FYI
Information technology – Security techniques – Guidelines for identification, collection, acquisition and preservation of digital evidence
Information technology – Security techniques – Guidance on assuring suitability and adequacy of incident investigative method
Information technology – Security techniques – Guidelines for the analysis and interpretation of digital evidence
Information technology – Security techniques – Incident investigation principles and processes
Do you see the relevance of these standards to DF? That's why I believe that ISO 17020 and 17025 are irrelevant to DF Labs.
To top the above, there is also
ISO/IEC 27050-1 Overview and concepts
ISO/IEC 27050-2 Guidance for governance and management of electronic discovery
ISO/IEC 27050-3 Code of practice for electronic discovery
ISO/IEC 27050-4 ICT readiness for electronic discovery
I have been a certified assessor for ISO 17025 for a couple of years now. What it does is establish a general framework for the operation of a lab. Document control, sample (evidence) handling procedures, record keeping, etc. It does not go into specific processes of analysis. This can be seen as either a positive or a negative. To this degree, having been through each standard in depth, I think it does apply to the administration of a computer forensic lab.
I am also involved in law enforcement accreditation. The downside to a mandated accreditation standard that does address more specific procedures is that the accreditation body becomes the de facto admin over the lab. There is a balance to be struck, and that balance should provide sufficient guidance for operations, but leave the leeway for each lab to function in the most efficient way possible.
I'm sure that the reason for ISO 17025 is so that the government labs, who operate in many areas of forensic science, could be accredited under one standard for all functions.
A practical guidebook for meeting the requirements of laboratory accreditation
schemes based on ISO 17025:2005 or equivalent national standards
A 122 page Adobe Acrobat (pdf) doc by the
United Nations Industrial Development Organization (UNIDO)
I have been a certified assessor for ISO 17025 for a couple of years now. What it does is establish a general framework for the operation of a lab. Document control, sample (evidence) handling procedures, record keeping, etc. It does not go into specific processes of analysis. This can be seen as either a positive or a negative. To this degree, having been through each standard in depth, I think it does apply to the administration of a computer forensic lab. …
I'm sure that the reason for ISO 17025 is so that the government labs, who operate in many areas of forensic science, could be accredited under one standard for all functions.
To quote A. Marshall from a discussion in the
Both 17020 and 17025 are included in the Regulator's Codes, but 17020 is applied (when it is used at all) to non-lab. based activities such as activities at crime scenes.
There's a few reasons for this - firstly, existing forensic science disciplines such as DNA had already adopted 17025, especially if a lab. wanted to be able to submit profiles to NDNADB. Secondly, international bodies such as ILAC and ENFSI favour the use of 17025 and thirdly (whisper this one), there's an EC Council document that specifies the use of 17025 for DNA & fingerprinting and calls for member states to declare how they will implement it for digital.
Neither 17020 nor 17025 is enough in its own right, which is why the additional guidance in ILAC-G19, the Regulator's codes and the Regulator's guidance documents is needed.
Now - where it gets interesting for digital is the work that has been done (and I've been heavily involved in it) in ISO/IEC JTC1 SC27 (the Information Security committee) to produce equivalents for the info. sec. world. This has produced ISO/IEC 27037, 27041, 27042 and 27043 as "guidance" for investigations and launched 27050 as multi-part standard for eDiscovery. They've been carefully designed to be compatible with the 17025 regime, but easier to understand and apply in a digital world. Unfortunately, because they're "guidance" (and there are good reasons for that, related to national legal systems) they are not considered to be suitable as accreditation standards. My hope is that they will be adopted by businesses as standards for internal investigations, resulting in something which makes it easy to transfer the results of internal processing into law-enforcement processes if required...
Reading the UN Guidance document, it states that
"but it would not, for example, be acceptable to pay them on the basis of the number of samples analysed."
So how does this apply to a self employed expert? Does it mean that they can't quote for example a single phone as clearly, that would breach the statement above?
And an expert who owns shares in a company so, they clearly benefit financially from the number of samples analysed
Overall, reading the UN document, two things came across.
The doc was never written with digital forensics in mind (many references to test tubes etc) and it was not written with small organisations in mind (many references to managerial structures etc)
I have so many more questions regarding this whole topic but I won't go on as I know there are so few answers at the moment…best of luck everyone
"Square peg - round hole"
The doc was never written with digital forensics in mind (many references to test tubes etc) and it was not written with small organisations in mind (many references to managerial structures etc)
Well, ISO 17025 was designed for Forensic Labs, not individuals .. so that would be expected
But the two are not mutually exclusive. A self employed computer forensics expert working on his/her own is working in a lab (irrespective of his/her location) according to how the standard has been applied? Just by working on digital evidence, their location becomes a lab.
Happy to be corrected.
I have met some experts working on the periphery of forensics (we also need to discuss exact definitions), who have formed the opinion that the requirement does not apply to them as they don't work within a forensic laboratory.
But the two are not mutually exclusive. A self employed computer forensics expert working on his/her own is working in a lab (irrespective of his/her location) according to how the standard has been applied? Just by working on digital evidence, their location becomes a lab.
Happy to be corrected.
You are right, even though lab in this context can be a home office ..
By the way, it seems I am not the only one suggesting the use of ISO 27xxx instead of 17025.
The is the
We agree with the concept of the use of accreditation or certification to provide evidence that bodies and practitioners providing evidence for criminal justice purposes are competent, proficient and use methods which are fit for purpose, but have concerns about the use of ISO 17025 as the standard.
This is a very broad standard and leaves many issues open to interpretation. In particular, the concept of validation is poorly understood, even in those countries (such as the UK), where the process of adopting this standard for digital and multimedia evidence has been ongoing for several years. The UK's Forensic Science Regulator has had to allow deadlines for compliance to "slip" several times, and there is minimal evidence to suggest that the majority of laboratories have made significant progress towards achieving accreditation - mainly because of the problems around validation.
There is confusion about whether processes or tools should be validated - and when that confusion is overcome, the terminology around verification causes further confusion as it conflicts with normal software development and testing concepts. We suggest that the term "verification" (and similar terms), as used in ILAC G19, should be replaced with "confirmation".
We would suggest that, in addition to the ILAC G19 guidance, the DoJ should consider including ISO/IEC standards 27037, 27041 and 27042 as part of the accreditation and/or certification scheme as these have been written to align with ISO 17025, but have been produced specifically to address the needs of practitioners in digital domains, and to provide clearer guidance on how ISO 17025 type quality systems can be applied to digital investigations.
We also recommend that consideration is given to exploring how bodies which have achieved certification to the 270xx standards can be allowed to provide evidence - i.e. to show how compliance with the 270xx model provides evidence of a 17025 compatible scientific regime.
Taken from the first Regulator's Business Plan
"Utilising informal sanctions at the disposal of CJS users of the services; for example
• Developing a climate within which suppliers who are unable to evidence compliance with quality standards will find it difficult to secure contracts to supply forensic science services to police forces and others;
• Encouraging courts and counsel to expect testimony given by expert witnesses to be underpinned by evidence that the science complies with the requisite quality standards."
If digital forensic experts in the private sector chose to reject 17025 and go down the 27xxx route, surely, that would not render their evidence inadmissible? It is still a respected, recognised and perhaps more relevant standard?
If digital forensic experts in the private sector chose to reject 17025 and go down the 27xxx route, surely, that would not render their evidence inadmissible?
The tendency (US/UK) is to move compliance with 17025 from 'voluntary' to 'mandatory', and that will probably create such problems
It's like telling all fruit (forensic providers) to comply and include the tomatoes (digital forensics) with the fruit (which they are technically) .. ?