📄 digital evidence standards and principles, by swgde and ioce (forensic science communications, april 2000).mht
=
href=3D"http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm#Index"=
><I><FONT=20
face=3DHelvetica size=3D-1>Back to the top</FONT></I></A></P>
<P><B><FONT face=3DHelvetica size=3D-1>Standards and Criteria=20
1.3<BR></FONT></B><FONT face=3DHelvetica size=3D-1>Procedures used =
must be=20
generally accepted in the field or supported by data gathered and =
recorded=20
in a scientific manner.</FONT></P>
<P><B><I><FONT face=3DHelvetica =
size=3D-1>Discussion</FONT></I></B><I><FONT=20
face=3DHelvetica size=3D-1>.<B> </B></FONT></I><FONT =
face=3DHelvetica=20
size=3D-1>Because a variety of scientific procedures may validly =
be applied=20
to a given problem, standards and criteria for assessing =
procedures need=20
to remain flexible. The validity of a procedure may be established =
by=20
demonstrating the accuracy and reliability of specific techniques. =
In the=20
digital evidence area, peer review of SOPs by other agencies may =
be=20
useful.</FONT></P>
<P><B><FONT face=3DHelvetica size=3D-1>Standards and Criteria=20
1.4<BR></FONT></B><FONT face=3DHelvetica size=3D-1>The agency must =
maintain=20
written copies of appropriate technical procedures.</FONT></P>
<P><B><I><FONT face=3DHelvetica =
size=3D-1>Discussion</FONT></I></B><I><FONT=20
face=3DHelvetica size=3D-1>.<B> </B></FONT></I><FONT =
face=3DHelvetica=20
size=3D-1>Procedures should set forth their purpose and =
appropriate=20
application. Required elements such as hardware and software must =
be=20
listed and the proper steps for successful use should be listed or =
discussed. Any limitations in the use of the procedure or the use =
or=20
interpretation of the results should be established. Personnel who =
use=20
these procedures must be familiar with them and have them =
available for=20
reference.</FONT></P>
<P><B><FONT face=3DHelvetica size=3D-1>Standards and Criteria=20
1.5<BR></FONT></B><FONT face=3DHelvetica size=3D-1>The agency must =
use=20
hardware and software that is appropriate and effective for the =
seizure or=20
examination procedure.</FONT></P>
<P><B><I><FONT face=3DHelvetica =
size=3D-1>Discussion</FONT></I></B><I><FONT=20
face=3DHelvetica size=3D-1>.<B> </B></FONT></I><FONT =
face=3DHelvetica=20
size=3D-1>Although many acceptable procedures may be used to =
perform a task,=20
considerable variation among cases requires that personnel have =
the=20
flexibility to exercise judgment in selecting a method appropriate =
to the=20
problem.</FONT></P>
<P><FONT face=3DHelvetica size=3D-1>Hardware used in the seizure =
and/or=20
examination of digital evidence should be in good operating =
condition and=20
be tested to ensure that it operates correctly. Software must be =
tested to=20
ensure that it produces reliable results for use in seizure and/or =
examination purposes.</FONT></P>
<P><B><FONT face=3DHelvetica size=3D-1>Standards and Criteria=20
1.6<BR></FONT></B><FONT face=3DHelvetica size=3D-1>All activity =
relating to=20
the seizure, storage, examination, or transfer of digital evidence =
must be=20
recorded in writing and be available for review and =
testimony.</FONT></P>
<P><B><I><FONT face=3DHelvetica =
size=3D-1>Discussion</FONT></I></B><I><FONT=20
face=3DHelvetica size=3D-1>.<B> </B></FONT></I><FONT =
face=3DHelvetica size=3D-1>In=20
general, documentation to support conclusions must be such that, =
in the=20
absence of the originator, another competent person could evaluate =
what=20
was done, interpret the data, and arrive at the same conclusions =
as the=20
originator.</FONT></P>
<P><FONT face=3DHelvetica size=3D-1>The requirement for evidence =
reliability=20
necessitates a chain of custody for all items of evidence.=20
Chain-of-custody documentation must be maintained for all digital=20
evidence.</FONT></P>
<P><FONT face=3DHelvetica size=3D-1>Case notes and records of =
observations=20
must be of a permanent nature. Handwritten notes and observations =
must be=20
in ink, not pencil, although pencil (including color) may be =
appropriate=20
for diagrams or making tracings. Any corrections to notes must be =
made by=20
an initialed, single strikeout; nothing in the handwritten =
information=20
should be obliterated or erased. Notes and records should be =
authenticated=20
by handwritten signatures, initials, digital signatures, or other =
marking=20
systems.</FONT></P>
<P><B><FONT face=3DHelvetica size=3D-1>Standards and Criteria=20
1.7<BR></FONT></B><FONT face=3DHelvetica size=3D-1>Any action that =
has the=20
potential to alter, damage, or destroy any aspect of original =
evidence=20
must be performed by qualified persons in a forensically sound=20
manner.</FONT></P>
<P><B><I><FONT face=3DHelvetica =
size=3D-1>Discussion</FONT></I></B><I><FONT=20
face=3DHelvetica size=3D-1>.<B> </B></FONT></I><FONT =
