Community In Collaboration: The Scientific Working Group On Digital Evidence

In September, Forensic Focus was invited to sit in on a meeting of the Scientific Working Group on Digital Evidence (SWGDE). The third and final meeting of 2020 was held virtually — just as the previous meeting, in June, had been — and brought together participants from all over the world.

What are the Scientific Working Groups? The Facial Identification Scientific Working Group (FISWG) sums it up this way: “Since the early 1990s, American and International forensic science laboratories and practitioners have collaborated in Scientific Working Groups (SWGs) to improve discipline practices and build consensus standards.”

The SWGs work independently of, though symbiotically with, the National Institute of Standards and Technology (NIST)’s Organizations of Scientific Area Committees (OSACs) for Forensic Science, which are focused on “facilitating the development and promoting the use of high-quality, technically sound standards” to “address a lack of discipline-specific forensic science standards”. SWG documents are often relied on as references in OSAC standards development organizations (SDOs).

Since 2006, SWGDE has published nearly 100 documents covering a wide range of topics: quality assurance, data acquisition, and analysis for various types of digital media are all covered, along with two position papers — one on teleworking, and the other on the use of hash algorithms — and archived documents. At any given time, some drafts may also be open for public comment.

September’s meeting, said SWGDE Forensics Committee Chair Steve Watson, represented an “unusual place” for the organization: a completely clean slate. Normally, he explained, documents are carried over from meeting to meeting.

That’s why this article isn’t a “recap” like those we’ve done for other events. While the meeting did feature a Forensics Committee special topic presentation — Nilay Mistry of the University of Gujarat, India presented on volatile memory forensics — its main focus was a highly collaborative process of document brainstorming, scoping, and drafting.

Looking ahead to 2021, readers who seek ways to give back to the community might consider bringing their expertise to SWGDE — as guests, members, or commenters on public drafts. Membership requires attending two consecutive meetings, which typically occur in January, April or May, and September. 2021’s first meeting is planned for January 11-14.

Document drafting: A collaborative process

Traditionally, SWGDE meetings are held in person. The reasoning is to ensure meetings are productive and free of distractions. Previous meetings have been held in cities around the United States; future ones will be held at the U.S. Secret Service’s National Computer Forensics Institute (NCFI) in Hoover, Alabama.

Productivity turned out to be more challenging in 2020’s all-virtual meetings, with not just colleagues but also family members in the mix. Additionally, the virtual format meant most people could only attend for about half a day — not the usual full day.

Still, participation was robust — as it is every meeting, said SWGDE member James Howe, a detective with the Columbus (Ohio) Police Department who’s been involved with the organization for about seven years. As with many events, SWGDE meetings have their “regulars” as well as their brand-new guests. 

To ensure an appropriate mix of perspectives, membership demographics are set by the group’s bylaws. The blend includes local, state, and federal law enforcement, as well as private-sector members and academic researchers. Watson said these are people who tend to hold senior positions in their organizations.

Attorneys and vendors also sometimes participate, especially, added Howe, if the topic is of particular interest to them. Katherine Hansen, a deputy district attorney and digital evidence specialist with Colorado’s Denver District Attorney’s Office, joined SWGDE in 2019. 

“One of the things that I can contribute as an attorney is knowing the requirements for getting evidence introduced in court,” said Hansen. “When they’re putting together the best practices for how to collect or process evidence, I can look at that and think, okay, we’re going to have to establish reliability and authenticity. Applying my legal skills helps maximize the chance that the evidence will be admissible and persuasive at trial.” 

On the meeting’s first day, members and guests gather to discuss items left outstanding from previous meetings, as well as to brainstorm topics for the current session. Once a consensus is reached on which three topics to focus on, participants split off into smaller groups.

Each group scopes and outlines its topic, using Google Docs to track participants’ comments. This ensures not just a visual record of what’s happening, but also a fully collaborative experience no matter where participants are in the world.

Howe said the collaboration process has changed over time and is more efficient for it. “When I first started, we would painstakingly go over every single line of every single paper as an entire group,” he explained. “Now, we break off into smaller working groups based on interest and expertise on a particular subject.”

