ISO 17025 for Digital Forensics – Yay or Nay?


Poll: What do you support for the Digital Forensics Community?

6 votes (9%)
42 votes (66%)
5 votes (7%)
10 votes (15%)

Total Votes: 63

  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Posted: Wed Jan 24, 2018 3:46 pm

[quote]
No, because - at least judging from the recent news - some (hopefully only isolated cases) laboratories (or analysts or both) make so sloppy (or plainly wrong or partial/incomplete) reports that *something* needs to be done about it.
[/quote]

Except the recent mistakes, assuming the rape trials, relate to non-disclosure of data. The phone extraction had been done and no evidence it wasn't done correctly. The accreditation wouldn't have stopped it. The other instance related to Facebook messages extracted by a front line officer. Again outside the accreditation scope. So ironically wouldn't have affected them.

minime2k9
Senior Member
 
 
  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Posted: Thu Jan 25, 2018 12:24 am

07:10 2018-01-25
- bshavers
Once preserved, electronic evidence does not spoil or rot.


Given enough time (decades), digital media, even preserved on the best of whatever we have today will degrade and become unusable. I'm part of a retro community that deals with preservation of software, and many are reporting some disks are reported as being unable to read from.

Not to forget, hardware goes away and is replaced by new technology, requiring hardware also to be stored for media to be recovered in the future, and hardware has a shorter shelf life (i.e. electrolytic capacitors go bad and leak, as well as batteries that barf acid all over the motherboard). I know of one company that has been storing tech since the 60s and their technology storage is significant, I'd call it a museum.

- jaclaz
No, because - at least judging from the recent news - some (hopefully only isolated cases) laboratories (or analysts or both) make so sloppy (or plainly wrong or partial/incomplete) reports that *something* needs to be done about it.


So it's more of a people problem. Can also be taken care of by having 2-hand sign-off instead of forcing people to pay for a piece of paper.

- JaredDM
Computer calibration. That's funny. Better make sure that your clock isn't running .23ms fast. That could get the whole case thrown out.


That kind of stuff. People applying standards because of knee jerk reaction on things that are outside the standard and someone trying to make money on certification/accreditation. It's the PE licensing idiocracy thing all over again.  

MDCR
Senior Member
 
 
  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Posted: Thu Jan 25, 2018 7:26 am

- minime2k9
The accreditation wouldn't have stopped it.

Exactly.

Maybe I expressed myself poorly; I referenced those recent cases to point out how "digital data" have a great relevance in Police and Courts decisions and thus mistakes revolving around these "digital data" (both inside and outside the laboratory) may have serious consequences. Thus it makes little sense to have a very strict norm on the way the data is acquired in a laboratory if data can be acquired outside the laboratory or can be mishandled by other actors in the process.

The decision to apply ISO 17025 to digital forensics laboratories - besides and before discussing whether the norm is applicable/right or not (it is not IMHO) - only patches a small part of what is involved in a fair and correct trial.

A "better" or "more suitable" standard (or however guideline or procedure) is - as I see it - however needed and should cover the whole process of discovery and reporting not only the mere activities in the laboratory.

At the end of the day the people - righteously - expect that the judiciary system will punish (adequately) the guilty and leave the innocent free, i.e. they want justice to be - as much as possible - just.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Posted: Thu Jan 25, 2018 8:40 am

Thank you to everyone that is taking part in this discussion. I personally don't have the answers to this complex discussion so I value everyone's input so that we can all better understand the pros and cons of possible future standards.

From the 17 votes so far, it is clear that 17025 has its issues and few are fans of this current standard.

For those that have voted that "Standards are NOT required", do you mind posting comments as to why you believe this? By understanding everyone's argument, hopefully, we can move our community in the correct direction.

- jaclaz
- bshavers
Isn't lab certification for computer work overkill and unnecessary?


IMHO yes and no.

Yes, it makes no sense whatsoever because it is inherently a "moving target", and - provided that actual ISO17025 is applied (which I doubt) the consequence is that either the lab will "remain behind" or a lot of resources (which doesn't seem to be that much abundant) will be (should be) diverted to verification and compliance of tools and methods.


- jaclaz
A "better" or "more suitable" standard (or however guideline or procedure) is - as I see it - however needed and should cover the whole process of discovery and reporting not only the mere activities in the laboratory.


Jaclaz: Correct me if I'm wrong, but you feel that a new standard covering everything from the initial collection to the final testimony in court would be most appropriate. This is assuming the new standard is not too rigid allowing examiners to do their work in our ever-changing environment without being required to verify and validate tools individually on an ongoing basis.

In your experience, have you come across any current standards that could be adapted to fit within Digital Forensics?

