ISO 17025 for Digital Forensics – Yay or Nay?

126 Posts
18 Users
0 Reactions
9,669 Views
(@merriora)
Posts: 44
Eminent Member
Topic starter
 

“Much of the digital forensic community desires to have their evidence seen in court as forensically sound and bulletproof, yet do not want to go through the rigors that other traditional forensic sciences have done to prevent evidence spoliation and other mishandling and misinterpretations.”
~ Josh Moulin
Deputy Chief Information Officer
US Federal Government, National

ISO 17025 is now the mandatory standard in the United Kingdom for all Digital Forensics Laboratories.

Will the Digital Forensics community in the United States, Canada, Australia and elsewhere adopt ISO 17025, another standard, or wait for one to be imposed on them by a government agency?
To find the best solution for those working outside the UK, the following article calls for an in-depth analysis of IS0 17025, and everything it represents.

Input from those working in ISO 17025 labs in the UK and other countries will help the rest of us better understand the reasons for and against this accreditation.

Please read the following article posted here on Forensic Focus and join the discussion by posting your comments here.
https://articles.forensicfocus.com/2018/01/24/iso-17025-for-digital-forensics-yay-or-nay/

Your input will help start the conversation on this important topic.

 
Posted : 24/01/2018 1:55 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

So there are a great many problems plaguing the implementation of this standard:
Consistency across audits - major problem
Massively used to areas which have standard methods - as in British Standard/International methods not common use of IEF
Areas where terms are made to fit digital standard - uncertainty of measurement
Competency - based around the idea that each method is very different and separate and that someone needs to demonstrate how to do it. I would argue that running IEF or Regripper or other tools doesn't require a specific competency, but investigations require competent staff. A work instruction detailing the former covers ISO but never addresses someone's actual competency.
Specific work instructions - doesn't allow flexibility for taking into account unknowns. How do you write a work instruction for something you don't know exists?
Pace - ISO 17025 is designed for areas which rarely change. Digital Investigators are already behind and technology changes pace rapidly.
Calibration - requirement to 'calibrate' computers used in investigations, a requirement of ISO but stupidly applied.

There are more areas than I can show here right now, but the audits have shown me how ridiculous the whole process is. I know more than one or two labs have been asked how they protect hard drives from solar flare activity!

 
Posted : 24/01/2018 5:48 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

There are more areas than I can show here right now, but the audits have shown me how ridiculous the whole process is. I know more than one or two labs have been asked how they protect hard drives from solar flare activity!

Not only, the > 1 meter thick reinforced concrete walls of underground laboratories would probably need to be certified as "solar flare proof" or at the very least "solar flare resistant", according to a standard grading system developed at the time for "glasshouses" (which is obviously "closely related"). wink

jaclaz

 
Posted : 24/01/2018 5:59 pm
bshavers
(@bshavers)
Posts: 211
Estimable Member
 

Isn't lab certification for computer work overkill and unnecessary?

Other lab types that work with chemical, biological, or nuclear substances surely need accreditation with substantial regulation for public safety measures. But certifying a computer lab?

I believe the "lab" should not be any part of regulation.

The path to make DFIR more like other forensic fields should be directed at the person, not the lab, as electronic evidence is different than any other type of evidence. Electronic evidence can be preserved in a static state (as if preserved in amber), reproduced, duplicated, transmitted, and copied without alteration. It can be examined countless times by countless persons using countless methods to obtain forensically sound results. The same cannot be said of other forensic fields. Once a physical substance has been tested (blood, drugs, a human body, etc..), it cannot be tested again as if it were never tested in the first place, nor can the substance be duplicated or preserved as electronic evidence can. Once preserved, electronic evidence does not spoil or rot.

For the computer "labs" having to comply with medical lab standards, I would expect compliance failures to be a regular occurrence, which will impact forensic admissibility in the courtroom for the simple fact of failure to follow an impossible-to-follow policy regardless of how perfect of a forensic exam was conducted.

