Current location - Quotes Website - Personality signature - What are the rules of electronic data forensics?
What are the rules of electronic data forensics?
Chapter I General Provisions Article 1 These Rules are formulated in accordance with the Criminal Procedure Law of People's Republic of China (PRC), the Procedural Provisions of Public Security Organs on Handling Criminal Cases and other relevant provisions in order to standardize the work of electronic data collection in criminal cases by public security organs, ensure the quality and improve the efficiency of electronic data collection. Article 2 When handling criminal cases, public security organs shall abide by legal procedures and relevant technical standards, collect and extract electronic data involved in a comprehensive, objective and timely manner, and ensure the authenticity and integrity of electronic data. Article 3 Electronic data forensics includes but is not limited to: (1) collecting and extracting electronic data; (2) Electronic data inspection and investigation experiments; (3) Inspection and identification of electronic data. Article 4 If the collection of electronic data by public security organs involves state secrets, police work secrets, business secrets and personal privacy, it shall be kept confidential; If the materials obtained have nothing to do with the case, they shall be returned or destroyed in time. Article 5 Electronic data collected and extracted by other state organs in the process of administrative law enforcement and case investigation and handling, accepted by public security organs or obtained according to law, can be used as evidence in criminal cases. Chapter II Collection and Extraction of Electronic Data Section 1 General Provisions Article 6 The collection and extraction of electronic data shall be conducted by two or more investigators. When necessary, professional technicians can be appointed or hired to collect and extract electronic data under the auspices of investigators. Article 7 To collect and extract electronic data, one or more of the following measures and methods can be taken according to the needs of the case: (1) Seal up and seal up the original storage media; (2) Extracting electronic data on the spot; (3) online extraction of electronic data through the network; (4) freezing electronic data; (5) Obtain electronic data. Article 8 Under any of the following circumstances, relevant evidence can be fixed by printing, taking photos, video recording, etc.: (1) The original storage medium cannot be seized and electronic data cannot be extracted; (two) there is a self-destruction function or device of electronic data, and it is necessary to fix the relevant evidence in time; (three) the need for on-site display, check the relevant electronic data. In accordance with the provisions of items (2) and (3) of the preceding paragraph, if the original storage medium can be seized after the relevant evidence is fixed by printing, photographing or video recording, the original storage medium shall be seized; If the original storage medium cannot be seized but electronic data can be extracted, electronic data shall be extracted. Article 9 Where relevant evidence is fixed by printing, photographing or video recording, the contents of electronic data shall be clearly reflected, the reasons for fixing relevant evidence by printing, photographing or video recording shall be indicated in relevant records, and the investigators and electronic data holders (providers) shall sign or seal to confirm the storage location, features and original storage medium location of electronic data; If the electronic data holder (provider) is unable to sign or refuses to sign, it shall be noted in the record and signed or sealed by the witness. Section 2 Seizure and sealing up the original storage medium Article 10 If the electronic data that can prove the criminal suspect's guilt or innocence, light crime or heavy crime is found in the investigation activities and the original storage medium can be seized, the original storage medium shall be seized and sealed up, and a written record shall be made to record the sealed state of the original storage medium. When conducting an inquest or inspection of a crime scene involving electronic data, the relevant equipment shall be disposed of in accordance with relevant specifications, and the original storage medium shall be seized and sealed. Article 11 The sealed original storage medium shall be sealed in accordance with the following requirements: (1) Ensure that the sealed original storage medium cannot be used or started without releasing the sealed state, and if necessary, seal the electronic equipment with data information storage function and internal storage media such as hard disks and memory cards separately; (2) The sealed original storage medium should be photographed before and after sealing. Photos should reflect the original storage media before and after sealing, and clearly reflect the sealing or posting of seals; When necessary, photos should clearly reflect the details of the internal storage media of electronic equipment; (3) To seal up the original storage media with wireless communication functions such as mobile phones, measures such as signal shielding, signal blocking or power cut-off shall be taken. Article 12 The seized original storage medium shall be checked with the witnesses present and the original storage medium holder (provider), and a seizure list shall be made on the spot in triplicate, indicating the name, serial number, quantity, characteristics and source of the original storage medium, which shall be signed or sealed by the investigators, the holder (provider) and the witness, one for the holder (provider) and one for the keeper of the public security organ. Article 13 If it is uncertain