Forensic Readiness: Emerging Discipline for Creating ...

Download PDF
5 downloads 83640 Views 400KB Size Report
Comment
different requirements of the three scenarios can be realized using a hardware⁃based solution. ... lawful interception of voice communication, automotive black box, precise farming. .... documented in a security certificate with an appropriate.
Journal of Harbin Institute of Technology ( New Series) , Vol.22, No.1, 2015

Forensic Readiness: Emerging Discipline for Creating Reliable and Secure Digital Evidence Barbara Endicott⁃Popovsky 1 , Nicolai Kuntze2 , Carsten Rudolph 2

(1. Institute of Technology, University of Washington, Tacoma, WA 98402, USA; 2.Fraunhofer Institute of Technology,64295 Darmstadt, Germany)

Abstract: Traditional approaches to digital forensics reconstruct events within digital systems that often are not built for the creation of evidence; however, there is an emerging discipline of forensic readiness that examines what it takes to build systems and devices that produce digital data records for which admissibility is a requirement. This paper reviews the motivation behind research in this area, a generic technical solution that uses hardware⁃based security to bind digital records to a particular state of a device and proposed applications of this solution in concrete, practical scenarios. Research history in this area, the notion of secure digital evidence and a technical solution are discussed. A solution to creating hardware⁃based security in devices producing digital evidence was proposed in 2012. Additionally, this paper revises the proposal and discusses three distinct scenarios where forensic readiness of devices and secure digital evidence are relevant. It shows, how the different requirements of the three scenarios can be realized using a hardware⁃based solution. The scenarios are: lawful interception of voice communication, automotive black box, precise farming. These three scenarios come from very distinctive application domains. Nevertheless, they share a common set of security requirements for processes to be documented and data records to be stored. Keywords: digital forensics, forensic readiness, calibration, digital evidence CLC number: TP39      Document code: A        Article ID: 1005⁃9113(2015)01⁃⁃08

1  Introduction A typical incident response presents time⁃ pressured technicians with networks that provide little support for forensic data collection [1] . Technicians must choose between seeking to gather network data that may be “ forensically sound,” or restoring the network as quickly as possible [2] . When “ forensic soundness ” includes the ability to endure legal scrutiny in a court of law, the effort involved in collecting forensic data can be extremely expensive in labor and time, in addition to the possibility that the effort may not be successful, or even used. The requirement of network technicians to restore productivity often drives them to restore the network, even when the result is alteration of key files, limiting their forensic value, and their value as courtroom evidence. When there is relatively limited interest in pursuing legal action [3] , the rational choice for network administrators is the expedient one—reestablish productivity by restoring network function as rapidly as possible. The expedient choice applies minimal effort to collecting and preserving forensically sound information for later courtroom use. The choice to restore the network immediately is Received 2013-08-12. Corresponding author: Barbara Endicott⁃popovsky. E⁃mail: endicott@ uw.edu.

not necessarily the best choice because online crime and insider misuse of private networks continue to grow. The ever⁃increasing problem of digital crime has given rise to the concept of forensic readiness ( FR) , which arose as a recommendation for improving the efficiency of forensic investigations. Tan [4] firstly defined forensic readiness in 2001 as ″ maximizing the ability of an environment to collect credible digital evidence while minimizing cost of incidence response″. That definition has been evolved by the authors as a result of work with implementable solutions to this challenge. Because industry for years has not seen a market for this capability, which would involve creating significant cost increases to devices and network designs, customers have not seen the value of absorbing these costs and therefore, until recently, there has been little work in this area. Nevertheless, many scenarios do exist where devices are built to produce digital data records for which admissibility can be relevant [5] . Technological solutions proposed by the authors use hardware⁃based security to bind digital records to a particular state of a device. A notion of secure digital evidence and a generic process to set⁃up and deploy such a solution was previously described in Refs. [ 2, 6 - 7 ] . The next step in the work is to discuss

· 99·

Journal of Harbin Institute of Technology ( New Series) , Vol.22, No.1, 2015 the applicability and relevance of secure digital evidence in the context of concrete, practical scenarios. Further, the legal implications of possible attacked in certain digital scenarios need the discussion as well as the suitability of the proposed solutions needs to be evaluated. Finally, the possibility of efficient and economic realization needs to be assessed and validated.

