ByeSO

Posted on April 20, 2015. Filed under: business, forensic, iso

Last week I had to step down from my role as the UK’s Principal Expert on Digital Evidence to ISO/IEC JTC1 SC27 WG4 (to give it the full title, with incorrect punctuation, before anyone reminds me).

It wasn’t something I particularly wanted to withdraw from, but the economics of it just didn’t make sense any more.

Since 2011 I’ve been attending editorial meetings, in various cities around the world, twice a year and also attended numerous meetings of BSI committees in London. The cost of doing this has come out of my business, with occasional (infrequent) small contributions from government agencies.

I’ve had to allocate at least 2 months a year to this, and it’s cost something in the region of £5k to £10k each year to support it.

It was a worthwhile activity. I’ve met and worked with some great people to develop some really useful standards, and I’ll miss them and that whole process – but the lack of support from the UK has just become unsustainable.

Unlike many of the participants, I’m from a micro-business. If I’m not doing or bringing in the work, the cash isn’t coming in either. So, I’ve had to take my accountant’s advice and stop donating to commercial bodies (the publishers and assessors make profits from the resulting standards) for standards development.

It’s a shame. Standards are genuinely useful things, especially for small businesses as they let us show that we are, at least, equivalent to the big boys. If only we could find a way to fund small businesses’ participation in standards development, instead of relying on the big multi-nationals to do it all for us.

Meanwhile, if you want to know the true intent behind ISO/IEC 27041 and 27042, please do get in touch – I was editor for them during most of the development time and I know what the words really mean (ISO English, as I may have mentioned before, is not what you think it is.)


Bugs

Posted on June 8, 2012. Filed under: forensic

Well, it’s been an interesting couple of months since I last posted. We’ve been keeping busy with a couple of contracts from the Home Office. One is, of course, on digital evidence standards – but the other was a little bit different.

We were lucky enough to be awarded the contract to produce the entomology standard for the forensic science regulator. Since this isn’t part of our usual skillset, we did have to bring in a couple of the UK’s leading forensic entomologists to help with it. Fortunately, our network of contacts is big enough that we found them quickly enough and had the pleasure of working with both the Natural History Museum and Met. Police as a result.

Aside from technical content, the new standard isn’t that different to the others that the regulator already has in place. Most of the new material is designed to help interpret the “master” standard (ISO/IEC 17025) for applications relating to creepy-crawlies without specifying exactly how to do anything (this is a commonly misunderstood aspect of this whole regulatory system – the supplier and the customer are supposed to agree what will be done and how. On the whole, the regulators and assessors just want to see evidence that such an agreement has been reached and that things have been done that way).

Anyway, we delivered ahead of schedule and on budget, something which some people seem to consider unusual for government contracts. But then, when you’re dealing with quality systems, can you afford not to hit the targets?

For more information about standards development, regulation or uses of forensic science, please contact us via http://www.n-gate.net/


Excellent news

Posted on November 29, 2011. Filed under: All, Education, forensic

Yet again, other activities have kept me away from this blog for far too long. Personally, I think that’s probably a good thing. A mix of casework and research commissions means I can afford to eat properly again (and those who know me will know how important it is that I maintain my physique – particularly in the current high winds).

The major projects that are keeping me busy are on a new website: Forensic Excellence, where work on two of the three major elements of “forensic” quality systems is underway. The other bit of news is that I have an interview for funding of some work on the third element, and hope to be able to kick that work off towards the middle of next year.

Onwards and sideways!


Nothing else of significance…

Posted on July 31, 2011. Filed under: forensic

This week I was approached to quote for a defence case. Helpfully, the solicitor sent me a copy of the prosecution statement so I could prepare a realistic quote. Unfortunately for the “other side”, I’ve spent most of the week working on a couple of proposals for new ISO standards – including something on the content of reports for various purposes – so I was particularly sensitive to language issues.

As soon as I saw the source of the statement, I knew I was going to find a phrase that troubles me – and there it was, near the end: “Nothing else of significance was found”.

The report details the material upon which the case is based, but gives little in the way of context or other material found. It builds the case for the prosecution solicitor nicely, but doesn’t allow anyone else to form an opinion about the significance of the material because it doesn’t actually give any detail of anything except the “significant” material as determined by the report’s writer.

