Digital Forensics Standards In Q1 2021

The items in our roundup this spring build on many of the updates from our January roundup, including new drafts available for public comment and additional work on standardization projects in the United Kingdom and European Union.

Additionally, a development in the South African digital forensics industry highlights the complexities of standardization, including some of the industry and political forces at work in ensuring the highest quality digital forensic evidence.

SWGDE drafts available for public comment

In advance of its June meeting, the Scientific Working Group on Digital Evidence (SWGDE) posted six draft documents for public review and comment:

  • Best Practices for Drone Forensics v1.0
  • Best Practices for Forensic Audio v2.4
  • Best Practices for Vehicle Infotainment and Telematics Systems v3.0
  • Establishing a Quality Management System for a Digital and Multimedia Organization under ISO-IEC 17025 or 17020 v1.0
  • Technical Overview for Reverse Projection Photogrammetry v1.0
  • Best Practices for Teleworking and Digital Forensics v1.0

Instructions for submitting comments are on the first page of each draft document. All feedback received prior to SWGDE’s next meeting will be reviewed by the appropriate subcommittee at that meeting.

In addition, at January’s meeting, SWGDE voted to release the following Approved documents:


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


  • 2021-01-14 SWGDE Guidelines for Video Evidence Canvassing and Collection v1.0
  • 2021-01-14 SWGDE Overview Artificial Intelligence Trends in Video Analysis v1.0 *

                (*formerly titled SWGDE Informational Overview: Computer Vision)

Project LOCARD joins EU criminal network analysis project

In March, Project LOCARD announced that it had joined with sister project ROXANNE, a consortium of law enforcement agencies, industry and academia, towards “promoting common collaboration frameworks… and developing more advanced tools” in addressing cybercrime.

Again, LOCARD’s goal is to develop a chain of custody framework that relies on blockchain technology to secure digital evidence; ROXANNE’s is to develop tools to accelerate law enforcement investigative processes, including an artificial intelligence-driven interactive platform combining network analysis with advanced text, speech, and language technologies to identify large scale criminal organizations.

One aspect of this: research and tools to detect deviant online behaviour via natural language processing (NLP), which researcher Constantinos Patsakis said in a presentation delivered “very good results when handling large chunks of data.”

Forensic Capability Network announces new project developments

The United Kingdom’s Forensic Capability Network (FCN) reported a new development from the Transforming Forensics programme with regard to its CSE Automate Project. According to the FCN’s March 2021 newsletter, the project encompasses three different technology options:

  • An Amazon Web Service orchestration platform to automate data ingestion, processing, and analysis so that end users can review the results and report from a single system.
  • Robotic Process Automation (RPA) to handle repetitive tasks in the CSE workflow, saving time and effort for human users.
  • API/CLI linking multiple digital forensics examination tools together, via Magnet Automate, to produce an automated workflow for both computer and mobile device examination.

According to service development manager Adam Korol, each of the three is being trialled within separate police forces.

“We aim to create a variety of examination workflows with different applications dependent on the case specifics,” Korol said. “These are likely to include methods of live examination, rapid examination, standard examination and extended examination of forensic images.”

The CSE Automate project overall seeks to deliver an entire child sexual exploitation casework system solution. Besides the three automated technological solutions, it covers training and competency frameworks, policy and guidance input — in part to improve CSE investigators’ mental health, as well as validation/verification of the automated service — and measured benefits and evaluation mapping across the project’s lifecycle.

“Placement activity runs until October 2021 and work to finalise the service elements described above is scheduled to complete in April 2022,” said Korol. “At that time we plan for the service to be hosted on the FCN Exchange platform.”

Another project involves amending FCN’s draft guidance for forces on handling legacy digital forensics data. With the draft submitted to the National Police Chiefs Council (NPCC) Quality Board in March, the final publication is expected later in the year.

Finally, the FCN Xchange platform is now live and undergoing testing. Developed by the FCN in conjunction with the NPCC Transforming Forensics programme, the cloud-based Xchange is designed to “provide nationally consistent, standardised processes,” thereby improving both turnaround times and evidence quality.

Its browser-based interface facilitates connections between FCN’s members in England and Wales so that they can share data and services and access new digital forensics tools.

Although digital forensics data isn’t yet being shared on the platform — a digital fingerprint capability is its first technical release — FCN’s electronic quality management system is scheduled to move to the platform by November this year.

Debate in South Africa highlights standardization’s complexities

Finally, a recent attempt by South Africa Chapter 91 of the Association of Certified Fraud Examiners (ACFE) to mandate Professional Standards for Digital Forensic Practitioners in South Africa demonstrates the tension between the need for standardization, and who is in the best position to oversee it.

Added to its other standards for fraud investigation professionals — including healthcare fraud, document and polygraph examiners, and others — the new document “adopts and underwrites the International Organisation of Standardisation’s (ISO/IEC) 27037 [Security Techniques − Guidelines for identification, collection, acquisition and preservation of digital evidence] and 27043 [Standard on Information Technology − Security techniques − Incident investigation principles and processes] for digital forensics in South Africa.”

The framework for investigation methodology and reporting includes fairly standard digital forensic best practices, such as the need to follow established law and standard operating procedures (SOPs), maintain chain of custody, make forensic copies of evidence, ensure an examination is repeatable and reproducible, etc.

But Jason Jordaan, founder and managing director of DFIR Labs, has expressed some concerns about the move. In a statement delivered to the chapter, he wrote that existing international digital forensic standards covering accepted scientific methodologies — including ISO/SANS 27037, ISO/SANS 27043, ISO/SANS 27041, ISO/SANS 27042 and ISO/SANS 27050 — should suffice, given that “at this stage no legal imperative to change anything in this regard.”

Jordaan further cautioned that part of a draft Cybercrimes Bill, once signed, would codify the adoption of official SOPs for digital forensics practice throughout South Africa. This, he wrote, would be a more appropriate means of standardizing the industry.

Drawing a distinction between the science of digital forensics and the investigation of fraud, Jordaan welcomed ACFE-SA’s suggestions for digital forensic practitioners. However, he argued that including the concepts from various standards doesn’t, in itself, constitute a standard. “My concern with this is that it acts to simplify the entire digital forensics process, and the scientific and legal methodologies that must be employed,” he wrote.

Other concerns included ACFE-SA’s attempt to define functional positions — and their qualifications — differently from the way “relevant scientific literature” defines them, as well as overemphasis on provider capabilities versus what he called “the key aspects of capacity and infrastructure as set out in appropriate ISO standards.”

Forensic Focus is interested in covering more stories about the implementation of new technology and standards in different countries and regions across the globe. If you know of an initiative in your region that you think we should cover, please email christa@forensicfocus.com with more information!

Christa Miller is a Content Manager at Forensic Focus. She specializes in writing about technology and criminal justice, with particular interest in issues related to digital evidence and cyber law.

Leave a Comment