ISO 17025 for Digital Forensics – Yay or Nay?

I could also touch the metallic ground pin in a standard European powerstrip connector

[Image removed for page formatting]

(Its the shiny metallic part in the plug that is 90' offset from the connector holes)

That would probably not suffice in a theoretical world of standards and procedures, but it is enough for anyone who ever has taken a basic class about electronics.

You mean a non-standard European power strip.

That kind of socket is called CEE 7/3 socket (Schuko), it is the "only" standard in - say - Germany, Sweden, Spain and Portugal (but not - say - in Italy or in UK, provided that UK is EU).

https://en.wikipedia.org/wiki/Schuko

Particularly both the Italian (other) standard (as nowadays the use of multi-standard sockets is increasingly common) and the UK (only) standard sockets do not expose the ground terminal, so you cannot even use that - anyway unorthodox[1] - trick.
https://en.wikipedia.org/wiki/AC_power_plugs_and_sockets

And still, how often do you check that the ground (of the wristband or of the socket) is effective?
How do you test it? (with which instrument)
How often do you calibrate that instrument?

JFYI, generically here in Italy (and limited to the electrical "fixed" wirings, not to appliances such as an extension cord or a wristband would be) in workplaces the periodicity is 5 years or 2 years in some particular environments (including many with high fire risk), and the control is made by certified engineers, using some equipment tested/calibrated yearly.

It would only be sensible to have a much shorter interval in a forensics laboratory, like three or six months and of course test also the wristband.

jaclaz

[1] unorthodox because an anti-static wristband is connected to ground through (usually) a set of resistors as the idea is to safely connect to ground without any risk of electric shock (possible when touching directly a ground in some circumstances), if you adopted (in a work environment) your method you would be in serious violation of safety rules.

Computer forensics is now mature enough to have expertise in different areas and, matching this, forensic experts who are not experts in certain areas. So its a complex issue re regulating individuals as experts.

Expertise in malware, phones, sat navs, verhicles etc etc and also backgrounds in different areas so they can work well within different legal and/or physical contexts.

I think we are way beyond the point where any one person can claim to be an expert on all areas of computer forensics.

Only courts qualify experts.

Police outsource digital forensic work to unaccredited labs

Police outsource digital forensic work to unaccredited labs

It looks like the Regulator isn't the primary problem at the end of the day. Public opinion may very well be the hammer that causes some to close up shop, enable the Regulator to obtain the enforcement powers she is vying for, or both. Those trying to make a difference in the accreditation debate and hopeful reform could have the rug pulled from underneath them and the Regulator didn't have to actually do anything.

I do not remember who specifically (may have been several), but this has been an unmitigated risk, a huge concern, shared by several for a while now. Accreditation or not, the behavior of some (right, wrong, or indifferent) would be what does the whole industry in (at least in the public/law enforcment sector). Hopefully this is just a hiccup and not the risk being irreparably exposed.

For those of us in the States, take heed.

With reference with the mentioned article the issue remains that the journalist (and the public) believe (and are led to believe) that accreditation means "better quality" (while in reality means only "same quality").

It is not like an accredited laboratory necessary and always makes a "good" or "better" investigation/report when compared to a non-accredited one, or - viceversa - that a non-accredited one necessary and always makes a "bad" or "worse" investigation/report.

There are only some - BTW high in theory, much lower in practice - additional guarantees that the devices are handled properly and data extracted following a pre-set procedure, but that won't do anything about the "cherry-picking" or the "failure to disclose", or the attempts to do "as little work as possible up-front".

This is more or less what happened with ISO 9001, and still today only few people understand that quality assurance means conformity to a set level, and has nothing to do with "good" or "bad" quality.

jaclaz

With reference with the mentioned article the issue remains that the journalist (and the public) believe (and are led to believe) that accreditation means "better quality" (while in reality means only "same quality").

It is not like an accredited laboratory necessary and always makes a "good" or "better" investigation/report when compared to a non-accredited one, or - viceversa - that a non-accredited one necessary and always makes a "bad" or "worse" investigation/report.

