ASTM E2763-2010 Standard Practice for Computer Forensics (PDF, 3 pages)

Designation: E2763 - 10

Standard Practice for Computer Forensics¹

This standard is issued under the fixed designation E2763; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.

¹ This practice is under the jurisdiction of ASTM Committee E30 on Forensic Sciences and is the direct responsibility of Subcommittee E30.12 on Digital and Multimedia Evidence. Current edition approved Aug. 15, 2010. Published September 2010. DOI: 10.1520/E2763-10.
Copyright © ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959, United States.

1. Scope

1.1 This practice describes techniques and procedures for computer forensics within the context of a criminal investigation.
1.1.1 This practice can be applicable to civil litigation.
1.2 This practice describes seizing possible evidence, proper evidence handling, digital imaging, forensic analysis/examination, evidence-handling documentation, and reporting.
1.3 This practice is not all inclusive and does not contain information relative to specific operating systems or forensic tools.
1.4 The values stated in SI units are to be regarded as standard. No other units of measurement are included in this standard.
1.5 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety and health practices and determine the applicability of regulatory limitations prior to use.

2. Referenced Documents

2.1 ASTM Standards:²
E2678 Guide for Education and Training in Computer Forensics
2.2 SWGDE Standards:³
Recommended Guidelines for Validation Testing

² For referenced ASTM standards, visit the ASTM website, www.astm.org, or contact ASTM Customer Service at service@astm.org. For Annual Book of ASTM Standards volume information, refer to the standard's Document Summary page on the ASTM website.
³ Available from Scientific Working Group on Digital Evidence (SWGDE), http://www.swgde.org/documents.

3. Significance and Use

3.1 The purpose of this practice is to describe techniques and procedures for computer forensics in regard to evidence handling, computers, digital imaging, and forensic analysis and examination.
3.2 The examiner should be trained in accordance with Guide E2678.
3.3 Individuals not trained in proper digital evidence procedures should consult with an appropriate specialist before proceeding.
3.4 When dealing with technology outside your area of expertise, consult with an appropriate specialist before proceeding.

4. Seizing Evidence

4.1 General guidelines concerning the seizing of evidence are:
4.1.1 Consult with the investigator or responsible party to determine the necessary equipment to take to the scene.
4.1.2 Review the legal authority to seize the evidence, ensuring any restrictions are noted. If necessary during the execution of the seizure, obtain additional authority for evidence outside the scope of the search.
4.1.3 When it is impractical to remove the evidence from the scene, the evidence items shall be copied or imaged according to organizational policy.
4.1.4 All suspects, witnesses, and bystanders shall be removed from the proximity of digital evidence to ensure the integrity of potential evidence.
4.1.5 Solicit information from potential suspects, witnesses, system administrators, and so forth, to ascertain knowledge of the systems to be seized (for example, password(s), operating system(s), screen names, remote access users, and E-mail addresses).
4.1.6 The scene shall be searched systematically and thoroughly for evidence. Searchers shall be trained to recognize the different types of evidence. Check for additional media that may be attached to the computer system.

5. Evidence Handling

5.1 Document the scene, which can include: taking clear, detailed photographs (of the computer screen, of the front and back of the computer, and of the area around the computer to be seized) and making a sketch/notation of the computer connections and surrounding area, or both.
5.2 If the computer is turned off, DO NOT turn on the computer.
5.2.1 Before powering down a computer, consider the potential of encryption software being installed on the computer or as part of the operating system. If present, appropriate forensic methods should be used to capture the unencrypted data and any volatile data that would be lost if the computer is powered down.
5.2.2 Be aware that storage devices may not be physically connected and a proper search for wireless devices must be conducted.
5.2.3 Assess the power needs for devices with volatile memory and follow organizational policy for the handling of those devices.
5.2.4 Document the condition of the evidence, including any preexisting damage.
5.2.5 Appropriately document the connection of the external components.
5.3 Stand-Alone Computer (Non-Networked):
5.3.1 Disconnect all power sources by unplugging from the back of the computer. Also, remove batteries from laptops.
5.3.2 Place evidence tape over the power plug connector on the back of the computer.
5.4 Networked Computer:
5.4.1 Workstations: Remove the power connector from the back of the computer.
5.4.2 Place evidence tape over the power plug connector on the back of the computer.
NOTE 1: Any network computer can be used for file sharing and those systems should follow normal shutdown procedures.
5.5 Servers:
5.5.1 Determine whether the network connection should be disconnected after consulting with an individual trained in proper digital evidence procedures.
5.5.2 A determination shall be made as to the extent of data that should be seized.
5.5.3 Capture volatile data if necessary.
5.5.4 If shutdown is necessary, use the appropriate commands. (Warning: Pulling the plug could severely damage the system, disrupt legitimate business, or create officer and department liability, or combinations thereof.)
5.6 Each piece of evidence shall be protected from change and a chain of custody maintained as determined by organizational policy. Appropriate packaging of evidence can include any of the following:
5.6.1 Plastic/paper bags or sleeves;
5.6.2 Computer case sealed with evidence tape over case access points and power connector;
5.6.3 Some devices may require power to maintain the volatile memory and should be packaged appropriately; and
5.6.4 Specific care shall be taken with the transportation of digital evidence material to avoid physical damage, vibration, and the effects of magnetic fields, static electricity, and large variations of temperature and humidity.

6. Equipment Preparation

6.1 "Equipment" in this section refers to the non-evidentiary hardware and software the examiner uses to conduct the forensic imaging or analysis of the evidence.
6.1.1 Equipment shall be monitored and documented to ensure proper performance is maintained.
6.1.2 Only suitable and properly operating equipment shall be used.
6.1.3 The manufacturer's operation manual and other relevant documentation for each piece of equipment shall be accessible.
6.1.4 Analysis/imaging software shall be validated before use as discussed in the SWGDE Recommended Guidelines for Validation Testing.

7. Forensic Imaging

7.1 Document the current condition of evidence.
7.2 Take precautions to prevent exposure to evidence that may be contaminated with dangerous substances or hazardous materials.
7.2.1 All items submitted for forensic examination shall be examined for the integrity of their packaging. Any deficiency in the packaging, which may compromise the received value of the examination, shall be documented. Consideration shall be given if the deficiency in packaging warrants the refusal to conduct the examination. Any exceptions between the inventory and the actual evidence discovered by the examiner shall be documented.
7.3 Hardware or software write blockers should be used to prevent the evidence from being modified.
7.4 Methods of acquiring evidence should be forensically sound and verifiable.
7.5 Forensic image(s) should be captured using hardware/software that is capable of capturing a "bit stream" image of the original media.
7.6 Digital evidence submitted for examination shall be maintained in such a way that the integrity of the data is preserved, for example, use a hashing function.
7.7 Properly prepared media shall be used when making forensic copies to ensure no commingling of data from different sources.
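The acquisition requirements of 7.3 through 7.7 (write protection, a verifiable bit-stream copy, hashing, prepared destination media) as working code. This is an added example written for this page; it is not part of the ASTM standard and not a tool the standard names. It assumes a regular file standing in for the seized block device (on a real system `source` would be something like /dev/sdb behind a write blocker), and it copies the zero-fill-and-skip behaviour of `dd conv=noerror,sync` for unreadable sectors. The `AcquisitionRecord`, `acquire`, `hash_file` and `demo` names are the example's own.

```python
"""Bit-stream acquisition with hash verification (added example for E2763 7.3 to 7.7).

Hypothetical tool, not part of the standard. A regular file plays the seized
media; on a real system `source` would be a block device behind a write blocker.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

CHUNK = 1 << 20   # read/write granularity, 1 MiB
SECTOR = 512      # zero-fill unit for unreadable regions (dd conv=noerror,sync behaviour)


@dataclass
class AcquisitionRecord:
    """The facts the examination documentation (9.1, 9.2) would attach to the image."""
    examiner: str
    source: str
    image: str
    started_utc: str
    finished_utc: str = ""
    bytes_copied: int = 0
    source_sha256: str = ""   # hash of the bytes as they were read from the source media
    image_sha256: str = ""    # hash of the image file re-read from the destination media
    verified: bool = False
    notes: list = field(default_factory=list)


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed so a multi-terabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source: str, image: str, examiner: str) -> AcquisitionRecord:
    """Copy every byte of `source` to `image`, hashing in flight, then verify by re-reading the image."""
    # 7.7: the destination must be prepared media. Refuse a non-empty target
    # instead of silently mixing this acquisition with whatever was there.
    if os.path.exists(image) and os.path.getsize(image) > 0:
        raise FileExistsError(f"{image} is not prepared media (non-empty); wipe it or use other media")

    rec = AcquisitionRecord(examiner, source, image, datetime.now(timezone.utc).isoformat())
    h_src = hashlib.sha256()

    # O_RDONLY only guarantees that *this process* never writes to the source.
    # It is not a write blocker (7.3): the OS can still mount the device or
    # replay a filesystem journal, so a hardware blocker or a kernel-level
    # read-only setting must still be in place.
    fd = os.open(source, os.O_RDONLY)
    with os.fdopen(fd, "rb", buffering=0) as src, open(image, "wb") as dst:
        while True:
            try:
                chunk = src.read(CHUNK)
            except OSError as exc:
                # Unreadable sector: pad with zeros and skip it (as dd conv=noerror,sync
                # does) and record the gap so the report (7.1, 9.2) reflects it.
                rec.notes.append(f"read error at offset {rec.bytes_copied}: {exc}; zero-filled {SECTOR} bytes")
                chunk = b"\0" * SECTOR
                src.seek(rec.bytes_copied + SECTOR)
            if not chunk:
                break
            h_src.update(chunk)
            dst.write(chunk)
            rec.bytes_copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())   # the image must be on the media before it is hashed

    rec.source_sha256 = h_src.hexdigest()
    rec.image_sha256 = hash_file(image)   # independent pass over what actually landed on disk (7.4, 7.6)
    rec.verified = rec.image_sha256 == rec.source_sha256
    rec.finished_utc = datetime.now(timezone.utc).isoformat()
    return rec


def demo() -> tuple:
    """Constructed sample: a 1 MiB file plays the seized media. Returns (record, expected SHA-256)."""
    workdir = tempfile.mkdtemp(prefix="e2763-")
    source = os.path.join(workdir, "suspect-media.bin")
    image = os.path.join(workdir, "suspect-media.dd")
    data = bytes(range(256)) * 4096          # constructed contents, not real evidence
    with open(source, "wb") as f:
        f.write(data)
    return acquire(source, image, examiner="(examiner name)"), hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    record, expected = demo()
    print(json.dumps(asdict(record), indent=2))
    print("image matches source:", record.verified and record.source_sha256 == expected)
```

Run it as `python acquire.py`; the printed record is the kind of artefact a lab would file alongside the image. The design point is that the two hashes come from two different reads: the source hash is taken from the bytes as they leave the evidence media, and the image hash from a fresh read of the destination after `fsync`, so a silent write failure or a bad destination disk shows up as `verified: false` rather than as a matching hash computed from the same in-memory buffer. The same procedure with stock tools is `dd if=/dev/sdX of=image.dd bs=1M conv=noerror,sync` followed by `sha256sum` on both the device and the image, which gives the numbers but not the record or the error log.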

7.8 Forensic image(s) shall be archived to media and maintained consistent with departmental policy and applicable laws.

8. Forensic Analysis/Examination

8.1 The examiner shall review documentation provided by the requestor to determine the processes necessary to complete the examination and ascertain legal authority to perform the requested examination. Examples of such authority include: consent to search by owner, search warrant, or other legal authority.
8.2 Before commencing any examination, consider:
8.2.1 The urgency and priority of the requestor's need for information and the time conditions contained in the search authorization;
8.2.2 The other types of forensic examination that might need to be carried out on the evidentiary item; and
8.2.3 Which items offer the best choice of target data in terms of evidentiary value.
8.3 The requestor and the examiner should identify the scope and purpose of the examination.
8.4 Conducting an examination on the original evidence media should be avoided. Examinations should be conducted on forensic copies or via forensic image files.
8.5 Use appropriate controls and standards during the examination procedure.
8.6 Conduct the examination of the media in a manner consistent with the laboratory's standard operating procedures (SOPs).
8.7 Forensic Analysis/Examination of Nontraditional Computer Technologies:
8.7.1 With the rapid development of technologies such as cell phones, smart phones, personal digital assistants (PDAs), portable digital audio players, digital video recorder (DVR) systems, gaming systems, and so forth, traditional digital forensic techniques and procedures may not be appropriate nor effective in the processing of this type of data.
8.7.2 All attempts shall be made to use accepted practices and procedures when processing electronic digital devices with a nontraditional format. If these techniques are ineffective or not appropriate for the analysis of this type of data or both, alternate procedures may be used. All nontraditional techniques, if possible and feasible, shall be tested or validated or both before the application on the evidentiary media. All steps of the methodology used shall be documented.

9. Documentation

9.1 Evidence-handling documentation shall include:
9.1.1 Copy of legal authority,
9.1.2 Chain of custody,
9.1.3 Initial count of evidence items to be examined,
9.1.4 Information regarding the packaging and condition of the evidence upon receipt by the examiner,
9.1.5 Description of the evidence, and
9.1.6 Communications regarding the case.
9.2 Examination documentation shall be case specific and contain sufficient details to allow another forensic examiner, competent in the same area of expertise, to be able to identify what has been done and access the findings independently.
9.3 Documentation shall be preserved according to the examiner's organizational policy.

10. Report

10.1 Examination reports shall meet the requirements of the examiner's organization.
10.2 Reports issued by the examiner shall address the requestor's needs.
10.3 The report is to provide the reader with all the relevant information in a clear and concise manner.

11. Review

11.1 The examiner's organization shall have a written policy establishing the protocols for technical/peer and administrative review.
11.2 The examiner's organization shall have a written policy to determine the course of action if an examiner and reviewer fail to reach agreement.

12. Keywords

12.1 computer data; computer forensic analysis; computer forensics; computers; evidence; software; volatile memory

ASTM International takes no position respecting the validity of any patent rights asserted in connection with any item mentioned in this standard. Users of this standard are expressly advised that determination of the validity of any such patent rights, and the risk of infringement of such rights, are entirely their own responsibility.

This standard is subject to revision at any time by the responsible technical committee and must be reviewed every five years and if not revised, either reapproved or withdrawn. Your comments are invited either for revision of this standard or for additional standards and should be addressed to ASTM International Headquarters. Your comments will receive careful consideration at a meeting of the responsible technical committee, which you may attend. If you feel that your comments have not received a fair hearing you should make your views known to the ASTM Committee on Standards, at the address shown below.

This standard is copyrighted by ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959, United States. Individual reprints (single or multiple copies) of this standard may be obtained by contacting ASTM at the above address or at 610-832-9585 (phone), 610-832-9555 (fax), or service@astm.org (e-mail); or through the ASTM website (www.astm.org). Permission rights to photocopy the standard may also be secured from the ASTM website (www.astm.org/COPYRIGHT/).
