The legal aspects of corporate computer forensic investigations

The use of computer forensics was previously limited mainly to law enforcement agencies. However, UK organisations are increasingly undertaking computer forensics activities for incidents such as fraud, money laundering, accessing or distributing indecent images, harassment, industrial spying and identity theft amongst others. In this paper we examine the legal aspects of UK corporate computer forensic investigations.     

The legal aspects of corporate computer usage policies

In this paper we examine the legal aspects of corporate computer usage policies including their creation, management, and their relevance to corporate computer forensic investigations. Misuse of corporate computing facilities cannot only lead to a reduction in employee productivity and network bandwidth, but can also increase the risk of infection of such facilities by computer viruses and other malicious code. Moreover, it may lead to the risk of liability and legal action.     

Trust in digital records: An increasingly cloudy legal area

Trust has been defined in many ways, but at its core it involves acting without the knowledge needed to act. Trust in records depends on four types of knowledge about the creator or custodian of the records: reputation, past performance, competence, and the assurance of confidence in future performance. For over half a century society has been developing and adopting new computer technologies for business and communications in both the public and private realm. Frameworks for establishing trust have developed as technology has progressed. Today, individuals and organizations are increasingly saving and accessing records in cloud computing infrastructures, where we cannot assess our trust in records solely on the four types of knowledge used in the past. Drawing on research conducted at the University of British Columbia into the nature of digital records and their trustworthiness, this article presents the conceptual archival and digital forensic frameworks of trust in records and data, and explores the common law legal framework within which questions of trust in documentary evidence are being tested. Issues and challenges specific to cloud computing are introduced.     

电子邮件真伪鉴定初探

电子邮件作为网络沟通常见的形式之一，应用十分广泛，但涉及电子邮件的相关纠纷与犯罪问题也日益突出。很多案件由于无法判明电子邮件证据真实性，而导致诉讼无法正常进行、无奈拖延或者失败。为确定电子邮件证据真实性，对其进行科学鉴定显得十分重要，但电子邮件不同传统的物证、书证鉴定，其本身十分复杂，对其鉴定研究，必须分析常见的伪造形式，以及如何伪造，并在此基础上探讨鉴定的主要思路。     

The COLLECTORS ranking scale for ‘at‐scene’ digital device triage

As digital evidence now features prominently in many criminal investigations, such large volumes of requests for the forensic examination of devices has led to well publicized backlogs and delays. In an effort to cope, triage policies are frequently implemented in order to reduce the number of digital devices which are seized unnecessarily. Often first responders are tasked with performing triage at scene in order to decide whether any identified devices should be seized and submitted for forensic examination. In some cases, this is done with the assistance of software which allows device content to be “previewed”; however, in some cases, a first responder will triage devices using their judgment and experience alone, absent of knowledge of the devices content, referred to as “decision‐based device triage” (DBDT). This work provides a discussion of the challenges first responders face when carrying out DBDT at scene. In response, the COLLECTORS ranking scale is proposed to help first responders carry out DBDT and to formalize this process in an effort to support quality control of this practice. The COLLECTORS ranking scale consists of 10 categories which first responders should rank a given device against. Each devices cumulative score should be queried against the defined “seizure thresholds” which offer support to first responders in assessing when to seize a device. To offer clarify, an example use‐case involving the COLLECTORS ranking scale is included, highlighting its application when faced with multiple digital devices at scene.     

A study on the forensic mechanisms of VoIP attacks: Analysis and digital evidence

This paper discusses the use of communication technology to commit crimes, including crime facts and crime techniques. The analysis focuses on the security of voice over Internet protocol (VoIP), a prevention method against VoIP call attack and the attention points for setting up an Internet phone. The importance of digital evidence and digital forensics are emphasised. This paper provides the VoIP digital evidence forensics standard operating procedures (DEFSOP) to help police organisations and establishes an experimental platform to simulate phone calls, hacker attacks and forensic data. Finally, this paper provides a general discussion of a digital evidence strategy that includes VoIP for crime investigators who are interested in digital evidence forensics.     

利用邮件头分析电子邮件的真伪

目的通过分析电子邮件头,鉴别电子邮件的真伪,为电子邮件的真实性鉴定提供一些技术方法。方法运用邮件头的关键字段的构建机制对电子邮件的邮件头进行分析处理。结果示例邮件的邮件头的多处关键字段按照邮件传递时间和邮件传递地址的分析,不符合正常规律,系伪造的电子邮件。结论利用邮件头分析电子邮件不仅为确保电子邮件证据的证据效力提供了强有力的支持,也为获取破案的线索提供了条件。     

The different types of reports produced in digital forensic investigations

The importance of ensuring the results of any digital forensic (DF) examination are effectively communicated cannot be understated. In most cases, this communication will be done via written report, yet despite this there is arguably limited best practice guidance available which is specific for this field in regards to report construction. Poor reporting practices in DF are likely to undermine the reliability of evidence provided across this field, where there is a need for formalised guidance regarding the requirements for effective DF report construction; this should not be a task left solely to each individual practitioner to determine without instruction. For this, the field of DF should look to the wider forensic community and the existing work in this area for support. In line with many other ‘traditional’ forensic science types, a DF practitioner can be commissioned to report in one of three ways - ‘technical’, ‘investigative’ or ‘evaluative’, where each reporting type maintains a specific purpose and interpretative-context, determined by the examination workflow undertaken by a practitioner following client instruction. This work draws upon guidance set out in fundamental forensic science reporting literature in order to describe each reporting type in turn, outlining their scope, content and construction requirements in an attempt to provide support for the DF field.     

