UK FSR Digital forensics method validation: draft guidance

dc1743
(@dc1743)
Junior Member

I have posted this elsewhere but I think this forum's members may be interested in this.

The UK Forensic Science Regulator has issued the linked document for consultation.

https://www.gov.uk/government/consultations/digital-forensics-method-validation-draft-guidance

For UK practitioners, big or small, the implications are considerable. If you don't agree with what is proposed you need to respond by the end of the month.

FWIW I think UK practitioners are sleep walking into a bureaucratic disaster in the years ahead.

Regards,

Topic starter Posted : 28/10/2014 2:05 pm
jaclaz
(@jaclaz)
Community Legend

I have posted this elsewhere but I think this forum's members may be interested in this.
The UK Forensic Science Regulator has issued the linked document for consultation.

Very, very interesting.

FWIW I think UK practitioners are sleep walking into a bureaucratic disaster in the years ahead.

Yep, and IMHO as well all providers of related software and hardware tools will have a rather tough time. 😯

jaclaz

Posted : 28/10/2014 4:46 pm
Jonathan
(@jonathan)
Senior Member

Do you know who wrote this paper? It could have really done with the services of a copy editor.

Posted : 28/10/2014 6:38 pm
dan0841
(@dan0841)
Member

It does appear to be creating an absolute monster. It appears to treat a digital investigation like some sort of process production line in the private sector. Investigations are dynamic and often a wide range of tools and manual techniques are used.

I totally agree with maintaining the absolute highest standards and validating results but this appears to be such a bureaucratic and wasteful way to achieve it.

The vast vast array of tools, o/s, file systems and artefacts makes it all but impossible to blanket test before using tools. Think of the vast array of browser updates, chat program updates, phone apps, o/s changes etc etc. Surely the validation and testing should be done on a case by case basis during the investigation and before evidence is produced?

Either that or have a centralised body to do it as efficiently as possible. Even this has problems. Having seen the NIST document comparing 2 particular versions of 2 popular mobile phone forensic tools I can appreciate the difficulty and challenge of the task.

To me it feels like the sort of document written by an academic with very little investigation experience.

Posted : 29/10/2014 12:14 am
ludlowboy
(@ludlowboy)
Member

Not everyone in the same laboratory validates every tool used in that laboratory.

Normally a new tool is validated by one member of staff and then used by other members of the same team.

Whilst this approach is less demanding of resources it could be made even less demanding if we shared our results between laboratories and individual practitioners.

By making validations available to the scrutiny of the whole forensic community we would each feel more confident with the results of our own validations.

Would it be possible to post validations on this forum where the work would benefit the whole of the forum / forensic community?

Posted : 29/10/2014 12:40 am
Chris_Ed
(@chris_ed)
Active Member

There are so many problems with it that it's difficult to know where to start. But possibly my favourite part is the comparison between computers vs phones. Apparently phones are varied enough that the process can be purposefully vague - but computer analysis has to strictly adhere to procedure. Wonderful!

Posted : 29/10/2014 12:01 pm
dc1743
(@dc1743)
Junior Member

There are so many problems with it that it's difficult to know where to start. But possibly my favourite part is the comparison between computers vs phones. Apparently phones are varied enough that the process can be purposefully vague - but computer analysis has to strictly adhere to procedure. Wonderful!

Totally agree with you - but the key thing now is for these observations to be recorded in the response document and sent back to the home office. The deadline is tomorrow.

Best regards,

Topic starter Posted : 29/10/2014 3:03 pm
jaclaz
(@jaclaz)
Community Legend

Totally agree with you - but the key thing now is for these observations to be recorded in the response document and sent back to the home office. The deadline is tomorrow.

I don't know 😯 , to be picky (as I notoriously am) that is a given deadline for submission of comments, but the whole procedure (as often happens with this kind of drafts/regulations) is - at least to me - completely "opaque".

