Optimizing eCrime Investigation Efficiency Using a...

An eCrime Reporting Lingua Franca: Optimizing eCrime Investigation Efficiency Using a Common Data Format

A Technical Advisory for

Industry and Government

January 2009

Commi t ted to W ip ing Out In te rne t Scams and F raud

O

SUMMAR

THE RAT

CRITERIA

THE IOD

ENABLIN

USE CAS

LOOKING

REFEREN

Corresp

Patrick C

Disclaimand servaggreganot a comwarrantwith resform of more inf

Optimizing e

RY .................

TIONALE FOR

A FOR DETER

DEF EXTENSI

NG ROBUST D

E SCENARIO

G AHEAD: IO

NCES .............

pondent Au

Cain, APW

mer: PLEASvice providted professmplete list y as to the spect to anycriminal atformation.

e-Crime Invh

PMB 246, 40

.....................

R A COMMON

RMINATION O

IONS FOR E‐C

DATA SHARI

OS AND ASSO

ODEF EXTEN

.....................

uthor Conta

WG, pcain@a

SE NOTE: Ters have prsional experof steps thacompleteney particular tack. Pleas

vestigation http://www.apw05 Waltham

.....................

N ECRIME RE

OF OPTIMAL

CRIME REPO

ING ...............

OCIATED BEN

NSIONS DEVE

.....................

act Data:

antiphishing

The APWGrovided thisrience and at may be taess, accuracregistrar’s

se see the A

EFFIC

Efficiency Uwg.org ● info@Street, Lexin

......................

EPORTING FO

L DATA FORM

ORTING .........

......................

NEFITS ..........

ELOPMENT A

......................

g.org

G and its coos message apersonal opaken to avocy, or pertinoperation,

APWG webs

OPTIMICIENCY USING

Using a [email protected] gton MA USA

.....................

ORMAT ........

MATS ...........

.....................

.....................

.....................

ARC ..............

.....................

operating inas a public pinion. Theoid harm frnence of theor with ressite — http:

IZING E-CRIMG A COMMO

mmon Data

A 02421

.....................

.....................

.....................

.....................

.....................

.....................

.....................

.....................

nvestigatorservice, basese recommom phishinese recommspect to any://www.apw

ME INVESTIGAON DATA FO

a Format

.................. 3

.................. 4

.................. 5

.................. 6

.................. 9

................ 10

................ 11

................ 12

rs, researchesed upon mendations ng. We offemendations y particularwg.org — f

ATION RMAT

2

ers,

are er no

r for

O

Historicvictim. Ebeen upperpetracontineninitial inparties pand comto succesubsequ

To help its globamodel foto remotinvestigformat tlanguag

Data shaexamplearrival aspecific privacy

These faelectronformat wand e‐crof forensexerciseprosecut

PrincipPatrick

Optimizing e

ally, crime Electronic cdated to usator of the cnts. This adnvestigationperformingmplete invesssful manauent prosecu

with this inal membersor reportingte parties inator to sharthat requirege support.

ared in thise, data abouand redirectdata elemeregimes.

actors makenic crime evwill allow forime responsic data intos for privattions for law

pal Investigk Cain, Res

e-Crime Invh

PMB 246, 40

has been a crime (e‐crimse the Interncrime and tdds new chn may be qug different pstigative dagement of eution.

nformation ship base ofg the technn a clear, core relevant es complete

s format canut certain crted to the aents can be c

e this data ments. Ultimorms of autnders the kio actionablte industry,w enforcem

gator: sident Resea


Su

local eventme) and vanet have rethe victim mallenges foruite remoteparts of the ata—in mule‐crime eve

exchange,f some 1700ical aspectsonsistent medetails of aeness, like lo

n be furtherrimes can bappropriatecontrolled o

model an exmately, the Atomated prind of insige narrative, as well as ment.

arch Fellow

EFFIC


ummary

t; that is, thariants on wmoved thismay be separ crime inve from the ainvestigatioltiple languents, law en

the APWG0 institutions of phishinethod. The a possible crocal time‐zo

r processedbe automatie investigatoor encrypte

xcellent vehAPWG belirocessing ofghts they reqs that can acase forma

w, APWG

OPTIMICIENCY USING


he criminal iwell‐knowns persistentarated by enestigators aactual crimeon. The abuages and snforcement

