Digital Forensics Processing and Procedures
In this excerpt from Digital Forensics Processing and Procedures, the authors provide insight on areas that will need to be considered when setting up a forensic laboratory.
The following is an excerpt from the book Digital Forensics Processing and Procedures written by David Watson and Andrew Jones and published by Syngress. In this section from chapter 3, learn about the areas that must be considered when setting up a forensic laboratory.
SETTING UP THE FORENSIC LABORATORY
When initially setting up the Forensic Laboratory, there are a number of issues that will need to be considered. Many of these have been touched on in the previous chapters, and some are expanded here, others have dedicated chapters later in the book. Once the business case (or the equivalent if in government or law enforcement) has been developed, a range of issues will need to be addressed and these must be documented to describe the fundamental basis on which the Forensic Laboratory is being established and on which it will be run. The first issue that should be clearly documented is that of the Forensic Laboratory's Terms of Reference (ToR). There will also normally be a ToR for the project to develop and deliver to the Forensic Laboratory, but the concepts that are given below hold good for both cases.
3.1.1 Forensic Laboratory Terms of Reference
The ToR is the document that serves as the basis of the relationship between the owning organization of the Forensic Laboratory and the team responsible for carrying out the work. It describes the purpose and structure of the Forensic Laboratory and shows how the scope of the Forensic Laboratory will be defined and verified. It will also provide the yardstick against which the success of the Forensic Laboratory will be measured. It provides a documented basis for future decisions and for a common understanding of the scope among the stakeholders.
The ToR sets out a clear path for the operation of the Forensic Laboratory by stating what needs to be achieved, by whom and when. It identifies the set of deliverables that satisfy the requirements and the scope and any constraints should be set out in this document. The ToR for the operation of the Forensic Laboratory should be created during the earliest stages of the project for the establishment of the Forensic Laboratory immediately after the business case has been approved. Once the ToR has been approved, there is a clear definition of the scope of the Forensic Laboratory. The ToR will also identify the success factors, risks, and boundaries. The ToR needs to be written in some detail and should include the following:
Digital Forensics Processing and Procedures
Authors: David Watson and Andrew Jones
Learn more about Digital Forensics Processing and Procedures from publisher Syngress.
At checkout, use discount code PBTY14 for 25% off
- scope and objectives;
- boundaries, risks, and limitations;
- roles, responsibilities, authority, accountability, and reporting requirements;
- the regulatory framework;
- resources available;
- work breakdown structure and schedule;
- success factors;
- intervention strategies.
A description of the ToR is given in Appendix 1.
Once the ToR has been developed, a range of other elements that outline how the Forensic Laboratory is structured and how it will operate need to be developed.
3.1.2 The Status of the Forensic Laboratory
There should be clear statement of the status of the Forensics Laboratory. This should define the ownership, the services that it will offer, the structure of the laboratory, the standards that it will work to, and the expected customers. This should be prepared in some detail as it will be the foundation for future decisions.
3.1.3 The Forensic Laboratory Principles
The Forensic Laboratory shall be run in accordance with the following laboratory principles:
The Forensic Laboratory relies upon the Laboratory Manager to develop and maintain an efficient, high-quality forensic laboratory.
The Laboratory Manager holds a unique role in the balance of scientific principles, requirements of the Criminal Justice System, and the effects on the lives of individuals that may be subject of an investigation that relies on digital forensic evidence. The decisions and judgments that are made in the Forensic Laboratory must fairly represent all interests with which they have been entrusted.
Users of the Forensic Laboratory services must be able to rely on the reputation of the Forensic Laboratory, the abilities of their Forensic Analysts, and the standards of the profession.
The Forensic Team must be honest and truthful with their peers, supervisors, and subordinates. They must also be trustworthy and honest when representing the Forensic Laboratory to outside organizations.
The Forensic Team is responsible for implementing quality assurance procedures which effectively monitor and verify the quality of the work product of their laboratories.
