten C code. The signature for each transactor captures the salient features of his transactions through time. Programs for processing signatures must be highly optimized because of the size of the data stream (several gigabytes per day) and the number of signatures to maintain (hundreds of millions). C programs to compute signatures often sacrificed readability for performance. Consequently, they are difficult to verify and maintain.
Hancock is a domain-specific language created to express computationally efficient signature programs cleanly. In this paper, we describe the obstacles to computing signatures from massive streams and explain how Hancock addresses these problems. For expository purposes, we present Hancock using a running example from the telecommunications industry; however, the language itself is general and applies equally well to other data sources.
|
|
Recovering The Original Fourth Amendment
|
pdf
|
December, 1999 |
|
Claims regarding the original or intended meaning of constitutional texts are commonplace in constitutional argument and analysis. All such claims are subject to an implicit validity criterion — only historically authentic assertions should matter. The rub is that the original meaning commonly attributed to a constitutional text may not be authentic. The historical Fourth Amendment is a case in point. If American judges, lawyers, or law teachers were asked what the Framers intended when they adopted the Fourth Amendment, they would likely answer that the Framers intended that all searches and seizures conducted by government officers must be reasonable given the circumstances. That answer may seem obvious — the Amendment begins with a clause that states that “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated . . . .” Indeed, this language has been identified as a prime example of how the original understanding can be gleaned directly from constitutional text — what could “unreasonable” mean if not inappropriate in the circumstances?
|
|
Hancock: A Language for Processing Very Large-Scale Data
|
pdf
|
October, 1999 |
ESI |
A signature is an evolving customer profile computed from call records. AT&T uses signatures to detect fraud and to target marketing. Code to compute signatures can be difficult to write and maintain because of the volume of data. We have designed and implemented Hancock, a C-based domain-specific programming language for describing signatures. Hancock provides data abstraction mechanisms to manage the volume of data and control abstractions to facilitate looping over records. This paper describes the design and implementation of Hancock, discusses early experiences with the language, and describes our design process.
|
|
Computer Forensic Analysis Class
|
pdf
|
August, 1999 |
ESI |
On August 6th, 1999, Dan Farmer (Earthlink) and Wietse Venema (IBM) presented a full-day free class on UNIX computer forensic analysis, sponsored by IBM. The class was attended by an audience of over 200 and was given at the IBM T.J. Watson Research Center near Yorktown Heights (NY, USA). These are the slides presented at that class.
|
|
Mother Board Mother Earth
|
pdf
|
December, 1996 |
ESI |
In which the hacker tourist ventures forth across the wide and wondrous meatspace of three continents, acquainting himself with the customs and dialects of the exotic Manhole Villagers of Thailand, the U-Turn Tunnelers of the Nile Delta, the Cable Nomads of Lan tao Island, the Slack Control Wizards of Chelmsford, the Subterranean Ex-Telegraphers of Cornwall, and other previously unknown and unchronicled folk; also, biographical sketches of the two long-dead Supreme Ninja Hacker Mage Lords of global telecommunications, and other material pertaining to the business and technology of Undersea Fiber-Optic Cables, as well as an account of the laying of the longest wire on Earth, which should not be without interest to the readers of Wired.
You might well ask yourself the same question before diving into an article as long as this one. The answer is that we all depend heavily on wires, but we hardly ever think about them. Before learning about FLAG, I knew that data packets could get from America to Asia or the Middle East, but I had no idea how. I knew that it had something to do with wires across the bottom of the ocean, but I didn't know how many of those wires existed, how they got there, who controlled them, or how many bits they could carry.
According to legend, in 1876 the first sounds transmitted down a wire were Alexander Graham Bell saying "Mr. Watson, come here. I want you." Compared with Morse's "What hath God wrought!" this is disappointingly banal - as if Neil Armstrong, setting foot on the moon, had uttered the words: "Buzz, could you toss me that rock hammer?" It's as though during the 32 years following Morse's message, people had become inured to the amazing powers of wire.
|
|
Secure Deletion of Data from Magnetic and Solid-State Memory
|
pdf
|
July, 1996 |
ESI |
With the use of increasingly sophisticated encryption systems, an attacker wishing to gain access to sensitive data is forced to look elsewhere for information. One avenue of attack is the recovery of supposedly erased data from magnetic media or random-access memory. This paper covers some of the methods available to recover erased data and presents schemes to make this recovery significantly more difficult.
|
|
Defending: An Essay by Michael E. Tigar
|
pdf
|
April, 1996 |
|
74 Tex. L. Rev. 101 (1995)
|
|