ASTM E2678-2009(2014) Standard Guide for Education and Training in Computer Forensics

Uploaded by: sumcourage256 | Document ID: 531678 | Upload date: 2018-12-05 | Format: PDF | Pages: 20 | Size: 219.03 KB

Designation: E2678-09 (Reapproved 2014)

Standard Guide for Education and Training in Computer Forensics¹

This standard is issued under the fixed designation E2678; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.

1. Scope

1.1 This guide will improve and advance computer forensics through the development of model curricula consistent with other forensic science programs.

1.2 Section 4 describes the alternative paths by which students may arrive at and move through their professional training. Sections 5 through 7 cover formal educational programs in order of increasing length: a two-year associate degree, a four-year baccalaureate degree, and graduate degrees. Section 8 provides a framework for academic certificate programs offered by educational institutions. Section 9 outlines model criteria and implementation approaches for training and continuing education opportunities provided by professional organizations, vendors, and academic institutions.

1.3 Some professional organizations recognize computer forensics, forensic audio, video, and image analysis as subdisciplines of computer forensics. However, the curricula and specific educational training requirements of subdisciplines other than computer forensics are beyond the scope of this guide.

1.4 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety and health practices and determine the applicability of regulatory limitations prior to use.

2. Terminology

2.1 Definitions of Terms Specific to This Standard:

2.1.1 assembler, n: software that translates a low-level program into a form that can be executed by a computer.

2.1.2 capstone project, n: design and implementation-oriented project typically completed during the final year of a degree program that requires students to apply and integrate knowledge and skills gained from several courses.

2.1.3 central processing unit (CPU), n: computer chip that interprets commands and runs programs.

2.1.4 compiler, n: software that translates a high-level program into a form that can be executed by a computer.

2.1.5 digital forensics, n: science of identifying, collecting, preserving, documenting, examining, and analyzing evidence from computer systems, the results of which may be relied upon in court.

2.1.6 cryptography, n: using the sciences of encryption to transform data to hide its information content and decryption to restore the information to its original form.

2.1.7 data fusion, n: process of associating, correlating, and combining data and information from single and multiple sources.

2.1.8 debugger, n: software that is used to find faults in programs.

2.1.9 demultiplexing, v: process of isolating individual images from a video flow.

2.1.10 digital evidence, n: information of probative value that is stored or transmitted in binary form that may be relied upon in court.

2.1.11 computer forensics, n: science of identifying, collecting, preserving, documenting, examining, and analyzing evidence from computer systems, networks, and other electronic devices, the results of which may be relied upon in court.

2.1.12 distributed denial of service (DDoS), n: intentional paralyzing of a computer or a computer network by flooding it with data sent simultaneously from many locations.

2.1.13 Electronic Communications Privacy Act (ECPA), n: regulates interception of wire and electronic communications (18 USC 2510 et seq.) and retrieval of stored wire and electronic communications (18 USC 2701 et seq.).

2.1.14 embedded device, n: special-purpose computer system that is completely encapsulated by the device it controls.

2.1.15 enterprise system, n: computer systems or networks or both integral to the operation of a company or large entity, possibly global in scope.

2.1.16 ext2/ext3 (Linux-extended 2/Linux-extended 3) file system, n: file system typically used with Linux-based operating systems.

2.1.17 file allocation table (FAT) file system, n: original file system used with Microsoft and IBM-compatible operating systems still in common use.

¹ This guide is under the jurisdiction of ASTM Committee E30 on Forensic Sciences and is the direct responsibility of Subcommittee E30.12 on Digital and Multimedia Evidence. Current edition approved Oct. 1, 2014. Published October 2014. Originally approved in 2009. Last previous edition approved in 2009 as E2678-09. DOI: 10.1520/E2678-09R14.

Copyright ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United States

2.1.18 intrusion detection system (IDS), n: software or hardware that are used to identify attacks or anomalies on computers or networks or both.

2.1.19 link analysis, n: type of analysis often used by law enforcement that uses visual or other means of showing relationships between people, places, events, and things by linking them through timelines, telephone calls, emails, or any other consistent scheme.