The Forensic Laboratory complies with the requirements of ISO 9001 and ISO 17025.
The Forensic Team should ensure that the Forensic Laboratory's products and services are provided in a manner which maximizes organizational efficiency and ensures an economical expenditure of resources and personnel.
The Laboratory Manager should establish reasonable goals for the production of forensic casework in a timely fashion. Highest priority should be given to cases which have a potentially productive outcome and which could, if successfully concluded, have an effective impact on the enforcement or adjudication process.
18.104.22.168 Meet Organizational Expectations
The Laboratory Manager must implement and enforce the relevant organizational policies and procedures and should establish additional internal procedures designed to meet the ever-changing needs of forensic case processing.
22.214.171.124 Health and Safety
The Laboratory Manager shall be responsible for planning and maintaining systems that reasonably assure safety in the Laboratory as well as when the Forensics Team are in the field. Such systems should include mechanisms for input by the Forensic Team, maintenance of records of injuries, and routine safety inspections as defined by existing Health and Safety procedures.
The Forensic Laboratory complies with the requirements of OHSAS 18001.
126.96.36.199 Information Security
The Laboratory Manager shall be responsible for planning and maintaining the security of the Forensic Laboratory. Security measures should include control of access both during and after normal business hours.
The Forensic Laboratory complies with the requirements of ISO 27001.
188.8.131.52 Management Information Systems
The Laboratory Manager shall be responsible for developing management information systems. These systems should provide information in a timely manner regarding current and past work carried out by the Forensic Laboratory.
Read the full excerpt
Download the PDF of chapter 3 to learn more!
The Laboratory Manager must hire employees of sufficient academic qualifications or experience to provide them with the fundamental scientific principles for work in the Forensic Laboratory and must be assured that they are honest, forthright, and ethical in their personal and professional life.
The Laboratory Manager shall provide training in the principles and the details of forensic science as it applies to the Forensic Laboratory requirements.
Training must include handling and preserving the integrity of physical evidence. Before analysis and casework are performed, specific training for the processes and procedures as well as for the specific tools to be utilized must be undertaken. A full training program for all Forensic Analysts and Investigators must be developed.
184.108.40.206 Maintaining Employee Competency
The Laboratory Manager must monitor the skills and proficiency of the Forensic Analysts on a continuing basis as well as on an annual basis as required by Human Resources procedures. The Forensic Laboratory has an ongoing program of training, awareness, and competency.
220.127.116.11 Employee Development
The Laboratory Manager must foster the development of the Forensic Analysts and Investigators for greater job responsibility by supporting internal and external training, providing sufficient library resources to permit the Forensic Analysts and Investigators to keep abreast of changing and emerging trends in forensic science, and encouraging them to do so. The Forensic Laboratory has an ongoing program of training, awareness, and competency.
The Laboratory Manager must ensure that a safe and functional work environment is provided with adequate space to support all the work activities required by the Forensic Laboratory. Facilities must be adequate so that evidence under the control of the Forensic Laboratory is protected from contamination, tampering, or theft.
The Laboratory Manager must provide the Forensic Analysts and Investigators with adequate supervisory review to ensure the quality of their work product. The Laboratory Manager must be held accountable for the performance of the Forensic Analysts and Investigators and the enforcement of clear and enforceable processes and procedures.
The Forensic Analysts and Investigators should be held to realistic performance goals which take into account reasonable workload standards.
The Laboratory Manager must ensure that the Forensic Analysts and Investigators are not unduly pressured to perform substandard work through case load pressure or unnecessary outside influence. The Forensic Laboratory shall have in place a performance evaluation process.
18.104.22.168 Conflicts of Interest
The Laboratory Manager, the Forensic Analysts, and the Investigators must avoid any activity, interest, or association that interferes or appears to interfere with their independent exercise of professional judgment.