whether the original storage medium holder (provider) or the original storage medium holder (provider) is unable to sign or seal or refuses to sign or seal, it shall be noted in relevant records and signed or sealed by witnesses. If a qualified person cannot be a witness due to objective reasons, the situation shall be noted in the relevant transcripts, and the whole process of detaining the original storage medium shall be recorded. Article 14 When detaining the original storage medium, evidence related to the original storage medium, such as witness testimony, statements and excuses of criminal suspects, shall be collected. Article 15 When detaining the original storage medium, you can know, collect and indicate the following information in relevant records: (1) Management of the original storage medium and application system, network topology and system architecture, whether it is used and managed by more than one person, and the identity of the manager and user; (two) the original storage medium and user name and password managed by the application system; (3) The data backup of the original storage medium, whether there are encrypted disks and containers, whether there are self-destruction functions, whether there are other mobile storage media, whether there have been backups, and the storage location of the backup data. ; (4) Other relevant contents. Section 3 On-site Extraction of Electronic Data Article 16 If the original storage medium cannot be seized under any of the following circumstances, electronic data can be extracted on site: (1) The original storage medium is inconvenient to seal; (2) Extracting computer memory data, network transmission data and other electronic data not stored in the storage medium; (three) the case is urgent, and the failure to extract electronic data immediately may cause the loss of electronic data or other serious consequences; (four) closing the electronic equipment will cause the important information system to stop serving; (five) it is necessary to investigate suspicious storage media by extracting electronic data on the spot; (6) After the functions or applications of the running computer information system are shut down, they cannot be extracted without a password; (seven) other circumstances in which the original storage medium cannot be seized. After the situation that the original storage medium cannot be sealed up disappears, the original storage medium shall be sealed up in time. Seventeenth on-site extraction of electronic data can take the following measures to protect related electronic equipment: (1) timely isolate criminal suspects or other related personnel from electronic equipment; (two) in the case of not sure whether it is easy to lose data, it is impossible to turn off the electronic equipment in the running state; (3) If the on-site computer information system may be remotely controlled, measures such as signal shielding, signal blocking and network disconnection shall be taken in time; (4) protect the power supply; (5) Other necessary protective measures. Article 18 When extracting electronic data on site, the following provisions shall be observed: (1) The extracted data shall not be stored in the original storage medium; (2) New applications cannot be installed in the target system. If a new application needs to be installed in the target system for special reasons, the installation procedure and purpose shall be recorded in the transcript; (three) the implementation of the operation shall be recorded in detail and accurately in the relevant transcripts. Article 19 Where electronic data is extracted on the spot, a record of electronic data extraction on the spot shall be made, indicating the source, reason, purpose and object of electronic data, the time, place, method and process of extracting electronic data, the reason why the original storage medium cannot be seized, and the storage place of the original storage medium, and a fixed list of electronic data extraction shall be attached, indicating the category, file format, integrity check value and other contents. , should be produced by investigators and electronic data holders. If the electronic data holder (provider) is unable to sign or refuses to sign, it shall be noted in the record and signed or sealed by the witness. Article 20 The extracted electronic data can be compressed, and the corresponding method and the integrity check value of the compressed file shall be indicated in the record. Twenty-first personnel who are not competent for witness work due to objective reasons shall be noted in the Record of On-the-spot Extraction of Electronic Data, and the video files shall be calculated and recorded in the record. Article 22 The original storage media that can't be seized and electronic data that can't be extracted at one time can be sealed by the holder (provider) after being registered, photographed or videotaped, and a list of registration and preservation can be issued in duplicate, which shall be signed or sealed by the investigator, the holder (provider) and the witness, one of which shall be handed over to the holder (provider) and the other shall be attached with photos or video materials for future reference. The holder (provider) shall keep it properly, and shall not transfer, sell, damage or release the sealed state, surf the Internet without the approval of the case-handling department, and shall not add, delete or modify electronic data that may be used as evidence. When necessary, the computer information system should be kept on. The original storage media registered and preserved shall be decided within seven days. If no decision is made within the time limit, it shall be deemed as automatic termination. If it is found that it has nothing to do with the case, it shall be dissolved within three days.