ASTM E2763-2010 Standard Practice for Computer Forensics
Designation: E2763 - 10

Standard Practice for Computer Forensics¹

This standard is issued under the fixed designation E2763; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.

1. Scope

1.1 This practice describes techniques and procedures for computer forensics within the context of a criminal investigation.
1.1.1 This practice can be applicable to civil litigation.
1.2 This practice describes seizing possible evidence, proper evidence handling, digital imaging, forensic analysis/examination, evidence-handling documentation, and reporting.
1.3 This practice is not all inclusive and does not contain information relative to specific operating systems or forensic tools.
1.4 The values stated in SI units are to be regarded as standard. No other units of measurement are included in this standard.
1.5 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety and health practices and determine the applicability of regulatory limitations prior to use.

2. Referenced Documents

2.1 ASTM Standards:²
E2678 Guide for Education and Training in Computer Forensics
2.2 SWGDE Standards:³
Recommended Guidelines for Validation Testing

3. Significance and Use

3.1 The purpose of this practice is to describe techniques and procedures for computer forensics in regard to evidence handling, computers, digital imaging, and forensic analysis and examination.
3.2 The examiner should be trained in accordance with Guide E2678.
3.3 Individuals not trained in proper digital evidence procedures should consult with an appropriate specialist before proceeding.
3.4 When dealing with technology outside your area of expertise, consult with an appropriate specialist before proceeding.

4. Seizing Evidence

4.1 General guidelines concerning the seizing of evidence are:
4.1.1 Consult with the investigator or responsible party to determine the necessary equipment to take to the scene.
4.1.2 Review the legal authority to seize the evidence, ensuring any restrictions are noted. If necessary during the execution of the seizure, obtain additional authority for evidence outside the scope of the search.
4.1.3 When it is impractical to remove the evidence from the scene, the evidence items shall be copied or imaged according to organizational policy.
4.1.4 All suspects, witnesses, and bystanders shall be removed from the proximity of digital evidence to ensure the integrity of potential evidence.
4.1.5 Solicit information from potential suspects, witnesses, system administrators, and so forth, to ascertain knowledge of the systems to be seized (for example, password(s), operating system(s), screen names, remote access users, and E-mail addresses).
4.1.6 The scene shall be searched systematically and thoroughly for evidence. Searchers shall be trained to recognize the different types of evidence. Check for additional media that may be attached to the computer system.

5. Evidence Handling

5.1 Document the scene, which can include: taking clear, detailed photographs (of the computer screen, of the front and back of the computer, and of the area around the computer to be seized) and making a sketch/notation of the computer connections and surrounding area, or both.
5.2 If the computer is turned off, DO NOT turn on the computer.
5.2.1 Before powering down a computer, consider the potential of encryption software being installed on the computer or as part of the operating system. If present, appropriate forensic methods should be used to capture the unencrypted data and any volatile data that would be lost if the computer is powered down.
5.2.2 Be aware that storage devices may not be physically connected and a proper search for wireless devices must be conducted.
5.2.3 Assess the power needs for devices with volatile memory and follow organizational policy for the handling of those devices.
5.2.4 Document the condition of the evidence, including any preexisting damage.
5.2.5 Appropriately document the connection of the external components.
5.3 Stand-Alone Computer (Non-Networked):
5.3.1 Disconnect all power sources by unplugging from the back of the computer. Also, remove batteries from laptops.
5.3.2 Place evidence tape over the power plug connector on the back of the computer.
5.4 Networked Computer:
5.4.1 Workstations: Remove the power connector from the back of the computer.
5.4.2 Place evidence tape over the power plug connector on the back of the computer.
NOTE 1: Any network computer can be used for file sharing and those systems should follow normal shutdown procedures.
5.5 Servers:
5.5.1 Determine whether the network connection should be disconnected after consulting with an individual trained in proper digital evidence procedures.
5.5.2 A determination shall be made as to the extent of data that should be seized.
5.5.3 Capture volatile data if necessary.
5.5.4 If shutdown is necessary, use the appropriate commands. (Warning: Pulling the plug could severely damage the system, disrupt legitimate business, or create officer and department liability, or combinations thereof.)
5.6 Each piece of evidence shall be protected from change and a chain of custody maintained as determined by organizational policy. Appropriate packaging of evidence can include any of the following:
5.6.1 Plastic/paper bags or sleeves;
5.6.2 Computer case sealed with evidence tape over case access points and power connector;
5.6.3 Some devices may require power to maintain the volatile memory and should be packaged appropriately; and
5.6.4 Specific care shall be taken with the transportation of digital evidence material to avoid physical damage, vibration, and the effects of magnetic fields, static electricity, and large variations of temperature and humidity.

6. Equipment Preparation

6.1 "Equipment" in this section refers to the non-evidentiary hardware and software the examiner uses to conduct the forensic imaging or analysis of the evidence.
6.1.1 Equipment shall be monitored and documented to ensure proper performance is maintained.
6.1.2 Only suitable and properly operating equipment shall be used.
6.1.3 The manufacturer's operation manual and other relevant documentation for each piece of equipment shall be accessible.
6.1.4 Analysis/imaging software shall be validated before use as discussed in the SWGDE Recommended Guidelines for Validation Testing.

7. Forensic Imaging

7.1 Document the current condition of evidence.
7.2 Take precautions to prevent exposure to evidence that may be contaminated with dangerous substances or hazardous materials.
7.2.1 All items submitted for forensic examination shall be examined for the integrity of their packaging. Any deficiency in the packaging, which may compromise the received value of the examination, shall be documented. Consideration shall be given if the deficiency in packaging warrants the refusal to conduct the examination. Any exceptions between the inventory and the actual evidence discovered by the examiner shall be documented.
7.3 Hardware or software write blockers should be used to prevent the evidence from being modified.
7.4 Methods of acquiring evidence should be forensically sound and verifiable.
7.5 Forensic image(s) should be captured using hardware/software that is capable of capturing a "bit stream" image of the original media.
7.6 Digital evidence submitted for examination shall be maintained in such a way that the integrity of the data is preserved, for example, use a hashing function.
7.7 Properly prepared media shall be used when making forensic copies to ensure no commingling of data from different sources.
7.8 Forensic image(s) shall be archived to media and maintained consistent with departmental policy and applicable laws.

8. Forensic Analysis/Examination

8.1 The examiner shall review documentation provided by the requestor to determine the processes necessary to complete the examination and ascertain legal authority to perform the requested examination. Examples of such authority include: consent to search by owner, search warrant, or other legal authority.
8.2 Before commencing any examination, consider:
8.2.1 The urgency and priority of the requestor's need for information and the time conditions contained in the search authorization;
8.2.2 The other types of forensic examination that might need to be carried out on the evidentiary item; and
8.2.3 Which items offer the best choice of target data in terms of evidentiary value.
8.3 The requestor and the examiner should identify the scope and purpose of the examination.
8.4 Conducting an examination on the original evidence media should be avoided. Examinations should be conducted on forensic copies or via forensic image files.
8.5 Use appropriate controls and standards during the examination procedure.
8.6 Conduct the examination of the media in a manner consistent with the laboratory's standard operating procedures (SOPs).
8.7 Forensic Analysis/Examination of Nontraditional Computer Technologies:
8.7.1 With the rapid development of technologies such as cell phones, smart phones, personal digital assistants (PDAs), portable digital audio players, digital video recorder (DVR) systems, gaming systems, and so forth, traditional digital forensic techniques and procedures may not be appropriate nor effective in the processing of this type of data.
8.7.2 All attempts shall be made to use accepted practices and procedures when processing electronic digital devices with a nontraditional format. If these techniques are ineffective or not appropriate for the analysis of this type of data or both, alternate procedures may be used. All nontraditional techniques, if possible and feasible, shall be tested or validated or both before the application on the evidentiary media. All steps of the methodology used shall be documented.

9. Documentation

9.1 Evidence-handling documentation shall include:
9.1.1 Copy of legal authority,
9.1.2 Chain of custody,
9.1.3 Initial count of evidence items to be examined,
9.1.4 Information regarding the packaging and condition of the evidence upon receipt by the examiner,
9.1.5 Description of the evidence, and
9.1.6 Communications regarding the case.
9.2 Examination documentation shall be case specific and contain sufficient details to allow another forensic examiner, competent in the same area of expertise, to be able to identify what has been done and access the findings independently.
9.3 Documentation shall be preserved according to the examiner's organizational policy.

10. Report

10.1 Examination reports shall meet the requirements of the examiner's organization.
10.2 Reports issued by the examiner shall address the requestor's needs.
10.3 The report is to provide the reader with all the relevant information in a clear and concise manner.

11. Review

11.1 The examiner's organization shall have a written policy establishing the protocols for technical/peer and administrative review.
11.2 The examiner's organization shall have a written policy to determine the course of action if an examiner and reviewer fail to reach agreement.

12. Keywords

12.1 computer data; computer forensic analysis; computer forensics; computers; evidence; software; volatile memory

¹ This practice is under the jurisdiction of ASTM Committee E30 on Forensic Sciences and is the direct responsibility of Subcommittee E30.12 on Digital and Multimedia Evidence. Current edition approved Aug. 15, 2010. Published September 2010. DOI: 10.1520/E2763-10.
² For referenced ASTM standards, visit the ASTM website, www.astm.org, or contact ASTM Customer Service at service@astm.org. For Annual Book of ASTM Standards volume information, refer to the standard's Document Summary page on the ASTM website.
³ Available from Scientific Working Group on Digital Evidence (SWGDE), http://www.swgde.org/documents.

Copyright © ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959, United States.

ASTM International takes no position respecting the validity of any patent rights asserted in connection with any item mentioned in this standard. Users of this standard are expressly advised that determination of the validity of any such patent rights, and the risk of infringement of such rights, are entirely their own responsibility.

This standard is subject to revision at any time by the responsible technical committee and must be reviewed every five years and if not revised, either reapproved or withdrawn. Your comments are invited either for revision of this standard or for additional standards and should be addressed to ASTM International Headquarters. Your comments will receive careful consideration at a meeting of the responsible technical committee, which you may attend. If you feel that your comments have not received a fair hearing you should make your views known to the ASTM Committee on Standards, at the address shown below.

This standard is copyrighted by ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959, United States. Individual reprints (single or multiple copies) of this standard may be obtained by contacting ASTM at the above address or at 610-832-9585 (phone), 610-832-9555 (fax), or service@astm.org (e-mail); or through the ASTM website (www.astm.org). Permission rights to photocopy the standard may also be secured from the ASTM website (www.astm.org/COPYRIGHT/).
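Clauses 7.3 to 7.7 of the practice above say what a sound acquisition must do (write-block the source, take a bit-stream copy, hash it, image onto properly prepared media) but name no tooling. The script below is an added illustration of those clauses in code; it is not part of ASTM E2763 and not taken from any ASTM or SWGDE tool. Everything in it is assumed: the 512-byte sector size, the SimulatedMedia class standing in for a write-blocked device, the rule that "properly prepared" target media reads as all zeros, zero-filling plus logging for a sector that cannot be read, SHA-256 as the hashing function of 7.6, and the constructed sample data in demo().

```python
"""Added example, not from ASTM E2763 or any forensic tool: a bit-stream
acquisition with the checks of clauses 7.5 to 7.7. Assumed here: 512-byte
sectors, a read-only sector interface standing in for a write-blocked device,
zero-fill plus logging for unreadable sectors, "prepared" media meaning
all-zero media, and SHA-256 as the hashing function."""
import hashlib
import os
import tempfile

SECTOR = 512


class SimulatedMedia:
    """Constructed stand-in for a block device: a byte buffer plus the
    indices of sectors that fail to read."""

    def __init__(self, data: bytes, bad_sectors=()):
        if len(data) % SECTOR:
            raise ValueError("buffer must be a whole number of sectors")
        self.data, self.bad = data, set(bad_sectors)

    @property
    def sector_count(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, i: int) -> bytes:
        if i in self.bad:
            raise OSError(f"I/O error reading sector {i}")
        return self.data[i * SECTOR:(i + 1) * SECTOR]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_wiped(path: str) -> bool:
    """7.7: target media must carry nothing from an earlier case; here that
    means every byte reads as zero."""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            if chunk.count(0) != len(chunk):
                return False
    return True


def acquire(media: SimulatedMedia, target_path: str):
    """7.5: copy every sector in order onto wiped target media, hashing the
    bytes as they are written. Returns (sha256 hex, list of bad sectors)."""
    if not is_wiped(target_path):
        raise ValueError(f"{target_path} is not wiped; refusing to image onto it")
    h, bad_sectors = hashlib.sha256(), []
    with open(target_path, "r+b") as out:
        for i in range(media.sector_count):
            try:
                block = media.read_sector(i)
            except OSError:
                bad_sectors.append(i)     # recorded in the acquisition notes
                block = bytes(SECTOR)     # and zero-filled in the image
            out.write(block)
            h.update(block)
    return h.hexdigest(), bad_sectors


def verify(image_path: str, acquisition_hash: str) -> bool:
    """7.6: re-hash the stored image and compare with the acquisition hash."""
    return sha256_file(image_path) == acquisition_hash


def demo() -> dict:
    """Whole procedure on constructed data: 8 sectors, sector 3 unreadable."""
    data = bytes(range(256)) * 16
    media = SimulatedMedia(data, bad_sectors={3})
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target.dd")
        with open(target, "wb") as f:
            f.write(bytes(len(data)))        # freshly wiped target media
        wiped_before = is_wiped(target)
        digest, bad = acquire(media, target)
        verified = verify(target, digest)
        with open(target, "r+b") as f:       # one byte of the image altered later
            f.seek(100)
            f.write(b"\xff")
        verified_after_change = verify(target, digest)
    expected = data[:3 * SECTOR] + bytes(SECTOR) + data[4 * SECTOR:]
    return {
        "wiped_before": wiped_before,
        "bad_sectors": bad,
        "hash_matches_zero_filled_source": digest == sha256_bytes(expected),
        "verified": verified,
        "verified_after_change": verified_after_change,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print the outcome of each check. Two points matter in practice: the hash is taken over what was written, so a zero-filled bad sector is part of the recorded value and the bad-sector list belongs in the acquisition notes next to the hash; and a hash of the image alone shows only that the image has not changed since acquisition, so where the write blocker and device allow it the source should be hashed separately and the two values compared and both recorded.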
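Clause 5.6 requires a chain of custody and 9.1.2 lists it among the evidence-handling records, without prescribing a form. The script below is an added illustration, not part of ASTM E2763 and not any organization's custody system, of one way to keep such a log tamper-evident: each custody event is a JSON record that carries the item's SHA-256 (tying the record to the integrity check of 7.6) and the hash of the previous record. The record layout, the CustodyLog class, the item identifier ITEM-001, the custodian names and the times are all constructed for the example.

```python
"""Added example, not from ASTM E2763: a tamper-evident chain-of-custody log
for the records that 5.6 and 9.1.2 call for. Assumed here: one JSON record
per custody event carrying the item's SHA-256 and the previous record's hash,
with the tail hash kept out of band (on the paper custody form, or signed);
item identifiers, names and times below are constructed."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev_hash of the first record


def record_hash(record: dict) -> str:
    """SHA-256 of a record's canonical JSON, excluding its own hash field."""
    body = {k: v for k, v in record.items() if k != "record_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class CustodyLog:
    def __init__(self):
        self.records = []

    def add(self, item_id, action, custodian, item_sha256, notes="", when=None):
        """Append one custody event (seized, transferred, received, imaged, ...)."""
        when = when or datetime.now(timezone.utc)
        rec = {
            "seq": len(self.records),
            "time": when.isoformat(),
            "item_id": item_id,
            "action": action,
            "custodian": custodian,
            "item_sha256": item_sha256,
            "notes": notes,
            "prev_hash": self.tail_hash(),
        }
        rec["record_hash"] = record_hash(rec)
        self.records.append(rec)
        return rec["record_hash"]

    def tail_hash(self) -> str:
        return self.records[-1]["record_hash"] if self.records else GENESIS

    def first_broken(self):
        """Index of the first record whose hash or link fails, or None if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if (rec["seq"] != i or rec["prev_hash"] != prev
                    or record_hash(rec) != rec["record_hash"]):
                return i
            prev = rec["record_hash"]
        return None

    def item_hash_unchanged(self, item_id) -> bool:
        """7.6 check: every event for the item reported the same item hash."""
        seen = {r["item_sha256"] for r in self.records if r["item_id"] == item_id}
        return len(seen) <= 1

    def dumps(self) -> str:
        """One JSON record per line, the form in which the log would be stored."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def demo() -> dict:
    """A constructed custody history for one item, then two ways of tampering."""
    t0 = datetime(2010, 9, 1, 9, 0, tzinfo=timezone.utc)
    item_hash = hashlib.sha256(b"constructed image contents").hexdigest()
    log = CustodyLog()
    log.add("ITEM-001", "seized", "Officer A", item_hash, "laptop, scene photo 4", t0)
    log.add("ITEM-001", "transferred", "Officer A to Examiner B", item_hash, when=t0.replace(hour=11))
    log.add("ITEM-001", "received", "Examiner B", item_hash, "seal intact", t0.replace(hour=11, minute=5))
    intact = log.first_broken() is None
    sealed_tail = log.tail_hash()                      # what goes on the paper form

    log.records[1]["custodian"] = "Officer C"          # in-place edit
    broken_at = log.first_broken()                     # the chain catches it
    for i in range(1, len(log.records)):               # forger re-hashes forward
        log.records[i]["prev_hash"] = log.records[i - 1]["record_hash"]
        log.records[i]["record_hash"] = record_hash(log.records[i])
    rewritten_verifies = log.first_broken() is None    # chain alone is fooled
    tail_matches = log.tail_hash() == sealed_tail      # out-of-band hash is not

    log.add("ITEM-001", "imaged", "Examiner B", "f" * 64, when=t0.replace(hour=13))
    return {
        "intact": intact,
        "broken_at": broken_at,
        "rewritten_verifies": rewritten_verifies,
        "tail_matches": tail_matches,
        "item_hash_unchanged": log.item_hash_unchanged("ITEM-001"),
    }


if __name__ == "__main__":
    print(demo())
```

The demo shows the limit of the technique as well as its use: an in-place edit breaks the chain, but an attacker who can rewrite the file can recompute every hash from the edited record forward and the chain verifies again. The log is therefore only evidence of integrity when its tail hash is recorded somewhere the writer of the log cannot change, such as the signed paper custody form or a separate signed record, and compared against it at review. The item_hash_unchanged check flags any custody event that reports a different hash for the same item, which is where a re-verification failure under 7.6 would surface.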