It’s a format and form of words that I’ve seen several times over the years, and every time I see it, it sounds an alarm.

I’ve always been told that my responsibility as an “expert witness” is to the court (or whoever is going to make a final judgment based on all the reports submitted), and is to state the facts and my interpretation as best I can based on the information available to me. If I find evidence of guilt, I should state it, if I find evidence of innocence, I should state that. I also believe that I should try to make as much information as possible available so that a proper judgment can be made.

To this end, I don’t just list things of “significance” but I try to give an indication of the context in terms which a non-practitioner can understand.

For example, if an email relates directly to the case, I don’t just list that email. I give the total number of emails found and the number found which involve the same people as the “significant” one. If illegal images are found, I try to determine how they have been downloaded, whether they’ve been deliberately saved or just cached, and whether there’s a pattern of searching or browsing that relates to them.

I try never to build a case directly myself but I will, quite happily, poke holes in someone else’s case – especially if they are concealing, deliberately or accidentally, useful information behind statements like “nothing else of significance was found”.

In my book, saying something like that is almost tantamount to dissembling. A digital evidence examiner rarely has the full facts and circumstances of the case available. A prosecution examiner or first responder will have no idea of possible defences or excuses. Limiting the report to the most damning evidence doesn’t help anyone.

Well – it doesn’t help anyone except the “other side”. A good independent examiner will read that sort of report and realise that there’s a lot more work they could do, and SHOULD do, to determine if a proper rebuttal can be produced – and that means more time and bigger fees. I’m not a fan of the use of Bayesian ratios in reports because I know how few people really understand them, but I know why some forensic disciplines use them – they force the reporting scientist to think about the evidence and alternative explanations, resulting in a closer examination of “insignificant” material at times.

At a time when pressure is on to reduce spending on legal aid, perhaps it’s time someone looked more closely at standard reports coming from both sides to see if they are really fit for purpose? The better those reports are, the less work needs to be done performing re-examination, re-analysis and re-interpretation.

n-gate ltd.


ISO ISO baby – part 2

Posted on April 20, 2011. Filed under: forensic, security

Well, I’m just about back on BST after spending last week in Singapore. In the words of Robin Williams, “IT’S HOT!” out there, and sticky, but the locals are very friendly and the food is excellent (Kopi & Kaya Toast highly recommended for breakfast).

Of course, I wasn’t just out there for a “jolly” (but thanks for dinner Microsoft – I promise to say nice things about you for a few hours at least), but was attending the latest meeting of ISO/IEC JTC1 SC27 working groups. This is the “Information Technology – Security Techniques” sub-committee responsible for the infamous 270xx family of standards.

My main responsibility was to assist with the ongoing task of editing the 27037 “Guidelines for the identification, collection, acquisition and preservation of digital evidence” document. It’s coming along nicely, but we still have considerable debate about whether this is a standard for law-enforcement, Infosec. or both.

My own view is that, because of the nature of the committee responsible, it needs to be an Infosec. document which can be useful for everyone – including law enforcement. This approach to it seems to be paying off as some of the resistance to it is falling away.

The problem with treating it as a document for law-enforcement is that any international standard in this area is bound to come into conflict with local law, local procedure etc. (you’ll see the truth of that when you read the final version and see how often we have had to include a reminder about local legislation etc. overriding the guidance). Worse still is the possibility that an ISO document might try to tell judges how to deal with evidence & matters of law.

We can do no more than issue some helpful information and try to set a minimum standard which will allow anyone involved in investigating digital incidents to have confidence that any organisation, working to the same standard, will use methods which are compatible. In that respect, ISO/IEC 27037 looks like it’s going to work. Ideally, of course, everyone will adopt it as a minimum standard – and that can only be good news, because there will be better understanding of the issues surrounding digital evidence handling and fewer situations where examiners, like me, have to turn down cases because of problems in the early stages.

I just hope we can achieve the same with the three new projects that we’re hoping to launch in October – “Investigation Principles & Process”, “Guidelines for Analysis & Interpretation of Digital Evidence”, and “Guidance on assuring suitability and adequacy of investigation methods”. We (the UK group) are also hopeful that our proposal for some new work on “Incident Readiness” (particularly investigative readiness) will also be launched in October.

