Digital Forensics Standards: Recent News And Research

The global COVID-19 pandemic hasn’t slowed either the pace of technological change or its relevance to both criminal and civil investigations. Both fraud and child exploitation are examples of crimes that have increased since much of the world went on lockdown.

Digital evidence is, of course, key in these types of crimes as well as others. Tasked in recent months with processing evidence from home, forensic examiners and their lab managers have juggled staying healthy with maintaining chain of custody and evidentiary integrity. Four new resources — two from the United States, and two from Europe — aim to address different aspects of these issues:

  • In the United States, the Scientific Working Group on Digital Evidence (SWGDE) and the National Institute of Standards and Technology (NIST)’s Organization of Scientific Area Committees (OSAC) Digital and Multimedia Scientific Area Committee offer new considerations for digital forensics telework.
  • In Europe, sets of deliverables newly released from the FORMOBILE and LOCARD projects describe law enforcement agencies’ mobile forensics requirements, along with several key elements of a “blockchain of custody” deployment.

In the United States: New considerations for digital forensics telework

Two documents, one from SWGDE and the other from NIST’s DMSAC, offer guidance for digital forensics labs in need of contingency plans — in any situation, including natural disasters — for full or at least partial telework.

SWGDE’s new document outlines the following key considerations:

  • Policy process pathways for both public and private sector labs, as well as both accredited and non-accredited labs.
  • Confidentiality of evidence/data, customer communications including telephone conversations, technical notes, and reports — particularly within home environments not built with typical lab controls.
  • Facilities, including an appropriate environment for forensic equipment and a dedicated area to conduct technical services, which could be secured using locks, an alarm, video monitoring, etc.
  • Equipment and software management, including the use of “remote in” or cloud-based access to forensic tools in the home lab. The use of dedicated equipment, having appropriate bandwidth, and security and authentication all factor in, too.
  • Data integrity and physical device management, including physical device intakes and chain of custody, the collection of images and data from external sources such as cloud accounts and remote computers, transferring evidence between locations, and encrypting data at rest / in storage and in motion.
  • Risk management weighs telework risks against risks to personnel, stakeholders, and the organization as a whole. SWGDE’s document raises the notion of “opportunities for process improvements and alternative practices that can establish organization resilience when confronted by future unknown events that impact traditional laboratory operations.”

SWGDE’s “Considerations for Teleworking and Digital Forensics Analysis” is meant to be used in conjunction with the OSAC document, “Guidance on Non-routine Offsite Examination of Forensic Digital/Multimedia Evidence,” which covers related, but slightly different areas of concern.

For example, OSAC defines risk mitigation in terms of “baseline information security parameters,” testing tools and techniques, environmental conditions — including standard workstation configurations, along with additional requirements for proper video, image, and audio analysis. These requirements are particularly important when accessing remote workstations, because limited internet bandwidth can degrade audio and video quality in particular.

OSAC’s document also describes nonroutine offsite options, including access to remote workstations, offline examinations conducted at a telework location, cloud computing and secure file transfer, contraband evidence, examiner health and wellness, software licensing, and policies and procedures.

For additional reading, Forensic Focus’ article “Virtualizing the Digital Forensics Lab” described how two labs had implemented telework arrangements very similar to what SWGDE and OSAC recommend.

In Europe: Law enforcement mobile forensics and chain of custody requirements

Early in July, the Council of Europe (CoE) presented its webinar, “International standards on collection and handling of electronic evidence,” as part of an ongoing series. Moderated by Virgil Spiridon, Head of Operations of the Cybercrime Programme Office at the CoE’s Directorate General of Human Rights and Rule of Law, the webinar covered international standards on collection and handling of e-evidence, which were developed under the CoE’s framework of capacity building projects.

Victor Voelzow, a Council of Europe expert, discussed the Electronic Evidence Guide and Standard Operating Procedures (SOP) which, in conjunction with lab management and procedures, assists law enforcement agencies, judges, and prosecutors with the search and seizure of dead-box, live-data, online, and third-party electronic evidence.

Carlota Urruela, European Cybercrime Training and Education Group (ECTEG) Capacity Building Officer with the eFirst Project, described interactive online training for first responders, using “case games” to help law enforcement officers build their skills in collecting and transporting electronic evidence. The training is localized for different countries’ jurisdictions, even if they share languages.

Claude el-Weter, a member of the Lebanese Internal Security Forces, highlighted the benefits his country had realized through the eFirst Project. Among them, training improved mobility and traceability, which led to better quality of evidence and better statistics.

Finally, Fernando Lazaro at the Interpol Innovation Centre spoke about the four sections in Interpol’s “Global guidelines for digital forensics labs,” adapted from the CoE to help other countries to improve admissibility, regardless of jurisdiction; outline procedures and serve as a template; and to provide advice without imposing. The sections consist of:

  1. Lab management, including planning and procurement of the right premises, staff, and equipment (Lazaro stressed that equipment is the last step)
  2. Case management
  3. Evidence processing, including acquisition, examination, analysis, presentation
  4. Quality assurance for staff, environment, and equipment

More information is available at the Council of Europe website.

Also in July, the FORMOBILE Project — founded in 2019 to develop a complete mobile device forensic investigation chain including fundamental rights, tools, standard processes, and training — released a summary of law enforcement agencies’ requirements for improvements in mobile forensics.

Relying on responses to a detailed questionnaire submitted primarily by first responders or common (not specialized) forensic lab personnel from 49 agencies in 15 countries, the team found the following:

  • Respondents value knowledge transfer between agencies both nationally and internationally
  • While respondents agreed that current work methods aligned with standards, nearly half disagreed that standardization was well suited to digital forensic work, and the same proportion of respondents weren’t involved with either standardization activities or new technology procurement
  • Given a “wish list,” respondents desired better access to leading technologies to perform mobile forensic extractions and analyses
  • For training, respondents valued hands-on experience the most, followed by additional specialized staff, improved hardware and software, and theoretical training

FORMOBILE’s sister project, LOCARD — Lawful evidence cOllecting & Continuity plAtfoRm Development, which is implementing blockchain technology for evidence chain of custody and management — likewise released a set of deliverables this month. Having completed the first two of eight work packages, LOCARD’s most recent products include:

  • Reference architecture, a comprehensive overview of the forensics flows plus the LOCARD system’s high-level architectural design and functionality (Work Package 3)
  • State-of-the-art reports on detection of deviant behaviour in social networks, blockchain technologies, appropriate identity and access management along with associated trust services, and trusted computer and trusted execution environments (Work Package 4)
  • An established test environment with a set of tests to be carried out on both individual components and integrated system and deployment infrastructure (Work Package 5)
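As an added illustration (not LOCARD’s or FORMOBILE’s code, and far simpler than a deployed blockchain), the example below shows the core idea that the SWGDE chain-of-custody considerations above and LOCARD’s “blockchain of custody” share: hash the evidence at intake, then hash-chain each custody event so that any altered, removed, or reordered entry is detected on verification. The evidence bytes, actor names and timestamps are constructed for the example.

```python
import hashlib
import json

# Constructed sample "evidence image": in practice this is the acquired disk or phone image.
EVIDENCE_IMAGE = b"constructed sample evidence image bytes for illustration"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the evidence image or a ledger entry body)."""
    return hashlib.sha256(data).hexdigest()


def append_event(ledger: list, evidence_hash: str, actor: str, action: str, ts: str) -> dict:
    """Append a custody event whose hash covers the previous entry's hash,
    so editing or dropping any earlier event breaks every later link."""
    prev_hash = ledger[-1]["entry_hash"] if ledger else "0" * 64
    body = {"evidence_hash": evidence_hash, "actor": actor,
            "action": action, "timestamp": ts, "prev_hash": prev_hash}
    # Canonical JSON so identical content always hashes identically.
    entry_hash = sha256_hex(json.dumps(body, sort_keys=True).encode())
    entry = dict(body, entry_hash=entry_hash)
    ledger.append(entry)
    return entry


def verify_ledger(ledger: list, evidence: bytes) -> bool:
    """Re-derive every link. Returns False if any entry was altered, reordered or
    removed, or if the evidence no longer matches the hash recorded at intake."""
    expected_prev = "0" * 64
    for entry in ledger:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_hash"] != expected_prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        expected_prev = entry["entry_hash"]
    return bool(ledger) and ledger[0]["evidence_hash"] == sha256_hex(evidence)


def build_sample_ledger() -> list:
    """Constructed custody trail: intake at the lab, transfer to a telework site, exam start."""
    ledger = []
    h = sha256_hex(EVIDENCE_IMAGE)
    append_event(ledger, h, "examiner_a", "intake_and_hash", "2020-07-01T09:00:00Z")
    append_event(ledger, h, "examiner_a", "transfer_to_telework_site", "2020-07-01T12:00:00Z")
    append_event(ledger, h, "examiner_b", "examination_started", "2020-07-02T08:30:00Z")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain valid:", verify_ledger(ledger, EVIDENCE_IMAGE))
    ledger[1]["actor"] = "unknown"  # simulate an edited transfer record
    print("after tampering:", verify_ledger(ledger, EVIDENCE_IMAGE))
```

A real deployment would also have each actor sign their entry and replicate the ledger across parties, which is what the blockchain approach adds over this single-party hash chain.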

Forensic Focus is interested in covering more stories about the implementation of new technology and standards in different countries and regions across the globe. If you know of an initiative in your region that you think we should cover, please email [email protected] with more information!

Christa Miller is a Content Manager at Forensic Focus. She specializes in writing about technology and criminal justice, with particular interest in issues related to digital evidence and cyber law.