The Forensic Laboratory Conflict of Interest Policy is given in Appendix 3.
22.214.171.124 Legal Compliance
The Laboratory Manager shall establish and publish, with appropriate training, operational procedures in order to meet good procedural, legislative, and good practice requirements.
The Laboratory Manager and the Lead Forensic Analyst must be accountable for their decisions and actions. These decisions and actions should be supported by appropriate documentation and be open to legitimate scrutiny.
126.96.36.199 Disclosure and Discovery
The Forensic Laboratory records must be open for reasonable access when legitimate requests are made by Officers of the Court or other legitimate requesters.
Specific requirements are necessary for the release of unlawful material.
188.8.131.52 Work Quality
The Laboratory Manager must establish a quality assurance program.
The Forensic Analysts and Investigators must accept responsibility for evidence integrity and security; validated, reliable methods; and casework documentation and reporting.
The Forensic Laboratory complies with the requirements of ISO 9001 and ISO 17025.
184.108.40.206 Accreditation and Certification
The Laboratory Manager shall achieve and maintain whichever certifications and accreditation that the Top Management deem necessary.
220.127.116.11 Membership of Appropriate Organizations
The Laboratory Manager shall ensure that the Forensic Team joins appropriate professional organizations and that they are encouraged to obtain the highest professional membership grade possible.
More on digital forensics from SearchSecurity
Monitoring network traffic and network forensics
An inside look at security log management forensics investigations
Network Forensics: Tracking Hackers through Cyberspace
18.104.22.168 Obtain Appropriate Personal Certifications
The Laboratory Manager shall ensure that the Forensic Team achieves appropriate certifications of both generic and tool-specific types to demonstrate their skill levels.
3.1.4 Laboratory Service Level Agreements
A Service Level Agreement (SLA) is a part of a service contract where the level of service that will be provided by the digital forensics laboratory is formally defined. The SLA is sometimes used to refer to the contracted delivery time for the services offered by the Forensic Laboratory (usually called the "Turn Round Time") or the quality of the work. The SLA should be considered from the start of the planning and development process to ensure that the Forensic Laboratory will be structured to the appropriate level. Service providers normally include SLAs within the terms of their contracts with customers to define the level of service that is being provided in plain language using easily understood terms. Any metrics included in a SLA must be measurable and should be tested on a regular basis. The SLA will also normally outline the remedial action and any penalties that will take effect if the delivered service falls below the defined standard. The SLA forms an essential element of the legal contract between the Forensic Laboratory and the customer. The actual structure of the SLA will be dependent on the services offered by the Forensic Laboratory, but the general structure of the agreement is as follows:
- service description;
- service availability;
- customer support;
- service performance;
- change management procedures;
- service reviews;
- amendment sheet.
If the Forensic Laboratory takes services from either an external supplier (e.g., Internet Access or utility supplier) or from the owning organization (e.g., human resources or logistics), then suitable SLAs will need to be agreed with the service provider.
3.1.5 Impartiality and Independence
In order to obtain and retain accreditation to ISO 17025 (general requirements for the competence of testing and calibration laboratories), there is a requirement for the Forensic Laboratory to be able to show evidence that its work and results are "free from undue influence or pressure from customers or other interested parties" and that "laboratories working within larger organizations where influence could be applied (such as police laboratories), are free from such influence and are producing objective and valid results."
3.1.6 Codes of Practice and Conduct
In the United Kingdom, the Forensic Regulator has produced Codes of Practice and Conduct for forensic science providers and practitioners in the Criminal Justice System. These Codes of Practice and Conduct were the first stage in the development of a single quality standards framework for forensic science for use in the Criminal Justice System to replace the ad hoc approach to standards that had been used in the past. These Codes of Practice and Conduct were built on the internationally recognized good practice of ISO 17025 as the preferred standard for forensic science laboratories.
