Designation: E 2678 – 09

Standard Guide for Education and Training in Computer Forensics¹

This standard is issued under the fixed designation E 2678; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.

¹ This guide is under the jurisdiction of ASTM Committee E30 on Forensic Sciences and is the direct responsibility of Subcommittee E30.12 on Digital and Multimedia Evidence.
Current edition approved June 15, 2009. Published August 2009.
Copyright ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959, United States.

1. Scope

1.1 This guide will improve and advance computer forensics through the development of model curricula consistent with other forensic science programs.

1.2 Section 4 describes the alternative paths by which students may arrive at and move through their professional training. Sections 5 through 7 cover formal educational programs in order of increasing length: a two-year associate degree, a four-year baccalaureate degree, and graduate degrees. Section 8 provides a framework for academic certificate programs offered by educational institutions. Section 9 outlines model criteria and implementation approaches for training and continuing education opportunities provided by professional organizations, vendors, and academic institutions.

1.3 Some professional organizations recognize computer forensics, forensic audio, video, and image analysis as subdisciplines of computer forensics. However, the curricula and specific educational training requirements of subdisciplines other than computer forensics are beyond the scope of this guide.

1.4 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety and health practices and determine the applicability of regulatory limitations prior to use.

2. Terminology

2.1 Definitions of Terms Specific to This Standard:

2.1.1 assembler, n - software that translates a low-level program into a form that can be executed by a computer.

2.1.2 capstone project, n - design and implementation-oriented project typically completed during the final year of a degree program that requires students to apply and integrate knowledge and skills gained from several courses.

2.1.3 central processing unit (CPU), n - computer chip that interprets commands and runs programs.

2.1.4 compiler, n - software that translates a high-level program into a form that can be executed by a computer.

2.1.5 digital forensics, n - science of identifying, collecting, preserving, documenting, examining, and analyzing evidence from computer systems, the results of which may be relied upon in court.

2.1.6 cryptography, n - using the sciences of encryption to transform data to hide its information content and decryption to restore the information to its original form.

2.1.7 data fusion, n - process of associating, correlating, and combining data and information from single and multiple sources.

2.1.8 debugger, n - software that is used to find faults in programs.

2.1.9 demultiplexing, v - process of isolating individual images from a video flow.

2.1.10 digital evidence, n - information of probative value that is stored or transmitted in binary form that may be relied upon in court.

2.1.11 computer forensics, n - science of identifying, collecting, preserving, documenting, examining, and analyzing evidence from computer systems, networks, and other electronic devices, the results of which may be relied upon in court.

2.1.12 distributed denial of service (DDoS), n - intentional paralyzing of a computer or a computer network by flooding it with data sent simultaneously from many locations.

2.1.13 Electronic Communications Privacy Act (ECPA), n - regulates interception of wire and electronic communications (18 USC 2510 et seq.) and retrieval of stored wire and electronic communications (18 USC 2701 et seq.).

2.1.14 embedded device, n - special-purpose computer system that is completely encapsulated by the device it controls.

2.1.15 enterprise system, n - computer systems or networks or both integral to the operation of a company or large entity, possibly global in scope.

2.1.16 ext2/ext3 (Linux-extended 2/Linux-extended 3) file system, n - file system typically used with Linux-based operating systems.

2.1.17 file allocation table (FAT) file system, n - original file system used with Microsoft and IBM-compatible operating systems still in common use.

2.1.18 intrusion detection system (IDS), n - software or hardware that are used to identify attacks or anomalies on computers or networks or both.

2.1.19 link analysis, n - type of analysis often used by law enforcement that uses visual or other means of showing relationships between people, places, events, and things by linking them through timelines, telephone calls, emails, or any other consistent scheme.

2.1.20 local area network (LAN), n - computer network covering a local area such as a home, office, or small group of buildings, such as a college.

2.1.21 malware, n - malicious software designed to cause unexpected and frequently undesirable actions on a system (for example, viruses, worms, spyware, or Trojan horses).

