ISO 17025 for Digital Forensics – Yay or Nay?


Poll: What do you support for the Digital Forensics Community?

6 votes (9%)
42 votes (67%)
5 votes (8%)
9 votes (14%)

Total Votes: 62


ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Wed Jan 24, 2018 7:55 am

“Much of the digital forensic community desires to have their evidence seen in court as forensically sound and bulletproof, yet do not want to go through the rigors that other traditional forensic sciences have done to prevent evidence spoliation and other mishandling and misinterpretations.”
~ Josh Moulin
Deputy Chief Information Officer
US Federal Government, National


ISO 17025 is now the mandatory standard in the United Kingdom for all Digital Forensics Laboratories.

Will the Digital Forensics community in the United States, Canada, Australia and elsewhere adopt ISO 17025, another standard, or wait for one to be imposed on them by a government agency?
To find the best solution for those working outside the UK, the following article calls for an in-depth analysis of ISO 17025, and everything it represents.

Input from those working in ISO 17025 labs in the UK and other countries will help the rest of us better understand the reasons for and against this accreditation.

Please read the following article posted here on Forensic Focus and join the discussion by posting your comments here.
articles.forensicfocus...ay-or-nay/

Your input will help start the conversation on this important topic.
_________________
Robert Merriott
Founder - Forensic Notes

Note: The ideas and opinions presented in my posts do not reflect the policies, procedures, and regulations of my employer or agency.
 

Merriora
Member
 
 
  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Wed Jan 24, 2018 11:48 am

So there is a great deal of problems that are plaguing the implementation of this standard:
Consistency across audits - major problem
Massively used to areas which have standard methods - as in British Standard/International methods not common use of IEF
Areas where terms are made to fit digital standard - uncertainty of measurement
Competency - based around the idea that each method is very different and separate and that someone needs to demonstrate how to do it. I would argue that running IEF or Regripper or other tools doesn't require a specific competency, but investigations require competent staff. A work instruction detailing the former covers ISO but never addresses someone's actual competency.
Specific work instructions - doesn't allow flexibility for taking into account unknowns. How do you write a work instruction for something you don't know exists.
Pace - ISO 17025 is designed for areas which rarely change. Digital Investigators are already behind and technology changes pace rapidly.
Calibration - requirement to 'calibrate' computers used in investigations, a requirement of ISO but stupidly applied.

There are more areas than I can show here right now, but the audits have shown me how ridiculous the whole process is. I know more than one or two labs have been asked how they protect hard drives from solar flare activity!  

minime2k9
Senior Member
 
 
  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Wed Jan 24, 2018 11:59 am

- minime2k9

There are more areas than I can show here right now, but the audits have shown me how ridiculous the whole process is. I know more than one or two labs have been asked how they protect hard drives from solar flare activity!


Not only, the > 1 meter thick reinforced concrete walls of underground laboratories would probably need to be certified as "solar flare proof" or at the very least "solar flare resistant", according to a standard grading system developed at the time for "glasshouses" (which is obviously "closely related"). Wink

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Wed Jan 24, 2018 12:57 pm

Isn't lab certification for computer work overkill and unnecessary?

Other lab types that work with chemical, biological, or nuclear substances surely need accreditation with substantial regulation for public safety measures. But certifying a computer lab?

I believe the "lab" should not be any part of regulation.

The path to make DFIR more like other forensic fields should be directed at the person, not the lab, as electronic evidence is different than any other type of evidence. Electronic evidence can be preserved in a static state (as if preserved in amber), reproduced, duplicated, transmitted, and copied without alteration. It can be examined countless times by countless persons using countless methods to obtain forensically sound results. The same cannot be said of other forensic fields. Once a physical substance has been tested (blood, drugs, a human body, etc..), it cannot be tested again as if it were never tested in the first place, nor can the substance be duplicated or preserved as electronic evidence can. Once preserved, electronic evidence does not spoil or rot.

For the computer "labs" having to comply with medical lab standards, I would expect compliance failures to be a regular occurrence, which will impact forensic admissibility in the courtroom for the simple fact of failure to follow an impossible-to-follow policy regardless of how perfect of a forensic exam was conducted.  

bshavers
Senior Member
 
 
  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Wed Jan 24, 2018 2:12 pm

- bshavers
Isn't lab certification for computer work overkill and unnecessary?

Other lab types that work with chemical, biological, or nuclear substances surely need accreditation with substantial regulation for public safety measures. But certifying a computer lab?

I believe the "lab" should not be any part of regulation.