G has workens to develong, fraud, angoal of theriminal act one, while

d quite easilically proceor in near‐red to compl

hicle to repoieves that uf forensic dquire to traanimate potations, inves

Cont

DPeter Cass


mmon Data

A 02421

is in close pn criminal tat of locality.ntire countas the partye “location”ility to convtyles—is nocase forma

ed with its pop an XML‐nd other elee data modewith otheralso provid

ly by automessed via coreal time. Aly with evo

ort, share, autilizing a cata, giving ansform largtent e‐crimestigations a

tributing Resear

Dave Jevans, Csidy, Secretary


a Format

proximity toactics that h. The tries ‐ or evey performin” with diffevey accuratow paramoation and

partners ac‐based dataectronic criel is to allows in a data ding multi‐

mation. For omputer onAdditionallyolving data

and interprommon dainvestigatoge repositoe managemand

rchers

Chairman, APWy General, APW

ATION RMAT

3

o the have

en ng erent te ount

ross a imes w an

n y,

ret ta ors ories ment

WG WG

O

APWG ENTERPRLAW ENFEVOLVINRESEMBLHEALTH I

The rise and mal(ISPs), cand anacollectedpursuit

By usingcoordinasources commoninterpret

organizamitigatioattack m

APWG smore cloagent orrecruitedformatioarchivedand to c

With a cengage e

• Pla

• Pinco

Optimizing e

SEES THE ISE OF E-CR

FORCEMENTNG TO A MOLING PUBLICINITIATIVES

The Rati

in phishinglicious codeonsumer aglyze phishid data allowand prosec

g a commonation activitor productsn format bet the differe

ation’s interon steps. If

mitigation o

sees e‐crimosely resemr a toxic subd. Instead oon, in e‐crimd, collated aontribute to

common tere‐crime bec

Private entearger trend

Private enten real‐time oncern them

e-Crime Invh

PMB 246, 40

RIME T ODEL C

ionale Fo

g and fraude insertion hgencies anding attack inws them to cution of att

n format, it ties as well s into a cohecomes evenent sources

Thimexawwia cad

rnal monitof these syster criminal p

e law enformbles publicbstance in thof a report fme investigand analyzeo and deve

rminal formcome possib

rprises ands and augm

rprises andto give all sm or their c


or a Com

d activities has compeld financial informationbetter coortackers.

becomes eaas the correesive view.n more impof data.

he accumulmportant toxternally, asware of the ish to notifycentral notidequate resporing systemems cannotprosecution

rcement endc health inithe food chafrom one orgations a lared to build lop existing

mat for repoble in ways

d their contrment their fr

d their contrsharing parcorresponde

EFFIC


mon eCr

via e‐mail, lled corporainstitutionsn and data rrdinate miti

asier for an elating of in As the numortant since

lation and cresolving ps the phisheattack. Thiy the phishification serponses coums may alst communicn.

deavors gratiatives likeain. It’s all ar a few sourge numbera summarig cases.

orts, new fos otherwise

ractors can raud detect

ractors can rties earliesents.

OPTIMICIENCY USING


rime Rep

instant meations, Intes to begin torelated to e‐igation activ

organizationformation mber of datae multiple t

correlation phishing ined organizaird parties ahed organizrvice or cleauld commenso detect thecate adequa

avitating ove tracing theabout how rces used for of data resized narrati

orms of dataunimagina

combine artion system

share repost warning o


mmon Data

A 02421

porting Fo

essaging, DNernet Servico collect, fu‐crime evenvities and s

on to engagfrom multipa sources intools would

of informatncidents detation may naware of atation directaringhousence. The tare attack andately, there

ver time to e source of the case daor case initisources are ive to infor

a sharing nable withou

rchived repms.