significant time of University personnel to research and document the criminal activity, provides insight into why embedding forensic readiness in the design of compontents or networks is necessary [8] . The following table summarizing these two cases, one a script kiddy from New Zealand seeking vengeance against an ISP, the other a Russian organized crime case where the prepatrators tricked e⁃Bay into paying millions into PayPal, as shown in Table 1. These cases spanned a period of time of several years and demonstrate the advance of motives and consequences of online crime over the last decade. Together they demonstrate the need for a preventive and proactive response to malicious intrusion over a reactive one. Current ad hoc approaches are not sufficiently scalable to address the significant numbers of intrusion cases needing forensic documentation [3] .

2  History of Forensic Readiness Research This body of work has led to an international collaboration between the University of Washington and Fraunhofer Darmstadt. The University firstly observed the limitations of forensic investigations in live network environments as early as the late 1990’ s. A post morten of two cases of cyber attacks that involved University computers, and thus required

Table 1  Comparing the New Zealand and Russian cases Characteristics

New Zealand hacker case

Russian hacker case

Type of attack

Typical intrusion scenario d

Online automated auction scam

Damages( $)

400 000

25 million

Intruders

Script kiddies

Investigator time( h)

417

Investigation costs( $)

27 800

Consequences

Community service

Investigator

Sys admins learning forensics

Network forensic readiness

Reactive

    Subsequent FR research at the University of Washington was guided by the question: How can we overcome the inordinate effort / cost of digital forensic investigations? Results of this work included the development of several models and tools for designing

Criminal hackers 9×30×24

100 000 ( partial)

3 & 4 years in Federal prison

expert recruited to work for the FBI Reactive

and implementing FR approaches and techniques: 1) The 4R model for strategies of accountable systems [1] , extending work on survivability by Carnegie Mellon [2] , as shown in Table 2.

Table 2  Strategies of accountable systems [9] Survivability strategy                                Resistance

Recognition

Ability to repel attacks 1) Ability to detect an attack or a probe 2) Ability to react or adapt during an attack

Recovery

1) Provide essential services during attack 2) Restore services following an attack

Redress

1) Ability to hold intruders accountable in a court of law. 2) Ability to retaliate

· 100·

Tools

Firewalls User authentication Diversification Intrusion detection systems Internal integrity checks Incident response Replication Backup systems Fault tolerant designs Computer Forensics Legal remedies Active defense

Journal of Harbin Institute of Technology ( New Series) , Vol.22, No.1, 2015     2) The Network forensic development life cycle ( NFDLC ) for integrating forensic readiness

requirements into systems design [2] derived from the NIST ISDL [10] , as shown in Fig.1.

I n i t i a t i o n

Ri s k As s e s s me n t

Ne t wo r kf o r e ns i c s de v e l o pme ntl i f ec y c l e ( NFDLC)

Ac qui s i t i o n/ d e v e l o p me n t

Ch e c k l i s t s

I mp l e me n t a t i o n

Ca l i b r a t i o n t e s t s

Op e r a t i o ns / ma i ne na nc e

Audi t s

Di s po s i t i o n

Cha i no f c us t o dy

Fig.1  Network forensics development life cycle

    3) The observability calibration test development framework ( OCTDF ) for calibrating devices for the purposes of establishing foundation for admissibility of

legal evidence derived from devices on networks[9] , as shown in Fig.2.

Observability calibration test development framework ( OCTDF) Step 1  Identify potential challenge areas and environment. Identification is accomplished by briefly modeling interactions of interest given a particular scenario; then using that information to identify whether, or not, lost network data could damage evidence value. The result will be a set of pairs of behavior to be observed, and the circumstances under which that observation is expected to take place. Step 2  Identify calibration testing goals. Given each pairing of behaviors to be observed, and the likely circumstance for observation, testing goals are identified that are supportive of demonstrating evidence value. Step 3  Devise a test protocol. From the testing goals identified in Step 2, a testing protocol is devised that will provide appropriate calibration for the device in question.

