I don't know if anyone else has noticed but the number of views of this thread has gone up by almost 1,000 in the last 24 hours.
Yesterday it was at 3,934; now it's at 4,919.
The FSR Guidance does refer to analysis but nothing for digital forensics. Moreover, the Guidance refers to experience and expertise in the subject matter, not testing or calibration. How will an expert, Doctor or Professor not involved in the examination of the device itself become iso17025 assessed - which again is a standard for lab work not opinion work?
FSR Codes Table on page 4 - Standards/requirements for forensic science activity (2 of 6) - Extraction and analysis of data from digital media
All the doctor/professor area sits outside the remit of the codes
The Codes are for all forensic units supplying forensic science services to the CJS. Forensic science is taken to include the sciences performed by the police service, the public and private sector forensic science forensic units and, to a lesser extent, academia. They are intended to be able to cover sciences with scene and/or laboratory-based elements and therefore are not intended for disciplines such as forensic accountancy or psychiatry. Although the Codes could be extended to forensic medicine, they have not been drafted with that in mind. The Codes currently cover the forensic units that includes the
a. initial forensic science activity at the scene;
b. scene examination strategy;
c. recovery, preservation, transport and storage of exhibits;
d. screening tests for use in the field;
e. assessment, selection, examination, sampling, testing and/or analysis of exhibits;
f. testing activities using laboratory-based methods;
g. recording of actions taken;
h. assessment/review of examination and test results;
i. reporting and presentation of results and
j. interpretations and opinions.
Thanks for the post minime2k9. I do have the information you posted, but helpful you laid it out. Currently opinions and interpretation can only be made about the work involved or the results obtained e.g. from the target device where 20 emails were recovered. The opinions and interpretation focus on where they were found and not what the (potential) intention of the person or other evidence that put the emails there. The point being labs should not be partisan or seen to be partisan. Indeed as you will know iso17025 (which is what I am saying) does not cover any text about expert evidence. That is, there is no term 'expert' in it; nor has it been expressly by the terms of the text to exclude or include [it]. iso17025 does expressly state the lab personnel giving "analysis of results, including statements of conformity or opinions and interpretations;" but that is with respect to the email recovered not if it is fake due to injection of rogue content etc. It doesn't seem feasible these Police labs have the time to suddenly become network experts merely because they recovered data from a device.
The FSR Codes set out intention for Code of Conduct on page 12 of 67 (Issue 4) but this is not hampered or limited to a person working for an organisation that has its lab accredited to iso17025; it defines what is expected of an individual. More importantly, the FSR has no power to bind a Court as to which witnesses it will hear or not. The Code does not provide for an expert being excluded because the expert isn't personnel in the lab; the expert can still be employed to give expert evidence where the lab has no internal expert. That would also mean the expert being independent, objective and impartial - which would be difficult if the expert produced the test results and couldn't criticise his/her own work.
It's completely untrue - many of us were working with the Police for many years before the closure of the FSS.
Before even the Office of the Forensic Science Regulator ever existed. But I do think it is important to understand and recognise what the FSR is attempting to achieve.
So what do they do….blame it all on "unregulated" digital forensics and impose a silly standard that makes things worse in a variety of ways. It's counter-productive but those at the top of the tree will bang on about things being better now despite it being clearly untrue (because doing otherwise would make them look bad and solving the real issues isn't the aim).
As always your feedback is very enlightening. Are you in a position to (even if it is anonymous) provide substantive evidence or demonstratively, traceable example where things are not better due to iso17025 or FSR Codes?
Hi - I can
In 1999 we developed some in-house software that was able to recognise bankcard magnetic strip data at very high speed from a computer image copy data file. It was also able to recognise the bank and the country that issued each recovered record.
The banks heard about it and called us up to a meeting in London. At the meeting we demonstrated the software to the police and the banks. In a couple of seconds we recovered 341 bankcard records from an image copy of a floppy disk.
The banks said “This is exactly what we're looking for. At the moment there is a nine month backlog to examine any computer and then it takes a year to come to court and then maybe somebody tells us the bank accounts that were found. This means that we are exposed to fraud for almost 2 years on each account which results in a loss to the banks.
What if we pay you to examine the computers and extract the account numbers and get them up to us within 24 hours so that we can block the accounts and investigate any fraud spend, and then we'll pay you to examine the computers and produce an evidential pack for the police in 6 to 8 weeks.”
