Computer Forensics project

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.

athulin
Senior Member
 

Re: Computer Forensics project

Posted: Nov 01, 19 08:03

- GumStickStorage
I get that 17025 is a pretty unpopular set of guidelines due to unrealistic expectations and costs. Unfortunately I can't just write that I want to scrap it but I'd love to take a crack at that.


17025 does not specify 'guidelines'.

ISO 17025 specifies a *framework* for quality management for technical laboratories. It is not directly relevant for computer forensic work, in that it does not say 'what to do' during lab work. It does say that there must be methods used in lab work, and it may say something about how those methods must be developed, formulated, and maintained, but it does not go further than that (as far as lab methods are concerned). One certified lab may have a method for a particular test, while another certified lab may not or may have a different one, without there being any kind of contradiction or problem involved, as far as the standard itself goes. For that reason, the standard itself may not be relevant for your project. The book you mentioned (Watson & Jones) may be slightly more appropriate: the best would probably be an actual lab's own ISO 17025 implementation, or at least the lab methods specified by it.
 
  

trewmte
Senior Member
 

Re: Computer Forensics project

Posted: Nov 01, 19 19:43

- GumStickStorage


This is just scratching the surface, as my dissertation progresses, I expect to look at more guidelines and do *something* with those too (compare, maybe analyse, it's all in thought right now).

What I essentially would like is expert opinion. It's all well and good proposing something like this, but not getting an opinion from those who actually conduct real-world work in the field. What do you think about the guidelines you may follow or have followed? Would you personally like to see changes? Do you think they're OK the way they are? They don't have to be limited to just those guidelines, so if you have any in mind, please do mention them below.


It would be useful if your approach was challenging to fixed norms of thinking. For instance, reference to ACPO Guidelines could be seen as absurd given where we are today:

a) ACPO doesn't exist, defunct as of 2015, and is now replaced by the NPCC
b) ACPO Guidelines were last produced when (what year?). How are the Guidelines relevant to today's tech in 2019, when some of that tech is only several years old?
c) ACPO Guidelines refer to a principle to make "visible and legible", but there is a missing component which had been well established long before the ACPO Guidelines were first produced - what is the missing component?
d) ACPO principles, although redundant, are still referenced as the backbone; of course, they have been preceded by the FSR codes and ISO 17025 as being the de facto standards for testing labs (i.e. Digital Forensic Units). Why wouldn't you agree with this? Who validated the ACPO Guidelines as de facto Principles?


These are just a few points above, but there are numerous questions today that have been left unanswered, so do check as you said you would what other Guidelines have been produced and run a comparison.

Additionally, consider the positive challenge that Guidelines should be for all, not merely a specific public sector who graciously allow others to follow them if they wish. Make the Guidelines truly global.
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 
  

tootypeg
Senior Member
 

Re: Computer Forensics project

Posted: Nov 02, 19 13:23

The ACPO points are interesting and whilst there might be 'guidance' provided, often it's the 4 principles that stand out. I feel like these could be revisited.
 
  

GumStickStorage
Member
 

Re: Computer Forensics project

Posted: Nov 03, 19 16:03

Thanks for all your responses, opinions, corrections, and suggestions. This is some pretty overwhelming, yet very valuable information I'm getting.

This forum post will (if allowed) definitely be part of my literature review and other pieces of literature to go with it. The suggestions and methodologies I've been reading will be stored and used if appropriate. It would be nice if I could attempt to even visit a digital forensics lab in action but I think I'd be pushing it by attempting to get that.

Either way, this thread is still being actively read (until January when I will most likely start the main bulk of the report) so any other comments will be greatly valued.  
 
  

GumStickStorage
Member
 

Re: Computer Forensics project

Posted: Nov 04, 19 22:25

- tootypeg
The ACPO points are interesting and whilst there might be 'guidance' provided, often it's the 4 principles that stand out. I feel like these could be revisited.


Thanks for your response tootypeg.

Just by looking at this thread, the ACPO guidelines seem to be popular and people are happy with the way they are. Do you have any reasons why you think they should be revisited?
 
  

jaclaz
Senior Member
 

Re: Computer Forensics project

Posted: Nov 05, 19 12:29

- GumStickStorage

Just by looking at this thread, the ACPO guidelines seem to be popular and people are happy with the way they are. Do you have any reasons why you think they should be revisited?


IMHO, being "principles" they are very good (please read as making a lot of sense) and "universal":


ACPO Principle 1: That no action is taken that should change data held on a digital device including a computer or mobile phone that may subsequently be relied upon as evidence in court.

ACPO Principle 2: Where a person finds it necessary to access original data held on a digital device that the person must be competent to do so and able to explain their actions and the implications of those actions on the digital evidence to a Court.

ACPO Principle 3: That a trail or record of all actions taken that have been applied to the digital evidence should be created and preserved. An independent third party forensic expert should be able to examine those processes and reach the same conclusion.

ACPO Principle 4: That the individual in charge of the investigation has overall responsibility to ensure that these principles are followed.


The issues are (still IMHO):
ACPO principle #1 is not (anymore) applicable in all cases (when it comes to phones or encrypted devices) because in some occasions data is actually modified by the method used to access the data, and on this there are different points of view (personally I believe that documented, motivated and *needed* changes to data are not an issue).

ACPO principle #2 is not (anymore) applied in a number of cases (search for "push button forensics" for some takes on the matter).

ACPO principle #3 is not anymore applicable due (mainly) to the issues seen above, and this is also intertwined to the validation (or actually utter lack of it) of tools mandated by - besides "common sense" - ISO 17025.

ACPO principle #4 remains applicable, but is undermined by the (IMHO common) violations of principles #2 and #3.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

Rich2005
Senior Member
 

Re: Computer Forensics project

Posted: Nov 05, 19 13:41

I think it depends on your point of view of the term "principle".

If we think about the common usage of the word principle then I think it helps.

So point one is essentially saying "In principle we should not modify the original data". Nothing wrong with that in my mind.

The second principle goes on to say that "In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions." Again that's perfectly sensible in my view and is really dealing with your concern over principle one. In that, generally speaking, you should seek to avoid accessing/modifying original data, but if it's necessary, the person should be competent enough to know and explain what they did, and why it was necessary. I think this would cover lots of things - mobile extractions probably being the most common example.

Principle three is still applicable in my view (in the broadest sense). However, I would remove the final sentence, especially with respect to collection of data that cannot be repeated at a later stage; this was probably written mostly with something like disk-based evidence in mind, rather than a collection of data that may not be repeatable later. I'd also focus this principle more on documentation of interaction with the source evidence and properly documenting findings. I.e. there could be circumstances where, as an example, someone could use a proprietary "black box" piece of software to locate data, and justifiably not reveal the method, or not know it, but be able to point to the raw data on the disk, its location/details, etc.

Principle 4 - I understand why it was written, and generally it is little more than a heads-up that the "officer in the case" is essentially in charge of what happens, in law enforcement matters. However, in practice they're not going to be sat on the shoulder of an examiner directing them or in a position to ensure "the law and these principles are adhered to". This could be rewritten to reflect more that an examiner should consider all legal and evidentiary implications of actions they intend to take and, where necessary, consult the person in charge of the investigation for authorisation to proceed with a course of action, particularly in circumstances where data may be being modified or accessed outside the scope of a physically seized item. Or something like that.
 

Page 2 of 3