If you have any suggestions for what should be included in those standards, please do let me know. These things are not just written by “the great and the good” (proof: they let me play!) but are the result of debate, discussion and consensus. More ideas = better results.


Ready or not?

Posted on March 25, 2011. Filed under: forensic, security

In a couple of weeks’ time I’ll be off to Singapore, missing the Malaysian GP (but flying over it), to attend the next ISO/IEC SC27 meeting. Another week of sitting in meeting rooms in an exotic location.

While there, I’ll be proposing some new work that the UK delegation feels is necessary to complement the existing work on ISO 27037 (Identification, acquisition and preservation of digital evidence). Our view is that 27037 represents the middle of a 3-stage sub-process in Information Security Incident handling.

By the time you need to collect potential evidence, an incident has already occurred – and in order to be able to collect useful material you need a plan. Our view is that IS Incident Investigation should start with proper planning, then move on to collection and finally analysis & reporting. All of which should be properly underpinned by a robust validation & verification mechanism.

So – we are going to propose that some new work on IS Incident Investigation Readiness should be conducted, with a view to including it in ISO 27035 (Security Incident Management). Why there rather than in 27037 or a new standard?

Well – Investigation is just one possible response to an incident – a common and useful one, but not the only one, so it makes sense to have it included in the management standard, which already includes risk assessment & management. Planning needs to come from an understanding of possible incidents and the systems which can be affected. Also, we know that many companies, particularly SMEs, will need to outsource the collection & analysis stages – which is perfectly acceptable – but still need to do their own planning to ensure that the organisation they call in can understand the nature of the incident and the systems affected, and that the methods to be employed in stages 2 & 3 meet the requirements of the plan.

I think it’s necessary work – certainly based on reports I’ve heard over the years from companies who complain that intellectual property breaches and acquisition of commercially sensitive data have not been investigated or prosecuted properly. In every case I’ve considered there has been a failing from day 1 on the part of the company – they didn’t take proper actions to secure the information or data, and they had no mechanism in place to prevent or investigate. As someone once said “Fail to plan and you plan to fail”.

There’s nothing really new in this – Incident Response guides recommend investigation as well as post-incident clean-up as good practice. It helps the organisation to learn from mistakes. The only real difference is that we are planning to set an international minimum standard for it – to help people understand the basic requirements.

If you haven’t already done some planning for incident investigation – why not start now? Or give me a call or e-mail? It needn’t take long, or be hugely expensive – but it could save a fortune if something untoward does happen.

P.S. – note that I haven’t said “forensic” anywhere in this note – not every investigation results in court action – sometimes it just results in improvements internally.


ISO ISO baby – part 1

Posted on October 8, 2010. Filed under: All, Education, forensic

As I write this, it’s 8:50 a.m. on Friday in Berlin. I’ve been here since Sunday night attending a meeting of ISO/IEC JTC1 SC27 (that’s the Information Technology – Security Techniques sub-committee to anyone who isn’t fluent in standards committee numbers).

It’s my first time at an event of this type, though I’ve been to a few BSI meetings to discuss the work that’s going on within ISO that relates to “forensic” work. More on that in the next post.

What I’ve found fascinating this week, though, is the way language is being used. Within ISO the convention is to use English for all meetings and documents – but it isn’t quite the English that you or I know. It isn’t the Queen’s English, it isn’t American English, it isn’t even Euro-English – it’s something quite strange. It’s ISO English.

Words that we think we know the meaning of have to be defined and, much like Humpty Dumpty, when a drafting committee (the body responsible for defining a standard) uses a word, it means exactly what that committee wants it to mean, no more and no less.

As a result, ISO has had to produce a Concepts Database to manage the definitions. Try it – see if the words you thought you understood have the same meaning(s). You’ll find it at http://cdb.iso.org/. Don’t bother looking for “forensic”, by the way – it isn’t there.


About

This is the weblog of Angus M. Marshall, forensic scientist, author of Digital Forensics: digital evidence in criminal investigations and MD at n-gate ltd.