 
Posted : 24/01/2018 6:57 pm
(@mcman)
Posts: 189
Estimable Member
 

Isn't lab certification for computer work overkill and unnecessary?

Other lab types that work with chemical, biological, or nuclear substances surely need accreditation with substantial regulation for public safety measures. But certifying a computer lab?

I believe the "lab" should not be any part of regulation.

The path to make DFIR more like other forensic fields should be directed at the person, not the lab, as electronic evidence is different than any other type of evidence. Electronic evidence can be preserved in a static state (as if preserved in amber), reproduced, duplicated, transmitted, and copied without alteration. It can be examined countless times by countless persons using countless methods to obtain forensically sound results. The same cannot be said of other forensic fields. Once a physical substance has been tested (blood, drugs, a human body, etc..), it cannot be tested again as if it were never tested in the first place, nor can the substance be duplicated or preserved as electronic evidence can. Once preserved, electronic evidence does not spoil or rot.

For the computer "labs" having to comply with medical lab standards, I would expect compliance failures to be a regular occurrence, which will impact forensic admissibility in the courtroom for the simple fact of failure to follow an impossible-to-follow policy regardless of how perfect of a forensic exam was conducted.

As always Brett, you are a voice of reason. I agree 100% to this. While we have a lot of similarities to "traditional" forensic sciences, DFIR is unique and should be treated as such. Not forced into a bucket that doesn't fit.

 
Posted : 24/01/2018 8:12 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Isn't lab certification for computer work overkill and unnecessary?

IMHO yes and no.

Yes, it makes no sense whatsoever because it is inherently a "moving target", and - provided that actual ISO 17025 is applied (which I doubt) - the consequence is that either the lab will "remain behind" or a lot of resources (which don't seem to be that abundant) will be (should be) diverted to verification and compliance of tools and methods.

No, because - at least judging from the recent news - some (hopefully only isolated cases) laboratories (or analysts or both) make so sloppy (or plainly wrong or partial/incomplete) reports that *something* needs to be done about it.

Other lab types that work with chemical, biological, or nuclear substances surely need accreditation with substantial regulation for public safety measures.

Not only, it is much easier to create a standard for them, because the amount of variability in the "source" and the total number of possible tests are limited and - almost - always the "same" ones.

I believe the "lab" should not be any part of regulation.

The path to make DFIR more like other forensic fields should be directed at the person, not the lab, as electronic evidence is different than any other type of evidence.

Still that would amount to *needing* some "standard" certification of sorts linked to the person instead of the lab, a much better IMHO approach, but - without some good ideas on how exactly to have that - only moving the actual target without solving the issue.

Electronic evidence can be preserved in a static state (as if preserved in amber), reproduced, duplicated, transmitted, and copied without alteration. It can be examined countless times by countless persons using countless methods to obtain forensically sound results. The same cannot be said of other forensic fields. Once a physical substance has been tested (blood, drugs, a human body, etc..), it cannot be tested again as if it were never tested in the first place, nor can the substance be duplicated or preserved as electronic evidence can. Once preserved, electronic evidence does not spoil or rot.

Sure, but when possible and within limits even biological samples can be re-tested (and often are when there is an appeal or similar).
If the "scientific data" from the very first test has - and it increasingly seems like it is the case lately - the potential to put (and keep) innocent people in jail, or vice versa allow the culprit to get away free of charges, *something* in the quality assurance of these "scientific data" *needs* to be done.

For the computer "labs" having to comply with medical lab standards, I would expect compliance failures to be a regular occurrence, which will impact forensic admissibility in the courtroom for the simple fact of failure to follow an impossible-to-follow policy regardless of how perfect of a forensic exam was conducted.

Yes, and that is IMHO the worst aspect.

Since the "other part" (be it prosecution or defense) is essentially made by lawyers, i.e. people that by trade look for and find even minimal defects in whatever/whoever the other part brings in court (be that eyewitnesses, expert witnesses or reports), this would open a whole Pandora's Vase of "procedural exceptions" or similar.