orts and e‐crof new atta


a Format

ormat

NS corrupte Providersse, correlatnts. The support the

ge in these ple data ncreases, a d be needed

tion is also tected not even be ttacks may tly or throue so that rgeted d wish to tae is no hope

a model tha contagiouata are ialization acollected,

rm a new ca

necessary tout it:

ports to dete

rime event cks that ma

ATION RMAT

4

tion s te

e

to

ugh

ake e for

hat us

nd

ase

o

ect

data ay

O

• Pcola

• Ptelo

• Npd

• Pan

• Paco

• Acach

Ultimatecrime daexpositiolaw enfocrime inelectronicommon

When thformat fadopt asapparencriteria—

The impquickly. the crim

Optimizing e

Private enteonsultants)aw enforcem

Private secuelling trendosses to the

National comphishing attdata points i

Public sectornalyze for t

Public sectorround a foronfirmed.

All parties toase can proharacteristi

ely the capaata will sugon. Furtherorcement danvestigative ic realm as n data form

Criter

he APWG aor e‐crime rs a way of snt that there—so we dev

portant crite The forma

me data. Tak

e-Crime Invh

PMB 246, 40

rprises and) can quicklment.

urity firms cds as well aseir client com

mputer emetacks, can coin attacks la

r law enfortrends and

r law enforrmerly unid

o developmogram theirics to the ap

acity to rapiggest more armore, dataata resourcetechniquesprocedural

mat is the firs

ria for De

nd its researeports, we treamlining was no exiveloped one

eria for a woat must alloke, for exam


d their contrly consolida

can share das indentify mpanies.

ergency resombine e‐craunched in

rcement ageclues to inf

rcement agedentified su

ment of an e systems toppropriate i

idly recruit,automated ma fusion of ses will redos that will ml as they forst step towa

eterminat

arch correspattempted g the effort isting, readye.

orldwide, inw for text d

mple, an Am

EFFIC


ractors (e.gate e‐crime

ata quicklyand charac

sponse teamrime event n one countr

encies and cform case in

encies can quspect who

existing lawo automaticinvestigato

, combine amechanismsummarizedound, over tmake case inr conventionard that mo

ion of Op

pondents beto find a su— instead oy‐to‐adopt

nter‐domaindata to be enmerican ban

OPTIMICIENCY USING


. banks andreport data

y and effecticterize anta

ms, coordindatabases ry against t

combine e‐nitialization

quickly assese identity

w enforcemecally direct rors.

and analyzems for e‐crimd e‐crime datime, to the nitializationnal law enfoore efficient

ptimal Da

egan the deuitable dataof starting fstandard da

n data formntered in a nk phishing


mmon Data

A 02421

d their secuabases to pr

ively to idegonists wh

nating investo find corrtargets in an

crime evenn.

emble e‐crihas been su

ent or privareports of p

e large dispame detectionata with othdevelopme

n and develoorcement. Efuture.

ata Forma

velopment a model andfrom scratchata format t

mat become different lae‐mail mes


a Format

urity resent a cas

entify and trho are causin

stigations inrespondingnother.

nt databases

me event durmised an

ate securitypre‐determi

arate pools n and her establishent of potenopment in tEstablishing

ats

of a termind format to h. It becamthat met the

apparent vnguage thassage that is

ATION RMAT

5

se to

rack ng

nto g

s to

data nd

y ined

of e‐

hed nt e‐the g a

nal

me e

ery an s

O

sourced text mescriterion

For examinclude treports ithe attacit Summcharactecase narr

Since thethe datato allowdiscoverto add m

A secondata formtools, noMost allneither lreports. necessity

Failing ta set of edefinitiowas offi(The IETstandard

The IODevents sscans bydefinitioimplemethe impo

Optimizing e

from a Latissage betwen allows for

mple, a repothe attackeris the lack ofck happenedmer Time? Inrize time inrative.

e e‐crime laa model andw for the tracred during more data e

dary, but stmat that door encodes dl of parties elarge budge Thus, the y.

