CoE Electronic Evidence Guide  

trewmte
(@trewmte)
Community Legend

On 6th March 2020 the Council of Europe published its document titled:

ELECTRONIC EVIDENCE GUIDE A BASIC GUIDE FOR POLICE OFFICERS, PROSECUTORS AND JUDGES
Version 2.1
Cybercrime Division
Directorate General of Human Rights and Rule of Law
Strasbourg, France
06 March 2020

https://rm.coe.int/c-proc-electronic-evidence-guide-2-1-en-june-2020-web2/16809ed4b4

The web URL highlights the date June 2020, presumably public availability. This is a guide nonetheless and, after all, intended to advise Police Officers, Prosecutors and Judges. This document doesn't reference or elude to ISO17025 or ISO17020 etc. Instead, Books/Guides identify ISO standards (which are very useful guides):

- ISO/IEC 27037: 2012: Guide for collecting, identifying, and preserving electronic evidence
- ISO/IEC 27041: 2015: Guide for incident investigations
- ISO/IEC 27042: 2015: Guide for digital evidence analysis
- ISO/IEC 27043: 2015: Incident investigation principles and processes

So as not to draw a veil of complete blankness over the Standard ISO.17025 the document does highlight the guide 'Interpol: Global Guidelines for Digital Forensics Laboratories', which itself refers to ISO.17025 on pages 56 and 57. Which means find it for yourself, but only if you know ISO.17025 has relevance.

CoE Electronic Evidence Guide references a section on the UK:

12.1.3 United Kingdom (Page 196)
- Crown Prosecution Service Legal Guidance. https://www.cps.gov.uk/prosecution-guidance
- The Association of Chief Police Officers (ACPO) Guide for Electronic Evidence.
https://www.7safe.com/docs/default-source/default-documentlibrary/acpo_guidelines_computer_evidence_v4_web.pdf

The ACPO Guidelines recommended reading is version v4. It might be helpful for FF members to read the comments made in 2014 @Jaclaz question and @BitHead response here: https://www.forensicfocus.com/forums/general/acpo-non-compliance/#post-6574703

Moreover, comments made by @Rupert in 2010 state "I have been heavily involved in ACPO E Crime work & NPIA. I did a critique of the ACPO Good Practice Guide for Computer Based Electronic Evidence. It is a strange beast that has far too much credibility for my liking. It is from neither the legislature, the executive nor the Judiciary. It is from a pseudo quango. It is not the law. Yet it is on the high altar. Since when has a chief police officer known about digital forensics?" https://www.forensicfocus.com/forums/legal-issues/critical-analysis-of-acpos-guidelines/#post-6546137

There are numerous Forensic Focus forum postings about ACPO; here are a few (although using Search will highlight other posts):
https://www.forensicfocus.com/forums/general/acpo-principles-revised/
https://www.forensicfocus.com/forums/education-and-training/computer-forensics-project/
https://www.forensicfocus.com/forums/education-and-training/npcc-guidelines/

Setting aside the 'for or against' arguments (ISO17025 vis-a-vis Digital Forensics Principles and Guidelines), the references to other ISO Guides (useful) while excluding the ISO.17025 Standard (which has Regulatory impact) seem a little odd. If the CoE basic guide can highlight ISO-27037 to 27043, what was the difficulty in highlighting 17025 or 17020 (given the comment on page 40 "Remember that all activities should be in compliance with state and local laws as well as agency policy.")? The reference to an even more outdated ACPO Guidelines version (v4) than the 'last' version (v5) just comes across as unfocused attention to detail, given there is not a clear explanation or reference as to why the anomalies have been adopted.

The voices of those who should be heard concerning digital evidence are those in the digital forensic communities. Rarely, if at all, in these types of document do you read the experiences of a broad-based collection of practitioners which, undoubtedly, if heard could furnish Police Officers, Prosecutors and Judges with most helpful and pragmatic views experienced from working/researching at the coalface of digital forensics today.

Posted : 02/07/2020 11:02 am
jaclaz
(@jaclaz)
Community Legend

elude ?

typo or subliminal wish? 

jaclaz

Posted : 02/07/2020 11:33 am
trewmte
(@trewmte)
Community Legend
Posted by: @jaclaz

elude ?

typo or subliminal wish? 

jaclaz

I take your point.

I use the term elude - is its absence intentionally applied as an escape for not having to mention it at all - e.g. this document doesn't say why Standard ISO.17025 having direct impact on evidence acquisition wasn't mentioned. Equally, the document doesn't refer directly to ISO.17025, generally, so why is that, a simple omission?