Fig.2  Framework for calibration test protocols

    This work leads to the collaboration with Fraunhofer Darmstadt to pursue the development of devices that will implement the principles described above. A series of publications results describe the implementation of FR requirements into devices through integration of the trusted platform module ( TPM ) which provides a hardware security anchor that better assures the authenticity and integrity of evidence produced by the device [11] . What follows is a discussion of the results from that collaboration, including a redefinition of FR that includes the idea of integrating TPM into devices. We conclude with a description of several possible scenarios that can be good candidates for implementation of the work been developed in a

laboratory setting. 3  Secure Digital Evidence This section briefly recapitulates the notion of secure digital evidence and the technical solution previously proposed in Ref.[6] . 3􀆰 1  A Notion of Secure Digital Evidence A data record can be considered secure if it is created authentically by a device for which the following holds: 1) The device is physically protected to ensure at least tamperproof⁃evidence. The data record is securely bound to the identity and status of the device ( including running software and configuration) and to · 101·

Journal of Harbin Institute of Technology ( New Series) , Vol.22, No.1, 2015 all other relevant parameters ( such as time, temperature, location, users involved, etc.) 2) The data record has not been changed after creation. Digital evidence according to this definition comprises the measured value ( e.g. a photo and speed measurement [12] ) and additional information on the state of the measurement device. This additional information on the state of the measurement device aims to document the operational environment providing evidence which can help lay the foundation for admissibility. 3􀆰 2  A Possible Solution to Generate Secure Digital Evidence The content and format of data records produced on a device will depend on various factors, such as the hardware design of the device, software running on the device, and the configuration implemented. Further, once a digital data record is produced, integrity, confidentiality and authenticity must be ensured by some mitigating control such as the use of secure cryptographic algorithms for encryption and digital signatures ( similar requirements are also applicable for long term archiving [13] ) . Also, solutions for secure long⁃term archiving must be considered. The proposed solution is based on a device which is produced and configured in a way resulting in admissible evidence which is correct and reliable as long as the device is not physically manipulated or corrupted. Various types of attacks need to be considered for such a device. Attacks include attacks on communication channels, attacks via various physical interfaces ( e. g. USB [14] ) , or attacks exploiting weaknesses of software running on the device. If the goal is to manipulate digital data before it is protected by a digital signature, attacks need to change software or configurations on the device in order to change the actual creation of the data records. Thus, one possible technical solution is to use a so⁃called Trusted Platform Module [15] to bind data records to the status of the device at the time of creation of the data record. This status can include all executable software started on the device since last reboot, configuration parameters, and other parameters on the device ' s environment such as location or temperature. In order to support forensic readiness [1,16] of the device, the hardware⁃based solution needs to be embedded in a process establishing all necessary information in order to confirm admissibility later. These steps can be summarized as follows: 1. Produce hardware security anchor ( e.g. TPM) . The hardware security anchor must be produced at a high security level. 2. Certify hardware security anchor. Security properties of the hardware security anchor should be · 102·

documented in a security certificate with an appropriate security level. 3. Certify platform. In addition to the single security chip, the means of its integration into the platform and the properties of the root of trust for measurement are relevant and should be verified and certified. 4. Produce software. Relevant infrastructure software such as operating system, drivers, and application are produced and validated. 5. Installation, initialization and certification of software. It must be ensured that software installation and initialization have occurred properly, and have not been manipulated, and security certification does indeed cover all relevant aspects. 6. Define location, valid temperature, etc.. Certify reference measurement values for calibrated devices. 7. Generate and certify signing keys. Since the scheme described above relies heavily on cryptography, and therefore on secure generation, distribution and storage of keys, these processes require verification and certification. Because of the range of possible use cases, it is difficult to find and recommend one single algorithm. 8. Define location, valid temperature, etc.. Parameter ranges for correct use of the system must be established and then, either the occurrence of lower or higher temperatures prevented, or the infrastructure design changed to avoid problems. As an example, perhaps temperature control can be included in the device in order to satisfy temperature requirements. 9. Installation of device. The installation and initialization process is critical as this is the phase where keys can be generated and exchanged. 10. Establish communication with server. The establishment of client server communication is in principle well⁃understood; however, there is no efficient solution currently for binding SSL keys to underlying attestation values and also the platform to which the key owner claims it belongs. 11. Reference measurement record. For attestation to make any sense, reference values for the correct state of the device must be established in order to check for manipulation. 12. Document and store reference records and transfer to server. In addition to reference methods, it can also be useful to store a number of data records on the server side in order to enable sanity checks. 13. Start the boot process and time synchronization. The conditions to begin operation have been met. 14. Evidence collection. Finally, sensor data can become data records that potentially can become evidence. For this reason, data records are time⁃ stamped using the TPM.