An appendix to these Codes of Practice and Conduct provides guidance to deal with the specific requirements for the providers of forensic science services at scenes of incidents based on ISO 17020 (general criteria for the operation of various types of bodies performing inspection). This standard for inspection bodies is gradually being adopted across Europe as the most appropriate standard for crime scene investigations.
The requirements that are described in the Codes of Practice and Conduct and the associated appendices are targeted at three levels:
- the organization: to outline what is required of it, particularly from the management, with regard to quality assurance and compliance. Most forensic services are supplied by people working in organizations and the organizational culture with regard to quality is a major factor. Accountability for quality rests with the management, and each organization is required to nominate a senior manager as the "accountable person";
- the practitioner: to outline the professional standards to which they are expected to perform; and
- the scientific methodology: to ensure that the methodology is robust and will reliably produce, and continue to produce, valid results.
These Codes of Practice and Conduct were developed so that they can be applied to all organizations and practitioners whose primary role is the provision of forensic services into the Criminal Justice System in England and Wales. While these Codes of Practice and Conduct were designed for the UK community, they are based on sound principles and international standards, are a good guideline and a basis for codes of practice for other regions, and have been adopted by the Forensic Laboratory.
3.1.7 Quality Standards
Quality standards in forensic science are essential to ensure that the highest possible standards are maintained by the Forensic Laboratory as a supplier of forensic services. This should include resourcing, training, equipment, processes, and integrity benchmarks such as accreditation. Unless these standards are maintained, there is an increased possibility that those guilty of crimes may not be brought to justice or that those who are innocent may be convicted. Quality standards in forensic science are best attained through accreditation to the international standard ISO 17025, which builds on the older ISO 9001 standard. However, on its own, ISO 17025 will not guarantee quality, as it does not cover areas like setting of the Forensic Laboratory strategy for a case, or the interpretation of the results, or the presentation of the evidence in the Court. A cross reference between ISO 9001 and ISO 17025 is given in Appendix 2. This clearly shows a close correlation, but ISO 17025 has more technical competences in it than ISO 9001.
A professional Forensic Analyst or Investigator, when providing any service, must determine whether there are any threats to compliance with the fundamental principle of objectivity. These threats will normally result from the Forensic Analyst, Investigator (or the Forensic Laboratory itself) having interests in, or a relationship with any member of the Client organization. An example of a familiarity threat to objectivity could be created from a family or close personal or business relationship. Independence of thought is necessary to enable the professional Analyst or Investigator to express a conclusion, without bias, conflict of interest, or undue influence from others.
The existence of threats to objectivity when providing any professional service will depend upon the specific circumstances of the engagement and the nature of the work. A professional Forensic Analyst or Investigator must evaluate the significance of any threats and, when necessary, ensure that suitable measures are taken to eliminate threats or reduce them to an acceptable level. Examples of the types of measures that may be considered include the following:
- advising the management of the Forensic Laboratory of the potential threat;
- the Forensic Analyst or Investigator removing themselves from the case;
- the Forensic Laboratory having in place suitable peer review and supervisory procedures;
- terminating the relationship that gives rise to the threat.
If the measures that have been put in place to eliminate or reduce threats to an acceptable level are not effective, the Forensic Laboratory management must either decline or terminate the contract with the customer. The Forensic Laboratory Conflict of Interest Policy is given in Appendix 3.
3.1.9 Management Requirements
There are many ways in which management requirements can be expressed. The Forensic Laboratory has implemented an Integrated Management System (IMS) based on the Publicly Available Specification 99 (PAS 99). Full details of the IMS are given in Chapter 4.
This has allowed the Forensic Laboratory to implement the following ISO standards:
- ISO 15489 -- Information and documentation -- Records management;
- ISO 17020 -- Conformity assessment -- Requirements for the operation of various types of bodies performing inspection;
- ISO 17025 General requirements for the competence of testing and calibration laboratories;
- ISO 22301 -- Societal security -- Business continuity management systems;
- ISO 27001 -- Information technology -- Security techniques -- Information security management systems—Requirements;
- ISO 9001 -- Quality management systems -- Requirements;
- OHSAS 18001 -- Occupational Health and Safety Management Systems;
- In-house digital forensic procedures.