Posted : 02/07/2020 11:51 am
jaclaz
(@jaclaz)
Community Legend

I thought you were saying allude to, not elude (that doesn't have the to)?

jaclaz

Posted : 02/07/2020 2:41 pm
Rich2005
(@rich2005)
Senior Member
Posted by: @trewmte

The voices of those who should be heard concerning digital evidence are those in the digital forensic communities. Rarely, if at all, in these types of document do you read the experiences of a broad-based collection of practitioners which, undoubtedly, if heard could furnish Police Officers, Prosecutors and Judges with most helpful and pragmatic views experienced from working/researching at the coalface of digital forensics today.

And this is the entire problem. Continually they force things downwards without consulting those with the most knowledge and experience of doing the job day in day out.

To quote the recent article on this site, quoting the forensic regulator:

Done well, with appropriate leadership and support, they can lead to great improvement; done poorly, however, they might amount to nothing more than assigned tasks, box-ticking, and progress that grinds to a halt.

In the same speech at DFRWS 2020, the regulator cites justification for standardisation, as R v Allen, and then goes on to say accreditation actually wouldn't have made any difference to that!

Fundamentally ISO17025 is a bit of a joke and they need to separate things into practically achievable categories and areas that require excessive process following with no meaningful gain.

The software/tool testing aspect is a giant duplication of effort, under the guise of achieving reliability (or to provide the illusion of it), which it simply isn't going to do.

In a paper by the forensic regulator and others, cited in the article on this board, they acknowledge this (finally) to a degree:

Central resources for tool testing, such as that at the National Institute for Standards and Technology (NIST), have the potential to reduce duplication of effort (accepting that organisations would still need to validate their end to end methods). Similarly, the provision of central resources for development and validation of standard methods has the potential to substantially reduce, although not eliminate, the validation burden on each organisation.

There needs to be the acceptance that forensic tools ARE NOT reliable in an absolute sense and that's not achievable.

Shifting the focus of ISO for digital forensics to having documents and processes for standard operations, allowing for deviation from that when those processes don't work or apply, and accepting that the analysis of generated data is something that is not infallible, no matter how much you test, would be a significant improvement.

If they engaged more (or at all) with examiners, I don't think you'd find many people who're arguing against having a process and documenting their work.

They cite the NIST example, and I still think they really need to change tack from enforcing largely futile limited testing on everyone, and perform both centralised testing of most of the common forensic tools, in tandem with allowing a centralised bug reporting system.

I would venture that having a list of current problems in the tools, contributed to by everyone, would help avoid errors in data far more than the current system of testing a piece of software against the same limited data set, once in a while.

If it were mandatory for an analyst to report problems that they identify, both to the software vendor and to a shared public resource, I suspect there would be increased effort on resolving these bugs on the part of the vendors, and it would be far easier for analysts to be aware of problems and avoid them.

Posted : 02/07/2020 3:07 pm
trewmte
(@trewmte)
Community Legend

@Rich2005 it is my suspicion that the CoE document is an attempt to make good on any Guides out there that suggest, by taking a global view, avoids fettering the document with localised restrictions, leaving it to others to do that. However, CoE is European in origin but it is not a state, nor a country and so adoption of global guidelines needs to be placed in context with why in Europe ISO.17025 was pushed so much. 

It is confusing where these bodies keep producing their own version of events which they prescribe as 'how things are', whereas in reality most of the digital forensics community would say stop doing this; we require one document that collectively includes not just policy makers' or process walkers' opinions but those who work at the coalface. The heroes of the digital forensics community are being neglected and that isn't 'fairness' (perhaps akin to the right to fairness under s78 PACE 1984). As an analogy, this situation is like the person who wheels the patient in on a trolley into the hospital surgery theatre then setting down the guidance on how brain surgeons should do their jobs and how hospital administrators need guidance on that. It is the brain surgeons who are being ignored.

Posted : 02/07/2020 4:28 pm
Rich2005
(@rich2005)
Senior Member

Indeed.

It's extremely frustrating.

It seems like every time an untrained officer does some forensics or interprets it (instead of a DF analyst) or someone doesn't disclose something, the answer seems to be ISO17025 and accreditation (despite obviously never being able to give any justification why that would help resolve those issues).

I think it's pretty disrespectful the way the forensic regulator talks about digital forensics and bluntly doesn't really seem to understand the field very well (if at all).

Posted : 02/07/2020 5:45 pm
trewmte
(@trewmte)
Community Legend

Perhaps then band together as FF contributors using each of our own skillsets to produce our own Digital Forensics Field Guidelines containing real-world experience. 

Posted : 02/07/2020 6:05 pm
thefuf
(@thefuf)
Active Member

Also, they don't know how hidden volumes of TrueCrypt work: https://twitter.com/errno_fail/status/1278694882853486592

Posted : 02/07/2020 8:45 pm