2.1.22 mock trial, n - often referred to as "moot court," role-playing court proceedings intended to prepare students for courtroom testimony.

2.1.23 new technology file system (NTFS), n - advanced file system with security features commonly used with Windows and all subsequent systems.

2.1.24 open system interconnect (OSI), n - layered model that describes the way computers communicate on a network.

2.1.25 personal area network (PAN), n - networking scheme that enables computers and other electronic devices to communicate with each other over short distances either with or without wires.

2.1.26 partitioning, v - software method of dividing a physical hard drive into logical containers that will appear as multiple logical drives.

2.1.27 peer to peer (P2P), n - communications network that allows multiple computers to share files.

2.1.28 personal electronic device (PED), n - consumer electronic device that is typically mobile or handheld (for example, personal digital assistant (PDA), cell phone, or iPod).

2.1.29 photogrammetry, n - science of obtaining dimensional information of items depicted in photographs.

2.1.30 public key infrastructure (PKI), n - system that uses encryption to verify and authenticate network transactions.

2.1.31 random access memory (RAM), n - computer's read/write memory; it provides temporary memory space for the computer to process data.

2.1.32 redundant array of inexpensive/independent disks (RAID), n - system that uses two or more drives in combination for fault tolerance or performance.

2.1.33 steganography, n - technique for embedding information into something else, such as a text file in an image or a sound file, for the sole purpose of hiding the existence of the embedded information.

2.1.34 thumb drive, n - small digital storage device that uses flash memory and a universal serial bus (USB) connection to interface with a computer.

2.1.35 topology, n - physical layout or logical operation of a network.

2.1.36 virtual private network (VPN), n - computer network that uses encryption to transmit data in a secure fashion over a public network.

2.1.37 voice over internet protocol (VoIP), n - technique for transmitting real-time voice communications over the internet or another transmission control protocol/internet protocol (TCP/IP) network.

2.1.38 wide-area network (WAN), n - computer network covering a wide geographical area.

2.2 Acronyms:

2.2.1 FDA, n - Food and Drug Administration
2.2.2 FTC, n - Federal Trade Commission
2.2.3 IP, n - internet protocol
2.2.4 IRS, n - Internal Revenue Service
2.2.5 KSA, n - knowledge, skill, and ability
2.2.6 SEC, n - Securities and Exchange Commission
2.2.7 TCP, n - transmission control protocol

3. Significance and Use

3.1 With the proliferation of computers and other electronic devices, it is difficult to imagine a crime that could not potentially involve digital evidence. Because of the paucity of degree programs in computer forensics, practitioners have historically relied on practical training through law enforcement or vendor-specific programs or both.

3.2 In this guide, curricula for different levels of the educational system are outlined. It is intended to provide guidance to:

3.2.1 Individuals interested in pursuing academic programs and professional opportunities in computer forensics,

3.2.2 Academic institutions interested in developing computer forensics programs, and

3.2.3 Employers seeking information about the educational background of graduates of computer forensics programs and evaluating continuing education opportunities for current employees.

4. Qualifications for a Career in Computer Forensics

4.1 Introduction:

4.1.1 Computer forensics plays a fundamental role in the investigation and prosecution of crimes. Since any type of criminal activity may involve the seizure and examination of digital evidence, the percentage of cases that involves digital evidence will continue to increase. The preservation, examination, and analysis of digital evidence require a foundation in the practical application of science, computer technology, and the law. A practitioner of computer forensics shall be capable of integrating knowledge, skills, and abilities in the identification, preservation, documentation, examination, analysis, interpretation, reporting, and testimonial support of digital evidence. A combination of education and practical training can prepare an individual for a career in computer forensics, and this section addresses the qualifications an individual will need to pursue such a career.

4.1.2 As in all forensic disciplines, a combination of personal, technical, and professional criteria will influence a prospective computer forensics practitioner's suitability for employment. Effective written and oral communication skills are essential to computer forensics practitioners because they may have to testify to their examination results in court. New employees may be hired provisionally or go through a probationary period that requires successful completion of additional training or competency testing or both as a prerequisite for continued employment.