Th

to find an aextensions tons as defincially adopTF is an inteds for the o

DEF is an XMuch as viruy attackers. on indicatinenters to sportant ones

e-Crime Invh

PMB 246, 40

in America een the invedata eleme

ort about anr’s Internet Pf required tid at two o’cln which hemn order, for i

andscape isd formats mcking of theinvestigatiolements to

till importaoes not requdata in hardexchangingets nor big ability to re

he IODEF

acceptable eto the IETFned in IETF pted by the ernational bperation an

ML‐based dus infectionsEach part ong the data pecify whichs are includ


web serverestigating pents to be m

n Internet evProtocol (IPime zone mlock in the mmisphere? Tinstance, to

s continuallmust be easie new technons as wellexisting rep

ant criterionuire odd or d‐to‐deciphg investigatsupport groead and com

Extensio

existing datF Incident ORFC 5070, Internet Enbody that, ind mainten

data formats, Denial ofof an IODEelements ah elements ed within a

EFFIC


r. The commarties may b

marked as re

vent is not vP) address. Tmarkers on timorning. WThere mustcraft a cohe

ly evolving,ily expandaniques l as the abilports.

n is to use aexpensive her formatstive data haoups readymprehend r

ons for e-C

ta format inObject Data a reporting

ngineering Tin part, devnance of the

t designed f Service (DF report is nd their attand attribua report.

OPTIMICIENCY USING


IN EFFEFORMAAUTOMMANAGENFORSPEED WELECTRARE EX

municationbe in Spaniequired or o

very useful iThe bane ofimestamps,Was this locat be a uniforerent chrono

, able

ity

a

s. ave y and able treports with

Crime Re

nspired APWExchange Fg standard Task Force velops techne Internet.)

to identify DoS) attacksspecified thtributes. Thutes are req


mmon Data

A 02421

ECT, THE COAT CAN ENAMATION IN EGEMENT ANCEMENT OPWITH WHICH

RONIC CRIMXECUTED

ns discussinsh. A seconoptional.

if the reportf many inter, e.g., the repal time? Warm way to pology of e‐cr

o figure ouhout comp

eporting

WG researcFormat (IOfor network(IETF) in Dnical and pr

and describs, or large schrough a sche schema aquired to m


a Format

OMMON DAABLE E-CRIME ND LAW PERATING AH THE

MES THEMSE

g the Englisnd prime

t does not rnational port states tas it GMT? precisely rime events

ut unclear lex tools is

chers to defDEF) k events thDecember 2rotocol

be networkcale malevochema also allows ake sure th

ATION RMAT

6

ATA

AT THE

LVES

sh

that Was

s in a

a

fine

at 007.

k olent

for hat

O

The APWNetwork elementissue to

• F

• W

• D

• E

As the exand—asdisplay XWord. Awill show

The XMthe repomachineprocessiforensic crime melectron

Optimizing e

WG’s ExtenLayer Repos common specify the

raud sourc

Web servers

Domain Nam

Evidentiary

xtensions as text—are rXML formaAny text edw you the X

L base alsoort validatioe processinging can be eapplication

managementnic crimes th

e-Crime Invh

PMB 246, 40

nsion to IODrts builds oto phishinge elements o

ce and targe

s involved;

me Service

files of a w

are XML‐basreadable wiatted files asitor in any cXML forma

o allows for on, collaborg, many of executed asn. In effect,t and law ehemselves a


DEF‐Documeon the IODEg, fraud, anof the attem

et such a ba

data comm

(DNS) and

web site’s co

sed, they caithout specis will most common opatted conten

significantration, and the forensis soon as re, the commnforcementare execute

EFFIC


ent Class forEF base spend other e‐cmpted crime

ank;

munication p

d registry in

ontent.

an be procesial viewing any populaperating sysnt as well.)

t improvemdistributionc routines tlevant data

mon data fort operatingd.

