Digital forensics

QA, Certification, & Accreditation in Computer Forensics

Infosec
August 1, 2018 by
Infosec

Introduction

The purpose of digital forensics is to answer one or more investigative or legal questions, with the purpose of using the evidence to disprove or prove a case in court. To ensure that innocent parties in a case are not convicted or that guilty parties are convicted, it is mandatory to apply quality assurance processes to all phases of digital forensic examination. These processes include the use of standards, quality controls, documentation, test forensic environment quality, properly trained personnel and appropriate equipment and tools.

This article goes deeper in this topic and will answer the following questions:

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.
  • What quality controls are used in Computer Forensics?
  • What standards are used for lab quality control?
  • What ways can you test tool quality?
  • How is the quality of security personnel measured?

What quality controls are used in Computer Forensics?

To maintain the integrity of digital evidences, each phase of the forensics examination should be subject to controls. Quality control measures whether the forensics process follows the standards set by the laboratory. Reviews at a peer, administrative, and program level are quality control components used in computer forensics.

The peer review process is when forensic examination results are examined by one or more other forensic scientists. It helps protect against inaccuracy of the findings by using other experts in the field to identify errors and shortcomings with regards to the forensic examination conclusions before their submission to court. Peer review, also called technical review, should answer the following questions: Was the appropriate examination performed? Does the report describe sufficiently all the findings? Were proper procedures followed?

Documentation is critical to ensuring quality in the computer forensic process. Each step conducted during the investigation is reported in a document; thus, the documentation should be reviewed for the quality of its evidence. The reporting is the last stage of a forensic examination. It shows the process that justifies the conclusion, findings, and results based on the evidence. In the reporting stage, quality can be assured by subjecting the reports to rigorous administrative review before submission to court in order to ensure its completeness, accuracy, and efficiency. The review can be performed by another person and should include the following: agency/client name, case number, accurately described items, spelling and grammar.

A program demonstrates that the laboratory is operating under accepted standards to ensure quality assurance and should be also subject to review. In addition to documentation and review, it should also include the following components: goals, management, personnel training, and equipment calibration.

What standards are used for lab quality control? (FBI, RCFL, American Society of Crime Laboratory Directors)

There exist many possible quality assurance standards that can be adopted to heighten the quality of forensics service.

The American Society of Crime Laboratory Directors

Accreditation is a “stamp of approval” that demonstrates that a laboratory is operating under accepted standards in order to ensure quality assurance. The objective of the American Society of Crime Laboratory Directors (ASCLD) LAB accreditation program is to improve the quality of forensics laboratory services. A laboratory can benefit from a total operational review by providing an independent, impartial, and objective system. This will show that the lab follows established standards and maintains and develops the criteria used to grade the performance and strengthen its operation. For each standard, a criterion is given which is used to evaluate if the laboratory meets the standard. It consists of:

  • 91 essential standards affecting work product of the laboratory or evidence integrity
  • 45 important standards key indicators of the laboratory quality.
  • 16 desirable standards enhance the professionalism of the laboratory.

To meet accreditation standards, the forensics laboratory must achieve 100% compliance with the essential standards, 75% compliance with the important standards, and 50% compliance with the desirable standards.

The Regional Computer Forensic Laboratory (RCFL) was established by Federal Bureau of Investigation (FBI) as a full service forensic laboratory devoted entirely to the examination of computer evidence in support of criminal investigations.

How is the quality of security personnel measured? (training, education & background checks)

Laboratory personnel should have the education, training, and experience necessary to perform examinations and provide testimony. They must be fully prepared to be able to provide court-admissible evidence. Certification and Licensing are two means of demonstrating the competency of security personnel. Certification is the recognition that an individual has skills and knowledge required to practice computer forensics. Certification can be divided into 2 categories: professional certification and vendor certification. Professional certification tests and validates the knowledge in various stages of digital forensics. It does not focus on a specific tool to perform forensics examination; however, vendor certifications focus on the vendor’s proprietary products. Certification may target one specific forensic discipline or a variety of fields.

The following is a non-exhaustive list of professional certifications:

  • Certified Forensic Computer Examiner (CFCE)
  • Certified Computer Forensic Examiner (CCFE)
  • Certified Computer Examiner (CCE)
  • Global Information Assurance Certification Forensic Examiner (GCFE)
  • Global Information Assurance Certification Forensic Analyst (GCFA)

The following is a non-exhaustive list of vendor certifications:

  • EnCase® Certified Examiner (EnCE®)
  • AccessData Certified Examiner® (ACE®)

Practicing computer forensics may require a license in certain jurisdictions. This ensures the credibility of the forensics results in a court.

In what ways can you test tool quality? (conduct a known test & test against a known tool)

Tool quality is an important element of quality assurance in computer forensics. If the practioner uses a specific tool conduct a forensic examination, he or she must prove that the tool meet forensic standards. Forensics tools must be validated in order to prove that the tool functions correctly as intended.

Trusting and using only one forensic tool may create an opportunity for the opposing side in court to target the tool instead of the process. The National Institute of Standards and Technology, or NIST’s, Computer Forensic Tool Testing project (CFTT) provides various methodologies that can be used. One way to test tool quality is to verify the examination results with another known tool by conducting the same examination steps using the other tool. This technique is also called cross-validation, and it aims to verify a forensic tool with another one. Computer forensic tools are often multi-featured, and testing is organized by feature. As an example, we should verify that a data acquisition tool acquires the entire partition or disk, and that the acquired data matches the original data and block all modifications to protected disks. In case of omitted data, such as bad sectors, the tool must identify and log these discrepancies.

Conclusion

The most crucial aspect of digital forensic examination is the quality of its results. Quality, in this case, means the measurement of the results of a forensic examination as well as compliance with the defined procedures, methodologies, policies, and standards. Hence, to ensure the reliability and the accuracy of a digital forensic examination, effective quality control must be established and maintained. Quality assurance can guarantee that forensics examination results can successfully be admitted into a court of law. This should be implemented at every step of the forensic procedure. The acquisition phase must be carried out correctly by ensuring the use of documented and standard procedures, verified forensic tools, and technical competencies of the examiner and the technical capabilities of the laboratory. In the analysis phase, results must be verified by performing the same steps using another forensic tool. In addition, documented procedures must still be followed for this step. In the reporting phase, quality can be assured by subjecting the reports and analysis to rigorous peer review before submission to court.

 

References

NIST CFTT: Testing Computer Forensics Tool

www.cftt.nist.gov

Guidelines for Forensic Document Examination

https://archives.fbi.gov/archives/about-us/lab/forensic-science-communications/fsc/april2000/swgdoc7.htm

ASCLD-LAB: The American Society of Crime Laboratory Directors-Laboratory Accreditation Board.

SWGDE Model Quality Assurance Manual for Digital Evidence Laboratories Version: 3.0 (September 13, 2012)
https://www.swgde.org/documents/Current%20Documents/SWGDE%20QAM%20and%20SOP%20Manuals/SWGDE%20Model%20QAM%20for%20Digital%20Evidence%20Laboratories

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

SWGDE Recommended Guidelines for Validation Testing
https://www.swgde.org/documents/Current%20Documents/SWGDE%20Recommended%20Guidelines%20for%20Validation%20Testing

Infosec
Infosec