An eCrime Reporting Lingua Franca: Optimizing eCrime Investigation Efficiency Using a Common Data Format
A Technical Advisory for
Industry and Government
January 2009
Committed to Wiping Out Internet Scams and Fraud
SUMMARY
THE RATIONALE FOR A COMMON ECRIME REPORTING FORMAT
CRITERIA FOR DETERMINATION OF OPTIMAL DATA FORMATS
THE IODEF EXTENSIONS FOR E-CRIME REPORTING
ENABLING ROBUST DATA SHARING
USE CASE SCENARIOS AND ASSOCIATED BENEFITS
LOOKING AHEAD: IODEF EXTENSIONS DEVELOPMENT ARC
REFERENCES

Correspondent Author Contact Data:
Patrick Cain, APWG, pcain@antiphishing.org

Disclaimer: PLEASE NOTE: The APWG and its cooperating investigators, researchers, and service providers have provided this message as a public service, based upon aggregated professional experience and personal opinion. These recommendations are not a complete list of steps that may be taken to avoid harm from phishing. We offer no warranty as to the completeness, accuracy, or pertinence of these recommendations with respect to any particular registrar's operation, or with respect to any particular form of criminal attack. Please see the APWG website — http://www.apwg.org — for more information.

Optimizing e-Crime Investigation Efficiency Using a Common Data Format
http://www.apwg.org ● [email protected]
PMB 246, 405 Waltham Street, Lexington MA USA 02421

Summary

Historically, crime has been a local event; that is, the criminal is in close proximity to the victim. Electronic crime (e-crime) and variants on well-known criminal tactics that have been updated to use the Internet have removed this persistent of locality. The perpetrator of the crime and the victim may be separated by entire countries - or even continents. This adds new challenges for crime investigators as the party performing initial investigation may be quite remote from the actual crime "location" with different parties performing different parts of the investigation. The ability to convey accurate and complete investigative data—in multiple languages and styles—is now paramount to successful management of e-crime events, law enforcement case formation and subsequent prosecution.

To help with this information exchange, the APWG has worked with its partners across its global membership base of some 1700 institutions to develop an XML-based data model for reporting the technical aspects of phishing, fraud, and other electronic crimes to remote parties in a clear, consistent method. The goal of the data model is to allow an investigator to share relevant details of a possible criminal act with others in a data format that requires completeness, like local time-zone, while also providing multi-language support.

Data shared in this format can be further processed quite easily by automation. For example, data about certain crimes can be automatically processed via computer on arrival and redirected to the appropriate investigator in near-real time. Additionally, specific data elements can be controlled or encrypted to comply with evolving data privacy regimes.

These factors make this data model an excellent vehicle to report, share, and interpret electronic crime events. Ultimately, the APWG believes that utilizing a common data format will allow forms of automated processing of forensic data, giving investigators and e-crime responders the kind of insights they require to transform large repositories of forensic data into actionable narratives that can animate potent e-crime management exercises for private industry, as well as case formations, investigations and prosecutions for law enforcement.

Principal Investigator:
Patrick Cain, Resident Research Fellow, APWG

Contributing Researchers
Dave Jevans, Chairman, APWG
Peter Cassidy, Secretary General, APWG

The Rationale For a Common eCrime Reporting Format

The rise in phishing and fraud activities via e-mail, instant messaging, DNS corruption and malicious code insertion has compelled corporations, Internet Service Providers (ISPs), consumer agencies and financial institutions to begin to collect, fuse, correlate and analyze phishing attack information and data related to e-crime events. The collected data allows them to better coordinate mitigation activities and support the pursuit and prosecution of attackers.

By using a common format, it becomes easier for an organization to engage in these coordination activities as well as the correlating of information from multiple data sources or products into a cohesive view. As the number of data sources increases, a common format becomes even more important since multiple tools would be needed to interpret the different sources of data.

APWG SEES THE ENTERPRISE OF E-CRIME LAW ENFORCEMENT EVOLVING TO A MODEL RESEMBLING PUBLIC HEALTH INITIATIVES

The accumulation and correlation of information is also important to resolving phishing incidents detected externally, as the phished organization may not even be aware of the attack. Third parties aware of attacks may wish to notify the phished organization directly or through a central notification service or clearinghouse so that adequate responses could commence. The targeted organization's internal monitoring systems may also detect the attack and wish to take mitigation steps. If these systems cannot communicate adequately, there is no hope for attack mitigation or criminal prosecution.

