Technology and digital evidence are at the forefront of nearly every criminal, civil, and corporate investigation in the world. For the past thirty years, sources of digital evidence such as computers, cellular phones, tablets, servers, GPS devices, gaming consoles, storage devices, and network infrastructure devices have been forensically analyzed and presented in legal proceedings. In many cases digital evidence has been the “smoking gun” leading to successful convictions, lawsuits, employment terminations, and exonerations.
Although digital forensics has been recognized as a legitimate forensic science and has been utilized in the criminal justice system for the same length of time that DNA has, the discipline is anything but disciplined. Within the United States, any law enforcement agency, business, or individual can open a forensic “laboratory” and begin providing services without having to demonstrate even foundational knowledge, skills, or abilities. To further evidence this, within the law enforcement community alone there are only 67 digital forensic laboratories accredited to the ISO 17025:2005 standards for the nearly 18,000 law enforcement agencies in the country.
The lack of requirements for digital forensic practitioners to be certified in their discipline, be accountable to industry best practices and standards, or work out of accredited laboratories places the credibility of this forensic science in jeopardy. This paper will discuss the risks and impacts associated with unskilled practitioners who perform digital forensic analysis. Also included will be an examination of some legal cases that highlight the risks identified within the paper. Research and practical experience will be drawn upon to provide the reader with proposed solutions to improve the quality of the digital forensic discipline. Topics such as forensic analyst training, proficiency testing, certification, best practices, policies and procedures, and laboratory standards and accreditation will be discussed.
The good news is that much of the work has already been done to identify digital forensic best practices and laboratory standards. This paper will provide a framework for digital forensic practitioners and managers to comply with best practices, standards, guidelines, and analyst certification and training within the discipline as well as minimum requirements that should be met before digital forensic evidence is allowed to be introduced into a legal proceeding.
Keywords: digital forensics, computer forensics, digital evidence, forensic laboratory accreditation, forensic certifications, digital forensic best practices
Josh, for some time it seemed that ASCLD was the relevant lab standard for US forensics. How would you compare the two standards and do you have an opinion regarding which path an organization should tackle first?
Hi Kirk. Just to clarify, what two standards are you referring to? In the past there used to be ASCLD’s own standards and then the ISO standards (17025). Several years ago, ASCLD got rid of their non-international program and essentially adopted ISO 17025 but added a few additional requirements on top of it to fill in gaps they perceived as not adequately covered under ISO. There are really two main lab accrediting bodies that are generally accepted for digital forensics: the American Association for Laboratory Accreditation (A2LA) and ANSI-ASQ National Accreditation Board (ANAB), which recently merged with ASCLD/LAB. There is a recent article that some of my work was used in that you might want to check out here: https://articles.forensicfocus.com/2018/01/24/iso-17025-for-digital-forensics-yay-or-nay/ and you might also want to check out SWGDE’s document about the topic here: https://www.swgde.org/documents/Current%20Documents/SWGDE%20Overview%20of%20the%20Accreditation%20Process%20for%20Digital%20and%20Multimedia%20Forensic%20Labs. Let me know if I can answer anything else, or if this was what you were looking for. Thanks!
Very nice thesis. Currently running MSc information security, interested in digital forensics for my thesis too. Please can you kindly advise me on some latest areas or materials on cloud storage forensics, or any latest journals? Thanks
Thank you, I am glad you liked the thesis and good luck on your Msc program. I would certainly look at NIST’s document (http://csrc.nist.gov/publications/drafts/nistir-8006/draft_nistir_8006.pdf) and also look at ISC2’s Certified Cloud Security Professional (CCSP) information to start. Just doing a quick Google search I found several other whitepapers and information. I don’t have anything personally that I could give you on this subject, unfortunately.
Hello Josh, over in the UK we are about to experience the same issues you describe in this post and I was wondering if there was an update on the matter please.
Hi Sean, thanks for the comment. There is an update and you can follow all of it here: https://www.justice.gov/ncfs/accreditation-and-proficiency-testing-subcommittee-0. The latest recommendation from the subcommittee is available here: https://www.justice.gov/ncfs/page/file/918496/download. In summary, the subcommittee continues to recommend that all labs eventually become accredited under ISO 17025 standards, but recognizes challenges for universal accreditation and particularly for those smaller state and local labs. The subcommittee did recommend that U.S. Department of Justice labs be required to be accredited and that federal prosecutors only use accredited digital forensic labs for criminal prosecution cases. Hopefully there continues to be pressure for all labs, regardless of size, to be held to some minimum standards when conducting analysis of digital evidence for criminal cases.
Thanks again Josh, I am looking at this as a private “lab” rather than a government entity. At this stage, in the states, is it only classed as a recommendation rather than a requisite?
Sean, you are correct. At this point there is no requirement in the U.S. to be accredited for private labs. Recent developments by the new presidential administration call into question this entire topic now. The new Attorney General recently disbanded the National Commission on Forensic Science (https://www.nytimes.com/2017/04/11/opinion/sessions-is-wrong-to-take-science-out-of-forensic-science.html?_r=0).
Cheers Josh, looks like we’re in for a similar ride over here too.
When I originally commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I get four e-mails with the same comment.
Is there any way you can remove me from that service?
Thanks for the comment. I don’t see an original comment from you and I am not sure why you are getting this. I also don’t see you as a user on the website, so I have no idea why you are getting emails from my website. Do you know for sure the emails are coming from my site and not Facebook?