
ISO 17025 for Digital Forensics – Yay or Nay?


What do you support for the Digital Forensics Community?

6 (9%)
42 (67%)
5 (8%)
9 (14%)

Total Votes: 62

  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Thu Jan 25, 2018 11:54 am

- trewmte

Merriora, just an observation and at the same time throwing a spanner in the works. How would you envisage cross-border evidence being accepted? For instance, you send evidence to the UK acquired during a joint operation with the US and evidence is for submission to the UK Criminal Court. Should the court assess your evidence against your standards or ISO17025?


This is an excellent question and likely a valid argument for some sort of Lab accreditation compared to only having accredited examiners. But hopefully, if the DF community in the rest of the world moves towards a different standard, solutions would exist to allow for the sharing of information. Just because the UK is ISO 17025 should not force the rest of the world to follow along if the standard truly doesn't fit Digital Forensics.

Assuming a new standard is developed, I would hope that it would be sufficient to compete against 17025 in regards to reliability from the lab.

Perhaps if a new standard is developed, then the UK would look to follow (far future) if that made sense and issues still existed with the implementation of 17025.  

Merriora
Member
 
 
  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Thu Jan 25, 2018 12:03 pm

- athulin


Computer forensic labs are an odd mixture of investigation on one hand, and question-answering on the other. Much more investigation, much less scientific fact-finding.

In the general area of investigations, I don't think standardization is of any use. But the narrow questions, such as 'was this file modified on <date> <time>? by whom? With what result?' could and should be subject to standardization.


I think this is a very important distinction in the type of work we complete within our field. Often we are not giving expert opinions within our report on if XYZ occurred, but rather providing information on what we observed on the device which can then be used to compare to other information known about the incident. (Investigative)

Example:
- Here is a list of all calls and SMS messages obtained from the device compared to the Call Detail Records (CDRs)

VS.

In cases where an expert opinion is required...

Examples:

- Was this picture taken with this phone on <date>?
- Was Joe using this device on <date/time>?

In the latter examples, further standards should be developed both concentrating on the experience of the investigator and the tools/methods* used to come to that determination.

In this situation, further testing should be done and expected to be done by the courts to be able to provide that expert opinion for this particular question if it's essential to the case.

Merriora
Member
 
 
  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Thu Jan 25, 2018 1:42 pm

My apprehension in the accreditation debate of digital forensics "labs" is that most of the standards proposed do not apply to the DFIR field and therefore will negatively disrupt it.

A digital forensics "lab" is many times just a laptop connected to an external hard drive that contains a forensic image of electronic data that can be used for examination in virtually any location on the planet (or off the planet).

The forensic work is interpreting the data. Preserved data does not spoil or rot and is not affected by an analysis. For scientific analysis as intended by various ISOs, there is no element on the table of elements that can be compared to electronic data as the testing of any element will result in a change, or be altered or modified, or even be destroyed by a lab analysis. All elements, even without an analysis are affected by environmental conditions including the passage of time, some more so than others.

Electronic data is not an element. It can be preserved, perfectly duplicated, and tested (interpreted) forever without alteration. The environment does not affect data. The testing does not affect the data. The passage of time does not affect the data. Storage media may fail, but the data can be preserved onto new media forever. There is practically no difference between reading a book and examining a forensic image. Once preserved, the information/data is unchanging when reading/interpreting. This cannot be said of any element on the table of elements.

The focus should be on training and education standards for the examiner and processes for collection of electronic evidence, whether derived from modified ISO standards and/or commonly used methods used by the community.

Today, technology is a moving target. Tomorrow, it may be out of reach if we restrict our work by implying that the mere interpretation of data from a forensic image requires the same environmental standards as conducting an autopsy on a human body or on a single drop of blood.  

bshavers
Senior Member
 
 
  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Fri Jan 26, 2018 1:12 am

- bshavers
The forensic work is interpreting the data. Preserved data does not spoil or rot and is not affected by an analysis.


The forensic work also includes such a significant element as data acquisition. It's easy to say "preserved data", it's not so easy to preserve the data during the acquisition. If data is preserved, then yes, data interpretation errors can be resolved by examining this data again, although such errors can remain invisible in a particular case (still, there are legal ways to reduce the risk of unnoticed data interpretation errors). When data is not preserved (during its acquisition or at a later time), a number of obvious issues may arise. Moreover, sometimes forensic examiners have to prove that data was actually preserved as expected (and there should be an easy way to do this).

Currently, forensic examiners are blindly attaching a magic box which makes the acquisition process forensically sound (this box is called a hardware write blocker) and courts are accepting this method. But this is so much wrong! We need better validation methods and standards for hardware write blockers and other tools. We need a disclosure standard for vendors of forensic software/hardware. The acquisition process is crucial, so critical issues with basic tools like write blockers should be publicly discussed, because the "examine the data again" approach won't always work if original data isn't intact.  

thefuf
Senior Member
 
 
  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Fri Jan 26, 2018 1:25 am

I neglected the acquisition aspect since it is impossible to require all or even some acquisitions to occur in an ISO certified lab environment. Many acquisitions are conducted onsite by virtue of the systems or limited time allowed to acquire. If there is ever a requirement to have lab-only acquisitions, you can imagine the negative impact that will have on forensics.  

bshavers
Senior Member
 
 
  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Fri Jan 26, 2018 5:20 am

Not being a professional in the field, I am allowed to say that - while of course data should not be changed at a whim - the current fixation on "total integrity" is mainly fluff that the industry of write blockers happily promotes and that risks to have forensic examiners - obsessed by this particular (largely) non-issue - to focus on this aspect and leave unexplored or mis-explored other parts of the evidence.

Previous related discussion:
www.forensicfocus.com/...c/start=5/

Anyway there is not one reason in the world to have a hardware write blocker (let alone trusting it blindly) the fact that no one has put together a basic OS, open source and fully documented that runs (at a decent speed) on something inexpensive like a Pi or any given "standard" board (possibly with a processor that has NOT "speculative execution" ;) ), and that is verified/certified by members of the international forensics community should be proof enough that there is no actual consensus on this very basic aspect, there is simply no chance in any foreseeable future to have any senseful standard/procedure.

The good news about the forcing down the throat of the good UK forensicators the ISO 17025 norm could be the occasion to have them (and those from other countries, scared to death by the possibility that the same will happen to them before or later) to actually put their act together and propose (better) alternatives.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Fri Jan 26, 2018 5:39 am

- bshavers
I neglected the acquisition aspect since it is impossible to require all or even some acquisitions to occur in an ISO certified lab environment. Many acquisitions are conducted onsite by virtue of the systems or limited time allowed to acquire. If there is ever a requirement to have lab-only acquisitions, you can imagine the negative impact that will have on forensics.


This aspect could be neglected if forensic labs weren't doing data acquisitions (within a lab) at all and if the integrity of digital evidence wasn't the issue. Also, there could be a better solution than ISO 17025 for the acquisition phase, so on-site data acquisitions can be covered as well.  

thefuf
Senior Member
 
 
