Bugs

Posted on June 8, 2012. Filed under: forensic

Well, it’s been an interesting couple of months since I last posted. We’ve been keeping busy with a couple of contracts from the Home Office. One is, of course, on digital evidence standards – but the other was a little bit different.

We were lucky enough to be awarded the contract to produce the entomology standard for the forensic science regulator. Since this isn’t part of our usual skillset, we did have to bring in a couple of the UK’s leading forensic entomologists to help with it. Fortunately, our network of contacts is big enough that we found them quickly enough and had the pleasure of working with both the Natural History Museum and Met. Police as a result.

Aside from technical content, the new standard isn’t that different to the others that the regulator already has in place. Most of the new material is designed to help interpret the “master” standard (ISO/IEC 17025) for applications relating to creepy-crawlies without specifying exactly how to do anything (this is a commonly misunderstood aspect of this whole regulatory system – the supplier and the customer are supposed to agree what will be done and how. On the whole, the regulators and assessors just want to see evidence that such an agreement has been reached and that things have been done that way).

Anyway, we delivered ahead of schedule and on budget. Something which some people seem to consider unusual for government contracts. But then, when you’re dealing with quality systems, can you afford not to hit the targets ?

For more information about standards development, regulation or uses of forensic science, please contact us via http://www.n-gate.net/


Excellent news

Posted on November 29, 2011. Filed under: All, Education, forensic

Yet again, other activities have kept me away from this blog for far too long. Personally, I think that’s probably a good thing. A mix of casework and research commissions means I can afford to eat properly again (and those who know me will know how important it is that I maintain my physique – particularly in the current high winds).

The major projects that are keeping me busy are on a new website: Forensic Excellence, where work on two of the three major elements of “forensic” quality systems is underway. The other bit of news is that I have an interview for funding of some work on the third element, and hope to be able to kick that work off towards the middle of next year.

Onwards and sideways!


ISO ISO baby – part 2

Posted on April 20, 2011. Filed under: forensic, security

Well, I’m just about back on BST after spending last week in Singapore. In the words of Robin Williams – “IT’S HOT!” out there, and sticky, but the locals are very friendly, the food is excellent (Kopi & Kaya Toast highly recommended for breakfast).

Of course, I wasn’t just out there for a “jolly” (but thanks for dinner Microsoft – I promise to say nice things about you for a few hours at least), but was attending the latest meeting of ISO/IEC JTC1 SC27 working groups. This is the “Information Technology – Security Techniques” sub-committee responsible for the infamous 270xx family of standards.

My main responsibility was to assist with the ongoing task of editing the 27037 “Guidelines for the identification, collection, acquisition and preservation of digital evidence” document. It’s coming along nicely, but we still have considerable debate about whether this is a standard for law-enforcement, Infosec. or both.

My own view is that, because of the nature of the committee responsible, it needs to be an Infosec. document which can be useful for everyone – including law enforcement. This approach to it seems to be paying off as some of the resistance to it is falling away.

The problem with treating it as a document for law-enforcement is that any international standard in this area is bound to come into conflict with local law, local procedure etc. (you’ll see the truth of that when you read the final version and see how often we have had to include a reminder about local legislation etc. overriding the guidance). Worse still is the possibility that an ISO document might try to tell judges how to deal with evidence & matters of law.

We can do no more than issue some helpful information and try to set a minimum standard which will allow anyone involved in investigating digital incidents to have confidence that any organisation, working to the same standard, will use methods which are compatible. In that respect, ISO/IEC 27037 looks like it’s going to work. Ideally, of course, everyone will adopt it as a minimum standard – and that can only be good news, because there will be better understanding of the issues surrounding digital evidence handling and fewer situations where examiners, like me, have to turn down cases because of problems in the early stages.

I just hope we can achieve the same with the three new projects that we’re hoping to launch in October – “Investigation Principles & Process”, “Guidelines for Analysis & Interpretation of Digital Evidence”, and “Guidance on assuring suitability and adequacy of investigation methods”. We (the UK group) are also hopeful that our proposal for some new work on “Incident Readiness” (particularly investigative readiness) will also be launched in October.

If you have any suggestions for what should be included in those standards, please do let me know. These things are just written by “the great and the good” (proof: they let me play!) but are the result of debate, discussion and consensus. More ideas = better results.


Ready or not ?

Posted on March 25, 2011. Filed under: forensic, security

In a couple of weeks time I’ll be off to Singapore, missing the Malaysian GP (but flying over it), to attend the next ISO/IEC SC27 meeting. Another week of sitting in meeting rooms in an exotic location.

While there, I’ll be proposing some new work that the UK delegation feels is necessary to complement the existing work on ISO 27037 (Identification, acquisition and preservation of digital evidence). Our view is that 27037 represents the middle of a 3-stage sub-process in Information Security Incident handling.

By the time you need to collect potential evidence, an incident has already occurred – and in order to be able to collect useful material you need a plan. Our view is that IS Incident Investigation should start with proper planning, then move on to collection and finally analysis & reporting. All of which should be properly underpinned by a robust validation & verification mechanism.

So – we are going to propose that some new work on IS Incident Investigation Readiness should be conducted, with a view to including it in ISO 27035 (Security Incident Management). Why there rather than in 27037 or a new standard ?

Well – Investigation is just one possible response to an incident – a common and useful one, but not the only one, so it makes sense to have it included in the management standard, which already includes risk assessment & management. Planning needs to come from an understanding of possible incidents and the systems which can be affected. Also, we know that many companies, particularly SMEs, will need to outsource the collection & analysis stages – which is perfectly acceptable – but still need to do their own planning to ensure that the organisation they call in can understand the nature of the incident and the systems affected, and that the methods to be employed in stages 2 & 3 meet the requirements of the plan.

I think it’s necessary work – certainly based on reports I’ve heard over the years from companies who complain that intellectual property breaches and acquisition of commercially sensitive data have not been investigated or prosecuted properly. In every case I’ve considered there has been a failing from day 1 on the part of the company – they didn’t take proper actions to secure the information or data, and they had no mechanism in place to prevent or investigate. As someone once said “Fail to plan and you plan to fail”.

There’s nothing really new in this – Incident Response guides recommend investigation as well as post-incident clean-up as good practice. It helps the organisation to learn from mistakes. The only real difference is that we are planning to set an international minimum standard for it – to help people understand the basic requirements.

If you haven’t already done some planning for incident investigation – why not start now ? or give me a call or e-mail ? It needn’t take long, or be hugely expensive – but it could save a fortune if something untoward does happen.

P.S. – note that I haven’t said “forensic” anywhere in this note – not every investigation results in court action – sometimes it just results in improvements internally.


Contracting

Posted on March 10, 2011. Filed under: forensic, life

Just recently I’ve been having discussions about possibly becoming a contractor for a little while and it’s thrown up a question that’s haunted me ever since I started examining other people’s computers.

I’m a fan of open-source software and I really do believe that one of the benefits I offer as a consultant is the fact that I don’t use the same examination kit as everyone else. It means that when I check their results or they check mine we are using significantly different tools, and mine are open for anyone to scrutinise at the source-code level. So, if we find a discrepancy we can dig deep into at least one of the tools, if necessary, to find the reason why. It’s proper dual-tooling, or as close as we can get for now.

Now, in the past I’ve had to explain this (because there are two or three tools that everyone expects to see and eyebrows are raised when I don’t mention them) but it has never stopped me getting an expert witness job. The critical word there is “expert” – in that role I am supposed to exercise my judgment to select the best tools and methods for the job.

However, a contractor is a different creature – if I do get offered this job, I have to fit into someone else’s working environment and do things their way with their tools. I can do it. In my academic life I had to learn new skills, tools etc. very quickly and be able to teach them to other people. It’s a knack that a good lecturer picks up soon, or they don’t survive in labs. for long. The question is, will the client believe I can do it or will they wait until they find someone with the right piece of paper instead ?

My argument, for what it’s worth, is that I can learn the tool quickly and, because I have a background in computer science and am used to creating little ad-hoc tools whenever I need them, I can check the tool’s results in a way that someone who just knows the program might not be able to.

We shall see.

Meanwhile, in the world of standards and regulation things have gone quiet in the Regulator’s office. His contract has been extended for another 3 years, but I rather think he’s suffering from budget cuts elsewhere. No matter, plans are well underway for the next ISO meeting in Singapore where we will be trying to get some new work approved to go beyond the current ISO/IEC 27037 and ensure we have guidance for a complete process from planning through acquisition to analysis, with proper validation all the way through.


Ideas beginning to sprout

Posted on September 15, 2010. Filed under: Education, forensic

Last week, I was in Brussels for the launch of the latest Framework Programme 7 security call. In amongst all the usual work proposals for activities on counter-terrorism, border controls, communications and collaboration, there are a couple of items with the “F” word in them. (calm down Mr. Ramsay – I mean Forensic, of course).

They are “Digital Forensic Capability” and “Advanced Forensic Framework”. Both topics call for exploration of methods to improve the perceived reliability of evidence, demonstrate competence of scientists and allow for greater portability of evidence from one jurisdiction to another.

As I read through the topic summaries, it struck me that forensic science may not be in quite the poor state that they seem to imply. Generally, there is an acceptance that ISO17020 & ISO17025 standards can be applied to crime scene & forensic science (through the addition of interpretive guidance documents such as ILAC G19) and most good conventional labs are already accredited to those standards.

In England we have the Code of Conduct being produced by the Forensic Science Regulator, which serves as further clarification, and it looks like the ISO SC27 group’s work on Digital Forensic Standards (more on that when I get back from Berlin next month) may well produce something very concrete for digital forensics in the next year or two.

However, those deal with the short to medium term situation. These projects are an opportunity for the forensic science community to come together to share experiences across disciplines, involving the litigators and the investigators too, to look to the future and agree frameworks for validation of future methods. They’re also a great chance for us to take a step back and look more closely at how we train & educate our scientists, investigators and legal representatives to see if we can agree some common minimum standards which will allow evidence & professionals to move more freely around Europe, if not the world. If we can reach agreement, we can reduce time and cost wasted in dealing with material which should either never exist, or is completely non-contentious.

Best of all, it’s a requirement that any project proposals must involve several countries and the very nature of these projects means that they will be multi-disciplinary too. Even if we don’t get the money (I have two outlines circulating for comments already – email me if you would like to get involved), there are some great opportunities to establish new partnerships just through the bidding process.


Requirement acquirement

Posted on May 19, 2010. Filed under: All, forensic

In a few recent posts, I’ve talked about the “fitness for purpose” challenge and the fact that it seems to be causing confusion or consternation amongst those who haven’t dismissed it as irrelevant. Partly, I think, this is because of misunderstanding about what the regulatory environment really means. The Forensic Science Regulator’s primary role is to produce Quality Standards for Forensic Science, not to define procedures. In that context, “fitness for purpose” is a test of whether or not something passes tests to show that it is fit for whatever purpose the forensic science provider wishes to use it for. Nothing more. There is no complex or secret agenda here. It’s simply a question of demonstrating that anything being used (method, process or tool) meets the requirements defined by the person using it, or by their customers.

Having recently written a “complementary evidence” report, in which I gave an independent view of some deviation from accepted procedures, I am now convinced that the approach we came up with at the meeting in December (see http://www.n-gate.net/ under “Regulation”) is right – we need to consider whether or not we can produce a set of industry-wide requirements which can be used as a starting point or menu by each provider. If we can get them agreed by the industry, we have the potential to standardise testing of methods, processes and tools as well as identifying gaps in current practice, and laying the groundwork for the future.

“Where to begin?” has been the stumbling block for the last couple of months, but now I have an idea. Watch this space and http://www.n-gate.net/ for progress.

Unrelated: I’ve been playing with a product called ZumoDrive on my Mac, Palm Pre (thank you HP – WebOS has a future it seems!) and Linux server for a few weeks now. At the basic level it’s a free 2Gb cloud filespace which can link folders across multiple machines so they are always in sync as well as appearing as a targetable drive on all machines. It hasn’t fallen over yet and is providing me with an online backup for some important, but not confidential, files as well as taking over as a music storage service. Highly recommended. Upon installation, you get 1Gb free, but if you complete the online “dojo” training, you get another 1Gb. ( http://www.zumodrive.com/ ). Don’t rely on it as your only backup – but if you need to have access to different types of files in multiple locations, try it out – it even has version tracking and a web interface. (Apparently, it works on some lesser smartphones too ;P )


Fitness for Purpose revisited

Posted on April 29, 2010. Filed under: forensic

I posted a hint, a few weeks ago, that I was intrigued by differing attitudes to the validation task which is effectively required by ISO17025 and the Forensic Science Regulator’s standards.

The two attitudes seem to be :

  • “Well, it’s just testing isn’t it ? How hard can it be ? “
  • “We have to do it, but think of the complexity! How many hardware and software configurations do we need to consider ? “

One comes from end-users of the tools, one from developers. I’ll let you decide which is which. The second response, though, is particularly interesting in light of some stories I’ve heard from teams who have tried to get accreditation for mobile phone work. There has been a suggestion that they have to test every handset which their systems claim they support – even the American spec. phones which don’t work in the UK.

Interestingly, in spite of the requirement to do this validation, there doesn’t seem to be much work going on to determine what we mean by “valid”. Personally, I fall back on software engineering definitions of validation and verification in this situation – it has to do the right thing in the right way. How do we find out how commercial software is doing something anyway ?

Back in December, I hosted a meeting of some industry representatives – mainly people I know or who were recommended to me – to look at the problem more closely. To start the ball rolling, I asked a couple of questions:

  • What do we mean by fitness for purpose ?
  • What do we mean by purpose ?

Fairly obviously, the second question needs to be answered before the first can be dealt with, but the outcome of the discussions we had was quite fascinating to me. You can find a copy of the full report in the “Regulation” section at http://www.n-gate.net/, but the short version is – we struggled to define purpose.

As we considered the various phases of a digital forensic investigation, and the different types of devices, methods and data which might have to be considered it became clear that relatively few people have sat down and done a proper old-fashioned requirements analysis. The view of the group was that we should launch a pilot programme to see if a requirements-led approach can work. The group recommended starting with the data acquisition phase (carefully chosen phrase as it encompasses non-digital data too) as this is the foundation of everything else that can be done.

Thinking more about this process has led me to start challenging accepted wisdom in digital forensics – for example, do we always have to try to get a complete image of every storage device ? Even the ACPO guide doesn’t say it, but anyone who doesn’t can rely on their methods being challenged in court. A proper requirements analysis, determined in part by the type of case might help here.
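As an added illustration (not the author’s code, nor anything from the regulator or ISO) of what a requirements-led validation of the acquisition phase could look like, and of the dual-tooling cross-check described in the Contracting post above: a constructed Python test device with one unreadable sector, a conformant acquisition routine, a subtly non-conformant one that silently drops the bad sector, and a checker that scores each against four assumed requirements. R1 to R4, the device fixture and all function names are hypothetical, invented for this example.

```python
import hashlib
from dataclasses import dataclass, field

SECTOR = 512  # bytes per sector in the constructed test device


class FakeDevice:
    """Constructed stand-in for a drive: a byte buffer plus the sector
    numbers that raise a read error (hypothetical test fixture)."""
    def __init__(self, data, bad_sectors):
        self.data, self.bad_sectors = data, set(bad_sectors)
        self.sectors = len(data) // SECTOR

    def read_sector(self, n):
        if n in self.bad_sectors:
            raise IOError("read error at sector %d" % n)
        return self.data[n * SECTOR:(n + 1) * SECTOR]


@dataclass
class Acquisition:
    image: bytes
    errors: list = field(default_factory=list)  # sectors that failed to read


def acquire_conformant(dev):
    """Zero-fill each unreadable sector and log it, so offsets are preserved."""
    out, errors = bytearray(), []
    for n in range(dev.sectors):
        try:
            out += dev.read_sector(n)
        except IOError:
            out += b"\0" * SECTOR
            errors.append(n)
    return Acquisition(bytes(out), errors)


def acquire_skipping(dev):
    """Subtly wrong tool: logs the error but drops the sector, so every
    later byte lands at the wrong offset and the image comes up short."""
    out, errors = bytearray(), []
    for n in range(dev.sectors):
        try:
            out += dev.read_sector(n)
        except IOError:
            errors.append(n)
    return Acquisition(bytes(out), errors)


def reference_image(dev):
    """Independent second implementation of what a correct image must be."""
    return b"".join(b"\0" * SECTOR if n in dev.bad_sectors else dev.read_sector(n)
                    for n in range(dev.sectors))


def validate(acq, dev):
    """Score an acquisition against four assumed requirements (True = met)."""
    readable = [n for n in range(dev.sectors) if n not in dev.bad_sectors]
    return {
        "R1": len(acq.image) == len(dev.data),                # image length == device size
        "R2": all(acq.image[n * SECTOR:(n + 1) * SECTOR] == dev.read_sector(n)
                  for n in readable),                         # readable sectors at original offsets
        "R3": sorted(acq.errors) == sorted(dev.bad_sectors),  # error log names exactly the bad sectors
        "R4": hashlib.sha256(acq.image).digest()
              == hashlib.sha256(reference_image(dev)).digest(),  # dual-tool hash agreement
    }


def make_test_device():
    """Eight sectors, sector n filled with byte value n, sector 3 unreadable."""
    return FakeDevice(b"".join(bytes([n]) * SECTOR for n in range(8)), {3})
```

Run `validate(acquire_skipping(make_test_device()), make_test_device())` and only R3 passes: the tool logs the error honestly yet still fails the purpose, which is the distinction between doing the right thing and doing it the right way.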

As always, though, we have the golden question – who has the gold to pay for this ?

(If you have any to spare, let me know – I’d love to get my teeth into this problem properly)


Reuse

Posted on April 8, 2010. Filed under: Education, forensic

or re-use ? Either way – this article (thanks for bringing it to my attention, Darren) expands on something that gets a mention in my next IRQ column in Digital Forensics Magazine – so that’s saved me a job (Oh! the irony!) for this week.

The regulator’s working group on digital forensics met for the first time in nearly a year yesterday – and the validation/verification debate kicked off again. Interestingly there was a clear split between the software engineers and the rest of the community – I’m going to ponder and reflect for a while longer and then post something here about it, I think. Meanwhile, if you haven’t seen the papers I’ve produced (with the support and help of some industry figures), you’ll find them here.


Websites and fitness for purposes tests

Posted on November 2, 2009. Filed under: 1, All, forensic

Websites: new material on the book website – now up to chapter 6 with the exercises! (bet it’ll take me longer to do the model answers though) – see http://www.digital-forensics.org.uk/

Fitness for purpose tests: In the last week or so I’ve been talking to a lot of people about the “fitness for purpose (ffp)” requirement that the regulator’s working group have recommended for the digital evidence standard. We’ve been kicking around ideas about how this can be demonstrated. At one level, the vendors could go for ISO17025 or CESG CTM (CTM) certification themselves – but this only really tests the product “out of the box” as they ship it, with no real accounting for how it is used in the field. This is a particular problem, I think, for anything which includes scripting capabilities as each script will still need to pass the ffp test. It gets worse when we start to think about all the really good open source, non-forensic software and tools produced by small companies without the budget or resources for performing their own ffp testing.

I am more convinced than ever that we need to introduce a national ffp testing service which can deal with the complexities of non-standard hardware and software combinations, in-house developed tools and rapid deployment of vital patches.

It’ll be a heck of a challenge to get it right, but you know something ? – I really want to try to make it work!


About

This is the weblog of Angus M. Marshall, forensic scientist, author of Digital Forensics: digital evidence in criminal investigations and MD at n-gate ltd.
