As 2020 drew to a close, demand for digital forensics and investigations had perhaps never been higher. The COVID-19 pandemic continued to accelerate many forms of digital crime, particularly crimes against children and various types of fraud.
At the same time, the technology used to investigate and analyze these crimes continues to evolve. With the potential for profound impact on people’s livelihoods, lives, and liberty, these tools and the processes they facilitate are still the subject of efforts to standardize them, ideally to improve the entire industry.
This quarter we look at updates from Project LOCARD, FORMOBILE, the National Institute of Standards & Technology (NIST), the Scientific Working Group on Digital Evidence (SWGDE), and the Forensic Capability Network (FCN).
Upcoming Project LOCARD webinar
A February 23 webinar will discuss current issues and challenges with digital forensic evidence handling, in particular chain of custody. “A new common approach to manage cross-border digital evidence” will cover how European law enforcement agencies transfer digital evidence between different European countries — currently an inefficient and laborious process.
The webinar will also offer a platform demonstration of Project LOCARD, which is currently in its development phase. Its data workflows, storage and analyses are in the process of being enhanced, tested, and validated in realistic environments. Interconnectivity and the creation of an information exchange standard will be areas of focus in 2021, with the project targeted for a 2022 completion date. Read more about the project’s public deliverables here.
FORMOBILE: Call for training participants
At the end of September, Europe’s FORMOBILE project began to seek participants for its novel training pilot program. First responders, analysts, experts, investigators, prosecutors, judges, and managers are all invited to participate, with an eye toward evaluating both content and efficiency.
This is an opportunity not just for personal professional development, but also for participants to learn more about the standard and tools created in FORMOBILE and to have a direct impact on the delivery of mobile forensics base knowledge to law enforcement, relevant non-profit organisations, and academia.
For more information, including answers to frequently asked questions and additional information about available courses, visit FORMOBILE’s site here.
In October, FORMOBILE also took part in the European Commission’s Directorate-General for Migration and Home Affairs (DG-Home) Community of Users Workshop on forensics. About half of the workshop’s 200 attendees joined the break-out session for digital forensics, which covered 11 projects in total.
Topics covered included challenges and solutions in research, involvement and deployment in operations, and synergies, transfers, and adoption of standards in terms of exploitation. In its blog, FORMOBILE reflected on the need for continued collaboration with the other projects and expressed plans to communicate new cooperative efforts.
SWGDE seeks public comment on 4 drafts
The Scientific Working Group on Digital Evidence (SWGDE) has posted draft documents for public review and comment:
- SWGDE Best Practices for Forensic Audio v2.3
- SWGDE Best Practices for Teleworking and Digital Forensics v1.0
- SWGDE Guidelines for Video Evidence Canvassing and Collection v1.0
- SWGDE Informational Overview: Computer Vision v2.0
SWGDE’s policy is to post draft documents for a minimum of 60 days for public comment. Comments are accepted via email per the instructions on the first page of each draft document. All feedback received prior to the group’s next meeting in June 2021 will be reviewed by the appropriate subcommittee at that meeting.
(Want to know more about how SWGDE works? Read our recent article!)
At the conclusion of its September meeting, SWGDE additionally voted to release numerous Approved documents. They are available for download on the Current Documents page of the website. Among them are several documents of particular interest to the digital forensics community:
- Best Practices for Archiving Digital and Multimedia Evidence v1.0
- Best Practices for Digital Evidence Acquisition from Cloud Service Providers v1.0
- Best Practices for Examining Magnetic Card Readers v3.1
- Best Practices for Mobile Device Evidence Collection & Preservation Handling and Acquisition v1.2
- Best Practices for Mobile Device Forensic Analysis v1.0
- Core Competencies for Embedded Device Forensics v1.0
- Practical Considerations for Submission and Presentation of Multimedia Evidence in Court v1.0
- Technical Notes on Internet of Things Devices v1.0
- Test Method for Bluetooth® Module Extraction and Analysis v1.1
- Test Method for Skimmer Forensics – Analog Devices v1.0
- Test Method for Skimmer Forensics – Digital Devices v1.0
For those working in audio/video forensics:
- Best Practice for Frame Timing Analysis of H.264 Video Stored in ISO Base Media File Formats v1.0
- Best Practices for Enhancement of Digital Audio v1.2
- Considerations for the Use of Time-Based Analysis of Digital Video for Court v1.0
- Core Technical Concepts for Time-Based Analysis of Digital Video Files v1.0
- Fundamentals of H.264 Coded Video for Examiners v1.0
- Video and Audio Redaction Guidelines v2.0
SWGDE encourages stakeholder feedback, and suggestions for modifications to any document are welcome. Please use the “Submit Comments” link beside the listed document to provide feedback.
