By insisting that Police forces could only outsource to 17025 labs, I think it was used as leverage in an attempt to get labs to go down this route on a "market forces" route without the regulator having formal powers.
That strategy surely has to be questioned now as this is hardly a great advert. So, in future we have either 17025 as a legal requirement or a review of the situation? Or just tread water for a few years?
https://www.thetimes.co.uk/article/police-foot-the-bill-after-collapse-of-forensics-firm-key-forensic-services-limited-bg5nbxkxt
Police have been forced into a multimillion-pound bailout of a private forensics company whose collapse jeopardised thousands of cases that include rape and murder, The Times has learnt.
What's the relevance with the article?
I see no possible way to regulate the digital forensics "lab" without irreparably harming the field.
…
The only thing that can be realistically regulated is that of the training/education standards of the examiner.
…
If you have ever seen emergency medicine conducted in the field, then you have the best analogy to this discussion. A competent doctor performing an unexpected emergency surgery on a mountain trail will always surpass that of an incompetent doctor failing at a surgery using the best equipment in the best operating room. It is the person, not the lab or equipment that should be the focus.
I think this is a really good example which clearly shows that we must first worry about ensuring the examiner is competent and well trained before we worry about the environment they are working in.
As it has been stated here by many others, DFIR can happen in any location, not only in pristine labs that are accredited. Unless the ISO 17025 standard is flexible, which doesn't appear to be the case, very few labs will be able to operate effectively.
As far as I know, Key Forensics did not undertake traditional Digital Forensics; rather, 'Forensic Video and Image Analysis Services'. According to the UKAS website they are not accredited for this type of work or more traditional digital forensics work either.
I do not see the link between the 'failure' of Key Forensics and whether or not ISO 17025 is an appropriate standard in digital forensics either.
Key Forensics are however accredited to ISO 17025 in a significant number of other forensic disciplines (21 page scope). I would imagine that this required a significant amount of time, money and resources as well as a huge amount of hard work to achieve.
I don't see any link between Key Forensics' current difficulties and accreditation.
There will also be lots of employees at Key Forensics extremely worried about their jobs and livelihoods and I wish them all the best.
Hi,
I thought I would chirp in again.
In response to the location issue, 17025 isn't intended to be flexible in this respect. This is a principal difference between it and ISO 17020.
When I worked in a pharmaceutical lab, different substances used in tests had to be kept in different environments. We even had a special low humidity store for certain highly reactive substances. Environment was crucial and you couldn't conduct any meaningful tests outside of that physical environment. If equipment were moved, very sensitive moving parts might have been affected and the unit would need calibrating. As has been expressed in this thread, the environment isn't the issue for us.
17020 is being proposed for scene attendance work, with a date of 2020 to become compliant. Although we can work to '17025 methodologies' out in the field right now, it's a bit of a fudge to say that work is in any way compliant with 17025 because of what 17025 was written for.
Possibly there is room within 17020 for digital forensics but I still think we are looking at a lot of adaptations for it to provide tangible improvements.
Right now funding is the greatest threat to the quality of forensics in the CJS. Key Forensics is a concerning situation and other smaller companies have either fallen by the wayside already or pulled out of the CJS market entirely. Unlike fingerprint and DNA, there is a huge corporate market for digital investigations.
RTS shows us that ISO 17025 cannot guarantee quality or reliability but is costly for companies to attain. Clearly many companies have thought to themselves why spend this money if we don't have to?
Micro companies make up the bulk of digital experts who do defence work and they simply cannot afford to attain ISO 17025. I know a lot of people who used to do defence work but have decided not to accept any more CJS work, not at £72/hr and certainly not at £72/hr and having to fund 17025 from it.
The loss of these defence experts concerns me greatly and what will happen when a prosecution report is produced, the defendant is permitted legal aid but then can't find a defence expert? If they can, what kind of defence expert will they get at that price? One who cannot afford to fund forensic tools and/or training quite possibly.
Issues of disclosure are the current hot topic. Quantities and the complexity of data to assess is the biggest problem, followed by a lack of training for disclosure officers in dealing with communications and open source data and digital evidence. Training is also a funding issue.
I think the Regulator is going to find it harder to push for statutory powers when the vast majority of potential miscarriages of justice involving forensics were carried out by an accredited laboratory and when funding is causing forensic providers and police units to fail and in more than one way.
2018 will be an interesting year.
Steve
Steve, as always a very sensible and highly reasoned opinion from you. Some of the single-person advisors and micro businesses are still around but the CJS digital forensic market is much smaller. The impact of that is why case reviews of criminal cases are taking place due to inappropriate lack of evidential scrutiny.
Yes, Steve, spot on.
Slight tangent, but it's interesting that, on forums and wider, we talk about the CJS and the Corporate Market as if there is a clear dividing line with no crossover. We all know that crime exists in all walks of life and, in the real world, there is no dividing line, with Corporate investigations uncovering criminal evidence, civil cases escalating to criminal, etc.
I'm interested in how any possible future legal requirement for 17025 would deal with this scenario.
Indeed, this is probably something the Regulator hasn't thought of.
Even big due diligence projects where company A wants to buy company B could result in a criminal matter coming to light during an e-Discovery process.
I know a lot of people advising on corporate security where they started out in digital forensics within the CJS. They've tried to move outside of 17025's reach, but perhaps they haven't succeeded after all!
Steve
"Indeed, this is probably something the Regulator hasn't thought of."
Not sure if you're being ironic -)
How much time have they had? If 17025 does become a legal requirement, defence lawyers will jump on any occasion when data was captured, stored, viewed etc. by non-17025 parties. And when exactly does a civil case become criminal? We all know it's a complex issue.
There is literally, practically, and virtually no difference in "doing forensics" using a laptop in a conference room of a business on a remote island and that of "doing forensics" in an ISO certified lab in an underground bunker. The only real difference is that of the examiner, in that the examiner either follows or does not follow community accepted analysis guidelines. Even the guidelines are recommendations since every approach to a computer system may be different from the last and different from the next one, each requiring a slightly different response using different tools and methods. Even the goals to each response are different.
Electronic evidence is not like any other evidence; there is nothing even close to it. Electronic evidence is virtual. You can't touch it. You can't see it. When preserved, you can examine it, duplicate it, replicate it, and transmit ad infinitum without ever changing it one bit. We only see the interpretation of electronic data via software and hardware.
This is the crux of the matter.
Digital evidence is unlike other evidence. Other evidence types need regulation to reduce spoliation and provide accurate test results which rely on a controlled physical environment.
I fear that some in the DFIR field may want DFIR to be treated as if it were like scientific fields for the sake of notoriety (as in, "I am a scientist!") without understanding that regulating the physical work environment of digital forensics would be as effective as regulating the movement of clouds (real clouds, not computer servers…). You can make regulations, but they won't work because the DFIR field will be unable to comply with them.