Journal of Harbin Institute of Technology ( New Series) , Vol.22, No.1, 2015 4  Experimental Verification What follows is a discussion of three scenarios in which these ideas can be implemented and can demonstrate the usefulness and cost effectiveness of the solution proposed. 4􀆰 1  Scenario 1: Secure Digital Evidence in Lawful Interception In many countries, law enforcement can apply for the right to intercept communication data [17-18] . For good reasons, the process of lawful interception usually is highly regulated [19] ; however, the admissibility of data records achieved through lawful interception leaves various open questions. The discussion in this section concentrates on the security and reliability of the collected data itself. 4􀆰 1􀆰 1  Scenario and requirements for digital evidence Considering the scenario where interception is done at the premises of a network provider and possibly executed through another service provider. An interface that enables data interception needs to be available and a device connected to this interface. This device collects all data available on the interface. 4􀆰 1􀆰 2  Specific characteristics of the scenario Large streams of data need to be signed. Parts of the data might need to be deleted for privacy reasons without invalidating the signature, but still clearly showing where the data are deleted. Example, VoIP streams. 4􀆰 1􀆰 3  Possible realizations We recommend using a hybrid approach in this scenario. Bind the key for stream signatures to the TPM. Frequently change the key and attest that the key is bound to a particular state of the device. Digitally sign and store quote signatures and signatures on the data stream in a way that they can be clearly related. 4􀆰 2  Scenario 2: Secure Digital Evidence in Automotive Black Boxes A black box in a car is a device that is used to record various parameters of the car's control units. The data recorded by the black box can be used for diagnosis, i. e. to identify malfunction of the car. Further, the data recorded by the black box can also be used to resolve disputes, e. g. in the case of an accident. Most noticeable in the area of event data recorders ( EDR) [20] , less⁃refined versions of the so⁃called black box carried by aircraft, are motor vehicle event data recorders ( MVEDRs ) [21] as defined by the IEEE 1616a within the IEEE 1616 family of standards. IEEE 1616a aims to preserve the data quality and integrity needs to meet federal collection standards like the currently pending Motor Vehicle and Highway Safety Improvement Act of 2011, or Mariah's Act in the U.S.

Data collected by EDRs has already been used in civil and criminal cases [22] . Additionally, an insurance company in the U. S. is promoting basing policy rates on the recorded behavior of the driver within an EDR provided by the company. 4􀆰 2􀆰 1  Scenario and requirements for digital evidence The EDR is implemented as a separate control unit connected to one of the central communication buses in the car. It can monitor traffic on the bus and other control units can actively report the status or event information to the black box EDR. EDRs can record whether or not brakes were used, the speed at the time of impact, the steering angle, and whether seat belts were worn during the crash. The data collected within an EDR reflects the behavior and situation of the car before and during an accident or over even longer periods of time. Every action of the driver, or the subsequent devices in the car, results in events to the car's EDR. As the device is under control of the owner of the car, the evidence collected through an integrated event recorder is suspect to modification, deletion or injection. The consequences of such a tampered EDR vary with respect to the use case in which the collected data is employed. Typical usage today of data collected in a car is for maintenance purposes and diagnostic aims. The intended use in the next generation will be to reconstruct the events leading to an accident and analyzing the driver ' s reactions according to the situation [23] . Therefore, each data item collected by an EDR is used to determine the individual involvement, and thus the liability, of the driver during the accident. Extended uses are recording behavior for longer times allowing analysis of the behavior of a specific driver in various traffic situations. Insurance companies are interested in adapting insurance rates to these profiles to allow risk⁃aware pricing schemes. Again, the data collected result in direct financial impact to the car 's owner. Both scenarios presented provide the owner of the car a strong incentive to modify the EDR's records. As in the first case, the evidence can be destroyed that a misbehavior of the driver ( e.g. speeding) happens that the second the monthly rate for the insurance company is lowered. Modifying the behavior of such an EDR in terms of modifying the software would provide even stronger incentives since a manipulation of the collected records is not required. 4􀆰 2􀆰 2  Specific characteristics of the scenario Creating digital data that can be used in court to determine who is responsible is quite different from a documentation process over the length of time that would be required for data collection to be used for pricing insurance plans. Foremost, recording incidents · 103·