One key element to a working collaboration: open-mindedness. “We may argue and fight over words and small nuisances, no one ever walks away mad or with hurt feelings,” Howe said. “It is a very thick skinned group.”

Collaborations that remain unfinished are held over until the following meeting(s). “Depending on the level of paper we are doing, drafting the document usually takes two to three meetings if it is something new or a heavy lift from a previous document,” Howe explained.

Because documents are shared within Google Docs, it’s possible for members to continue to work on them in between meetings. The challenge, though, is continuity: busy people aren’t always available to review changes. That’s why, Howe says, most of the work is done at the dedicated meetings.

Once topics are ready for review, they’re presented to the larger group. Part of ensuring a document’s success is its “champion,” a person chosen to present completed drafts to the broader group, answer questions, and keep the team on track.

Then, the committee votes whether to release it for public comment. “Once it has passed that measure, it will be placed on our website for a minimum of 60 days to allow time for the public to weigh in,” Howe added.

Public comments are addressed and incorporated at the following meeting. At that point, the document is ready for public release.

Choosing — and scoping — the topics

Topics tend to be chosen based on their relevance: what members bring to the table, both from their own experience and on others’ behalf. Topics don’t have to be totally new; the committees often consider whether to update older or less detailed documents, or deprecate outdated ones.

Of the total number of brainstormed ideas, Watson estimates that about 30 percent end up becoming a document. In September 2020, for example, the topics that came up for review included:

  • An expansion of the existing vehicle forensics document with a broader set of data
  • An older document on peer to peer (P2P) software forensics
  • Geofencing
  • Drone forensics
  • Cryptocurrency
  • Digital evidence and investigative techniques, including open source intelligence (OSINT) collection
  • Website / social media collection
  • Virtual reality headsets (a topic one member reflected wasn’t being seen yet, but would be wise to “get ahead of”)
  • Industrial Control Systems (ICS) forensics
  • Mis- and false information

Both group feedback and group size limits mean that not every topic can be tackled in one meeting, so the topic list is narrowed down. Once a document is started, it’s followed through to the end, but the time this takes can vary. Watson said those documents that are limited by a dearth of industry expertise — or have the opinions of “too many cooks” — can take longer.

These aren’t necessarily setbacks, though. The group is driven by a need to deliver the right guidance to a broad range of practitioners. That can be affected by new research, case law, or legislation, any of which may be ongoing while a document is in progress or under review.

“The documents that we tend to write are things that have a longer shelf life to them,” said Watson. “We’re not sharing the latest tips and tricks that someone has identified, or just found a new way to break into a particular phone. It really is those overarching, foundational guidance documents.”

Topic in focus: geofencing

September’s topics — geofencing, drone forensics, and online collections — were just technical enough that Forensic Focus opted to “embed” in just one of the breakout groups — the geofence meeting — rather than dilute our attention across all three.

Geofencing is currently under review in U.S. courts, so the goal was to craft a document that could dispel myths and misunderstandings by explaining how Google collects geolocation data, as well as how a three-step search warrant process could prevent overbroad data collection.

This group consisted of Watson; Howe; Jim Cook, a cell site analysis expert; and Joseph Remy, an assistant prosecutor with the Burlington County (New Jersey) Prosecutor’s Office. All scoped the document on Day 1. They were joined on Day 2 by Hansen — the deputy DA from Denver — who brought two colleagues experienced in geofencing technology.

It was an example of a dynamic collaboration that sometimes includes last-minute guests. That can happen, said Howe, when participants realize the draft would benefit from additional perspective and know who can provide it. “[Having the right personnel in the room] has greatly increased the quality of the documents,” he said.

Watson said those perspectives are critical to informing practitioners who are often “in the weeds” of technology — and to getting documents in front of others who need them. “How do we educate the attorneys and the judges on a technology that we can barely keep up with the pace ourselves, because of how fast things are changing?” he questioned. “Frankly, [attorneys and judges are] the ones that are making the decisions that affect us all. So [they] should be a part of this process while we’re driving science forward.”

For example, the geofencing group identified one challenge early on: geofence request processes are provider-specific (and often focus on Google), but a “best practices” document would need to offer a generalized process that could remain useful enough to cover legal bases, without naming specific providers.