face=3DHelvetica size=3D-1>As=20
outlined in the preceding standards and criteria, evidence has =
value only=20
if it can be shown to be accurate, reliable, and controlled. A =
quality=20
forensic program consists of properly trained personnel and =
appropriate=20
equipment, software, and procedures to collectively ensure these=20
attributes.</FONT></P>
<H3><A name=3DComments></A><FONT =
face=3DHelvetica>Comments</FONT></H3>
<P><FONT face=3DHelvetica size=3D-1>SWGDE's proposed standards for =
the=20
exchange of digital evidence will be posted on the National =
Forensic=20
Science Technology Center, Law Enforcement Online, and IOCE Web =
sites in=20
the near future.</FONT></P>
<P><FONT face=3DHelvetica size=3D-1>Comments and questions =
concerning the=20
proposed standards may be forwarded to <A=20
href=3D"mailto:whitcomb@mail.ucf.edu?subject=3DSWGDE =
feedback">mailto:whitcomb@mail.ucf.edu?subject=3DSWGDE=20
feedback</A> or <A=20
href=3D"mailto:mpollitt.cart@fbi.gov?subject=3DSWGDE =
feedback">mailto:mpollitt.cart@fbi.gov?subject=3DSWGDE=20
feedback</A></FONT></P>
<P> </P>
<H2>
<CENTER><A name=3DInternational></A><FONT =
face=3DHelvetica>International=20
Principles<BR>for Computer Evidence</FONT></CENTER></H2>
<H2>
<CENTER>
<TABLE cellSpacing=3D0 cellPadding=3D0 width=3D"98%" border=3D0>
<TBODY>
<TR>
<TD width=3D413>
<P>
<CENTER><B><FONT face=3DHelvetica size=3D-1>International =
Organization=20
on Computer Evidence=20
(IOCE)</FONT></B></CENTER></TD></TR></TBODY></TABLE></CENTER></H2>
<H3><A name=3DIOCEIntroduction></A><FONT=20
face=3DHelvetica>Introduction</FONT></H3>
<P><FONT face=3DHelvetica size=3D-1>The International Organization =
on Computer=20
Evidence (IOCE) was established in 1995 to provide international =
law=20
enforcement agencies a forum for the exchange of information =
concerning=20
computer crime investigation and other computer-related forensic =
issues.=20
Comprised of accredited government agencies involved in computer =
forensic=20
investigations, IOCE identifies and discusses issues of interest =
to its=20
constituents, facilitates the international dissemination of =
information,=20
and develops recommendations for consideration by its member =
agencies. In=20
addition to formulating computer evidence standards, IOCE develops =
communications services between member agencies and holds =
conferences=20
geared toward the establishment of working =
relationships.</FONT></P>
<P><FONT face=3DHelvetica size=3D-1>In response to the G-8 =
Communique and=20
Action plans of 1997, IOCE was tasked with the development of=20
international standards for the exchange and recovery of =
electronic=20
evidence. Working groups in Canada, Europe, the United Kingdom, =
and the=20
United States have been formed to address this standardization of =
computer=20
evidence.</FONT></P>
<P><FONT face=3DHelvetica size=3D-1>During the International =
Hi-Tech Crime and=20
Forensics Conference (IHCFC) of October 1999, the IOCE held =
meetings and a=20
workshop which reviewed the United Kingdom Good Practice Guide and =
the=20
SWGDE Draft Standards. The working group proposed the following=20
principles, which were voted upon by the IOCE delegates present =
with=20
unanimous approval.</FONT></P>
<H3><A name=3DIOCEInternationalPrinciples></A><FONT =
face=3DHelvetica>IOCE=20
International Principles</FONT></H3>
<P><FONT face=3DHelvetica size=3D-1>The international principles =
developed by=20
IOCE for the standardized recovery of computer-based evidence are =
governed=20
by the following attributes:</FONT></P>
<UL>
<LI><FONT face=3DHelvetica size=3D-1>Consistency with all legal=20
systems;<BR><BR></FONT>
<LI><FONT face=3DHelvetica size=3D-1>Allowance for the use of a =
common=20
language;<BR><BR></FONT>
<LI><FONT face=3DHelvetica size=3D-1>Durability;<BR><BR></FONT>
<LI><FONT face=3DHelvetica size=3D-1>Ability to cross =
international=20
boundaries;<BR><BR></FONT>
<LI><FONT face=3DHelvetica size=3D-1>Ability to instill =
confidence in the=20
integrity of evidence;<BR><BR></FONT>
<LI><FONT face=3DHelvetica size=3D-1>Applicability to all =
forensic evidence;=20
and<BR><BR></FONT>
<LI><FONT face=3DHelvetica size=3D-1>Applicability at every =
level, including=20
that of individual, agency, and country.</FONT> </LI></UL>
<P><FONT face=3DHelvetica size=3D-1>These principles were =
presented and=20
approved at the International Hi-Tech Crime and Forensics =
Conference in=20
October 1999. They are as follows:</FONT></P>
<UL>
<LI><FONT face=3DHelvetica size=3D-1>Upon seizing digital =
evidence, actions=20
taken should not change that evidence.<BR><BR></FONT>
<LI><FONT face=3DHelvetica size=3D-1>When it is necessary for a =
person to=20
access original digital evidence, that person must be =
forensically=20
competent.<BR><BR></FONT>
<LI><FONT face=3DHelvetica size=3D-1>All activity relating to =
the seizure,=20