I'm still questioning the necessity to create a lab standard at all.
A digital forensics "lab" standard and/or accreditation is unreasonable as previously discussed. We should avoid attempts to create a standard for the sake of having a standard, when few will be able to comply.
It is the practitioner that matters to create standards in education, training, and experience.
An experience-standard can be difficult.
* Whose experience should matter?
* How are you going to get new people into the field if experience is a requirement?
As long as it does not put the financial burden on the individual, I'm fine with the other requirements. If the financial aspect is not taken into consideration, few will be able to comply.
There is a reason why I do not have any SANS certification: the prices are just too damned high and I do not want to encourage that, even if I can afford them. It's like a tax to be able to get a job. Imagine yourself starting out in forensics today; that is why I do not like it.
And within this post, lies the question about who would pay for the accreditation for an individual if it is based on the person and not the lab?
In many circumstances, I would see this training and certification paid for by the lab as it is done within many police organizations currently. But would this work within private organizations?
Do many private organizations currently pay for lots of training or is most of the training provided in-house?
Would certification for an individual be broken down by skills allowing them to do more aspects of the job?
Example: Would they need to be certified in Chip-Off or ISP or JTAG before they can perform these tasks? Is taking a course enough? If yes, does that course have to be certified to a certain level?
For analyzing SQLite DB's and recovering deleted records, will they need to be certified?
If yes to these questions, then I see the value of an experienced examiner going up substantially as they clearly provide value to any lab they work within allowing that lab to acquire more complex investigations.
As has been stated in previous posts, many organizations, when outsourcing this work, often look for the cheapest organization, as accreditation is/was not currently taken into consideration within the courts.
With that in mind, will this lead to examiners leaving for higher paying jobs after being trained, thereby creating a reluctance by the lab to pay for the training?
In many ways, this is no different than the software industry, where experienced developers move around from company to company for higher-paying jobs or do contract work. However, the big difference with our work is that we can often be required for court six months to five years after we've done the work for a criminal case.
As we know, the court never goes as scheduled which can often result in hours or days of waiting within the court-house.
If accreditation of individuals leads to them moving around from organization to organization, how will those organizations plan and pay for that 'expert' to prepare and attend court in the future?
NOTE: I recognize that this is potentially already an issue, but would this be a bigger issue if individuals were certified and required higher pay for each accreditation they obtain?
Obviously, from a personal point of view, I am not against higher pay and better recognition of individual skills. However, in my opinion, we still need to ask these questions if we believe they could be an issue for the organization we work for.
Brett, would you be able to share further details on how you see individual accreditation working, so that we can begin to focus on possible solutions to this complex discussion?
We are unrealistic to demand that entry into this field not have a financial cost of entry.
My view on training, education, and experience requirements tie directly to government licensing of a DFIR practitioner, in that no licensing means not being able to practice DFIR, much like the medical field, legal field, and even the hair stylist field. Each requires the practitioner to spend time and money to meet minimum standards before even being able to apply for a job to work in their respective field.
There are more than enough colleges with degrees in various aspects of DFIR, with nearly every school able to provide financial aid. Students who can afford to pay without student loans can pay up front. Students who do not accept financial aid but also do not want to pay the cost of education are simply choosing to not get into DFIR via a college degree.
As far as licensing, most regulated fields do not require a specific class from a specific vendor, but rather a specific number of hours from any number of approved vendors or colleges. The govt regulatory agencies simply require the schools to be accredited, and the choice of which to attend belongs to the student. Some are less expensive than others, but the choice of how much to spend is up to the student newcomer.
Each time that I hear potential newcomers to DFIR cannot afford the software or the training or the education, I can only reply that it-is-what-it-is. Some things can be had for free, most things in DFIR are not (and they are many times expensive). Try opening a barbershop when you can't afford to buy a pair of scissors and can't afford to take a class in how to cut hair. The cost of doing business is a literal financial cost to do business.
Licensing (based on training/education/standards) does not need to be anything more than ensuring that those practicing such a serious job have the basic knowledge to infer potential competence. Competence can't be regulated, but the training standards can, such as requiring a certain number of hours in basic digital forensics or incident response education/training. As for experience, the Catch-22 remains as it does in any field, but colleges have plenty of internships available and there are avenues outside of colleges to gain experience.
I have seen "practitioners" sell their wares without so much as spending a few days in a forensic class and thereby putting the entire DFIR field at risk of a govt agency over-regulating the rest of us out of a career. The entry barriers are placed for a reason; to reduce the risk of fraud and incompetent work product, both of which affect the public at large, and just as important, to pay for the training, education, and tools.
@bshavers
All good, fine and dandy in theory, BUT
1) I have yet to see someone in a "regulated" profession just coming out of college having proper preparation/knowledge [1] before having gathered a few years of experience in practice, even if they passed - sometimes brilliantly - each and every test/exam/whatever the government asks before providing them with a license for their profession.
2) If you (not someone else, you) were accused of a serious crime, how would you choose your defense lawyer [2]? Please choose:
a. I would just look for the first one I can find under "criminal defense lawyer" on the yellow pages. (they all have a government license of some kind, they all studied and passed exams in Uni, they are all good)
b. I would ask friends/people I know about a known one with a long successful record, or anyway I would do anything I can to find the "best" one I can afford. (no matter how many exams all people in the profession passed and how many certifications they all have, there are among them good ones and bad ones)
What has been done in these years, in a number of other "regulated professions" is to continuously raise the bar in an attempt to filter the "best" out of the mass, adding requirements (degrees, courses, exams, etc.), i.e. - essentially - making it more difficult to the newcomers to "enter the club".
Has it worked? (not to limit the admissions to the club, but to have "better" professionals)
Do we really think that the same "model" will work for digital forensics?
jaclaz
[1] Not so casually, due mainly to the lack of competence (not so much the fault of the kids, but rather of the people/institutions that teach them) in a number of professions there is the need for a compulsory period, like 2/3 years of "apprenticeship" or "internship".
[2] Or, should you need to undergo non-trivial medical cures or surgery or even dentist intervention, how would you try to find the doctor/surgeon/dentist?
Just to widen the discussion slightly (this applies to regulating labs or individuals)
Statutory regulation requires legal definitions, and I have seen very little discussion on how such definitions would come about and how they would be applied in the real world. These are more important when you consider that a good defence barrister will look at the definitions in an attempt to show that requirements have not been met (and, therefore, the evidence is not reliable).
Legal definition of digital forensics.
Legal definition of criminal evidence (can unregulated labs deal with intel? civil case becoming criminal, etc.)
Jurisdiction (evidence from outside of legal borders).
When exactly does data become criminal evidence?
Without the ability to create usable and practical definitions of these, it's going to be very hard to come up with a regulatory statute.
These are all issues that need discussion and something that the regulator has not really come to grips with yet IMHO. I would hate to be the one who, starting with a plain sheet of paper, had to draft a watertight statute, knowing it would be tested at some point by some of the finest barristers available.
PS of course, many of these questions equally apply to other forms of forensics.
I agree that the quality of some examiners is s**t; some people working for 3/4-letter high-prestige government agencies can't even find a piece of common bloody malware that some antivirus locked up in isolation, and their speciality is crunching DD images, while mine is network forensics. (You know who you are.)
It is possible to have exams done at job interviews to assert what your current skill level is, like "How would you proceed to investigate X"?
As well as pragmatic tests like executive functioning and problem solving skills, which are quite revealing of the persons capabilities.
In other aspects, jaclaz just said it better than me. We do not need more paperwork; we need practical qualifying tests of knowledge that could have been acquired at a training facility, or at home at the desk during nightly online courses, or tinkering with Project Honeynet or similar material. Even references can be useful: "This guy did catch the intruder while working as a network tech."
But then, i do not have an interest in selling online training courses so what do i know?
The most important thing is to have a genuine interest in the field; if that exists, then that person will learn everything there is to know about the field. Monkeys with certificates, only interested in doing the bare minimum, are not a measure of quality; they have been overflowing the IT industry as a whole for years.
It makes me happy to see discussion of the practitioner over the "lab". It makes me even happier to see a discussion of minimum standards of the practitioner over beliefs of no standards at all.
My only thought in a minimum standard is that some bottom line of knowledge should be met to allow licensing, and more importantly, created by the DFIR community and not by a regulatory agency. If your state requires a PI license to do forensics, you know what I mean.
A minimum standard can be anything, from a certain number of college courses to on-the-job experience or anything in between.
When govt agencies decide to regulate the DF field, in which they may be ignorant, the regulation will be far too difficult to meet, will negatively affect those with years of experience, and will wipe out a massive number of potential newcomers to the field due to inability to meet the minimum standards. I do not feel a college degree is necessary, but I also do not think that just buying a dongle is enough either.
We can prevent over-regulation by having a community wide standard of something minimally agreeable sooner than later. The standard can be virtually anything to show that a minimum required amount of time and effort was completed; perhaps a combination of education hours, OJT, or alternative methods of testing (in effect, to "test out"), certifications, or related experience.
Competence cannot be regulated. But requiring a minimum amount of exposure to important DF*IR information can be. We have to separate competence and education standards as a regulatory goal; let's leave competence determination to the hiring managers where it should be.
*To clarify a bit on the "F" part of DFIR. I do not see a reason to regulate or license the aspects of the field that do not relate to forensics. A system admin does not need certification in forensics; nor does the help desk. Incident response may or may not need it depending on whether or not their job requires investigating incidents with the intention of legal proceedings (thereby, it is 'forensics').
There is a distinct difference in work that requires forensics versus the exact same work that does not require forensics. IT can image a hard drive using the exact methods and tools as a DF examiner does, but one has nothing to do with a legal proceeding and the other has everything to do with it.
When the job posting states 'gathering evidence' or 'testimony', then we have opened the door where personal harm to the public is in the hands of the practitioner, and at that point, the practitioner should know what 'forensics' is. And forensics is not being able to image a hard drive, but rather the legal concepts surrounding it.
… and their speciality is crunching DD images, while mine is network forensics.
There is a distinct difference in work that requires forensics versus the exact same work that does not require forensics. IT can image a hard drive using the exact methods and tools as a DF examiner does, but one has nothing to do with a legal proceeding and the other has everything to do with it.
Can we all agree that when it comes to making (at least from standard mass storage devices) a DD image, it represents the simpler, most basic part of digital forensics work (more like a pre-requisite than anything else)?
If Yes, do you both realize that the community (at large) has completely failed in years to provide a definite guideline and tools/methodology outside the (IMHO poor and outdated) NIST tests and the needed "acts of faith" in this or that (hardware write blocker) vendors?
In this (little?) sub-community at forensicsfocus we have here and there references to WinPE (not so casually also thanks to bshavers), we have customized Linux distros (like the Passmark/Osforensics one, which is seemingly far from having been properly tested), we have patches for them (see TheFuf's work).
Yet, we cannot even produce one (or two) definite, verified, foolproof, basic tool(s) guaranteed (by the consensus of the community) to make a stupid dd-like image without altering the source.
Heck!
We cannot even fully agree on some basic definitions (example)
https://www.forensicfocus.com/Forums/viewtopic/t=15714/
A rose by any other name will still smell as sweet, but calling things by their names has traditionally been the very first step to start communicating.
Do you really expect that out of nowhere something like
We can prevent over-regulation by having a community wide standard of something minimally agreeable sooner than later. The standard can be virtually anything to show that a minimum required amount of time and effort was completed; perhaps a combination of education hours, OJT, or alternative methods of testing (in effect, to "test out"), certifications, or related experience.
will ever (as opposed to sooner or later) come out?
And now a set of (legit?) ISO 17025 questions:
Do you use an anti-static/earthing wristband when disassembling a PC to extract a HDD or SSD (or whenever you touch any electronic device, including, but not limited to, USB sticks)?
How is the wristband tested and certified?
Does it need periodical verification?
https://en.wikipedia.org/wiki/Antistatic_device#Antistatic_wrist_strap
jaclaz
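The post above asks for a basic, verifiable way to make a dd-like image "without altering the source". The script below is an added example, not code from the thread or from any tool jaclaz names: it hashes the source before and after dd runs and compares both with the hash of the image, which is the minimal check that shows (a) the acquisition did not write to the source and (b) the image is a faithful copy. It assumes POSIX sh, dd and sha256sum (or shasum -a 256); in a real acquisition SOURCE would be a block device behind a write blocker, while here it is a constructed file so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the forum thread): acquisition check for a dd-style image.
# Hash SOURCE, image it with dd, hash SOURCE again and hash IMAGE; all three must match.
# Assumptions: POSIX sh, dd, sha256sum or shasum. SOURCE here is a constructed file;
# for real media it would be a device node behind a hardware write blocker.

hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_hashes BEFORE AFTER IMAGE
# returns 0 if all three match, 1 if the source changed, 2 if the image differs from the source
check_hashes() {
    [ "$1" = "$2" ] || return 1
    [ "$1" = "$3" ] || return 2
    return 0
}

# acquire_and_verify SOURCE IMAGE
# images SOURCE to IMAGE with dd, prints the three hashes and returns check_hashes' status
acquire_and_verify() {
    src="$1"; img="$2"
    before=$(hash_of "$src") || return 3
    # plain dd, no conv=sync: padding the last block would make the image hash differ
    dd if="$src" of="$img" bs=1048576 2>/dev/null || return 3
    after=$(hash_of "$src") || return 3
    imghash=$(hash_of "$img") || return 3
    printf 'source before: %s\nsource after:  %s\nimage:         %s\n' "$before" "$after" "$imghash"
    rc=0
    check_hashes "$before" "$after" "$imghash" || rc=$?
    case $rc in
        0) echo "OK: source unchanged and image verified" ;;
        1) echo "FAIL: source hash changed during acquisition" >&2 ;;
        2) echo "FAIL: image hash does not match source" >&2 ;;
    esac
    return $rc
}

# usage (constructed input, not real evidence):
#   printf 'constructed evidence bytes\n' > /tmp/src.bin
#   acquire_and_verify /tmp/src.bin /tmp/src.dd
```

A "source after" hash that differs from "source before" means either something wrote to the medium during acquisition or the medium itself is unstable; either way the image cannot be relied on, which is exactly the class of failure a write-blocker or imaging-tool test is meant to rule out. The script does not replace such testing; it only records, per acquisition, that the outcome was as expected.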
Following on from the useful comments by jaclaz - https://www.forensicfocus.com/Forums/viewtopic/p=6592586/#6592586
And now a set of (legit?) ISO 17025 questions:
Do you use an anti-static/earthing wristband when disassembling a PC to extract a HDD or SSD (or whenever you touch any electronic device, including, but not limited to, USB sticks)?
How is the wristband tested and certified?
Does it need periodical verification?
https://en.wikipedia.org/wiki/Antistatic_device#Antistatic_wrist_strap
jaclaz
First, as for the DD comment, that was just an all-encompassing remark about doing forensics on media, not a reference to a particular tool or anything.
As for ESD: when disassembling PCs and related hardware, even when not working with it for investigative purposes, I have one around. I touch it to make sure any static buildup is gone; there is no need to actually wear it. I could also touch the metallic ground pin in a standard European power strip connector.
(It's the shiny metallic part in the plug that is 90° offset from the connector holes.)
That would probably not suffice in a theoretical world of standards and procedures, but it is enough for anyone who has ever taken a basic class about electronics.