barrister magazine michaelmas 2018


Accreditation of a Constantly Developing Science

Matthew Jackson provides an overview of the current attempts to regulate digital forensic evidence

In October 2017, under the Forensic Science Regulator (FSR), it became a mandatory requirement for all digital evidence produced by the Prosecution to comply with the ISO 17025 standard. The requirement for those producing such evidence to comply with a standard originally introduced in 1999 has caused and continues to cause significant issues and limitations. When I speak to any of the number of Police Forces that I deal with up and down the country, the main topic of conversation is the work involved in moving towards, obtaining and maintaining the ISO 17025 standard.

Hi-Tech Crime Units and businesses have been required to employ additional members of staff to replace experienced examiners needed to move from their normal roles to solely focussing on the ISO standard or, where they could not be replaced, the number of staff conducting examinations has simply reduced. Obviously smaller organisations simply cannot afford to devote such amounts of time and resources to attaining the standards set by the FSR, even if they employ experienced experts and practitioners. This increased level of ‘red tape’ is being introduced within an environment that involves a continually changing and fluid science and which generates an increase in workload for those units of approximately 20% year on year, whilst annual budgets to Police Forces are being consistently reduced.

The difficulty when ISO 17025 is used to accredit digital forensics is that, unlike fingerprint or DNA forensics, computers, mobile phones and the programs and files present upon them are continually changing. Whilst ‘wet’ forensics, such as DNA and fingerprint, is normally based upon a finite substance or print that cannot be copied, once a forensic copy of a device has been taken it can be verified as being accurate and complete and becomes the best evidence that can be copied as many times as necessary and, whilst any alteration is difficult, it can be easily identified. Digital forensics has always involved the continual development of new techniques and procedures in order to keep up with the changes and development of the subject matter: every year a new raft of software is released along with continuous development of the devices upon which to use it, whereas with fingerprints, though techniques may change over time, the subject does not.

To expect completely different sciences to fall under the same ISO standard, particularly when one of those sciences (digital forensics) was developed after the introduction of that standard, simply because another more relevant standard is not available, will not fulfil the intended purpose of raising standards and may actually have adverse effects on the identification and interpretation of evidence. The main issue that arises from the introduction of the standard specifically for digital forensics is the amount of work and the level of resources involved, firstly in attaining the standard and then in the continual validation of processes and techniques under ISO 17025.

Even the examination of two different mobile phones for the same data can involve completely different processes in order to retrieve the evidence from them. Some computers are now cloud based, meaning that no data is stored on a hard drive within them; instead the user data is retained online. Therefore, an examination of that kind of computer requires different techniques and procedures in order to retrieve the evidence than a normal desktop computer.

Under ISO 17025 it is not possible to complete the examination of any devices or data without each process first being validated. When a new technology, application or file system is encountered by a practitioner or unit, which often happens, particularly when software updates and changes in user activity are accounted for, an experienced practitioner is required under ISO 17025 to carry out various validation techniques and then produce a validation plan that is then reviewed and assessed by a further experienced practitioner. Only then can the new process be used. This inflexible approach is difficult and time consuming to undertake: even an update to forensic software (most are updated monthly to keep pace with changes in technology), or the change of a component in a forensic computer, requires a full validation check.

Given that a verified forensic copy of the data contained on the device should already have been taken and cannot be edited, validation of any extraction techniques can normally be made by comparing the data taken with the data contained on the forensic copy. Where data cannot be interpreted correctly, either as it is a new process or as it is not recognised by standard forensic software, the process becomes one of resource. Does the unit now follow the validation process when it encounters any new problem, or does it avoid it altogether and ignore that source of information?

The identification of a suitable technique to retrieve and interpret evidence is based upon a vast number of variants, not least the device containing it, the type of data involved and the location of it.

One example of this is that, due to cost and time constraints, evidence from mobile phones and computers is now often being recorded by the officer in the case rather than the digital forensic unit, to avoid it being sent to the overworked digital forensic units with lengthy backlogs.

The examination of Internet history on a computer hard drive, for example, is completely different to the process involved in examining a mobile phone for WhatsApp chat messages.

Just this week I dealt with a case where the Prosecution evidence in the case has been produced by the officer in the case rather than the digital forensic