APWG sees e-crime law enforcement endeavors gravitating over time to a model that more closely resembles public health initiatives like tracing the source of a contagious agent or a toxic substance in the food chain. It's all about how the case data are recruited. Instead of a report from one or a few sources used for case initialization and formation, in e-crime investigations a large number of data resources are collected, archived, collated and analyzed to build a summarized narrative to inform a new case and to contribute to and develop existing cases.

With a common terminal format for reports, new forms of data sharing necessary to engage e-crime become possible in ways otherwise unimaginable without it:

• Private enterprises and their contractors can combine archived reports to detect larger trends and augment their fraud detection systems.
• Private enterprises and their contractors can share reports and e-crime event data in real-time to give all sharing parties earliest warning of new attacks that may concern them or their correspondents.
• Private enterprises and their contractors (e.g. banks and their security consultants) can quickly consolidate e-crime report databases to present a case to law enforcement.
• Private security firms can share data quickly and effectively to identify and track telling trends as well as identify and characterize antagonists who are causing losses to their client companies.
• National computer emergency response teams, coordinating investigations into phishing attacks, can combine e-crime event databases to find corresponding data points in attacks launched in one country against targets in another.
• Public sector law enforcement agencies can combine e-crime event databases to analyze for trends and clues to inform case initialization.
• Public sector law enforcement agencies can quickly assemble e-crime event data around a formerly unidentified suspect whose identity has been surmised and confirmed.
• All parties to development of an existing law enforcement or private security case can program their systems to automatically direct reports of pre-determined characteristics to the appropriate investigators.

Ultimately the capacity to rapidly recruit, combine and analyze large disparate pools of e-crime data will suggest more automated mechanisms for e-crime detection and exposition. Furthermore, data fusion of summarized e-crime data with other established law enforcement data resources will redound, over time, to the development of potent e-crime investigative techniques that will make case initialization and development in the electronic realm as procedural as they are for conventional law enforcement. Establishing a common data format is the first step toward that more efficient future.

Criteria for Determination of Optimal Data Formats

When the APWG and its research correspondents began the development of a terminal format for e-crime reports, we attempted to find a suitable data model and format to adopt as a way of streamlining the effort — instead of starting from scratch. It became apparent that there was no existing, ready-to-adopt standard data format that met the criteria—so we developed one.

The important criteria for a worldwide, inter-domain data format become apparent very quickly. The format must allow for text data to be entered in a different language than the crime data. Take, for example, an American bank phishing e-mail message that is
sourced from a Latin America web server. The communications discussing the English text message between the investigating parties may be in Spanish. A second prime criterion allows for data elements to be marked as required or optional.

For example, a report about an Internet event is not very useful if the report does not include the attacker's Internet Protocol (IP) address. The bane of many international reports is the lack of required time zone markers on timestamps, e.g., the report states that the attack happened at two o'clock in the morning. Was this local time? Was it GMT? Was it Summer Time? In which hemisphere? There must be a uniform way to precisely characterize time in order, for instance, to craft a coherent chronology of e-crime events in a case narrative.

Since the e-crime landscape is continually evolving, the data model and formats must be easily expandable to allow for the tracking of the new techniques discovered during investigations as well as the ability to add more data elements to existing reports.

A secondary, but still important criterion is to use a data format that does not require odd or expensive tools, nor encodes data in hard-to-decipher formats. Most all of parties exchanging investigative data have neither large budgets nor big support groups ready and able to figure out unclear reports. Thus, the ability to read and comprehend reports without complex tools is a necessity.

IN EFFECT, THE COMMON DATA FORMAT CAN ENABLE AUTOMATION IN E-CRIME MANAGEMENT AND LAW ENFORCEMENT OPERATING AT THE SPEED WITH WHICH THE ELECTRONIC CRIMES THEMSELVES ARE EXECUTED

The IODEF Extensions for e-Crime Reporting

Failing to find an acceptable existing data format inspired APWG researchers to define a set of extensions to the IETF Incident Object Data Exchange Format (IODEF) definitions as defined in IETF RFC 5070, a reporting standard for network events that was officially adopted by the Internet Engineering Task Force (IETF) in December 2007. (The IETF is an international body that, in part, develops technical and protocol standards for the operation and maintenance of the Internet.)