2.1.20 local area network (LAN), n: computer network covering a local area such as a home, office, or small group of buildings, such as a college.

2.1.21 malware, n: malicious software designed to cause unexpected and frequently undesirable actions on a system (for example, viruses, worms, spyware, or Trojan horses).

2.1.22 mock trial, n: often referred to as “moot court,” role-playing court proceedings intended to prepare students for courtroom testimony.

2.1.23 new technology file system (NTFS), n: advanced file system with security features commonly used with the Windows and all subsequent systems.

2.1.24 open system interconnect (OSI), n: layered model that describes the way computers communicate on a network.

2.1.25 personal area network (PAN), n: networking scheme that enables computers and other electronic devices to communicate with each other over short distances either with or without wires.

2.1.26 partitioning, v: software method of dividing a physical hard drive into logical containers that will appear as multiple logical drives.

2.1.27 peer to peer (P2P), n: communications network that allows multiple computers to share files.

2.1.28 personal electronic device (PED), n: consumer electronic device that is typically mobile or handheld (for example, personal digital assistant (PDA), cell phone, or iPOD).

2.1.29 photogrammetry, n: science of obtaining dimensional information of items depicted in photographs.

2.1.30 public key infrastructure (PKI), n: system that uses encryption to verify and authenticate network transactions.

2.1.31 random access memory (RAM), n: computer's read/write memory; it provides temporary memory space for the computer to process data.

2.1.32 redundant array of inexpensive/independent disks (RAID), n: system that uses two or more drives in combination for fault tolerance or performance.

2.1.33 steganography, n: technique for embedding information into something else, such as a text file in an image or a sound file, for the sole purpose of hiding the existence of the embedded information.

2.1.34 thumb drive, n: small digital storage device that uses flash memory and a universal serial bus (USB) connection to interface with a computer.

2.1.35 topology, n: physical layout or logical operation of a network.

2.1.36 virtual private network (VPN), n: computer network that uses encryption to transmit data in a secure fashion over a public network.

2.1.37 voice over internet protocol (VoIP), n: technique for transmitting real-time voice communications over the internet or another transmission control protocol/internet protocol (TCP/IP) network.

2.1.38 wide-area network (WAN), n: computer network covering a wide geographical area.

2.2 Acronyms:

2.2.1 FDA, n: Food and Drug Administration

2.2.2 FTC, n: Federal Trade Commission

2.2.3 IP, n: internet protocol

2.2.4 IRS, n: Internal Revenue Service

2.2.5 KSA, n: knowledge, skill, and ability

2.2.6 SEC, n: Securities and Exchange Commission

2.2.7 TCP, n: transmission control protocol

3. Significance and Use

3.1 With the proliferation of computers and other electronic devices, it is difficult to imagine a crime that could not potentially involve digital evidence. Because of the paucity of degree programs in computer forensics, practitioners have historically relied on practical training through law enforcement or vendor-specific programs or both.

3.2 In this guide, curricula for different levels of the educational system are outlined. It is intended to provide guidance to:

3.2.1 Individuals interested in pursuing academic programs and professional opportunities in computer forensics,

3.2.2 Academic institutions interested in developing computer forensics programs, and

3.2.3 Employers seeking information about the educational background of graduates of computer forensics programs and evaluating continuing education opportunities for current employees.

4. Qualifications for a Career in Computer Forensics

4.1 Introduction:

4.1.1 Computer forensics plays a fundamental role in the investigation and prosecution of crimes. Since any type of criminal activity may involve the seizure and examination of digital evidence, the percentage of cases that involves digital evidence will continue to increase. The preservation, examination, and analysis of digital evidence require a foundation in the practical application of science, computer technology, and the law. A practitioner of computer forensics shall be capable of integrating knowledge, skills, and abilities in the identification, preservation, documentation, examination, analysis, interpretation, reporting, and testimonial support of digital evidence. A combination of education and practical training can prepare an individual for a career in computer forensics, and this section addresses the qualifications an individual will need to pursue such a career.