There was - seemingly - a "competitive tendering process" 😯 (When/Who/What/Where?) that was *somehow* awarded to the "academic with very little investigation experience" (as in dan0841's nice description, the one that clearly - in my opinion - didn't actually write anything but made one of his/her students jot it down instead) and there are no hints anywhere about the process that is expected to be carried to move from the draft to the actual final document, and its enforcement.

I would expect that a document with such a potential disruptive effect on court cases and on the profession of digital forensic investigators would go through several "loops" of revisions/drafts, with successive edits, comments, corrections and adjustments implemented before being released.

Otherwise (and I may be of course very wrong about this) it seems to me a lot like the typical "suggestion box" with integrated shredder.

jaclaz

Posted : 29/10/2014 5:01 pm
dc1743
(@dc1743)
Junior Member

I don't know 😯 , to be picky (as I notoriously am) that is a given deadline for submission of comments, but the whole procedure (as often happens with this kind of drafts/regulations) is - at least to me - completely "opaque".

There was - seemingly - a "competitive tendering process" 😯 (When/Who/What/Where?) that was *somehow* awarded to the "academic with very little investigation experience" (as in dan0841's nice description, the one that clearly - in my opinion - didn't actually write anything but made one of his/her students jot it down instead) and there are no hints anywhere about the process that is expected to be carried to move from the draft to the actual final document, and its enforcement.

I would expect that a document with such a potential disruptive effect on court cases and on the profession of digital forensic investigators would go through several "loops" of revisions/drafts, with successive edits, comments, corrections and adjustments implemented before being released.

Otherwise (and I may be of course very wrong about this) it seems to me a lot like the typical "suggestion box" with integrated shredder.

jaclaz

Maybe but UKAS is already advertising the assessors job

http://www.ukas.com/Careers/Technical_Assessor_Vacancies/Assessors_Digital_Forensic.asp

The document envisages method validation for imaging by next year 2015 and for everything else I understand the planned implementation date is 2017.

Regards,

Topic starter Posted : 29/10/2014 10:46 pm
dan0841
(@dan0841)
Member

There was - seemingly - a "competitive tendering process" 😯 (When/Who/What/Where?) that was *somehow* awarded to the "academic with very little investigation experience" (as in dan0841's nice description, the one that clearly - in my opinion - didn't actually write anything but made one of his/her students jot it down instead)
jaclaz

Sorry - I didn't mean it in that way! The point I was trying to make was that in an academic environment there are many things that are taught (or were to me as a student) that are not necessarily practical, cost-effective or realistic in a real world environment.

In an ideal world it would be amazing to be able to pick up scientific peer-reviewed documents which validate most aspects of most of the main forensic tools (including all versions and iterations). However, given the range of tools, the range of O/S, file systems, forensic artefacts it seems a very difficult and potentially unachievable ideal.

I would expect that a document with such a potential disruptive effect on court cases and on the profession of digital forensic investigators would go through several "loops" of revisions/drafts, with successive edits, comments, corrections and adjustments implemented before being released.

Otherwise (and I may be of course very wrong about this) it seems to me a lot like the typical "suggestion box" with integrated shredder.
jaclaz

I hope it does get a lot more thought and revisions!

Posted : 30/10/2014 1:13 am
trewmte
(@trewmte)
Community Legend

Below are observations.

The document is only a draft so understandable the consultation document (metaphorically) speaks in a language at times undesirable to the technical specifics of the field of science or forensics it is referring. Always difficult to create a concept using language that if too widely ranged waters down the concept to mushy nothing-ness or too tight and it can narrow the scope making the concept unreasonable to produce any observed possible outcomes.

I must say I do like the fact the document language strives to make sure those producing evidence having recorded test results after an event has happened (e.g. cell site analysis) the respondent's report should avoid old evidential cliches e.g. 'the evidence is consistent with the defendant's mobile phone being at ….' and similar types of opinionated.

It would have been helpful to have identified those people involved in submitting the content as opposed to only knowing the collated content submitted in the draft was produced by the FSR. This would have been helpful to know to see whether the document has a swing in favour of public sector bias for their aims and ambitions or a free, undominated market where no one particular, or no handful of, organisation(s) or private company(ies) are influencing production line (bang it on, bang it out) evidence.