OPTIMICIENCY USING


r Phishing, Fecification brime that ae, such as:

packets;

nformation;

ssed with mprograms.ar word prostem (vi, em

ments in repn activities that requirea becomes armat can eng at the spee


mmon Data

A 02421

Fraud, and Oby defining llows the re

many freely(All web brocessor suchmacs, nano,

port handlincan be autoe pains takiavailable tonable automed with wh


a Format

Other Non‐a set of dateporter of a

available torowsers wilh as Microsnotepad, et

ng, as manyomated. Wing hand a programmation in e‐hich the

ATION RMAT

7

ta an

ools, ll soft tc.)

y of ith

mmed ‐

O

XML makhuman-dof data a

The APWGEN, UK-ENcreate a vwhich elesector an

A workingmanual rehttp://sou

Figure 1: A

Optimizing e

kes reports huriven workflond machine

G has establN and ES-ES (version of th

ectronic crimd non-profit

g beta of theeporting andurceforge.ne

APWG e-Cri

e-Crime Invh

PMB 246, 40

uman readaows. The stan

e processing

ished workin(Spain-nativee APWG e-C

me is a proble e-crime dat

e APWG e-Crd archiving oet/projects/e

me Reportin


able and assndardized fo of reports fo

ng betas of ae Spanish).

Crime Reportem to help eta repositorie

rime Reportiof e-Crime eecrisp-x

ng Tool

EFFIC


ists in editingormat also alor different fo

a compliant More languating Tool avaestablish andes

ng Tool, a coevents is ava

OPTIMICIENCY USING


g, adding dallows for rap

orensic appli

eCrime Repages are to ailable in eved feed privat

onsole that ailable in US-


mmon Data

A 02421

ata and orgaid consolidaication scen

porting Tool focome. Goalery languagte sector, pu

allows for deEN at:


a Format

anizing ation narios

or US-l:

ge in ublic

etailed

ATION RMAT

8

O

Significaamongstreport, iprogram

Anotherdatabasexisting tsecond poriginal using th

There arIODEF ddata; a ga numbe

The end • Filanguag • P • E The APWOther Nolong timforeseea The schesuch as eminimizcases fol

Optimizing e

ant operatiot reporting t can be ele

mmatically b

r party coule, receive ittools to decparty couldreport and

he same com

re four comdata modelgroup of finer of ICT se

uring logist

inding a coes;

Providing ad

nsuring tha

WG believeon‐Network

me horizon aable future.

ema was deexchangingze the back‐llow.

e-Crime Invh

PMB 246, 40

Ena

on efficiencand consum

ectronicallybe consume

ld request tt in the comompose and also add areturn it to

mmon forma

mmunities cu and its extnancial instiecurity com

tical challen

mmon data

dequate flex

at created re

s that the I Layer Reporand will ada

eveloped tog informatio‐and‐forth n


abling Ro

cies are posming partiey sent to a ded and redi

that data frommon formand examine additional do the originaat.

urrently ustensions: naitutions exc

mpanies and

nges of inte

a sharing an

xibility to ev

eports conta

Extension torts meet theapt to indus

o solve a fewon with spenegotiation

EFFIC


bust Data

sible if a coes. For examdatabase whistributed.

om the at, and use it. This data to the al database

sing the ational CERchanging IPd individua

rnational e‐

nd reporting

volve with

ain sufficien

o IODEF‐Dose challengstrial and la

w specific, beakers of otn of capturin

OPTIMICIENCY USING


WITH A FORMATNEW FOEXCHANENGAGEPOSSIBLUNIMAG

a Sharing

ommon datample, once here the dat

RTs exchangP Addressels reporting

‐crime data

g format th

the changin

nt and synt

ocument Clages and will aw enforcem

but growinther languang critical d


mmon Data

A 02421

COMMON T FOR E-CRIRMS OF DA

NGE NECESSE E-CRIME BE IN WAYS O

GINABLE WIT

g

a format is a reporter gta could au

ging netwos and fraudg phishing

a sharing are

hat supports

ng e‐crime l

tactically co

ass for Phishicontinue toment needs

ng, identifieages and trydata. A few


a Format

TERMINAL IME REPORT

ATA SARY TO BECOME OTHERWISE THOUT IT

shared generates atomatically

ork incidentd attack detattempts.

e:

s multiple lo

landscape;

rrect data.

ing, Fraud, ao do so for afor the

ed problemsying to w example u

ATION RMAT

9

TS,

a y or

t tails;

ocal

and a

s

use

O

1. Untrasend comhorror ssource dare empthat a reeasier to 2. Exchaelectronto descrilanguagallows aand assothe sendanticipaquicker 3. The bcan be rthroughdesensitincidentforwardcompilefigure outhe entirit back tthe inclusubmittedata. 4. Additpart of texchangmessagesignatur