从一起经济纠纷案看电子证据司法鉴定

随着信息技术的快速发展和普及,电子证据司法鉴定工作的综合性和复杂性特征日益突出。通过以一起经济纠纷案为例,综合论述了某公司商用计算机系统的检验鉴定过程,文中涉及的主要技术包括商用管理软件分析、硬盘阵列重组、数据库检验等,在这类案件司法鉴定工作中具有一定的代表性。     

27-plex SNPs复合扩增检测体系构建与应用评价

目的建立27个常染色体SNPs复合检测体系,用于未知个体种族来源推断。方法通过对Hap Map数据库中描述祖先(非洲、欧洲、东亚)的遗传标记信息分析,选出27个SNPs位点,构建27个SNPs复合扩增体系;采用该体系对17个不同祖先人群的1 164份样本进行测试,得到的分型数据和在Hap Map数据库查询到的11个相关人群的数据;采用据聚类分析方法(K=3)进行祖先成分和匹配率计算,分析推算样品9947A的祖先来源,并进行体系性能验证。结果该体系可以进行单一和混合人群的种族来源和种族成分推断,来自新疆的人群遗传成分呈现在欧洲与东亚祖先之间连续分布,样品9947A祖先成分和匹配率与相关文献分析结果一致。浓度最低为0.1ng/μL时27个等位基因均可正确判型。结论本文构建的27-plex SNPs复合体系可以精确推断非洲、欧洲、东亚血统的个体祖先起源,且对欧亚混合人群(欧洲/东亚)有较好的推断能力,可在相关研究和实践中选择使用。     

27个常染色体AIM-SNP的筛选和验证

目的构建27个常染色体AIM-SNP组合用于未知个体种族来源推断。方法通过对Hap Map数据库中描述祖先遗传信息标记的908个AIMs位点(非洲、欧洲、东亚人群)筛选,选出27个AIMs位点组合,利用相关软件同时与数据库908个AIMs不同子集合的分析进行对比,验证其推断祖先来源的可行性。结果应用本研究27个AIMs的SNP多态性分析方法可以正确推断未知样品祖先起源,估算祖先成分比例。结论本研究建立的常染色体27个AIMs的SNP多态性分析方法可准确推断来自于欧洲、非洲、东亚3大祖先血统个体的祖先来源,是SNP多态性分析用于个体种族来源推断的一种有效方法,在法医实践中可以用于DNA检验中未知DNA供者洲际人群祖先来源推断。     

对利用网络进行诈骗犯罪的侦查取证问题研究

近年来，伴随着网络普及程度的提高，网络诈骗犯罪亦日趋严重。网络的开放性、不确定性、虚拟性等特点使网络诈骗犯罪的证据更加复杂多变、网络诈骗犯罪的取证更加困难。面对诸多严峻的取证难的现状，在分析其原因后有针对性地提出一些解决网络诈骗犯罪取证难的办法和建议，以期突破网络诈骗案件取证的难题，从而有效地遏制网络诈骗犯罪。     

电子数据鉴定标准体系研究

结合电子数据鉴定实务与实验室管理体系建设的需求,在分析国内外电子数据鉴定标准化现状的基础上,提出了电子数据鉴定标准体系的整体框架及其组成,并分析了标准研制的关键技术问题。     

A Comprehensive and Harmonized Digital Forensic Investigation Process Model

Performing a digital forensic investigation (DFI) requires a standardized and formalized process. There is currently neither an international standard nor does a global, harmonized DFI process (DFIP) exist. The authors studied existing state-of-the-art DFIP models and concluded that there are significant disparities pertaining to the number of processes, the scope, the hierarchical levels, and concepts applied. This paper proposes a comprehensive model that harmonizes existing models. An effort was made to incorporate all types of processes proposed by the existing models, including those aimed at achieving digital forensic readiness. The authors introduce a novel class of processes called concurrent processes. This is a novel contribution that should, together with the rest of the model, enable more efficient and effective DFI, while ensuring admissibility of digital evidence. Ultimately, the proposed model is intended to be used for different types of DFI and should lead to standardization.     

Challenges in digital forensics

Abstract

Various terms have been used to describe the intersection between computing technology and violations of the law-including computer crime, electronic crime, and cybercrime. While there remains little agreement on terminology, most experts agree that the use of electronic devices to commit crime has increased dramatically and is now commonplace. It is the role of the digital investigator to bring cybercriminals to justice. Cybercrime however differs from traditional crime and presents a variety of unique challenges including the variety of electronic devices available, amount of data produced by these devices, the absence of standard practices and guidelines for analyzing that data, the lack qualified personnel to perform investigations and the lack of resources to provide on-going training. This paper examines these challenges     

“双规、双指”期间自书材料的证据法分析

自书材料是职务犯罪审理时常见的一种证据形式,但它作为诉讼证据的合法性不足,故在证据属性上应当把它界定为“准口供”。自书材料在使用时应当受到限制,不能随侦查卷宗一起不受限制地直入法庭,应以用作弹劾证据为原则。在满足真实性保障的前提下,自书材料可以用作实质证据,但任何时候不得用作补强证据。应当把刑讯、变相刑讯以及威胁、引诱、欺骗所取得的自书材料均界定为非法证据。但非法自书材料不能对后续的侦查口供产生波及效应,否则就意味着惩罚守法的侦查人员,有违排除规则之阻却违法的目的,也有以司法干预党纪之嫌。