Forensics @ NIST: Digital & Identification Evidence segment
In November, NIST held its annual two-day forensics symposium, which drew 1750+ registrants from around the world. The virtual Digital & Identification Evidence segment covered updates to its six major programs. Of note:
- Barbara Guttman shared a brief update on the NIST Digital Forensics Black Box Study, which she described for Forensic Focus in July. Registration to participate closed on October 31, but NIST is in the process of collecting data. If you registered but haven’t returned your data, please send it before the November 30 deadline!
- Having noticed some discrepancies in the way some tools reported deleted or modified SQLite data, the NIST team is now expanding its existing mobile forensic tool testing specification. To ask about beta testing the prototype, email NIST.
- The Computer Forensics Reference Dataset (CFReDS) has a new portal in beta. It will make technology, functionality, and scenario-based datasets easier to share and modify (subject to administrator approval). Datasets will be easier to search, too, with a new taxonomy tree, tagging, and a search bar to support large amounts of data. Currently it contains 160 entries. The CFReDS team seeks feedback, so check out the beta portal here.
This ongoing work is part of NIST’s goal to provide trustworthy, useful, and timely information that helps forensic examiners deal with both the volume and variety of material, including its constant rate of change. Additional presentations included:
- Improvements to the Computer Forensic Tool Testing (CFTT) federated testing. As of v5.1 coming next year, a self-contained Windows 10 application will make mobile federated testing easier, and logfiles will be stored to USB or desktop.
- String search testing via the Computer Forensic Tool Testing (CFTT) Project. Project leader Jim Lyle described testing that’s relevant to a lab’s work as well as what the user expects the tool to do. He also covered common challenges like ligatures, diacritics, and formatted text search, and stressed that unexpected results are an opportunity to learn.
- The National Software Reference Library (NSRL). Project leader Doug White covered how to customize the NSRL hashes / reference data sets — updated quarterly — to fit investigative needs by using metadata to identify software and its versions, and/or to create data subsets of notable software classes that individual investigators commonly see.
Virtual Hansken Community Day highlights DFaaS
In September’s digital forensics research roundup, we described Hansken, the Netherlands Forensic Institute’s “digital forensics as a service” (DFaaS) platform. In December, the NFI held its first Hansken Community Day. A series of webinars explained the project vision, collaborative aspect, forensic knowledge, extraction plug-ins, and training manuals.
This event saw more than 100 participants representing 23 organizations from eight different countries — including the United States, Belgium, Australia, Spain, Germany, Norway, the UK and the Netherlands — come together online to exchange their knowledge and experience, whether they are current or prospective Hansken users.
A Hansken Discord channel is open to encourage continued information sharing, and the next virtual Hansken Community Day is scheduled for March 24-25.
Forensic Capability Network / Transforming Forensics
Designed and developed under the Transforming Forensics programme of the United Kingdom’s National Police Chiefs’ Council (NPCC), the Forensic Capability Network (FCN) launched in summer 2020. It’s designed to provide operational support to front-line law enforcement in need of forensic evidence.
The FCN recently reported that since launching new Streamlined Forensic Reporting guidelines in July 2020, the documentation — “the first ever time SFR documentation was publicly available to download and hosted in one place” — has been accessed 4,800 times.
That metric is key considering SFR’s purpose: since 2012, it has enabled investigators and scientists to enter forensic evidence into the criminal justice system in such a way as to focus on “key conclusions that are simple for juries to understand, and which speed up cases by allowing the defence to quickly accept or challenge evidence.”
The documentation consists of both guidance and templates. FCN additionally reported that since SFR’s July launch, “technical readiness work… is taking place to assist forces in embedding the new forms into their case management systems.” That’s in advance of a new release planned for January, which will include updated digital guidance and reformatted forms.
Another FCN project, CSE Automate, “is developing opportunities to automate and enable remote viewing to speed up and simplify CSE workflow with a view to providing this as a service through the FCN…. based on the principle of doing things once for the benefit of many.”
That’s the result of a finding that child exploitation cases demand about 60 percent of overall digital forensics unit capacity, with an outcome of longer turnaround times for all digital forensics cases. Having invited Expressions of Interest (EOI) from forces that want to help design the automated CSE workflow, the FCN is currently working through all EOIs before implementing the next phase in the project.
On a different topic, FCN reported its development of “an agreed, consistent and national approach to handling legacy [digital forensics] data, producing operational guidance to interpret existing policy and legislation.”
That’s in response to an observation in the NPCC Digital Forensic Science Strategy (DFSS), which highlighted difficulties in determining digital forensics data retention requirements, resulting in a patchwork of “largely manual” processes. An ongoing consultation with policing and other strategic stakeholders is expected to result in new guidance sometime in 2021.
Forensic Focus is interested in covering more stories about the implementation of new technology and standards in different countries and regions across the globe. If you know of an initiative in your region that you think we should cover, please email [email protected] with more information!