Optimizing e

Us

ained sourcmplete reptories of recdata is misspty. The IODeceived repoo receive inc

anging e‐crinic crime evibe an evenge. The text a receiver toorted informder of an IOted languagand simple

back‐and‐foreduced or h a third partized, anonyt data to a cding to an ind report traut what repre ‐‐ or pieco the originuded IODEed to the cle

tional standthe data excged with othe or requirinre. As the IO

e-Crime Invh

PMB 246, 40

e Case S

ces who areorts. Veteraceiving incoing; the timDEF exchanort is compcident data

ime data wents happent to an inveareas in ano use tools tmation intoODEF reporge of the reer.

orth convereliminatedrty before dymized or aclearinghounvestigatoraditionally port neededces of the ‐‐ nator. The oF Incident Iearinghous

dard securichange proher parties,ng that the ODEF form


Scenarios

e preparingan investigomplete damestamp hange format plete. This aa from a wid

with speakeen in multipestigator thn IODEF forto semi‐auto a languaget may also eceiver, mak

rsations whd. Some pordelivery to taggregateduse at which. If additiona series of bd what datacompiled roriginator cIdentifier inse trying to

ity mechanocess. Some, such as enoriginal da

mat complie

EFFIC


s and Ass

g and sendiators and rata about anas no time zcan requireability to reqder reportin

ers of anothple jurisdicthat understarmat messatomatically e that the retranslate ‐‐king true in

hen e‐crimertion of excthe intended. For examph it is compnal data is rback‐and‐foa. When usireport backcan quickly nstead of sematch up t

nisms can be parties arensuring thatata contain s with the X

OPTIMICIENCY USING


sociated

ing crime deceivers of n importantzone informe certain criquire certaing audience

her languagtions. An e‐ands and/oage contain translate theceiver undand mark

nternationa

e data is chchanged inced receiver ple, a grouppiled into a required duorth comming the IODk to the cleafind their searching ththe returne

be applied te sensitive tt only the rean integrityXML encod


mmon Data

A 02421

Benefits

data can be incident dat crime eve

mation; the ditical data fiin fields mae.

ge is simpli‐crime repor reads a dia languagehe sentencederstands. Aappropriateal informatio

anneled vicident data so the origip of banks generalizeduring investunications DEF formatsringhouse wsubmitted rhrough all thd report an

to the exchato the data eceived pary mechanisding rules, a


a Format

directed toata all havent, e.g., thedata payloaields to ensakes it much

ified. Manyorter may nifferent e marker thes, paragrapAdditionallely ‐‐ the on exchang

ia a third pais channeleinal data camay send td report beftigation of happens tos, one can swho can sereports usinhe data theynd their inte

anged datathat is rty can readsm or digitaany standar

ATION RMAT

10

o e e ads sure h

y eed

at phs ly,

ges

arty ed an be their fore the o send end ng y ernal

a as

d the al rd

O

security SSL/TLSthe receisecurity 5. InternjurisdictUsing thapplicatis transp(enciphecertain dpolicy o

The estaelement indeed, power w Still, theforensic agenciescrime da First, tooreports wAPWG hwho canreport an The APWconstruccorrespoMany ofmost all

Optimizing e

mechanismS, or generaiving partyservices.

national reptions with mhe IODEF fotion of otheport to the rerment). Thdata fields br regulation

Lookin

ablishment in the consa counter fwith every p

ere are othedata that iss, governmeata.

ols for repowill have tohas alreadyn operate a nd archive

WG has estct data tranondents’ syf the convercorrespond

e-Crime Invh

PMB 246, 40

m can be eaalized encipy. No additi

porting reqmultiple priormat to shr standard receiving pahe format albefore furthn.

ng Ahead

of a commostruction ofor the globpassing day

r data logiss islanded ient agencie

orting and fo be establisy programmgeneral puit. [See Figu

tablished annslation toolystems into rsion softwdent system


asily appliedpherment, aional securi

quirementsivacy, releahare data acXML securarty ‐‐ suchlso allows ther distribu

d: IODEF

on terminalf a global coal e‐crime py.