Journal of Harbin Institute of Technology ( New Series) , Vol.22, No.1, 2015 is time critical allowing for the recording and signing of events even when they occur a very short time before a crash. In case of an accident, it is required that as much data as possible be covered by verifiable signatures. Data recorded is considered to be available as clearly defined data structures. The data stored is intentionally limited and reduced to small data sizes. This behavior supports the implementation of crash records under time critical situations. It should be noted that an independent power supply is not assumed to be available in cars due to cost and engineering reasons. Therefore, it is extremely important to reduce the write cycles for evidence to make sure that relevant evidence is captured. Long⁃term storage of data records [24] needs to be local, i. e. within the box, providing an enclosed and isolated system with special measures against physical destruction. Only restricted memory is available for long⁃term storage. 4􀆰 2􀆰 3  Possible realizations In principle, the basic design for a device generating secure evidence can also be applied to develop a black box; however, the criticality of the timing requires changes to the protocol. Firstly, it is to store the data record and subsequently sign, time⁃ stamp and bind to quote information. Unsigned events recorded directly before a crash can still be considered valid as long as all signed data records that happened prior show that the status of the device is okay. 4􀆰 3   Scenario 3: Secure Digital Evidence in Precise Farming The evolution of technology in agricultural processes has changed the way that different steps in farming are executed [25] . Examples include the calculation and planning for fertilizers or creating the correct mixture of chemicals for plant protection [26] . These technologies provide the means for a very precise use of seeding material, fertilizer, etc.. Large farms can be managed and controlled based on the recorded data. Especially in the growing market for sustainable agriculture and eco⁃farming, there is a need for a qualitative value monitoring of the processes and the materials used such as of seeds, fertilizers etc.. Further, farming subvention schemes for funding a farmer to grow particular crops are automatically controlled using data records produced by the machines used in these processes. Parameters include GPS positions to calculate the location and size of the area and the types of crop [27] . 4􀆰 3􀆰 1  Scenario and requirements for digital evidence The scenario consists of devices installed in the different types of farm machinery ( tractors, harvesters, operating devices like fertilizer distribution equipment) and a central computer that collects and evaluates all · 104·

the different data records. Depending on the particular use of the data records, different types of requirements exist. If genetically manipulated crops are used, it is very important to be able to reliably document where exactly the crops have been planted. In the case of fertilizers and pesticides or fungicides a wrong calculation of the amount of chemicals used in a particular area can create extensive damage. In the case of a question as to the predicted origin of farm produce or proper verification of the innocuousness of pesticides or fungicides, etc., this evidence is relevant. This becomes even more important as consumer concern increases regarding eco farming products and the evidence of eco farming. Further, when the data are used as proof for subventions as to which crop is grown in which area, manipulating these data records can be used to calculate wrongful subvention claims. Under the above circumstances, it is necessary to integrate monitoring to ensure, that there is no hidden deployment of forbidden material or processing in the fields. To solve this problem, supervision of the area can be realized by drones. A European research project called Smart Inspectors is developing a drone⁃system for supervision of agriculture areas [28] . This system can be equipped with a TMP to be combined with the scenario described here. 4􀆰 3􀆰 2  Specific characteristics of the scenario Because of the potential number of devices and systems involved, a communication network must be used for transferring the data to a central storage unit. This includes a network between several locations using the Internet as the carrier platform. For reliability and convenience, an 802􀆰 11 network should be used. Encryption of data as well as documented access control to all entities is required. Therefore the entire system considered in this scenario is much more complex than the automotive black box scenario. Considering the whole verified process, it will be necessary to bring three systems together to secure the entire scenario: 1) farm monitoring system ( described here) ; 2) automotive black box; 3) smart inspection system. The devices for this scenario should be highly usable and robust because they will be used outdoors and therefore exposed to rough weather conditions. Zero⁃touch configuration [29] for security mechanisms would be very useful as a design feature. 4􀆰 3􀆰 3  Possible realizations Assuming correctness of the sensor measurements, the generic concept of a device for generating secure evidence can be applied directly; however, devices for secure documentation in precise farming technology need to consider that various sensors contribute to the