4.1.2 As in all forensic disciplines, a combination of personal, technical, and professional criteria will influence a prospective computer forensics practitioner's suitability for employment. Effective written and oral communication skills are essential to computer forensics practitioners because they may have to testify to their examination results in court. New employees may be hired provisionally or go through a probationary period that requires successful completion of additional training or competency testing or both as a prerequisite for continued employment.

4.2 Career Paths in Computer Forensics:

4.2.1 Numerous competent, accurate, and admissible digital forensic examinations are performed every year by qualified and experienced examiners who have no college education. In fact, much of the expertise in this field is represented by professionals whose practical experience, on-the-job training, and work credentials qualify them in this discipline. Few institutions offer degrees in the discipline because the field is relatively new. As academic programs are developed and made available, it will become preferable for forensic examinations to be performed by individuals who have a degree in computer forensics (or a related field) supported by experience and training.

4.2.2 The discussion of qualifications presents three alternative career paths into computer forensics which are depicted in Fig. 1:

4.2.2.1 One is for law enforcement personnel who seek to move into computer forensics after they become sworn officers,

4.2.2.2 Another is for persons with relevant technical and critical thinking skills that are equivalent to a bachelor's degree, and

4.2.2.3 A third is for persons who have earned the formal degree.

4.2.3 A description of careers in computer forensics is provided in Appendix X1.

4.2.4 Personal Characteristics: Computer forensics, like other forensic disciplines, requires personal honesty, integrity, and scientific objectivity. Those seeking careers in this field should be aware that background checks similar to those required for law enforcement officers are likely to be a condition of employment. The following may be conducted or reviewed or both before an employment offer is made and may be ongoing conditions of employment (this list is not all-inclusive):

(1) Past work performance
(2) Drug tests
(3) History of drug use
(4) Driving record
(5) Criminal history
(6) Citizenship
(7) Credit history
(8) History of hacking
(9) Personal associations
(10) Psychological screening
(11) Medical or physical examination
(12) Polygraph examination

4.2.5 Academic Qualifications: Practitioners of computer forensics historically have not been required to have a degree. However, the trend within some areas of the field is to strengthen the academic requirements for this discipline and require a baccalaureate degree, preferably in a science. The academic qualifications for computer forensics practitioners are discussed in greater detail later in this guide and may include the following knowledge, skills, and abilities:

4.2.5.1 Technical:

(1) Computer hardware and architecture
(2) Storage media
(3) Operating systems
(4) File systems
(5) Database systems
(6) Network technologies and infrastructures
(7) Programming and scripting
(8) Computer security
(9) Cryptography
(10) Software tools
(11) Validation and testing
(12) Cross-discipline awareness

4.2.5.2 Professional:

(1) Critical thinking
(2) Scientific methodology
(3) Quantitative reasoning and problem solving
(4) Decision making
(5) Laboratory practices
(6) Laboratory safety
(7) Attention to detail
(8) Interpersonal skills
(9) Public speaking
(10) Oral and written communication
(11) Time management
(12) Task prioritization
(13) Application of digital forensic procedures
(14) Preservation of evidence
(15) Interpretation of examination results
(16) Investigative process
(17) Legal process

4.2.5.3 Copies of diplomas and formal academic transcripts are generally required as proof of academic qualification. Awards, publications, internships, and student activities may be used to differentiate applicants. Claims in this regard are subject to verification through the background investigation process.

4.2.6 Credentials: A digital forensic practitioner should demonstrate continued professional development that is documented by credentials. A credential is a formal recognition of a professional's KSA. Indicators of professional standing include academic credentials, professional credentials, training credentials, and competency tests. Credentials can facilitate the qualification of a witness as an expert.

4.3 Implementation: Keys to a Career in Computer Forensics:

4.3.1 Preemployment Preparation: Competitive candidates can demonstrate the interest and aptitude or KSAs that establish their readiness for a digital forensic position. These KSAs may include areas important to all potential forensic science practitioners including, but not limited to, quality assurance, ethics, professional standards of behavior, evidence control, report writing, scientific method, inductive and deductive reasoning, investigative techniques
