Athena Forensics | Digital Forensics Measured to Generic ISO Standards

In October 2017 the Forensic Science Regulator (FSR) made it a mandatory requirement for all digital evidence produced by the Prosecution to comply with the ISO 17025 standard.The requirement for those producing such evidence to a standard originally introduced in 1999 has caused and continues to cause significant issues and limitations.When I speak to any of the number of Police Forces that I deal with up and down the country, the main topic of conversation is the work involved in moving towards, obtaining and maintaining the ISO 17025 standard.Hi-Tech Crime Unit’s and businesses have been required to employ additional members of staff to replace experienced examiners needed to move from their normal roles to solely focussing on the ISO standard or, where they could not be replaced, the number of staff conducting examinations has simply reduced. Obviously smaller organisations simply cannot afford to devote such amounts of time and resources to attaining the standards set by the FSR even if they employ experienced experts and practitioners.This increased level of ‘red tape’ is being introduced within an environment that involves a continually changing and fluid science and which generates an increase in workload for those units of approximately 20% year on year, whilst annual budgets to Police Forces are being consistently reduced.The difficulty when ISO 17025 is used to accredit digital forensics is that, unlike fingerprint or DNA forensics, computers, mobile phones and the programs and files present upon them are continually changing.Whilst ‘wet’ forensics, such as DNA and fingerprint, is normally based upon a finite substance or print that cannot be copied, once a forensic copy of a device has been taken it can be verified as being accurate and complete and becomes the best evidence that can be copied as many times as necessary and whilst any alteration is difficult it can be easily identified.Digital forensics has always involved the continual development of new techniques and procedures in order to keep up with the changes and development of the subject matter, every year a new raft of software is released along with continuous development of the devices upon which to use it, whereas fingerprints, though techniques may change over time, the subject does not.To expect completely different sciences to fall under the same ISO standard, particularly when one of those sciences (digital forensics) was developed after the introduction of that standard, simply because another more relevant standard is not available, will not fulfil the intended purpose of raising standards and may actually have adverse effects on the identification and interpretation of evidence.The main issue that arises from the introduction of the standard specifically for digital forensics is the amount of work and the level of resources involved in firstly attaining but then continually involved in the validation of processes and techniques under ISO 17025.The identification of a suitable technique to retrieve and interpret evidence is based upon a vast number of variants not least the device containing it, the type of data involved and the location of it.The examination of Internet history on a computer hard drive, for example, is completely different to the process involved in examining a mobile phone for WhatsApp chat messages.Even the examination of two different mobile phones for the same data can involve completely different processes in order to retrieve the evidence from them.Some computers are now cloud based, meaning that no data is stored on a hard drive within them, instead the user data is retained online. Therefore, an examination of that of a normal computer requires different techniques and procedures in order to retrieve the evidence than a normal desktop computer.Under ISO 17025 it is not possible to complete the examination of any devices or data without each process first being validated.When a new technology, application or file system is encountered by a practitioner or unit, which it often does particularly when software updates and changes in user activity are accounted for, under ISO 17025, an experienced practitioner is required to carry out various validation techniques and then produce a validation plan that is then reviewed and assessed by a further experienced practitioner. Only then can the new process be used.This inflexible approach is difficult and time consuming to undertake, even an update to forensic software, most are updated monthly to keep pace with changes in technology, or the change of a component in a forensic computer, requires a full validation check.Given that a verified forensic copy of the data contained on the device should already have been taken and cannot be edited, validation of any extraction techniques can normally be made by comparing the data taken with the data contained on the forensic copy.Where data cannot be interpreted correctly either as it is a new process or as it is not recognised by standard forensic software, the process becomes one of resource. Does the unit now follow the validation process when it encounters any new problem or does it avoid it altogether and ignore that source of information.One example of this is, due to cost and time constraints, evidence from mobile phones and computers is now often being recorded by the officer in the case rather than the digital forensic unit, to avoid it being sent to the overworked digital forensic units with lengthy backlogs.Just this week I dealt with a case where the Prosecution evidence in the case has been produced by the officer in the case rather than the digital forensic unit. They did not want to seize the phone from the complainant as that would leave them without their phone for months, instead they decided to photograph key messages on that phone that the complainant showed them on the handset.A year later, the Defendant now having been charged, claims that other messages on that mobile phone not recorded by the Police officer were relevant to his case and would assist his defence.Neither the phone nor the other messages contained on the device are available to the defence as they were not recorded by the Officer and a forensic copy or extraction of the content of the phone was not taken and it is no longer being used by the Complainant who, presumably along with the Defendant, has replaced it with a newer version within the last 12 months.Therefore, the Defendant does not have the ability to provide the evidence that he suggests was available to the Police at the time of their investigation, as it is no longer available.One highly publicised failure within the legal system in December 2017 occurred at Croydon Crown Court and involved the disclosure of mobile phone text messages. Messages that assisted the Defence case were not disclosed by the Prosecution until after the Trial had commenced and led to acquittal. However, this issue was not as a result of the method of examination of the device, it was the failure for the Police to disclose the data from the phone that caused the case to collapse after the Trial had begun.The introduction of the ISO 17025 standard to digital forensics will not assist in the two cases above as the evidence, consisting of mobile phone messages, had either not been obtained by the Police or had been obtained but not disclosed. Both meant that the defence did not have the ability to review and use text based messages from a complainant that could be relevant to their case but not to that of the Prosecution.Perhaps a new standard should be developed to better reflect the requirements involved in examining and investigating digital forensic evidence.Perhaps, that standard could help to ensure that the forensic copies of an Exhibit are produced accurately and with integrity, as it is those forensic copies that form the basis of investigations and cases. Any challenge of the interpretation of that data from that point can be reviewed and assessed by an independent practitioner as long as a verified and accurate forensic copy of the Exhibit was initially acquired.Whilst ISO 17025 may indicate the processes followed by a laboratory are in accordance with that standard, it does not mean the interpretation of the evidence by the examiner was correct which is, when full disclosure has taken place, almost always where the main disagreement between experts lies in disputed cases.Focus may also be better spent on increasing the knowledge, experience and technical ability of the examiners and practitioners, which has already improved greatly over the last 15 years.This would make those professionals involved in the examination of digital evidence more responsible for verifying and validating their work and the evidence produced from it which would ensure more thorough examinations of digital devices as well as more accurate interpretation of the data which is almost always a subjective process.Focussing on the individuals would also provide better trained and informed expert witnesses at court who would be better placed to identify and develop more suitable examination techniques whilst still maintaining the high standard that those in the legal system should expect.The adherence to certain forensic standards is not new and the improvement of standards within the forensic arena, particularly in relation to the legal system, should certainly be encouraged.However, when that ‘improvement’ consists of the introduction of a dated ‘best fit’ ISO standard to a new and continually developing science, causing increased work levels and backlogs, it will not improve the quality of work produced by the Prosecution, in fact it may well have the opposite effect.Matthew Jackson BSc (Hons) MCSFS MBCS MEWI Director, Senior Forensic Consultant and Expert Witness at Athena Forensics. 0845 882 7386 e-mail: m.jackson@athenaforensics.co.ukhttps://athenaforensics.co.uk/https://athenaforensics.co.uk/service/computer-forensic-experts/https://athenaforensics.co.uk/service/mobile-phone-forensic-experts/