Journal of Harbin Institute of Technology ( New Series) , Vol.22, No.1, 2015 data records and that most of them potentially can be manipulated. Therefore, a solution must be designed that combines the attestation of the platform with some kind of run⁃time validation for the correctness of the sensor information. Additionally, as physical manipulations to the sensor or to the environment of the sensor are possible, a straightforward technical solution is difficult. Nevertheless, using Trusted Computing as well as protection mechanisms for sensors, or plausibility calculations for a collection of sensors, these devices can be protected. Additionally data transfer between the devices and the central storage unit must be secured and enabled for overall verification of the data, as well as of the condition of the sensors. TPM can be used for the verification. ( Here a process must be defined for creation of a complete chain of evidence.) The resulting evidence will be created on the device side, and stored on the storage side, of the system. TPM certificates will be used for authentication of the device / storage to prevent an attack from any non⁃ authorized device. It is possible, that a farmer can use a non⁃ confirmed device for bringing non⁃allowed materials onto his fields. To detect this, a smart⁃detection device can be used. In the " Smart Inspector" project, a drone will be developed and equipped with infrared cameras ( IR ) and radar systems for detection of unusual behavior or manipulation of the field's infrastructure. 5  Conclusions We have described the origins of our work in the area of forensic readiness, inspired by observable challenges in scaling digital forensic investigations unaided by devices that are specifically designed to capture admissible evidence. We describe work that is undertaken independently by the University of Washington resulting in the development of tools and models that can be applied to the development of systems that are forensically ready. Further we describe how that work inspires the collaboration between the University of Washington and Fraunhofer Darmstadt where the concept of incorporating TPM into designs as a means of rendering them forensically ready was firstly described. Finally, we discuss three distinct scenarios where the concept of employing a hardware device is designed to produce admissible digital evidence is relevant. It is shown that although the requirements for each are quite different, all three scenarios can be realized using the solution proposed in 2012. Future work will include identifying and analyzing additional scenarios in which this solution is relevant and testing the solution in actual circumstances. The concept of forensic readiness, discussed at length years ago [30-34]

is now realized and available for specific applications. It is anticipated that as the bar is raised on the admissibility of digital evidence due to the successful implementation of the technology described in Ref. [ 35 ] more applications requiring this solution will emerge. We also anticipate that our work will inspire others to expand and enhance these concepts of forensic readiness into other devices, designs and application. Absent thoughtful intervention in the current state of forensic investigations, we will see 1) a justice system subject to confusion as digital evidence ( over 90% of all evidence submitted in U. S. Courts) is viewed as unreliable and challengeable, 2) escalating growth in technology crimes as criminals find easy ways to challenge digital evidence, 3 ) growing and new liabilities for companies and individuals who use devises that do not yield reliable evidence, 4 ) decreasing trust in the economy as our record keeping becomes less and less reliable and 5) a general halt to the progress of the Information Age as a result. References