The IODEF is an XML-based data format designed to identify and describe network events such as virus infections, Denial of Service (DoS) attacks, or large scale malevolent scans by attackers. Each part of an IODEF report is specified through a schema definition indicating the data elements and their attributes. The schema also allows for implementers to specify which elements and attributes are required to make sure that the important ones are included within a report.

The APWG's Extension to IODEF-Document Class for Phishing, Fraud, and Other Non-Network Layer Reports builds on the IODEF base specification by defining a set of data elements common to phishing, fraud, and other e-crime that allows the reporter of an issue to specify the elements of the attempted crime, such as:

• Fraud source and target such as a bank;
• Web servers involved; data communication packets;
• Domain Name Service (DNS) and registry information;
• Evidentiary files of a web site's content.

As the extensions are XML-based, they can be processed with many freely available tools, and—as text—are readable without special viewing programs. (All web browsers will display XML formatted files as will most any popular word processor such as Microsoft Word. Any text editor in any common operating system (vi, emacs, nano, notepad, etc.) will show you the XML formatted content as well.)

The XML base also allows for significant improvements in report handling, as many of the report validation, collaboration, and distribution activities can be automated. With machine processing, many of the forensic routines that require painstaking hand processing can be executed as soon as relevant data becomes available to a programmed forensic application. In effect, the common data format can enable automation in e-crime management and law enforcement operating at the speed with which the electronic crimes themselves are executed.

XML makes reports human readable and assists in editing, adding data and organizing human-driven workflows. The standardized format also allows for rapid consolidation of data and machine processing of reports for different forensic application scenarios

The APWG has established working betas of a compliant eCrime Reporting Tool for US-EN, UK-EN and ES-ES (Spain-native Spanish). More languages are to come. Goal: create a version of the APWG e-Crime Reporting Tool available in every language in which electronic crime is a problem to help establish and feed private sector, public sector and non-profit e-crime data repositories

A working beta of the APWG e-Crime Reporting Tool, a console that allows for detailed manual reporting and archiving of e-Crime events is available in US-EN at: http://sourceforge.net/projects/ecrisp-x

Figure 1: APWG e-Crime Reporting Tool

Enabling Robust Data Sharing

Significant operation efficiencies are possible if a common data format is shared amongst reporting and consuming parties. For example, once a reporter generates a report, it can be electronically sent to a database where the data could automatically or programmatically be consumed and redistributed.

Another party could request that data from the database, receive it in the common format, and use existing tools to decompose and examine it. This second party could also add additional data to the original report and return it to the original database using the same common format.

WITH A COMMON TERMINAL FORMAT FOR E-CRIME REPORTS, NEW FORMS OF DATA EXCHANGE NECESSARY TO ENGAGE E-CRIME BECOME POSSIBLE IN WAYS OTHERWISE UNIMAGINABLE WITHOUT IT

There are four communities currently using the IODEF data model and its extensions: national CERTs exchanging network incident data; a group of financial institutions exchanging IP Addresses and fraud attack details; a number of ICT security companies and individuals reporting phishing attempts.

The enduring logistical challenges of international e-crime data sharing are:

• Finding a common data sharing and reporting format that supports multiple local languages;
• Providing adequate flexibility to evolve with the changing e-crime landscape;
• Ensuring that created reports contain sufficient and syntactically correct data.

The APWG believes that the Extension to IODEF-Document Class for Phishing, Fraud, and Other Non-Network Layer Reports meet these challenges and will continue to do so for a long time horizon and will adapt to industrial and law enforcement needs for the foreseeable future.

The schema was developed to solve a few specific, but growing, identified problems such as exchanging information with speakers of other languages and trying to minimize the back-and-forth negotiation of capturing critical data. A few example use cases follow.

Use Case Scenarios and Associated Benefits

1. Untrained sources who are preparing and sending crime data can be directed to send complete reports. Veteran investigators and receivers of incident data all have horror stories of receiving incomplete data about an important crime event, e.g., the source data is missing; the timestamp has no time zone information; the data payloads are empty. The IODEF exchange format can require certain critical data fields to ensure that a received report is complete. This ability to require certain fields makes it much easier to receive incident data from a wider reporting audience.

2. Exchanging e-crime data with speakers of another language is simplified. Many electronic crime events happen in multiple jurisdictions. An e-crime reporter may need to describe an event to an investigator that understands and/or reads a different language. The text areas in an IODEF format message contain a language marker that allows a receiver to use tools to semi-automatically translate the sentences, paragraphs and assorted information into a language that the receiver understands. Additionally, the sender of an IODEF report may also translate -- and mark appropriately -- the anticipated language of the receiver, making true international information exchanges quicker and simpler.