Hansen worked with her associates to bring to bear their collective experiences revising Denver’s geofence search warrant template, replacing some of the language with more precise verbiage.

“What should the parameters be? What are we looking for? How many target identifiers?” she explained. “The more target identifiers you have, the more likely you’re going to see a consistent device and that’s going to help your investigation.”

(Disclosure: Forensic Focus was asked for, and provided, our editorial expertise on grammar and style, but was not in a position to contribute technical guidance.)

Getting involved in SWGDE

Participants’ experience matters less than a willingness to come and work. Howe’s experience is a good example. In 2013, just a year after starting in digital forensics at his agency, he was online, looking for training opportunities, when he happened across the SWGDE website.

“I was still just pushing buttons at this point and praying the software would spit out data,” Howe said. Impressed by the SWGDE documents he read online, Howe decided to attend a meeting as a guest, even though he didn’t know anyone there. At that time, the forensic committee was working on the chip-off extraction of data from a credit card skimmer.

Both Hansen and Howe expressed feeling “floored” and “blown away” by the caliber of participants. “While the meetings are not considered ‘training,’ I have learned so much while attending all of the meetings and talking with the other members,” Howe said. 

Watson concurs. “You get to a place in your career that a lot of the sessions at the conferences are not as helpful as they are when you’re more junior in your career,” he explained. “What I found in SWGDE was this group of very highly skilled people in a variety of organizations, coming together, wrestling over these really hard topics. It challenged me in a way that many of the other professional development conferences just don’t anymore.”

Hansen agreed. Her contribution is to bring to the different SWGDE papers her 25 years as a prosecutor — including writing for appellate courts — combined with her digital forensics knowledge. “Even [when] I can’t provide any additional substantive comment, I can still read [them]. I’m then able to overlay those substantive comments with my legal knowledge to help improve cases.”

Another form of personal benefit: what Hansen calls “this pooling of resources and knowledge… these connections that allow you to reach out to someone and say, ‘Hey, I have this problem. I spent my available thoughts on this and it hasn’t been fruitful. Do you have any other suggestions?’”

“I have made connections that stretch across the globe, and friendships that I still carry on to this day,” said Howe, who added that he overcame both a case of impostor syndrome and a fear of flying to attend his second meeting, where he was voted in as a member. “In this group, your answer is always one or two calls away if you have a question or any issues. There are members I stay in contact with at least once a week on various things.”

Those connections are critical to digital forensics practice. “I would not be where I am now if I had decided not to get on that plane,” Howe said. “We touch on so many different subjects and disciplines, it can really light an interest in those.”

That’s partly the result of including professionals with deep specialist experience, such as video forensics or, in Watson’s case, extensive research on severely damaged devices.

Beyond personal benefit, though, there is the chance to contribute to something that had, in Watson’s words, “a much broader impact than some of the other efforts that I would spend my time in.”

Howe has noticed SWGDE documents used as references in training classes, books, and agency policies; Watson says agencies around the world use the documents for guidance in developing their own individual processes and procedures.

That has implications for trials, said Hansen, returning to her observation about the need to build the best possible case. Best practices for collection, ensuring reliability, and authentication are all part of admitting evidence and making it persuasive, and as a result, can be built into the best practices.

The geofence paper is a good example because of its potential to help judges understand how the process works in reality — how probable cause to obtain the geofence warrant might look very different from probable cause to obtain subscriber account information, and the steps it takes in between to move from one to the next. “It’s important that attorneys down the line can get the evidence admitted into court and have confidence that the evidence will stand up,” Hansen explained.

Howe’s advice to prospective members: “It is most definitely not a vacation from work if you take it seriously. I think the thing that always surprises me the most is the level of work that is put into a document during the week we are together in person. It is quite literally a brain drain,” he said.

But even those who are unable to participate at that level can get involved. “The public comment process is vital to the success of the document,” Howe added. “We love when people comment on the documents or ask us for clarification on something… if the comments are relevant and correct, we will discuss them as a group and implement them in the paper if needed.”

Christa Miller is a Content Manager at Forensic Focus. She specializes in writing about technology and criminal justice, with particular interest in issues related to digital evidence and cyber law.