3.1.10 Forensic Laboratory Policies
In order to assure the integrity of their results, the Forensic Laboratory must have appropriate policies in place. The implementation of these policies will be in the form of practices and procedures that define how the Forensic Laboratory will operate to meet the relevant good practice and forensic science and quality standards. The constant developments in technology mean that there is an ongoing need to update the policies in order to meet changing laws and regulations in order to prevent unfairness and wrongful conviction. The Forensic Laboratory policies must ensure the integrity of any results produced.
The main purpose of policies within the Forensic Laboratory is to assure the integrity of results and to prevent miscarriages of justice. There are many examples of mistakes within laboratories. One example is the analysis of the data in the Casey Anthony trial in July 2011, when the number of times that she had accessed the internet to search for the word "Chloroform" was initially reported as 84 times but was later found to be only one time. Another example is the CD Universe case where the evidence was compromised because the chain of custody was not properly established. Policies are also necessary to ensure that the employees within the Forensic Laboratory receive and are able to maintain a suitable level of training and certification, and they should also address funding levels and the policy on investigation of allegations of misconduct or negligence. The policies should also contain sections on the code of ethics and the relevant standards and regulations.
3.1.11 Documentation Requirements
The relevant standards implemented within the Forensic Laboratory will dictate much of the required documentation for everyday operations. Documented procedures are included in the relevant chapters in this book.
3.1.12 Competence, Awareness, and Training
All management standards have requirements for competence, awareness, and training. All Forensic Laboratory employees must also be aware of client requirements and the relevance of their activities. They should understand how their actions contribute to achieving the Forensic Laboratory's Quality Policy and objectives. This is normally achieved by awareness training, performance reviews, and employee participation in internal audit processes. Top Management should define the necessary skills, experience, and training required for each role and identify the records of education, training, skills, and experience that need to be maintained. The Forensic Laboratory Quality Policy is given in Appendix 4.
About the authors:
David Lilburn Watson heads up Forensic Computing Ltd, a specialist forensic recovery and investigation company. He is responsible for the coordination and efficient delivery of the computer forensic and electronic evidence recovery services, digital investigations, and provides support for a broad range of investigative, security and risk consulting assignments. He is a Certified Fraud Examiner (CFE) and a Certified Information Forensic Investigator (CIFI), a Certified Computer Crime Investigator (CCCI), an Advanced Certified Computer Forensics Technician (CCFT). In addition to specialised forensic certifications he is a Certified Information Security Systems Professional (CISSP), a Certified Information Systems Manager (CISM) and a Certified Information Systems Auditor (CISA). David has also led Forensic Computing Ltd to ISO 27001 and ISO 9001 certification, making FCL one of very few consultancies to hold such important credentials in the field of forensic services.
After 25 years service with the British Army's Intelligence Corps, Andy Jones became a business manager and a researcher and analyst in the area of Information Warfare and computer crime at a defence research establishment. In Sept 2002, on completion of a paper on a method for the metrication of the threats to information systems, he left the defence environment to take up a post as a principal lecturer at the University of Glamorgan in the subjects of Network Security and Computer Crime and as a researcher on the Threats to Information Systems and Computer Forensics. At the university he developed and managed a well equipped Computer Forensics Laboratory and took the lead on a large number of computer investigations and data recovery tasks. He holds a Ph.D. in the area of threats to information systems. In January 2005 he joined the Security Research Centre at BT where he became a Chief Researcher and the head of information. Andy now holds a post as a visiting Professor at Edith Cowan University in Perth, Australia and he is currently the Programme Chair for the M.Sc. in Information Security at Khalifa University in Sharjah, UAE.