ACPO Principles Revised

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

So my question is this - if the information we retrieved from a compromised payment device can be confirmed from more public records, why should we reveal a very commercially secret technique for public scrutiny, and potentially compromise the electronic banking system worldwide, to explain how we found information that could be verified from more public sources?

To my mind the ISO 17025 element is separate from the actual question you are asking, which is one concerning 'disclosure'.

I think you would need to qualify what "verified from more public sources" actually means, and why that disclosure wouldn't cause breach or ruin of the financial payment industry but it would if your techniques were exposed to scrutiny?

Depending upon who you are working for, e.g. sensitive law enforcement casework, it could be that you may need to seek legal advice as to whether there is any protection afforded to you under PII (public interest immunity). For instance, would your techniques amount to "sensitive information"?

You may wish to enquire about the legal provisions for PII. For example, the relevant statutory provisions and codes are:

• Disclosure: Court of Appeal protocol for the control and management of unused material in the Crown Court
• Attorney-General's Guidelines: Disclosure of Information in Criminal Proceedings
• Criminal Procedure and Investigations Act 1996 (CPIA 1996)
• The Criminal Procedure Rules 2005, Part 25

 CCFI
(@ccfi)
Active Member
Joined: 6 years ago
Posts: 18
 

Hi Gregg

I hope you are well, and many thanks for your reply.

We used PII many times to protect disclosure of sensitive information.

I wanted to point out that the naive idea of ISO 17025 "standardisation" will not work in a real-world commercial environment.

Best wishes

N

minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481
 

Some kind of basic functionality tests: file metadata, particularly that which influences forensic questions. Timestamps, ownership, access rights, and perhaps metadata that affects other things of particular forensic interest. Similar metadata from file archives, from backup files, restore points, what have you.

This is where ISO 17025 massively diverges from tool testing. If you have a process to extract files of type X from a device, you have to generate requirements specifically for that, so generic tool testing is not appropriate. You would have to say that it extracts files of type X and, as additional requirements, that it must recover associated timestamps, must correctly interpret such timestamps, etc. Multiply each test by each file system you want to examine, and potentially each version of the file system, operating system, etc., and you would end up with thousands of tests.

This is because ISO 17025 requires a rigid procedure to follow, which does not work with investigations and general principles, and that is why it is the wrong standard.

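To make the post above concrete, here is an added example (not code from the thread or from any forensic vendor) of the kind of per-requirement check a lab would have to write and maintain: a known-answer test for "must correctly interpret such timestamps", a ground-truth test for "must recover associated timestamps", and a requirement matrix that shows how the test count multiplies across file types, file systems and OS versions. The interpreter and extractor functions are hypothetical stand-ins for the tool under test, and the known-answer vectors and matrix dimensions are constructed for illustration.

```python
# Added example: a minimal ISO 17025-style validation harness for timestamp
# requirements. The "tool under test" functions below are hypothetical
# stand-ins; a lab would wrap its real forensic tool's output here.
import itertools
import os
import tempfile
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)  # Windows FILETIME origin
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)


# --- stand-ins for the tool under test (hypothetical) -------------------
def filetime_to_datetime(ft: int) -> datetime:
    """Interpret a Windows FILETIME: 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def unix_to_datetime(ts: int) -> datetime:
    """Interpret a Unix epoch timestamp: seconds since 1970-01-01 UTC."""
    return UNIX_EPOCH + timedelta(seconds=ts)


def extract_mtime(path: str) -> datetime:
    """Recover a file's last-modified time from the live file system."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=UTC)


INTERPRETERS = {"filetime": filetime_to_datetime, "unix": unix_to_datetime}

# Known-answer vectors (constructed for this example): raw value -> expected.
KNOWN_ANSWERS = {
    "filetime": [
        (0, datetime(1601, 1, 1, tzinfo=UTC)),
        (116444736000000000, datetime(1970, 1, 1, tzinfo=UTC)),  # Unix epoch as FILETIME
    ],
    "unix": [
        (0, datetime(1970, 1, 1, tzinfo=UTC)),
        (1_000_000_000, datetime(2001, 9, 9, 1, 46, 40, tzinfo=UTC)),
    ],
}


def run_known_answer_tests(fmt: str) -> dict:
    """Requirement 'must correctly interpret such timestamps': compare each
    interpreted value with its documented expected value. Returns {raw: passed}."""
    interpret = INTERPRETERS[fmt]
    return {raw: interpret(raw) == expected for raw, expected in KNOWN_ANSWERS[fmt]}


def validate_mtime_recovery(tolerance_s: float = 1.0) -> bool:
    """Requirement 'must recover associated timestamps': create a file with a
    known modification time and check the extractor reports it back."""
    known = datetime(2019, 10, 1, 12, 0, 0, tzinfo=UTC)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.txt")
        with open(path, "w") as fh:
            fh.write("constructed sample file\n")
        os.utime(path, (known.timestamp(), known.timestamp()))  # (atime, mtime)
        recovered = extract_mtime(path)
    return abs((recovered - known).total_seconds()) <= tolerance_s


def requirement_matrix(file_types, file_systems, os_versions, checks):
    """One test case per (file type, file system, OS version, check):
    this is the multiplication the post describes."""
    return list(itertools.product(file_types, file_systems, os_versions, checks))


if __name__ == "__main__":
    for fmt in INTERPRETERS:
        print(fmt, run_known_answer_tests(fmt))
    print("mtime recovery:", validate_mtime_recovery())
    matrix = requirement_matrix(
        ["jpeg", "docx", "sqlite"],
        ["NTFS", "ext4", "APFS", "exFAT"],
        ["v1", "v2", "v3"],
        ["extracts", "mtime", "atime", "owner"],
    )
    print("required test cases:", len(matrix))
```

Even this toy matrix (3 file types, 4 file systems, 3 versions, 4 checks) yields 144 distinct test cases, each of which needs its own documented expected result; adding a fifth file system or a new OS release multiplies the whole set again, which is the practical problem the post raises.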
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

I wanted to point out that the naive idea of ISO 17025 "standardisation" will not work in a real-world commercial environment.

Best wishes

N

Hi! I agree with that, particularly for small organisations, one-person businesses.

(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

I wanted to point out that the naive idea of ISO 17025 "standardisation" will not work in a real-world commercial environment.

Best wishes

N

Hi! I agree with that, particularly for small organisations, one-person businesses.

Or for larger ones ;-)

Take a tool like Axiom. Used by the majority of labs I would imagine.
With its hundreds/thousands of artefacts being searched for and then interpreted. Then there's all the potential source evidence types, from thousands (or tens of thousands) of mobile phone types, the various different file-systems on them, the various different types of computer and their file-systems, and so on and so forth. Multiply up the combinations where the tool will be being practically used to identify data and it's an astronomic number.

To meaningfully validate the tool properly would essentially be impossible in practical terms.

In practice I imagine it's either simply not validated, or fudged with some pointless test, which covers the tiniest part of what it does, to claim validation and achieve accreditation.

 CCFI
(@ccfi)
Active Member
Joined: 6 years ago
Posts: 18
 

The Criminals we were looking at were continually evolving and developing new techniques to compromise the payment systems.

The banks would spend a lot of time and money to deploy a solution and then the criminals would get round it in a matter of days.

That's life in the real world.

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

The Criminals we were looking at were continually evolving and developing new techniques to compromise the payment systems.

The banks would spend a lot of time and money to deploy a solution and then the criminals would get round it in a matter of days.

That's life in the real world.

I guess that the next idea of the Regulator could be issuing a licence for Criminals, including the requirement to validate their tools according to ISO 17025, so that also their development is slowed down to a crawl.

This would be life in an unreal (but unfortunately not so distant from the real) world.

jaclaz

 CCFI
(@ccfi)
Active Member
Joined: 6 years ago
Posts: 18
 

The Criminals we were looking at were continually evolving and developing new techniques to compromise the payment systems.

The banks would spend a lot of time and money to deploy a solution and then the criminals would get round it in a matter of days.

That's life in the real world.

I guess that the next idea of the Regulator could be issuing a licence for Criminals, including the requirement to validate their tools according to ISO 17025, so that also their development is slowed down to a crawl.

jaclaz

What a good idea!

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

I guess that the next idea of the Regulator could be issuing a licence for Criminals, including the requirement to validate their tools according to ISO 17025, so that also their development is slowed down to a crawl.

This would be life in an unreal (but unfortunately not so distant from the real) world.

jaclaz

The badass cybercriminals are increasing the cost of their tools... so they will be able to afford ISO 17025 and absorb the costs within their commercial concerns... https://www.flashpoint-intel.com/wp-content/uploads/2019/10/Flashpoint-Report-Pricing-Analysis-of-Goods-in-Cybercrime-Communities.pdf

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

The badass cybercriminals are increasing the cost of their tools... so they will be able to afford ISO 17025 and absorb the costs within their commercial concerns...

Naah, only a small subset of honest Criminals[1] will do that without an intervention by the Regulator, not entirely unlike what UK forensic firms did at the time (or did I miss anyone actually volunteering for ISO 17025 [2]?)

jaclaz

[1] yes, this is an oxymoron
[2] and yes, "volunteering for ISO 17025" more than an oxymoron is a logical impossibility

Page 3 / 7