The path to make DFIR more like other forensic fields should be directed at the person, not the lab, as electronic evidence is different than any other type of evidence. Electronic evidence can be preserved in a static state (as if preserved in amber), reproduced, duplicated, transmitted, and copied without alteration. It can be examined countless times by countless persons using countless methods to obtain forensically sound results. The same cannot be said of other forensic fields. Once a physical substance has been tested (blood, drugs, a human body, etc..), it cannot be tested again as if it were never tested in the first place, nor can the substance be duplicated or preserved as electronic evidence can. Once preserved, electronic evidence does not spoil or rot.

For the computer "labs" having to comply with medical lab standards, I would expect compliance failures to be a regular occurrence, which will impact forensic admissibility in the courtroom for the simple fact of failure to follow an impossible-to-follow policy regardless of how perfect of a forensic exam was conducted.


As always Brett, you are a voice of reason. I agree 100% to this. While we have a lot of similarities to "traditional" forensic sciences, DFIR is unique and should be treated as such. Not forced into a bucket that doesn't fit.  

mcman
Senior Member
 
 
  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Wed Jan 24, 2018 2:46 pm

- bshavers
Isn't lab certification for computer work overkill and unnecessary?


IMHO yes and no.

Yes, it makes no sense whatsoever because it is inherently a "moving target", and - provided that actual ISO17025 is applied (which I doubt) the consequence is that either the lab will "remain behind" or a lot of resources (which doesn't seem to be that much abundant) will be (should be) diverted to verification and compliance of tools and methods.

No, because - at least judging from the recent news - some (hopefully only isolated cases) laboratories (or analysts or both) make such sloppy (or plainly wrong or partial/incomplete) reports that *something* needs to be done about it.

- bshavers

Other lab types that work with chemical, biological, or nuclear substances surely need accreditation with substantial regulation for public safety measures.

Not only, it is much easier to create a standard for them, because the amount of variability in the "source" and the total number of possible tests are limited and - almost - always the "same" ones.

- bshavers

I believe the "lab" should not be any part of regulation.

The path to make DFIR more like other forensic fields should be directed at the person, not the lab, as electronic evidence is different than any other type of evidence.

Still that would amount to *needing* some "standard" certification of sorts linked to the person instead of the lab, a much better IMHO approach, but - without some good ideas on how exactly to have that - only moving the actual target without solving the issue.

- bshavers

Electronic evidence can be preserved in a static state (as if preserved in amber), reproduced, duplicated, transmitted, and copied without alteration. It can be examined countless times by countless persons using countless methods to obtain forensically sound results. The same cannot be said of other forensic fields. Once a physical substance has been tested (blood, drugs, a human body, etc..), it cannot be tested again as if it were never tested in the first place, nor can the substance be duplicated or preserved as electronic evidence can. Once preserved, electronic evidence does not spoil or rot.

Sure, but when possible and within limits even biological samples can be re-tested (and often are when there is an appeal or similar).
If the "scientific data" from the very first test has - and it increasingly seems like it is the case lately - the potentiality to put (and keep) innocent people in jail, or vice versa allow the culprit to get away free of charges, *something* in the quality assurance of these "scientific data" *needs* to be done.


- bshavers

For the computer "labs" having to comply with medical lab standards, I would expect compliance failures to be a regular occurrence, which will impact forensic admissibility in the courtroom for the simple fact of failure to follow an impossible-to-follow policy regardless of how perfect of a forensic exam was conducted.

Yes, and that is IMHO the worst aspect.

Since the "other part" (be it prosecution or defense) is essentially made by lawyers, i.e. people that by trade look for and find even minimal defects in whatever/whoever the other part brings in court (be that eyewitnesses, expert witnesses or reports), this would open a whole Pandora's Vase of "procedural exceptions" or similar.

With the consequence that digital investigators may shift their competence and focus from actually finding out what is contained in the evidence to making sure that the methods through which this content is extracted and interpreted are compliant as much as possible to the "impossible-to-follow" policy, i.e., in a nutshell, provide less or worse data.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Wed Jan 24, 2018 3:56 pm

This conversation makes me glad I moved into data recovery and stayed out of DF. I'm happy the government(s) neither understand nor care enough about data recovery to even attempt regulation.

I find it hilarious when other data recovery labs try to post their "accreditation" of a certain ISO standard. Last time I checked DriveSavers was showing off their latest ISO certificate. But if you looked up the number it was just relating to cloud storage and has nothing to do with data recovery at all.

If ISO 17025 is like most ISO accreditation processes I've researched in past jobs, half the requirements are clearly written by bureaucrats who have no understanding of practical application at all.

Computer calibration. That's funny. Better make sure that your clock isn't running .23ms fast. That could get the whole case thrown out. Laughing
_________________
Lead Data Recovery Tech at Data Medics® - www.data-medics.com 

JaredDM
Senior Member
 
 
