ISO 17025 for Digital Forensics – Yay or Nay?


Poll: What do you support for the Digital Forensics Community?

(option text not captured) 6 votes (9%)
(option text not captured) 41 votes (67%)
(option text not captured) 5 votes (8%)
(option text not captured) 9 votes (14%)

Total Votes: 61

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Sat Feb 10, 2018 6:31 am

Just to widen the discussion slightly (this applies to regulating labs or individuals):

Statutory regulation requires legal definitions, and I have seen very little discussion on how such definitions would come about and how they would be applied in the real world. These are more important when you consider that a good defence barrister will look at the definitions in an attempt to show that requirements have not been met (and, therefore, that the evidence is not reliable):

Legal definition of digital forensics.

Legal definition of criminal evidence (can unregulated labs deal with intel?, civil case becoming criminal, etc.)

Jurisdiction (evidence from outside of legal borders)

When exactly does data become criminal evidence?

Without the ability to create usable and practical definitions of these, it's going to be very hard to come up with a regulatory statute.

These are all issues that need discussion and something that the regulator has not really come to grips with yet IMHO. I would hate to be the one who, starting with a plain sheet of paper, had to draft a watertight statute, knowing it would be tested at some point by some of the finest barristers available.

PS of course, many of these questions equally apply to other forms of forensics.  

pbeardmore
Senior Member

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Sat Feb 10, 2018 7:11 am

I agree that the quality of some examiners is shit; some people working for 3/4 letter high prestige government agencies can't even find a piece of common bloody malware that some antivirus locked up in isolation, and their speciality is crunching DD images, while mine is network forensics. (You know who you are.)

It is possible to have exams done at job interviews to assert what your current skill level is, like "How would you proceed to investigate X?"

As well as pragmatic tests like executive functioning and problem solving skills, which are quite revealing of the person's capabilities.

In other aspects, jaclaz just said it better than me. We do not need more paperwork, we need practical qualifying tests of knowledge that could have been acquired at a training facility or at home at the desk during nightly online courses or tinkering with Project Honeynet or similar material; even references can be useful: "This guy did catch the intruder while working as a network tech".

But then, I do not have an interest in selling online training courses, so what do I know?

The most important thing is to have a genuine interest in the field; if that exists, then that person will learn everything there is to know about the field. Monkeys with certificates only interested in doing the bare minimum are not a measure of quality; they have been overflowing the IT industry as a whole for years.

MDCR
Senior Member

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Sat Feb 10, 2018 1:07 pm

It makes me happy to see discussion of the practitioner over the "lab". It makes me even happier to see a discussion of minimum standards of the practitioner over beliefs of no standards at all.

My only thought in a minimum standard is that some bottom line of knowledge should be met to allow licensing, and more importantly, created by the DFIR community and not by a regulatory agency. If your state requires a PI license to do forensics, you know what I mean.

A minimum standard can be anything, from a certain number of college courses to on-the-job experience or anything in between.

When govt agencies decide to regulate the DF field in which they may be ignorant, the regulation will be far too difficult to meet, will negatively affect those with years of experience, and wipe out a massive number of potential newcomers to the field due to inability to meet the minimum standards. I do not feel a college degree is necessary, but I also do not think that just buying a dongle is enough either.

We can prevent over-regulation by having a community wide standard of something minimally agreeable sooner than later. The standard can be virtually anything to show that a minimum required amount of time and effort was completed; perhaps a combination of education hours, OJT, or alternative methods of testing (in effect, to "test out"), certifications, or related experience.

Competence cannot be regulated. But requiring a minimum amount of exposure to important DF*IR information can be. We have to separate competence and education standards as a regulatory goal; let's leave competence determination to the hiring managers where it should be.

*To clarify a bit on the "F" part of DFIR. I do not see a reason to regulate or license the aspects of the field that do not relate to forensics. A system admin does not need certification in forensics; nor does the help desk. Incident response may or may not need it depending on whether or not their job requires investigating incidents with the intention of legal proceedings (thereby, it is 'forensics').

There is a distinct difference in work that requires forensics versus the exact same work that does not require forensics. IT can image a hard drive using the exact methods and tools as a DF examiner does, but one has nothing to do with a legal proceeding and the other has everything to do with it.

When the job posting states 'gathering evidence' or 'testimony', then we have opened the door where personal harm to the public is in the hands of the practitioner, and at that point, the practitioner should know what 'forensics' is. And forensics is not being able to image a hard drive, but rather the legal concepts surrounding it.  

bshavers
Senior Member

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Sun Feb 11, 2018 5:31 am

- MDCR
... and their speciality is crunching DD images, while mine is network forensics.


- bshavers

There is a distinct difference in work that requires forensics versus the exact same work that does not require forensics. IT can image a hard drive using the exact methods and tools as a DF examiner does, but one has nothing to do with a legal proceeding and the other has everything to do with it.


Can we all agree that when it comes to making (at least from standard mass storage devices) a DD image, it represents the simplest, most basic part of digital forensics work (more like a pre-requisite than anything else)?