4.2 Career Paths in Computer Forensics:

4.2.1 Numerous competent, accurate, and admissible digital forensic examinations are performed every year by qualified and experienced examiners who have no college education. In fact, much of the expertise in this field is represented by professionals whose practical experience, on-the-job training, and work credentials qualify them in this discipline. Few institutions offer degrees in the discipline because the field is relatively new. As academic programs are developed and made available, it will become preferable for forensic examinations to be performed by individuals who have a degree in computer forensics (or a related field) supported by experience and training.

4.2.2 The discussion of qualifications presents three alternative career paths into computer forensics which are depicted in Fig. 1:

4.2.2.1 One is for law enforcement personnel who seek to move into computer forensics after they become sworn officers,

4.2.2.2 Another is for persons with relevant technical and critical thinking skills that are equivalent to a bachelor's degree, and

4.2.2.3 A third is for persons who have earned the formal degree.

4.2.3 A description of careers in computer forensics is provided in Appendix X1.

4.2.4 Personal Characteristics - Computer forensics, like other forensic disciplines, requires personal honesty, integrity, and scientific objectivity. Those seeking careers in this field should be aware that background checks similar to those required for law enforcement officers are likely to be a condition of employment. The following may be conducted or reviewed or both before an employment offer is made and may be ongoing conditions of employment (this list is not all-inclusive):

  (1) Past work performance
  (2) Drug tests
  (3) History of drug use
  (4) Driving record
  (5) Criminal history
  (6) Citizenship
  (7) Credit history
  (8) History of hacking
  (9) Personal associations
  (10) Psychological screening
  (11) Medical or physical examination
  (12) Polygraph examination

4.2.5 Academic Qualifications - Practitioners of computer forensics historically have not been required to have a degree. However, the trend within some areas of the field is to strengthen the academic requirements for this discipline and require a baccalaureate degree, preferably in a science. The academic qualifications for computer forensics practitioners are discussed in greater detail later in this guide and may include the following knowledge, skills, and abilities:

4.2.5.1 Technical:

  (1) Computer hardware and architecture
  (2) Storage media
  (3) Operating systems
  (4) File systems
  (5) Database systems
  (6) Network technologies and infrastructures
  (7) Programming and scripting
  (8) Computer security
  (9) Cryptography
  (10) Software tools
  (11) Validation and testing
  (12) Cross-discipline awareness

4.2.5.2 Professional:

  (1) Critical thinking
  (2) Scientific methodology
  (3) Quantitative reasoning and problem solving
  (4) Decision making
  (5) Laboratory practices
  (6) Laboratory safety
  (7) Attention to detail
  (8) Interpersonal skills
  (9) Public speaking
  (10) Oral and written communication
  (11) Time management
  (12) Task prioritization
  (13) Application of digital forensic procedures
  (14) Preservation of evidence
  (15) Interpretation of examination results
  (16) Investigative process
  (17) Legal process

4.2.5.3 Copies of diplomas and formal academic transcripts are generally required as proof of academic qualification. Awards, publications, internships, and student activities may be used to differentiate applicants. Claims in this regard are subject to verification through the background investigation process.

4.2.6 Credentials - A digital forensic practitioner should demonstrate continued professional development that is documented by credentials. A credential is a formal recognition of a professional's KSA. Indicators of professional standing include academic credentials, professional credentials, training credentials, and competency tests. Credentials can facilitate the qualification of a witness as an expert.

4.3 Implementation: Keys to a Career in Computer Forensics:

4.3.1 Preemployment Preparation - Competitive candidates can demonstrate the interest and aptitude or KSAs that establish their readiness for a digital forensic position. These KSAs may include areas important to all potential forensic science practitioners including, but not limited to, quality assurance, ethics, professional standards of behavior, evidence control, report writing, scientific method, inductive and deductive reasoning, investigative techniques, statistics, and safety. Documentation of coursework and practical experiences involving these KSAs can significantly enhance the objecti