Authoritative Texts/Academic papers on Forensic Computing

Hi Andy,

Good question!

My initial thoughts were of ISTS at Dartmouth College ( http://www.ists.dartmouth.edu ) and the guidelines published by the National Institute of Justice ( http://www.ojp.usdoj.gov/nij/sciencetech/ecrime_pub.htm ) but I'm not sure if either address the specific points you've raised. I guess there's also DFRWS ( http://www.dfrws.org/ ), IJDE ( http://www.ijde.org/ ), SWGDE ( http://ncfs.org/swgde/documents.html ) and NIST ( http://www.cftt.nist.gov/ ) as far as respectable sources of best practice info are concerned. Beyond that http://www.forensics.nl/links/ and http://www.e-evidence.info/index.html are good resources for a wide variety of whitepapers.

I suspect you're already aware of most, if not all, of the above though so I'm not sure how helpful any of it is. One thing I'd be interested in learning…what do we think is the standard reference for digital evidence recovery in the UK? ACPO?

Cheers,

Jamie

Hi Jamie,

Many thanks for the link, I will take a loot at what they have got to offer.

In respect of the UK you are right, its the ACPO's Good Practice Guide for Computer Based Electronic Evidence (NHTCU, 2004) that is adhered to.

This is often referred to as the doctrine of documentary evidence and quoted in the ACPO guide as “the onus is on the prosecution to prove that the item is no more or no less that when it first came into the possession of the police”.

The four principles can be briefly listed as:-

1. No officer or agent should access or alter the original data
2. In exceptional circumstances, should data be accessed only those competent to do so may perform this action.
3. An audit should be made of the process so that an independent third part can retrace the steps.
4. The officer in charge of the case is responsible for ensuring these principles are followed.

The guide is published by HMSO, and is available online.

I have read similar best practice guidelines for other countries, but for the puropse of my paper I'm consentrating on the UK.

Andy

3. An audit should be made of the process so that an independent third part can retrace the steps.

IMHO, this is an area understood by LEOs and academics, but most of the rest of the IT (in particular, security) industry avoids it like the plague. The processes we use should be repeatable and verifiable, regardless of whether we're talking about vulnerability assessments or incident handling.

H. Carvey
"Windows Forensics and Incident Recovery"

I agree

Many thanks for the link, I will take a loot at what they have got to offer

A fraudian slip? 😆

R

Oh, very good 😆 😆 😆

(And welcome to Forensic Focus!)

Jamie

Oi cheeky 😀

Hi mate, nice to see you made it here.

A fraudian slip?

Ah, good one! Where it should have been "Freudian", you put a variation on "fraud"…in the words of Mr. Burns, "Excellent!"

Wanted to through this one out there…

Windows Forensics and Incident Recovery
http://www.windows-ir.com

Thanks!

Lol – ‘through’ instead of ‘throw’, very good. We need to seize erm … cease the slip-ups, least we look legitimate ….. erm literate. 😆

I downloaded the sample pdf for your book keydet89. It looks very interesting. I’ll have to look into obtaining a copy. 😉

Many thanks

Andy