With the consequence that digital investigators may shift their competence and focus from actually finding out what is contained in the evidence to making sure that the methods through which this content is extracted and interpreted is compliant as much as possible to the "impossible-to-follow" policy, i.e., in a nutshell, provide less or worse data.

jaclaz

 
Posted : 24/01/2018 8:46 pm
JaredDM
(@jareddm)
Posts: 118
Estimable Member
 

This conversation makes me glad I moved into data recovery and stayed out of DF. I'm happy the government(s) neither understand or care enough about data recovery to even attempt regulation.

I find it hilarious when other data recovery labs try to post their "accreditation" of a certain ISO standard. Last time I checked DriveSavers was showing off their latest ISO certificate. But if you looked up the number it was just relating to cloud storage and has nothing to do with data recovery at all.

If ISO 17025 is like most ISO accreditation processes I've researched in past jobs, half the requirements are clearly written by bureaucrats who have no understanding of practical application at all.

Computer calibration. That's funny. Better make sure that your clock isn't running .23ms fast. That could get the whole case thrown out. lol

 
Posted : 24/01/2018 9:56 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

No, because - at least judging from the recent news - some (hopefully only isolated cases) laboratories (or analysts or both) make so sloppy (or plainly wrong or partial/incomplete) reports that *something* needs to be done about it.

Except the recent mistakes, assuming the rape trials, relate to non-disclosure of data. The phone extraction had been done and there is no evidence it wasn't done correctly. The accreditation wouldn't have stopped it. The other instance related to Facebook messages extracted by a front line officer. Again outside the accreditation scope. So ironically it wouldn't have affected them.

 
Posted : 24/01/2018 10:46 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

0710 2018-01-25

Once preserved, electronic evidence does not spoil or rot.

Given enough time (decades), digital media, even preserved on the best of whatever we have today, will degrade and become unusable. I'm part of a retro community that deals with preservation of software, and many are reporting that some disks can no longer be read.

Not to forget, hardware goes away and is replaced by new technology, requiring hardware also to be stored for media to be recovered in the future, and hardware has a shorter shelf life (i.e. electrolytic capacitors go bad and leak, as well as batteries that barf acid all over the motherboard). I know of one company that has been storing tech since the 60s and their technology storage is significant; I'd call it a museum.

No, because - at least judging from the recent news - some (hopefully only isolated cases) laboratories (or analysts or both) make so sloppy (or plainly wrong or partial/incomplete) reports that *something* needs to be done about it.

So it's more of a people problem. Can also be taken care of by having 2-hand sign-off instead of forcing people to pay for a piece of paper.

Computer calibration. That's funny. Better make sure that your clock isn't running .23ms fast. That could get the whole case thrown out. lol

That kind of stuff. People applying standards because of knee j**k reaction on things that are outside the standard and someone trying to make money on certification/accreditation. It's the PE licensing idiocracy thing all over again.

 
Posted : 25/01/2018 7:24 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

The accreditation wouldn't have stopped it.

Exactly.

Maybe I expressed myself poorly? I referenced those recent cases to point out how "digital data" have a great relevance in Police and Courts decisions, and thus mistakes revolving around these "digital data" (both inside and outside the laboratory) may have serious consequences. Thus it makes little sense to have a very strict norm on the way the data is acquired in a laboratory if data can be acquired outside the laboratory or can be mishandled by other actors in the process.

The decision to apply ISO 17025 to digital forensics laboratories - besides and before discussing whether the norm is applicable/right or not (it is not IMHO) - only patches a small part of what is involved in a fair and correct trial.

A "better" or "more suitable" standard (or however guideline or procedure) is - as I see it - however needed and should cover the whole process of discovery and reporting not only the mere activities in the laboratory.

At the end of the day the people - righteously - expect that the judiciary system will punish (adequately) the guilty and leave the innocent free, i.e. they want justice to be - as much as possible - just.

jaclaz

 
Posted : 25/01/2018 2:26 pm