The police said “So we get a free evidential pack in 6 to 8 weeks instead of nine months?”
So that's what we did - any police force seizing computers or computer equipment that were suspected of being used to defraud the banks could send it to us for rapid examination.
So the police could arrest a suspect, and deliver the computers to us and we could extract a comprehensive list of all the bank cards found within it.
The police have a 24-hour custody clock, and have to release suspects, unless they get a 12 hour extension, if they don't get enough evidence to charge.
Many of the OCGs involved in bank card fraud are operating across national borders, so when released “on bail” or “under investigation” the suspects simply disappear.
We could give the police a schedule of compromised card numbers and a witness statement in a matter of hours which could be put to the CPS for a charging decision within the custody clock time.
Now we are no longer operating, the police cannot obtain this free and fast service, and many of the suspects simply disappear.
There is no way that this can be described as an “improvement” because of the introduction of ISO17025.
And we did it many hundreds of times for 18 years and recovered hundreds of thousands of compromised account details which meant that they could not be used to raise funds for further OCG use.
Curiously, is it the testing of tools which people think is a bigger issue or the evaluation of whether people are interpreting the output correctly? Slightly outside of the scope of things but I bet the discovery of substantial tools errors would be far less than discovering misinterpreted (even partially) findings.
Depends if you deny the tools should be validated or the opinion/interpretation?
I think tools should/need to be tested. I do also think this is a very difficult task. I think how a practitioner interprets findings needs to be tested.
I don't know which is the bigger task/bigger threat.
At the moment I think there is a lot of focus on tool-testing, on the assumption that they need to be validated. This suggests there's an expectation to find error. My question is, is it assumed that tested tools is all we need to do? I see very little narrative around the practitioner. A fully working tool does not guarantee quality results.
If we assume the vendors are doing some testing of their tools, I suspect there is little to none in regards to testing practitioner interpretation. So where are the resources better spent? It seems at the moment we are doubling up with vendors to test, and nothing on the other issue I raised.
Very good, and insightful tootypeg. iso17025 and FSR Codes both identify training. Using clauses from iso17025:2017
6.2.5 The laboratory shall have procedure(s) and retain records for
a) determining the competence requirements;
b) selection of personnel;
c) training of personnel;
d) supervision of personnel;
e) authorization of personnel;
f) monitoring competence of personnel.
6.2.6 The laboratory shall authorize personnel to perform specific laboratory activities, including but not limited to, the following
a) development, modification, verification and validation of methods;
b) analysis of results, including statements of conformity or opinions and interpretations;
c) report, review and authorization of results
Do you see these as the relevant clauses to your observations "I suspect there is little to none in regards to testing practitioner interpretation." and "I see very little narrative around the practitioner."?
- How do you envisage educating deep-level skills and experiences?
- Does that include Metrology and so on?
- Is it solely focussing on data interpretation with relevance to the outside world and/or data found in the device?
- Do you foresee this only for Police labs or accredited service providers, also?
In the alternative, do you envisage the use of expert subcontractors to an accredited lab (Police/Private)?
Being as this is your business case, it doesn't benefit the wide ranging level of practitioner in the marketplace. The outline is good about your previous success but in itself it would be an uphill struggle for you to succeed in the current climate. What you could do is to give an up-to-date foundation to your claim to precisely define which iso17025 and FSR parts, clauses and codes are flawed when analysed against the business outline you have given above.
Equally, you may think it a good idea to be in touch with the College of Policing and the NPCC to flat-plan (layout) the process of flaws or even failures. The representation might include subcontractor to an accredited lab and do not rule out tying in with an existing accredited service provider. I suggest the last point because I think there is something of an opportunistic opening for you that could be a take away from the Police Chief's comments to you about paying "once".
As a prospective subcontractor you would need to show support and adherence to the laboratory quality and compliance principles in addition to gauging how you fit into the FSR Code (Issue 4) provision
Code of Practice for forensic units providing forensic science services
1. Introduction
1.1.1. This Code of Practice is aimed at all those providing forensic science services to the Criminal Justice System (CJS), whether individual practitioners, academics, public or private sector forensic science providers. Previous versions of the Codes referred to these as providers, however as this is interpreted by some as commercial providers. This version of the Codes refers to all as forensic units in line with the terminology used in ILAC G19:08/2014. These can be small teams in larger organisations, sole practitioners or large providers and can be instructed by the prosecution or the defence.