My personal opinion is that a standard would work better if it was less rigid in regards to validations of tools and instead placed emphasis on the validation of the data that is extracted and included within the final Digital Forensic Report as we are taught to do. Each tool can and will extract and display data differently and it's the validation steps we as examiners take afterward that are essential to confirm that the extracted data is correctly interpreted and presented within our reports.

- bshavers
I believe the "lab" should not be any part of regulation.

The path to make DFIR more like other forensic fields should be directed at the person, not the lab, as electronic evidence is different than any other type of evidence.


Brett: Do you see any sort of standard for labs?

What's to stop a lab from following improper protocols by having inexperienced examiners taking on work beyond their skill level?

If an examiner is highly regarded and then does contract work in a lab that is later found to cut corners and not follow basic common sense procedures, will that examiner's reputation be tarnished unfairly?

How do you see individuals meeting standards? Would this not be similar to certificates?

I believe that perhaps a combination of standards for both the lab and examiner is needed. My fear is that if we eliminate a standard for the lab, then they have less of an incentive to ensure the work is done appropriately and instead worry more about the financial costs cutting corners where they can to gain an advantage over their competition.  

Merriora
Member
 
 
  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Posted: Thu Jan 25, 2018 9:38 am

Hi,

Before I came into digital forensics (in 2004) I worked in traditional scientific test laboratories, most notably a pharmaceutical lab (AH Robins) and a microbiology lab (Malthus Instruments).

I got to know these environments and working practices pretty well and when I read 17025, it makes complete sense to me for those environments.

One of the things I believe even some UKAS assessors don't fully appreciate is the level of translation already required to go from what 17025 was intended for, into a wet forensics environment.

To then port it across into digital forensics, requires an even greater level of translation to the point where some points have become meaningless when you consider what the original authors intended to achieve.

There's so much more I could and want to say but it's all pretty much been said many times over. I just wanted to make the point that we shouldn't forget this standard was not written for forensics at all and from my point of view, having worked in traditional scientific test laboratories and digital forensics, I can see how wide the gulf is between the two disciplines.

Steve
_________________
Steve Falkner, Forensic Computer Examiner, London, UK 

steve862
Senior Member
 
 
  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Posted: Thu Jan 25, 2018 10:06 am

- Merriora
“Much of the digital forensic community desires to have their evidence seen in court as forensically sound and bulletproof, yet do not want to go through the rigors that other traditional forensic sciences have done to prevent evidence spoliation and other mishandling and misinterpretations.”
~ Josh Moulin
Deputy Chief Information Officer
US Federal Government, National


ISO 17025 is now the mandatory standard in the United Kingdom for all Digital Forensics Laboratories.

Will the Digital Forensics community in the United States, Canada, Australia and elsewhere adopt ISO 17025, another standard, or wait for one to be imposed on them by a government agency?


Merriora, just an observation and at the same time throwing a spanner in the works. How would you envisage cross-border evidence being accepted? For instance, you send evidence to the UK acquired during a joint operation with the US and evidence is for submission to the UK Criminal Court. Should the court assess your evidence against your standards or ISO17025?
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 

trewmte
Senior Member
 
 
  

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Posted: Thu Jan 25, 2018 10:29 am

- bshavers
For the computer "labs" having to comply with medical lab standards, I would expect compliance failures to be a regular occurrence, which will impact forensic admissibility in the courtroom for the simple fact of failure to follow an impossible-to-follow policy regardless of how perfect of a forensic exam was conducted.


Medical labs typically answer very narrow questions: 'is this human blood? does it match blood samples X, Y, Z? If it does, what is the probability for a random match?' They aren't asked 'did X murder Y?' or 'How did the DNA of X end up under Y's nails?' (And if they are, they should have the sense to refuse the job...)

Computer forensic labs are an odd mixture of investigation on one hand, and question-answering on the other. Much more investigation, much less scientific fact-finding.

In the general area of investigations, I don't think standardization is of any use. But the narrow questions, such as 'was this file modified on <date> <time>? by whom? With what result?' could and should be subject to standardization.

Just as that lab being asked 'does this blood specimen belong to anyone known?' should have a considered methodology for answering that question, with known sources of error (including verifying that the specimen a) is blood, and b) is human blood before the question of identity using a DNA database is addressed), I believe that similar specific questions that a computer forensic lab is asked to answer should have a similar methodology, and similar appreciation of errors affecting a result.

That is, ISO 17025 has a place. But it seems it is being applied as a wet blanket in the hope that it may cover and cure everything, instead of being applied as a hot poultice for a specific purpose and limited area of application. (Please ignore my medieval notions of medical treatment ...)

athulin
Senior Member
 
 

Page 2 of 18