[1] Endicott⁃Popovsky B, Chee B, Frincke D. Adding the fourth ′R′: a systems approach to solving the hacker 's arms race. Proceedings of the International Conference on System Sciences (HICSS) 39 Symposium: Skilled Human⁃intelligent Agent Performance: Measurement, Application and Symposium. Hawaii,2006. http:/ / www.itl.nist.gov / iaui / vvrg / hicss39/ 4_r_s_rev_3_HICSS_2006.doc.(2014-12-30) [2] Ellison R, Fisher D, Linger R, et al. Survivable Network Systems: An Emerging Discipline. Pittsburgh, PA: Carnegie⁃Mellon University. http: / / www. sei. cmu. edu / reports / 97tr013.pdf. 2004-05-14. [3] Orton I. Coordinating with Law Enforcement on Security Issues.Computer Security and Cybercrime II: King County Bar Association Legal Risks and Responsibilities in a Dangerous World Workshop. Seattle,2002. [4] Tan J. Forensic Readiness. Technical Report. Cambridge MA: @ Stake, 2001. http: / / isis. poly. edu / kulesh / forensics / forensic_readiness.pdf. 2005-03-20. [ 5 ] Boddington R. Digital evidence. Kerr D, Gammack J, Bryant K, eds. Digital Business Security Development: Management Technologies. Hershey, PA: IGI Global, 2011. 37-72. [6] Kuntze N, Rudolph C. Secure digital chains of evidence. In Systematic Approaches to Digital Forensic Engineering ( SADFE) , 2011 Fifth IEEE International Workshop on. Piscataway:IEEE, 2011. 1-8. [7] Kuntze N, Rudolph C. Constructing and evaluating digital evidence for processes. In Systematic Approaches to Digital Forensic Engineering ( SADFE ) , 2012 Fifth IEEE International Workshop on. Piscataway: IEEE, 2012. http: / / sit. sit. fraunhofer. de / smv / publications / download / constructingEvidence.pdf.2013-01-24. [ 8 ] Endicott⁃Popovsky B, Ryan D, Frincke D. The New Zealand hacker case: a post mortem. Presented at Safety and Security in a Networked World: Balancing Cyber⁃ Rights & Responsibilities Conference, Oxford Internet

· 105·

Journal of Harbin Institute of Technology ( New Series) , Vol.22, No.1, 2015 Institute, Oxford, 2005. http: / / www. oii. ox. ac. uk / research / cybersafety / ? view = papers. [9] Dittrich D A. Developing an effective incident cost analysis mechanism. Security Focus. http:/ / www. symantec. com/ connect / articles / developing⁃effective⁃ incident⁃ cost⁃analysis⁃ mechanism. 2002-07-12. [10] Grance T, Hash J, Stevens M. Security Considerations in the Information System Development Life Cycle. Gaithersburg:NIST,2004.NIST SP800-64. [11] Kuntze N, Rudolph C, Alva A, et al. On the creation of reliable digital evidence. Peterson G, Shenoi S. Eds.. Advances in Digital Evidence VIII2012. Heidelberg: Springer, 2012􀆰 3-17. [12] Retting R, Ferguson S, Hakkert A. Effects of red light cameras on violations and crashes: a review of the international literature. Traffic Injury Prevention, 2003, 4 (1) :17-23. [13] Waugh A, Wilkinson R, Hills B, et al. Preserving digital information forever. In Proceedings of the fifth ACM conference on Digital libraries. State of Texas:ACM, 2000. 175-184. [14] Barrall D, Dewey D. Plug and root, the USB key to the kingdom. Presentation at Black Hat Briefings. 2005. http: / / repo. hackerzvoice. net / depot _ cehv6 / CEHv6% 20Module% 2000% 20 -% 20Miscellaneous / BlackHat% 202005 / Shakespearean%20Shellcode.pdf. 2005-07-27. [15] Mitchell C. Trusted Computing. Piscataway:IEEE, 2005. [16] Ngobeni S, Venter H, Burke I. A forensic readiness model for wireless networks. Advances in Digital Forensics VI. 2010. 107-117. [17] ETSI TC⁃STAG. Security techniques advisory group (stag); definition of user requirements for lawful interception of telecommunications: requirements of the law enforcement agencies. Sophia Antipolis:ETSI, 1996.ETR 331. [18] Gleave S. The mechanics of lawful interception. Network Security, 2007(5) :8-11. [19] Akdeniz Y, Taylor N, Walker C. Regulation of investigatory powers act 2000 (1): Bigbrother. gov. uk: State surveillance in the age of information and rights. Criminal Law Review, 2001􀆰 73-90. [20] German A, Comeau J, Monk B, et al. The use of event data recorders in the analysis of real⁃world crashes. Proceedings of the CMRSC⁃XII. 2001. 10-13. [21] Committee M. 1616 - 2004 ( VT / LT) IEEE Standard for Motor Vehicle Event Data Recorders ( mvedrs) .Piscataway: IEEE, 2004. http: / / grouper. ieee. org / groups / 1616a / . 2009-12-22. [22] Fay R, Robinette R, Deering D, et al. Using event data recorders in collision reconstruction. SAE Technical Paper, 2002. 01 - 0535. Fay R, Robinette R, Deering D, et al. Using Event Data in Collision Reconstruction. Fay Engineering Corporation, Denver, Colo. 13 pp. Accident