There are only some - BTW high in theory, much lower in practice - additional guarantees that the devices are handled properly and data extracted following a pre-set procedure, but that won't do anything about the "cherry-picking" or the "failure to disclose", or the attempts to do "as little work as possible up-front".

This is more or less what happened with ISO 9001, and still today only few people understand that quality assurance means conformity to a set level, and has nothing to do with "good" or "bad" quality.

jaclaz

I 100% agree. This is the factual truth. However, as you yourself noted, that is what the journalist (and ergo the public) seem to/could believe. When coupled with the televised meeting between the committee and the Regulator, it would appear to the layman law maker (logically so without additional information) that she was in fact correct. Even though the issue is far more complex, this type of news can be used as corroboration to her testimony before the committee. I was merely acknowledging the reality of the situation.

When coupled with the televised meeting between the committee and the Regulator, it would appear to the layman law maker (logically so without additional information) that she was in fact correct. Even though the issue is far more complex, this type of news can be used as corroboration to her testimony before the committee. I was merely acknowledging the reality of the situation.

Yep, the problem I was trying to underline is that if not even the law makers (and possibly the judges and other professionals involved in a criminal trial) can fully grasp the real situation, the real laymen (the jury) will - understandably - start their duty with the pre-conception that since laboratory has been certified then it is infallible and its results cannot be doubted, or - viceversa - that since laboratory is not fully accredited/certified then results are surely wrong and should be dismissed.

If you prefer the reliability of whatever comes out as the result of a digital forensics investigation by the Prosecution or the Police may be taken for granted if coming from an accredited laboratory (thus risking to increase the number of innocent wrongly convicted) or rejected if coming from a non-accredited laboratory (thus risking to increase the number of guilty people being acquitted).

jaclaz

Yes, all good points.

If you take these points further, there is a danger that 17025 could have exaclty the opposite effect than desired that evidence produced by accredited labs is automatically assumed to be sound and, therefore, not challenged (as 17025 is seen as a stamp of quality)

I can easily see that members of the Commons Tech committee would be lead down this route as would the media. Also, how many lawyers and barristers have a decent grasp of the situation and will just look for "17025" within the witness statement?

another article

https://www.theguardian.com/law/2018/feb/12/justice-system-at-breaking-point-over-digital-evidence?CMP=share_btn_tw

Yes, all good points.

If you take these points further, there is a danger that 17025 could have exaclty the opposite effect than desired that evidence produced by accredited labs is automatically assumed to be sound and, therefore, not challenged (as 17025 is seen as a stamp of quality)

I can easily see that members of the Commons Tech committee would be lead down this route as would the media. Also, how many lawyers and barristers have a decent grasp of the situation and will just look for "17025" within the witness statement?

another article

https://www.theguardian.com/law/2018/feb/12/justice-system-at-breaking-point-over-digital-evidence?CMP=share_btn_tw

This is obviously a very real concern. The facts of accreditation should always be at the forefront of any discussion. A disingenuous conversation about accreditation actually undercuts those who are for and those who may be against the idea because it is not accurately addressing what is real and what is hyperbole or flat out wrong…on both sides of the debate.

As far as the articles being shared, it should be apparent that this is not a simple as the media would make it seem. For instance, these articles may seem to be blowing up on their face about digital evidence, when in reality it was/is a break down in the investigative and disclosure process between prosecution and defense. You wouldn't know that if you only got the headline. Obviously, this is typical media behavior in headline drafting but any breakdown like this invariably ripples out. This kind of incident is not unique to DF, but to all disciplines where such a breakdown occurs. For example, in the States, this kind of thing can be problematic with rape and sexual assault cases with the rape kits and DNA testing. Breakdowns with these cases are always front page news.

Has anyone (UK) given any thought to next steps in the wake of these events? I think whether you are for or against accreditation it is moot at this juncture. It seems more appropriate to seek accurate representation and facilitate a better standard by which DF work is assessed. Otherwise, it could be downhill from here…