stics challenin repositores, CERTs, N

for translatished to takmed a manurpose compure 1, p 8.]

n open‐sourls to converthe IODEF

ware routinems would re

EFFIC


d to the IODand transpoity develop

s can be impase, retentiocross nationrity mechanh as digital sthe ability tution to sup

Extension

l data formounter e‐criplexus that

nges that mries maintaNGOs and

ing existingke advantagual reportinputer to con

rce softwarrt data sets Extensions

es are identequire their

OPTIMICIENCY USING


DEF data, sorted and rement is req

plementedon, and connal boundarnisms ‐‐ irresignatures to remove, epport comp

ns Develo

mat for e‐crimime data exis growing

must be engained by indindepende

g data sets ige of the comng console tnstruct a co

re project spin non‐coms for e‐Crimical with onr own conv


mmon Data

A 02421

such as PGPecovered orquired to us

d. E‐crimes snfidentialityries allows espective ofand confidencipher, oliance with

opment A

me reports xchange infg in compet

aged in orddustry, law nt clearingh

into IODEFmmon datathat will allomplete e‐cr

pecifically tmpliant formme Reportinnly minor dverters.


a Format

P, S/MIME,r validated se these

span multipy requiremefor the f how the dentiality or obfuscateh national

Arc

is an essenrastructuretence and

der to mobilenforcemehouses of e

F‐compatibla schema. Tlow anyonerime event

to design anmats of ng format. differences,

ATION RMAT

11

, at

ple ents.

data

e

ntial e,

lize ent e‐

le The e

nd

but

O

Given thto forensthe subswill yiel Researchdoubtlesdata logcounter clearing Before thlegal, regmovemecorrespoThat prodevelopuniversa

“ExtensiCrimewhttp://w

DanyliwFormat,”

An openreportin

Optimizing e

he eagernessic exchangsequent discld telling, co

hers, investss begin degistics barriee‐crime dahouses and

hat juncturegulatory anent of e‐crimondents whocess is undpment of a gal data sche

ions to the ware,” Internwww.ietf.org

w, R., Meijer” RFC 5070

n source sofng can be fo

e-Crime Invh

PMB 246, 40

ss of all stakge data, thecovery of nonclusive in

tigators andmanding mers to facileta exchanged legally rat

e, howevernd sometimme data acrho may or mderway in gglobal counema for e‐cr

IODEF‐Docnet Engineeg/internet‐d

r, J., and Y. 0, December

ftware projound at: htt


keholders e APWG expnew advantntelligence

d respondermore data ane, automatee will havetional corre

r, e‐crime dmes complicross internamay not havgovernmentnter e‐crimerime report

Ref

cument Claering Task Fdrafts/draft

Demchenkr 2007. http

ect relatingtp://sourcef

EFFIC


engaged in pects rapidtageous datfor forensi

rs from indnd more fred e‐crime e been estabespondence

ata correspcated ethicaational fronve specific ptal bodies we data exchats.

ferences

ass for RepoForce, July t‐cain‐post‐i

ko, “The Incp://www.ie

g to the devforge.net/pr

OPTIMICIENCY USING


e‐crime resd organizatita fusion anc artisans.

dustry and tequent correvent data ablished and e agreement

pondents wial questionsntiers and ofpermissionworldwideange as is th

s

orting Phish2008. inch‐phishi

cident Objetf.org/rfc/rf

velopment orojects/ecris


mmon Data

A 02421

sponse and on of corrend analysis

the public srespondencare removewill flourists.

ill have to cs that attendften througn to handle tand is as vhe developm

hing, Fraud

ingextns‐05

ect Descriptfc5070.txt

of tools for sp‐x


a Format

investigatispondenceschemes th

sector will ce. Then, wd, a global sh through

confront thed the gh the handthose data.ital to the ment of

d, and Othe

5.txt

tion Exchan

e‐Crime

ATION RMAT

12

ons and hat

hen

e

ds of

er

nge

Optimizing eCrime Investigation Efficiency Using a...

Documents

Transcript of Optimizing eCrime Investigation Efficiency Using a...