· 106·

Reconstruction 2002. Warrendale, SAE, 2002. 1 – 13. Report No. SAE 2002-01-0535 UMTRI-95830 A01. [23] Gabler H, Gabauer D, Newell H, et al.Use of Event Data Recorder ( EDR ) Technology for Highway Crash Data Analysis, Volume 298. Washington DC: Transportation Research Board of the National Academies, 2005. [ 24] Wallace C, Pordesch U, Brandner R. Long⁃term archive service requirements. 2007⁃03. http: / / wenku. baidu. com / link? url = MgQacjWbs⁃ey⁃cPgtgxLUyJ0v2 XlDPXhg3 WqpX5 vbALzx4 ST9 rPnsdpIi0 GIx9 huWHEC6 yImqZ88 Ay3 FFjyN5 CS - O1w1ZMXXbzWxZqX8iT7. [ 25 ] Auernhammer H. Precision farming: the environmental challenge. Computers and Electronics in Agriculture, 2001,30(1) :31-43. [26] Wang N, Zhang N, Wang M.Wireless sensors in agriculture and food industry: Recent development and future perspective. Computers and Electronics in Agriculture, 2006,50(1):1-14. [ 27 ] Wolf S, Wood S. Precision farming: Environmental legitimation, commodification of information, and industrial coordination1. Rural Sociology,1997, 62(2) :180-206. [28] Rolf Becker. Smart inspectors⁃smart aerial test rigs with infrared spectrometers and radars. http: / / www.hochschule⁃ rhein⁃waal. de / en / forschungszentrum / forschungsprojekte / smart⁃inspectors.html. [29] Kuntze N, Rudolph C. On the automatic establishment of security relations for devices. Proceedings of the IEEE IM. Piscataway:IEEE, 2013. [ 30 ] Endicott⁃Popovsky B, Chee B, Frincke D. Role of calibration as part of establishing foundation for expert testimony. Proceedings of the 3rd Annual IFIP WG 11􀆰 9 Conference. Orlando FL, 2007. 61-66. [ 31 ] Endicott⁃Popovsky B, Frincke D. Embedding forensic capabilities into networks: addressing inefficiencies in digital forensics investigations. In Information Assurance Workshop, 2006 IEEE. Piscataway: IEEE, 2006. 133 - 139. [ 32 ] Endicott⁃Popovsky B, Frincke D. The observability calibration test development framework. Proceedings of 8 th IEEE Systems, Man and Cybernetics Information Assurance Workshop.Los Alamitos, CA: IEEE Publishing,2007. 61- 66. [33] Endicott⁃Popovsky B, Frincke D, Taylor C. A theoretical framework for organizational network forensic readiness. Journal of Computers, 2007,2(3) :1-11. [34] Taylor C, Endicott⁃Popovsky B, Frincke D. Specifying digital forensics: A forensics policy approach. Digital Investigation, 2007,4:101-104. [ 35 ] Richter J, Kuntze N, Rudolph C. Securing digital evidence. In Fifth International Workshop on Systematic Approaches to Digital Forensic Engineering. Oakland, CA, 2010. 119-130.