If yes, do you both realize that the community (at large) has completely failed in years to provide a definite guideline and tools/methodology outside the (IMHO poor and outdated) NIST tests and the needed "acts of faith" in this or that (hardware write blocker) vendor?

In this (little?) sub-community at Forensic Focus we have here and there references to WinPE (not so casually also thanks to bshavers), we have customized Linux distros (like the Passmark/OSForensics one, which is seemingly far from having been properly tested), we have patches for them (see TheFuf's work).

Yet, we cannot even produce one (or two) definite, verified, foolproof, basic tool(s) guaranteed (by the consensus of the community) to make a stupid dd-like image without altering the source.

Heck!
We cannot even fully agree on some basic definitions (example):
www.forensicfocus.com/...c/t=15714/

A rose by any other name will still smell as sweet, but calling things by their names has traditionally been the very first step to start communicating.

Do you really expect that out of nowhere something like:
- bshavers

We can prevent over-regulation by having a community wide standard of something minimally agreeable sooner than later. The standard can be virtually anything to show that a minimum required amount of time and effort was completed; perhaps a combination of education hours, OJT, or alternative methods of testing (in effect, to "test out"), certifications, or related experience.

will ever (as opposed to sooner or later) come out?

And now a set of (legit) ISO 17025 questions:
Do you use an anti-static/earthing wristband when disassembling a PC to extract a HDD or SSD (or whenever you touch any electronic device, including, but not limited to, USB sticks)?
How is the wristband tested and certified?
Does it need periodical verification?

en.wikipedia.org/wiki/...rist_strap

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Sun Feb 11, 2018 6:14 am

- jaclaz


And now a set of (legit) ISO 17025 questions:
Do you use an anti-static/earthing wristband when disassembling a PC to extract a HDD or SSD (or whenever you touch any electronic device, including, but not limited to, USB sticks)?
How is the wristband tested and certified?
Does it need periodical verification?

en.wikipedia.org/wiki/...rist_strap

jaclaz


Following on from the useful comments by jaclaz - www.forensicfocus.com/...6/#6592586
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 

trewmte
Senior Member

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Sun Feb 11, 2018 6:19 am

- jaclaz

And now a set of (legit) ISO 17025 questions:
Do you use an anti-static/earthing wristband when disassembling a PC to extract a HDD or SSD (or whenever you touch any electronic device, including, but not limited to, USB sticks)?
How is the wristband tested and certified?
Does it need periodical verification?

en.wikipedia.org/wiki/...rist_strap

jaclaz



First, as for the DD comment, that was just an all-encompassing remark about doing forensics on media, not a reference to a particular tool or anything.

As for ESD: when disassembling PCs and related hardware, even when not working with them for investigative purposes, I have one around. I touch it to make sure any static buildup is gone; there is no need to actually wear it. I could also touch the metallic ground pin in a standard European power strip connector:

[Image removed for page formatting]

(It's the shiny metallic part in the plug that is 90° offset from the connector holes.)

That would probably not suffice in a theoretical world of standards and procedures, but it is enough for anyone who has ever taken a basic class about electronics.

MDCR
Senior Member

Re: ISO 17025 for Digital Forensics – Yay or Nay?

Post Posted: Sun Feb 11, 2018 10:02 am

- MDCR

I could also touch the metallic ground pin in a standard European power strip connector:

[Image removed for page formatting]

(It's the shiny metallic part in the plug that is 90° offset from the connector holes.)

That would probably not suffice in a theoretical world of standards and procedures, but it is enough for anyone who has ever taken a basic class about electronics.


You mean a non-standard European power strip.

That kind of socket is called a CEE 7/3 socket (Schuko); it is the "only" standard in - say - Germany, Sweden, Spain and Portugal (but not - say - in Italy or in the UK, provided that the UK is EU).

en.wikipedia.org/wiki/Schuko

In particular, both the Italian (other) standard (as nowadays the use of multi-standard sockets is increasingly common) and the UK (only) standard sockets do not expose the ground terminal, so you cannot even use that - anyway unorthodox[1] - trick.
en.wikipedia.org/wiki/...nd_sockets

And still, how often do you check that the ground (of the wristband or of the socket) is effective?
How do you test it? (with which instrument)
How often do you calibrate that instrument?

JFYI, generically here in Italy (and limited to the "fixed" electrical wiring, not to appliances such as an extension cord or a wristband would be) in workplaces the periodicity is 5 years, or 2 years in some particular environments (including many with high fire risk), and the check is made by certified engineers, using equipment tested/calibrated yearly.

It would only be sensible to have a much shorter interval in a forensics laboratory, like three or six months, and of course to test the wristband as well.

jaclaz

[1] Unorthodox because an anti-static wristband is (usually) connected to ground through a set of resistors, as the idea is to safely connect to ground without any risk of electric shock (possible when touching a ground directly in some circumstances); if you adopted your method in a work environment you would be in serious violation of safety rules.
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Page 13 of 17