John J. Barbara supervises the Computer Evidence Recovery Section at the Florida Department of Law Enforcement’s Tampa Bay Regional Operations Center. He has been an ASCLD/LAB inspector since 1993 and has presented lectures and authored articles concerning attaining ASCLD/LAB digital and multimedia evidence accreditation.
A Standard Level of Acceptability for Computer Forensics
Computer forensics is a cutting-edge technology discipline that can literally change from week to week. Computer forensics training, education, and analysis are widespread among forensic crime laboratories, law enforcement agencies, corporate America, the private sector, and colleges and universities. Computer forensic story lines have even become part of popular television shows.
Just what is computer forensics? The name implies (rightly or wrongly) that it refers to computers and the subsequent analysis of their hard drives (where the digital data resides). However, it is much more complicated. Many personal digital assistants, cellular telephones and digital cameras contain smart media cards that also store digital data. By definition, they are not computers. Likewise, compact discs and USB thumb drives also store digital data. They are not computers either.
The commonality between what we normally identify as a computer and the aforementioned devices is that they all store or contain digital data. Digital data is a series of zeroes and ones, stored in a particular sequence on some sort of media (computer hard drive, CD, etc.). Generally, the forensic software used to analyze a computer hard drive may be the same software that is used to analyze a CD, a smart media card or a personal digital assistant. Thus, a definition of computer forensics that encompasses all these devices could be “the application of specialized scientific techniques to the preservation, recovery and analysis of digital or electronic data that may be used in legal matters.”
However, even with this definition, not every type of digital analysis can necessarily be placed under computer forensics. For instance, does the analysis of analog or digital video fall under the heading of computer forensics? Analog video tapes are digitized prior to analysis and the software and analytical techniques used in video analysis are different from those used to analyze a computer’s hard drive. Is enhancing the digital audio track on a digital video tape a type of computer forensics? Again, software and analytical techniques used for audio enhancement and analysis are different from those used in computer analysis and video analysis.
To take it further, can the comparison of images of suspects on a digital video tape to known digital images of suspects also be considered a part of computer forensics? Image analysis techniques are different from those for computer analysis, video analysis and audio analysis. As previously stated, all the data being examined for possible evidentiary value is digital. Thus, a better way to categorize these diverse types of analyses would be to group them under a single discipline, which is exactly what the U.S. Department of Justice’s Scientific Working Group on Digital Evidence recommended several years ago. They named it the digital and multimedia evidence discipline, comprising four sub-disciplines: computer forensics, forensic audio, image analysis, and video analysis.
A computer forensic examiner has to find, recover, analyze, and evaluate digital data that may represent evidence from such diverse crimes as employee fraud, financial corruption, embezzlement, extortion, identity theft, bribery, theft of intellectual property or trade secrets, or pornography. Courtroom testimony often results from this analysis. The evidence in these cases consists primarily of the digital data itself and it is commonly referred to as digital evidence. Since it is evidence, it must be treated similarly to other physical evidence found at the scene of a crime. However, there is no actual physical evidence to visually assess for relevance as it is digital and may reside on almost any type of media. Although it cannot be seen by the naked eye, all the scientific principles related to the data’s collection, processing, and analysis must be followed to ensure both a proper chain of custody and accurate analytical results.
Forensic examiners use an array of methods or tools for discovering digital data that resides on a particular medium. Digital data may be active, deleted, hidden, encrypted, or, as is sometimes the case, partially overwritten. Any or all of this data may be necessary for litigation. For court purposes, the judicial system has to be assured of accurate, reliable, verifiable, and repeatable results. This involves more than just finding, collecting, and analyzing the data, generating a report and testifying in court. Although examiner testimony may become critical for successful prosecution, the testimony can be very technical and complex. Most jurors do not have the technical knowledge to assess the accuracy of the testimony provided. Thus, expert witness testimony often sounds credible and believable to jurors. However, from the perspective of the requirements of forensic science, many concerns can arise from expert witness testimony:
• Was the evidence tainted or compromised regarding how or where it was collected or stored?
• Is the chain-of-custody record for the digital data accurate and complete?
• Can an examiner automatically qualify as an expert for court purposes based on on-the-job experience only?
• Do written procedures exist such that another examiner can recreate the results of the analysis?
• What was the competence of the examiner?
• How are the forensic computers maintained?
• Are all the software tools used during an analysis legitimate (licensed copies, authorized copies, etc.) and were they validated and verified prior to use?
• Did the software tools (a) contain bugs? (b) alter or change the evidentiary data?
• Were scientific principles followed during the analysis of the data?
All these concerns need to have acceptable, accurate, and complete answers before a suspect is convicted of a crime. Further, depending upon the case, the testimony may have to meet the requirements of Frye¹ or Daubert² regarding the admissibility of scientific expert testimony. In the United States, most states have adopted one or the other of these rulings pertaining to the admissibility of scientific evidence in legal proceedings.