3. The back-and-forth conversations when e-crime data is channeled via a third party can be reduced or eliminated. Some portion of exchanged incident data is channeled through a third party before delivery to the intended receiver so the original data can be desensitized, anonymized or aggregated. For example, a group of banks may send their incident data to a clearinghouse at which it is compiled into a generalized report before forwarding to an investigator. If additional data is required during investigation of the compiled report traditionally a series of back-and-forth communications happens to figure out what report needed what data. When using the IODEF formats, one can send the entire -- or pieces of the -- compiled report back to the clearinghouse who can send it back to the originator. The originator can quickly find their submitted reports using the included IODEF Incident Identifier instead of searching through all the data they submitted to the clearinghouse trying to match up the returned report and their internal data.

4. Additional standard security mechanisms can be applied to the exchanged data as part of the data exchange process. Some parties are sensitive to the data that is exchanged with other parties, such as ensuring that only the received party can read the message or requiring that the original data contain an integrity mechanism or digital signature. As the IODEF format complies with the XML encoding rules, any standard
security mechanism can be easily applied to the IODEF data, such as PGP, S/MIME, SSL/TLS, or generalized encipherment, and transported and recovered or validated at the receiving party. No additional security development is required to use these security services.

5. International reporting requirements can be implemented. E-crimes span multiple jurisdictions with multiple privacy, release, retention, and confidentiality requirements. Using the IODEF format to share data across national boundaries allows for the application of other standard XML security mechanisms -- irrespective of how the data is transported to the receiving party -- such as digital signatures and confidentiality (encipherment). The format also allows the ability to remove, encipher, or obfuscate certain data fields before further distribution to support compliance with national policy or regulation.

Looking Ahead: IODEF Extensions Development Arc

The establishment of a common terminal data format for e-crime reports is an essential element in the construction of a global counter e-crime data exchange infrastructure, indeed, a counter for the global e-crime plexus that is growing in competence and power with every passing day.

Still, there are other data logistics challenges that must be engaged in order to mobilize forensic data that is islanded in repositories maintained by industry, law enforcement agencies, government agencies, CERTs, NGOs and independent clearinghouses of e-crime data.

First, tools for reporting and for translating existing data sets into IODEF-compatible reports will have to be established to take advantage of the common data schema. The APWG has already programmed a manual reporting console that will allow anyone who can operate a general purpose computer to construct a complete e-crime event report and archive it. [See Figure 1.]

The APWG has established an open-source software project specifically to design and construct data translation tools to convert data sets in non-compliant formats of correspondents' systems into the IODEF Extensions for e-Crime Reporting format. Many of the conversion software routines are identical with only minor differences, but most all correspondent systems would require their own converters.

Given the eagerness of all stakeholders engaged in e-crime response and investigations to exchange forensic data, the APWG expects rapid organization of correspondence and the subsequent discovery of new advantageous data fusion and analysis schemes that will yield telling, conclusive intelligence for forensic artisans.

Researchers, investigators and responders from industry and the public sector will doubtless begin demanding more data and more frequent correspondence. Then, when data logistics barriers to facile, automated e-crime event data are removed, a global counter e-crime data exchange will have been established and will flourish through clearinghouses and legally rational correspondence agreements.

Before that juncture, however, e-crime data correspondents will have to confront the legal, regulatory and sometimes complicated ethical questions that attend the movement of e-crime data across international frontiers and often through the hands of correspondents who may or may not have specific permission to handle those data. That process is underway in governmental bodies worldwide and is as vital to the development of a global counter e-crime data exchange as is the development of universal data schema for e-crime reports.

References

“Extensions to the IODEF-Document Class for Reporting Phishing, Fraud, and Other Crimeware,” Internet Engineering Task Force, July 2008. http://www.ietf.org/internet-drafts/draft-cain-post-inch-phishingextns-05.txt

Danyliw, R., Meijer, J., and Y. Demchenko, “The Incident Object Description Exchange Format,” RFC 5070, December 2007. http://www.ietf.org/rfc/rfc5070.txt

An open source software project relating to the development of tools for e-Crime reporting can be found at: http://sourceforge.net/projects/ecrisp-x