The document could have usefully stated that "accuracy of original evidence" is paramount and thus those producing the original evidence would themselves be subject to standards for compliance. The politics of the matters (but I could be wrong on this) suggests avoid historic references or inferring to e.g. repealed S69 PACE (the computer working properly at the material time) removing obligations on the network operators etc (a presumption of everything is ok) - thus no forensic standard imposed - but requiring a similar approach to the old repealed s69 PACE for the examiner's equipment producing results using information from the original source to prove it is working properly at the material. I am not against the latter, but a forensic standard produce requires a quality in an unbroken (end-to-end) chain of evidence. It is hoped that the FSR defines the importance of the accuracy of information from original sources and underpins the importance that those producing original evidence should meet that standard. I mentioned politics because s69 PACE was bemoaned as causing too high a standard on those producing evidence and too expensive for corporate or private companies.

There was at one time a principle operated in English law that e.g. an [SIC]operator could not profit from crime. The analogy of the millions of calls made by drug dealers and other crimes who paid the full profit price of those calls to the operator. The principle suggests the operator could only deduct that amount for the cost of running the calls and not keep the profit. The trade-off used to be provision of call records etc and a standard applied in their production as evidence. That was blown out of the water by repealing at least one attempt at a safety net (the repealed S69 PACE). Things change in life, we all understand this. Until the Forensics arena gets to grips with quality in an unbroken chain of evidence there will be a guarded approach to over-commit to new standards as the Forensic person or groups will not want to be savaged by unrecoverable running costs. To not take a stance can play into the hands of a Forensic oligarchy controlling the arena and that dreaded political utopia we are told about of 'living off the crumbs falling from the oligarchy's table'.

A well intentioned document and lots of positives, but it would benefit from the Forensics arena en masse setting out known pitfalls where the quality in the evidence is poor at the outset yet the examiner's report implies the original source material was accurate at the outset.

Posted : 30/10/2014 11:19 am
neddy
(@neddy)
Active Member

It would have been helpful to have identified those people involved in submitting the content as opposed to only knowing the collated content submitted in the draft was produced by the FSR. This would have been helpful to know to see whether the document has a swing in favour of public sector bias for their aims and ambitions or a free, undominated market where no one particular, or no handful of, organisation(s) or private company(ies) are influencing production line (bang it on, bang it out) evidence.

Some info here https://www.gov.uk/government/organisations/forensic-science-regulator/about/our-governance

Posted : 30/10/2014 2:55 pm
dan0841
(@dan0841)
Member

It would have been helpful to have identified those people involved in submitting the content as opposed to only knowing the collated content submitted in the draft was produced by the FSR. This would have been helpful to know to see whether the document has a swing in favour of public sector bias for their aims and ambitions or a free, undominated market where no one particular, or no handful of, organisation(s) or private company(ies) are influencing production line (bang it on, bang it out) evidence.

Some info here https://www.gov.uk/government/organisations/forensic-science-regulator/about/our-governance

A number of very respected names on the digital group.

Posted : 30/10/2014 4:59 pm
Chris_Ed
(@chris_ed)
Active Member

Then why are they making such a pig's ear of it?

Edit: is it not an enormous, glaring conflict of interest to have a software vendor on the panel? I wonder if Magnet were asked to send a representative? Or Guidance?

Edit 2: Oh, I suppose this is why NetAnalysis v2 has words like "validating procedure" everywhere. And why the unworkable example in the documentation was for web browsing.

Posted : 30/10/2014 6:00 pm
trewmte
(@trewmte)
Community Legend

Some info here https://www.gov.uk/government/organisations/forensic-science-regulator/about/our-governance

Thanks Neddy.

I didn't find the details of the names who make up the digital evidence group but only saw minutes of meetings. Do you have a weblink for the names and companies who make the digital evidence group? I want to trace who the likely candidates are who produced the content about cell site analysis and mobile phones.

Posted : 30/10/2014 11:14 pm