This then raises the question of what standards or best practices are in place in the computer forensics community that can address these complex issues. Other forensic disciplines have faced similar issues; however, those issues have been alleviated or mitigated somewhat by:
• Formalized, documented training programs;
• Competency testing examiners;
• Annual proficiency testing of examiners to evaluate competence and the quality performance of the section and laboratory;
• Documented, validated procedures that include the use of appropriate standards and/or controls;
• Policies and procedures for the identification, collection, preservation and protection of evidence from loss, alteration or change;
• Having discipline-recommended written standards (best practices) and recognized, accepted testing standards and methodology; and
• Attaining American Society of Crime Laboratory Directors/Laboratory Accrediting Board accreditation.
ASCLD/LAB Accreditation Standards and Criteria
The American Society of Crime Laboratory Directors/Laboratory Accrediting Board has been accrediting forensic crime laboratories since 1982. Voluntary accreditation is offered in the forensic disciplines of biology (DNA), controlled substances, crime scene, digital and multimedia evidence, firearms and toolmarks, latent prints, questioned documents, toxicology, and trace evidence. Attaining accreditation allows a laboratory to demonstrate that its management, operations, personnel, procedures, equipment, physical plant, security, and health and safety procedures all meet established national and international standards. One of the objectives of accreditation is to identify those laboratories that have demonstrated that they can meet established standards. Both of ASCLD/LAB’s accreditation programs consist of standards that have to be met to attain accreditation. The uniqueness of these standards is that they are applicable and adaptable to virtually any laboratory of any size. Specifically, to attain accreditation in the legacy program, a stand-alone computer forensics section or unit would have to document and demonstrate compliance with at least 102 standards.
Applying ASCLD/LAB Standards to Computer Forensics
Interpreting and applying the applicable ASCLD/LAB standards to the computer forensics discipline requires both practical and realistic solutions. Some examples of standards from the 2003 ASCLD/LAB manual, and the questions they raise:
• Standard [number not legible in source]: “A training program to develop the technical skills of employees is essential in each applicable functional area.”
What are the essential topics for a computer forensics training program?
• Standard [number not legible in source]: “New technical procedures must be validated to prove their efficacy in examining evidence material before being implemented on casework.”
How do you validate a procedure for extracting data from unallocated space?
• Standard [number not legible in source]: “Controls and standard samples must be used and documented in the case record to ensure the validity of the testing parameters and, thereby, the conclusion.”
What controls and standards are to be used when creating a forensic image of a computer’s hard drive?
• Standard [number not legible in source]: “Instruments/equipment should be adequate for the procedures used.”
How do you determine if a hardware write-blocker is adequate?
• Standard [number not legible in source]: “Instruments/equipment should be maintained in proper working order.”
What is considered proper working order for a forensic computer?
• Standard [number not legible in source]: “Instruments/equipment must be properly calibrated and calibration records maintained for all calibrated instruments.”
How do you calibrate a forensic computer?
• Standard 2.11.4: “Examiners must have successfully completed a competency test.”
What constitutes competency testing in this diverse sub-discipline?
A Standard of Acceptability
Evidence submitted to a forensic crime laboratory often results in the prosecution and conviction of suspects for computer-related crimes. To ensure that the criminal justice system and the public as a whole have confidence in the results obtained, there must be a standard of acceptability that can be applied to those laboratories. Since the digital and multimedia evidence discipline is relatively new, there are no precedents to provide guidance. ASCLD/LAB has already set a standard of acceptability for accreditation that can ensure the promotion, encouragement and maintenance of the highest standards of practice.
Accreditation does provide a means to improve quality, assess performance, provide independent review, and meet established standards. Attaining ASCLD/LAB accreditation in the sub-discipline of computer forensics provides a standard of acceptability for the community. Courtroom testimony pertaining to a quality assurance system (where standards and controls are required) can assure the court that analytical results are accurate and error-free. External independent review can demonstrate management’s commitment to ensuring that its quality assurance system, procedures, personnel qualifications and physical plant meet or exceed documented standards of practice. Additionally, accreditation by ASCLD/LAB has assisted, and will continue to assist, forensic examiners in all disciplines in meeting the challenges of Frye or Daubert.
Even if a laboratory does not seek ASCLD/LAB accreditation, it still must be able to demonstrate that it is operating in a scientific manner. Examiners, accredited laboratories, the Scientific Working Group on Digital Evidence, the National Institute of Standards and Technology, and ASTM Committee E30 on Forensic Sciences are all recognized sources that can assist in addressing these issues. Eventually, a level of acceptability for written standards (best practices) and recognized, accepted testing standards and methodology for the computer forensics discipline will become clearer. However, this most likely will be an evolving process for the foreseeable future.
¹ Frye v. United States, 293 F. 1013 (D.C. Cir. 1923).
² Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993).