Bugs

Posted on June 8, 2012. Filed under: forensic

Well, it’s been an interesting couple of months since I last posted. We’ve been keeping busy with a couple of contracts from the Home Office. One is, of course, on digital evidence standards – but the other was a little bit different.

We were lucky enough to be awarded the contract to produce the entomology standard for the forensic science regulator. Since this isn’t part of our usual skillset, we did have to bring in a couple of the UK’s leading forensic entomologists to help with it. Fortunately, our network of contacts is big enough that we found them quickly enough and had the pleasure of working with both the Natural History Museum and Met. Police as a result.

Aside from technical content, the new standard isn’t that different to the others that the regulator already has in place. Most of the new material is designed to help interpret the “master” standard (ISO/IEC 17025) for applications relating to creepy-crawlies without specifying exactly how to do anything. (This is a commonly misunderstood aspect of this whole regulatory system – the supplier and the customer are supposed to agree what will be done and how. On the whole, the regulators and assessors just want to see evidence that such an agreement has been reached and that things have been done that way.)

Anyway, we delivered ahead of schedule and on budget, something which some people seem to consider unusual for government contracts. But then, when you’re dealing with quality systems, can you afford not to hit the targets?

For more information about standards development, regulation or uses of forensic science, please contact us via http://www.n-gate.net/


Excellent news

Posted on November 29, 2011. Filed under: All, Education, forensic

Yet again, other activities have kept me away from this blog for far too long. Personally, I think that’s probably a good thing. A mix of casework and research commissions means I can afford to eat properly again (and those who know me will know how important it is that I maintain my physique – particularly in the current high winds).

The major projects that are keeping me busy are on a new website: Forensic Excellence, where work on two of the three major elements of “forensic” quality systems is underway. The other bit of news is that I have an interview for funding of some work on the third element, and hope to be able to kick that work off towards the middle of next year.

Onwards and sideways!


Valid conclusions?

Posted on July 12, 2011. Filed under: forensic

WARNING: Initial thoughts on a recent situation ahead – incomplete – more to follow, eventually!

Recently, the Casey Anthony trial in the USA has been a source of discussion in many fora, but most recently a bit of a “spat” seems to be in danger of breaking out between the developers of two of the tools used to analyse the web history.

Leaving aside the case itself, let’s start by looking at what the two developers have to say about the issue that came up during cross-examination:

http://blog.digital-detective.co.uk/2011/07/digital-evidence-discrepancies-casey.html

http://www.cacheback.ca/news/news_release-20110711-1.asp

No preference is implied by the ordering of those links, by the way, it’s just the order in which I became aware of them. I don’t use either tool – I have my own methods for doing these things when necessary.

Two issues arise from these two posts, for me:

i) Both developers admit that there were possible problems with their tools which may have resulted in incorrect results, and no-one was aware of this until the two tools were run side by side.

ii) Neither tool seems to have been validated for the case in question. I’m sure they were verified (i.e. checked for conformance to design/specification) but I am not convinced that they were tested against the requirements for the case.

Here comes the repetitive bit: as far as I’m concerned, under the requirements of current and proposed ISO standards, neither tool could be considered reliable. There is no clear documentation about errors, nor is there evidence that either has been subjected to a proper structured validation process. Dual-tooling is not validation. It merely compares two implementations of methods designed to solve the same problem as the developers understand things. At no point does anyone check that the results are correct, just how similar they are. Two implementations of the same wrong algorithm are more likely than not to come up with the same wrong results.

This is typical of the issues we will see more and more of in the digital forensics world – we depend too much on third-party tools which use algorithms developed through reverse engineering and have not been completely tested.

I’m not suggesting that every tool needs to be tested in every possible configuration on every possible evidence source – that’s plainly impossible – but we do need to get to a position where properly structured validation is carried out, and records which document that validation – including areas which have NOT been tested – are maintained and made available.

An examiner should always be free to use new methods, tools & processes, but should be personally responsible for choosing them and justifying their use. Information about usage limits & limitations on testing are vital and any competent examiner should be able to carry out additional validation where it is needed.
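A small illustration of the point above, added here and not the author’s own code: two hypothetical web-history parsers that share the same wrong assumption agree perfectly under dual-tooling, yet both fail against a known-answer reference, and the validation record also documents the tested range so inputs outside it can be flagged. The tools, the reference set and the fixed one-hour offset bug are all constructed for the example.

```python
"""Why dual-tooling is not validation: a constructed harness.

Two hypothetical tools render stored timestamps; the harness compares them
to each other (dual-tooling) and to an independently established reference
(validation), and records the scope of what was actually tested.
"""
from datetime import datetime, timedelta, timezone

# Constructed known-answer reference: (raw epoch seconds as stored in the
# history file, correct UTC rendering). In a real validation exercise these
# would be produced under controlled conditions with a known clock.
REFERENCE = [
    (1309564800, "2011-07-02T00:00:00+00:00"),
    (1309608000, "2011-07-02T12:00:00+00:00"),
    (1310428800, "2011-07-12T00:00:00+00:00"),
]

# Documented scope of the reference set; anything outside it is untested.
VALIDATED_RANGE = (1309564800, 1310428800)


def tool_a(epoch: int) -> str:
    """Hypothetical tool A: adds a fixed +1h (BST) offset before rendering."""
    ts = datetime.fromtimestamp(epoch, tz=timezone.utc) + timedelta(hours=1)
    return ts.isoformat()


def tool_b(epoch: int) -> str:
    """Hypothetical tool B: different code, same wrong assumption that the
    stored value is local time rather than UTC."""
    ts = datetime.fromtimestamp(epoch + 3600, tz=timezone.utc)
    return ts.isoformat()


def dual_tool_agreement(records) -> float:
    """Dual-tooling: fraction of records on which the two tools agree.
    This says nothing about whether either answer is correct."""
    agree = sum(1 for epoch, _ in records if tool_a(epoch) == tool_b(epoch))
    return agree / len(records)


def validate(tool, reference) -> dict:
    """Validation: compare a tool's output to the known-answer reference and
    return a record that can be kept as evidence of what was tested."""
    failures = [(e, tool(e), want) for e, want in reference if tool(e) != want]
    return {
        "tool": tool.__name__,
        "tested": len(reference),
        "passed": len(reference) - len(failures),
        "failures": failures,
        "validated_range": VALIDATED_RANGE,
    }


def in_validated_range(epoch: int) -> bool:
    """Check a case input against the documented test scope; inputs outside
    it need additional validation before the result is relied on."""
    lo, hi = VALIDATED_RANGE
    return lo <= epoch <= hi


if __name__ == "__main__":
    print("dual-tool agreement:", dual_tool_agreement(REFERENCE))
    for t in (tool_a, tool_b):
        r = validate(t, REFERENCE)
        print(r["tool"], f'{r["passed"]}/{r["tested"]} correct', r["failures"])
    # 1262304000 is 2010-01-01T00:00:00Z, outside the documented scope
    print("epoch 1262304000 validated?", in_validated_range(1262304000))
```

Both tools agree on every record, so a side-by-side comparison raises no alarm, while the reference check shows every output is an hour out.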

Let the flaming (of this post) begin…


P.S. – I’ve been doing a lot of work on models & systems for validation recently. They’re currently commercially confidential, but if you’d like to discuss the issues more please do contact me via n-gate.net


Juries vs. the Internet – time for a change?

Posted on June 13, 2011. Filed under: forensic

This story caught my eye this morning: http://www.telegraph.co.uk/technology/facebook/8571855/Juror-in-Facebook-contempt-prosecution-after-contacting-defendant-during-trial.html

It highlights one of the problems we have with jury trials in the age of pervasive technology. It is only natural for someone involved in deciding the fate of another to want to obtain as much information as possible so that they can be sure they’ve made the right decision. No matter how often a judge reminds a jury not to discuss the case and not to attempt to carry out their own research or to make contact with anyone else involved in the case, the temptation to “break the rules” must be almost overwhelming.

This is particularly true when complicated scientific or business evidence is involved. Much of it can be so obscure to the uninitiated that they feel they cannot hope to understand it without help, but that help is not provided to them, so they go off and do their own research – using untested, unapproved and unvalidated sources. Either that, or they believe what they’ve seen in the mass-media and we get the results of the dreaded “CSI effect” creeping in.

Perhaps it’s time we revised the jury system – not to abolish juries, and not to have expert jurors only, but to give them access to court-approved sources of information in the jury room: independent advisors, completely isolated from the trial materials, who can speak on the underlying principles of the technical evidence, seeking permission from the court before commenting and keeping rigorous notes of everything they discuss so that all parties can be fully aware of the issues being raised by the jury. Of course, jurors might need to be kept in isolation to prevent them seeking the extra information anyway, but perhaps having a source “on tap” in the jury room could help speed up their deliberations by giving them confidence that they know the whole story.

Of course, it might lead to longer trials, but that could be a price worth paying if we can eliminate the uncertainty and reluctance to make a decision introduced by jurors who feel they need more information or, worse, hurried decisions made by those who already think they know it all.


ISO ISO baby – part 2

Posted on April 20, 2011. Filed under: forensic, security

Well, I’m just about back on BST after spending last week in Singapore. In the words of Robin Williams – “IT’S HOT!” out there, and sticky, but the locals are very friendly, the food is excellent (Kopi & Kaya Toast highly recommended for breakfast).

Of course, I wasn’t just out there for a “jolly” (but thanks for dinner Microsoft – I promise to say nice things about you for a few hours at least), but was attending the latest meeting of ISO/IEC JTC1 SC27 working groups. This is the “Information Technology – Security Techniques” sub-committee responsible for the infamous 270xx family of standards.

My main responsibility was to assist with the ongoing task of editing the 27037 “Guidelines for the identification, collection, acquisition and preservation of digital evidence” document. It’s coming along nicely, but we still have considerable debate about whether this is a standard for law-enforcement, Infosec. or both.

My own view is that, because of the nature of the committee responsible, it needs to be an Infosec. document which can be useful for everyone – including law enforcement. This approach to it seems to be paying off as some of the resistance to it is falling away.

The problem with treating it as a document for law-enforcement is that any international standard in this area is bound to come into conflict with local law, local procedure etc. (you’ll see the truth of that when you read the final version and see how often we have had to include a reminder about local legislation etc. overriding the guidance). Worse still is the possibility that an ISO document might try to tell judges how to deal with evidence & matters of law.

We can do no more than issue some helpful information and try to set a minimum standard which will allow anyone involved in investigating digital incidents to have confidence that any organisation, working to the same standard, will use methods which are compatible. In that respect, ISO/IEC 27037 looks like it’s going to work. Ideally, of course, everyone will adopt it as a minimum standard – and that can only be good news, because there will be better understanding of the issues surrounding digital evidence handling and fewer situations where examiners, like me, have to turn down cases because of problems in the early stages.

I just hope we can achieve the same with the three new projects that we’re hoping to launch in October – “Investigation Principles & Process”, “Guidelines for Analysis & Interpretation of Digital Evidence”, and “Guidance on assuring suitability and adequacy of investigation methods”. We (the UK group) are also hopeful that our proposal for some new work on “Incident Readiness” (particularly investigative readiness) will also be launched in October.

If you have any suggestions for what should be included in those standards, please do let me know. These things are just written by “the great and the good” (proof: they let me play!) but are the result of debate, discussion and consensus. More ideas = better results.


In the footsteps of Bob & Bing

Posted on April 7, 2011. Filed under: forensic, security

Just 2 more days till I’m off to the ISO/IEC SC27 meeting in Singapore and I couldn’t resist the opportunity to use a clip from a relevant film ;)

Anyway – some interesting new agenda items have appeared. Of these the most significant is a new discussion slot on “Digital Forensic Processes”, suggesting there may be some new work items (aka drafting of new standards). It’s not clear where the request for this has come from or exactly what it relates to.

Given that I volunteered to be a rapporteur for study periods on “Digital Evidence Readiness & Analysis” and “Digital Evidence Validation & Verification” it seems a little redundant to me. We (the UK panel dealing with these) are proposing that readiness should be considered as part of Incident Management since it involves planning & auditing, Analysis should probably sit inside the existing draft 27037 document about evidence recovery, since it shares many common features and requirements, and that there should be a new standard for Validation & Verification.

With those in place, we think we cover all the critical phases of an investigation (and we are not going to say “forensic” because we now believe it is appropriate to broaden the standards so that every investigation is carried out to a high standard just in case it needs to go to court) – so I’m curious where the extra discussion has come from. Maybe the committee has realised just how much I like the sound of my own voice?



Ready or not?

Posted on March 25, 2011. Filed under: forensic, security

In a couple of weeks’ time I’ll be off to Singapore, missing the Malaysian GP (but flying over it), to attend the next ISO/IEC SC27 meeting. Another week of sitting in meeting rooms in an exotic location.

While there, I’ll be proposing some new work that the UK delegation feels is necessary to complement the existing work on ISO 27037 (Identification, acquisition and preservation of digital evidence). Our view is that 27037 represents the middle of a 3-stage sub-process in Information Security Incident handling.

By the time you need to collect potential evidence, an incident has already occurred – and in order to be able to collect useful material you need a plan. Our view is that IS Incident Investigation should start with proper planning, then move on to collection and finally analysis & reporting. All of which should be properly underpinned by a robust validation & verification mechanism.

So – we are going to propose that some new work on IS Incident Investigation Readiness should be conducted, with a view to including it in ISO 27035 (Security Incident Management). Why there rather than in 27037 or a new standard?

Well – Investigation is just one possible response to an incident – a common and useful one, but not the only one, so it makes sense to have it included in the management standard, which already includes risk assessment & management. Planning needs to come from an understanding of possible incidents and the systems which can be affected. Also, we know that many companies, particularly SMEs, will need to outsource the collection & analysis stages – which is perfectly acceptable – but still need to do their own planning to ensure that the organisation they call in can understand the nature of the incident and the systems affected, and that the methods to be employed in stages 2 & 3 meet the requirements of the plan.

I think it’s necessary work – certainly based on reports I’ve heard over the years from companies who complain that intellectual property breaches and acquisition of commercially sensitive data have not been investigated or prosecuted properly. In every case I’ve considered there has been a failing from day 1 on the part of the company – they didn’t take proper actions to secure the information or data, and they had no mechanism in place to prevent or investigate. As someone once said “Fail to plan and you plan to fail”.

There’s nothing really new in this – Incident Response guides recommend investigation as well as post-incident clean-up as good practice. It helps the organisation to learn from mistakes. The only real difference is that we are planning to set an international minimum standard for it – to help people understand the basic requirements.

If you haven’t already done some planning for incident investigation – why not start now? Or give me a call or e-mail? It needn’t take long, or be hugely expensive – but it could save a fortune if something untoward does happen.

P.S. – note that I haven’t said “forensic” anywhere in this note – not every investigation results in court action – sometimes it just results in improvements internally.


Contracting

Posted on March 10, 2011. Filed under: forensic, life

Just recently I’ve been having discussions about possibly becoming a contractor for a little while and it’s thrown up a question that’s haunted me ever since I started examining other people’s computers.

I’m a fan of open-source software and I really do believe that one of the benefits I offer as a consultant is the fact that I don’t use the same examination kit as everyone else. It means that when I check their results or they check mine we are using significantly different tools, and mine are open for anyone to scrutinise at the source-code level. So, if we find a discrepancy we can dig deep into at least one of the tools, if necessary, to find the reason why. It’s proper dual-tooling, or as close as we can get for now.

Now, in the past I’ve had to explain this (because there are two or three tools that everyone expects to see and eyebrows are raised when I don’t mention them) but it has never stopped me getting an expert witness job. The critical word there is “expert” – in that role I am supposed to exercise my judgment to select the best tools and methods for the job.

However, a contractor is a different creature – if I do get offered this job, I have to fit into someone else’s working environment and do things their way with their tools. I can do it. In my academic life I had to learn new skills, tools etc. very quickly and be able to teach them to other people. It’s a knack that a good lecturer picks up soon, or they don’t survive in labs for long. The question is, will the client believe I can do it or will they wait until they find someone with the right piece of paper instead?

My argument, for what it’s worth, is that I can learn the tool quickly and, because I have a background in computer science and am used to creating little ad-hoc tools whenever I need them, I can check the tool’s results in a way that someone who just knows the program might not be able to.

We shall see.

Meanwhile, in the world of standards and regulation things have gone quiet in the Regulator’s office. His contract has been extended for another 3 years, but I rather think he’s suffering from budget cuts elsewhere. No matter, plans are well underway for the next ISO meeting in Singapore where we will be trying to get some new work approved to go beyond the current ISO/IEC 27037 and ensure we have guidance for a complete process from planning through acquisition to analysis, with proper validation all the way through.


Ideas beginning to sprout

Posted on September 15, 2010. Filed under: Education, forensic

Last week, I was in Brussels for the launch of the latest Framework Programme 7 security call. In amongst all the usual work proposals for activities on counter-terrorism, border controls, communications and collaboration, there are a couple of items with the “F” word in them (calm down Mr. Ramsay – I mean Forensic, of course).

They are “Digital Forensic Capability” and “Advanced Forensic Framework”. Both topics call for exploration of methods to improve the perceived reliability of evidence, demonstrate competence of scientists and allow for greater portability of evidence from one jurisdiction to another.

As I read through the topic summaries, it struck me that forensic science may not be in quite the poor state that they seem to imply. Generally, there is an acceptance that the ISO17020 & ISO17025 standards can be applied to crime scene & forensic science (through the addition of interpretive guidance documents such as ILAC G19) and most good conventional labs are already accredited to those standards.

In England we have the Code of Conduct being produced by the Forensic Science Regulator, which serves as further clarification, and it looks like the ISO SC27 group’s work on Digital Forensic Standards (more on that when I get back from Berlin next month) may well produce something very concrete for digital forensics in the next year or two.

However, those deal with the short to medium term situation. These projects are an opportunity for the forensic science community to come together to share experiences across disciplines, involving the litigators and the investigators too, to look to the future and agree frameworks for validation of future methods. They’re also a great chance for us to take a step back and look more closely at how we train & educate our scientists, investigators and legal representatives to see if we can agree some common minimum standards which will allow evidence & professionals to move more freely around Europe, if not the world. If we can reach agreement, we can reduce time and cost wasted in dealing with material which should either never exist, or is completely non-contentious.

Best of all, it’s a requirement that any project proposals must involve several countries and the very nature of these projects means that they will be multi-disciplinary too. Even if we don’t get the money (I have two outlines circulating for comments already – email me if you would like to get involved), there are some great opportunities to establish new partnerships just through the bidding process.


Requirement acquirement

Posted on May 19, 2010. Filed under: All, forensic

In a few recent posts, I’ve talked about the “fitness for purpose” challenge and the fact that it seems to be causing confusion or consternation amongst those who haven’t dismissed it as irrelevant. Partly, I think, this is because of misunderstanding about what the regulatory environment really means. The Forensic Science Regulator’s primary role is to produce Quality Standards for Forensic Science, not to define procedures. In that context, “fitness for purpose” is a test of whether or not something passes tests to show that it is fit for whatever purpose the forensic science provider wishes to use it for. Nothing more. There is no complex or secret agenda here. It’s simply a question of demonstrating that anything being used (method, process or tool) meets the requirements defined by the person using it, or by their customers.

Having recently written a “complementary evidence” report, in which I gave an independent view of some deviation from accepted procedures, I am now convinced that the approach we came up with at the meeting in December (see http://www.n-gate.net/ under “Regulation”) is right – we need to consider whether or not we can produce a set of industry-wide requirements which can be used as a starting point or menu by each provider. If we can get them agreed by the industry, we have the potential to standardise testing of methods, processes and tools as well as identifying gaps in current practice, and laying the groundwork for the future.

“Where to begin?” has been the stumbling block for the last couple of months, but now I have an idea. Watch this space and http://www.n-gate.net/ for progress.

Unrelated: I’ve been playing with a product called ZumoDrive on my Mac, Palm Pre (thank you HP – WebOS has a future it seems!) and Linux server for a few weeks now. At the basic level it’s a free 2Gb cloud filespace which can link folders across multiple machines so they are always in sync, as well as appearing as a targetable drive on all machines. It hasn’t fallen over yet and is providing me with an online backup for some important, but not confidential, files as well as taking over as a music storage service. Highly recommended. Upon installation, you get 1Gb free, but if you complete the online “dojo” training, you get another 1Gb ( http://www.zumodrive.com/ ). Don’t rely on it as your only backup – but if you need to have access to different types of files in multiple locations, try it out – it even has version tracking and a web interface. (Apparently, it works on some lesser smartphones too ;P )



    About

    This is the weblog of Angus M. Marshall, forensic scientist, author of Digital Forensics : digital evidence in criminal investigations and MD at n-gate ltd.
