Question

How is being familiar with digital forensic best practices and criminal justice standards benefit you, even if you worked in a non-criminal justice digital forensics position?

Answer 1

As technology has become more portable and powerful, greater amounts of information are created, stored, and accessed. Modern devices can serve as huge repositories of personal information yet be carried in a pocket and accessed with a single hand or even voice command.

It has become very necessary to adapt certain practices in order to secure your digital information . Bad guys are waiting to exploit you in a crime.

One has to be very careful and aware of the digital forensic best practices & criminal justice standards that will help him not trap in any unwanted uncalled situation.

I am outlining certain aspects of Digital forensic & criminal justice standards :

Integrity & authenticity of data:

Integrity ensures that the information presented is complete and unaltered from the time of acquisition until its final disposition. Files that are copied from storage and processed result in new files. These files also must have their integrity maintained.

Integrity differs significantly from authentication. Authentication is the process of substantiating that the content is an accurate representation of what it purports to be. For example, authentication of a digital image of a gun on a table could be authenticated by a person at the scene stating that the picture fairly and accurately represents the gun on the table. The integrity of the image can be established by methods covered in this document. For further information on image authentication.

The integrity of a digital image or video file is best demonstrated through a combination of methods. Maintaining integrity requires both documentation and security of the files throughout the work flow. A standard operating procedure (SOP) should describe the work flow.

Maintaining and Demonstrating Integrity

When working with digital image and video files, one needs to maintain the integrity of the files and also demonstrate that the steps taken were effective. Maintaining integrity requires security of the files during transport and storage. Demonstrating integrity uses methods to show that the file has not changed.

When a digital image or video file is obtained, a reference is created for future demonstrations of integrity.

The file is then transported to a storage device or location. When it is removed from storage for use, the integrity is demonstrated by the method used to create the reference.

We have to think of the file , data stored are secure .

Forensics & standard:

Computer forensics is a cutting edge technology discipline that can literally change from week to week. Computer forensics training, education, and analysis is widespread among forensic crime laboratories, law enforcement agencies, corporate America, the private sector, and colleges and universities. Computer forensic story lines have even become part of popular television shows.

Just what is computer forensics? The name implies (rightly or wrongly) that it refers to computers and the subsequent analysis of their hard drives (where the digital data resides). However, it is much more complicated. Many personal digital assistants, cellular telephones and digital cameras contain smart media cards that also store digital data. By definition, they are not computers. Likewise, compact discs and USB thumb drives also store digital data. They are not computers either.

The commonality between what we normally identify as a computer and the aforementioned devices is that they all store or contain digital data. Digital data is a series of zeroes and ones, stored in a particular sequence on some sort of media (computer hard drive, CD, etc.). Generally, the forensic software used to analyze a computer hard drive may be the same software that is used to analyze a CD, a smart media card or a personal digital assistant. Thus, a definition of computer forensics that encompasses all these devices could be “the application of specialized scientific techniques to the preservation, recovery and analysis of digital or electronic data that may be used in legal matters.”

However, even with this definition, not every type of digital analysis can necessarily be placed under computer forensics. For instance, does the analysis of analog or digital video fall under the heading of computer forensics? Analog video tapes are digitized prior to analysis and the software and analytical techniques used in video analysis are different from those used to analyze a computer’s hard drive. Is enhancing the digital audio track on a digital video tape a type of computer forensics? Again, software and analytical techniques used for audio enhancement and analysis are different from those used in computer analysis and video analysis.

To take it further, can the comparison of images of suspects on a digital video tape to known digital images of suspects also be considered a part of computer forensics? Image analysis techniques are different from those for computer analysis, video analysis and audio analysis. As previously stated, all the data being examined for possible evidentiary value is digital. Thus, a better way to categorize these diverse types of analyses would be to group them under a single discipline, which is exactly what the U.S. Department of Justice’s Scientific Working Group on Digital Evidence recommended several years ago. They named it the digital and multimedia evidence discipline, comprising four sub-disciplines: computer forensics, forensic audio, image analysis, and video analyse.
A computer forensic examiner has to find, recover, analyze, and evaluate digital data that may represent evidence from such diverse crimes as employee fraud, financial corruption, embezzlement, extortion, identity theft, bribery, theft of intellectual property or trade secrets, or pornography. Courtroom testimony often results from this analysis. The evidence in these cases consists primarily of the digital data itself and it is commonly referred to as digital evidence. Since it is evidence, it must be treated similarly to other physical evidence found at the scene of a crime. However, there is no actual physical evidence to visually assess for relevance as it is digital and may reside on almost any type of media. Although it cannot be seen by the naked eye, all the scientific principles related to the data’s collection, processing, and analysis must be followed to ensure both a proper chain of custody and accurate analytical results.

Forensic examiners use an array of methods or tools for discovering digital data that resides on a particular medium. Digital data may be active, deleted, hidden, encrypted, or, as is sometimes the case, partially overwritten. Any or all of this data may be necessary for litigation. For court purposes, the judicial system has to be assured of accurate, reliable, verifiable, and repeatable results. This involves more than just finding, collecting, and analyzing the data, generating a report and testifying in court. Although examiner testimony may become critical for successful prosecution, the testimony can be very technical and complex. Most jurors do not have the technical knowledge to assess the accuracy of the testimony provided. Thus, expert witness testimony often sounds credible and believable to jurors. However, from the perspective of the requirements of forensic science, many concerns can arise from expert witness testimony:

• Was the evidence tainted or compromised regarding how or where it was collected or stored?
• Is the chain-of-custody record for the digital data accurate and complete?
• Can an examiner automatically qualify as an expert for court purposes based on on-the-job experience only?
• Do written procedures exist such that another examiner can recreate the results of the analysis?
• What was the competence of the examiner?
• How are the forensic computers maintained?
• Are all the software tools used during an analysis legitimate (licensed copies, authorized copies, etc.) and were they validated and verified prior to use?
• Did the software tools (a) contain bugs? (b) alter or change the evidentiary data?
• Were scientific principles followed during the analysis of the data?

All these concerns need to have acceptable, accurate, and complete answers before convicting a suspect of a crime. Further, depending upon the case, the testimony may have to meet the requirements of Frye¹ or Daubert² regarding the admissibility of scientific expert testimony. In the United States most states have adopted one or the other of the rulings pertaining to the admissibility of scientific evidence into legal proceedings.

This then raises the question of what standards or best practices are in place in the computer forensics community that can address these complex issues. Other forensic disciplines faced similar issues, however, they were or have been alleviated or mitigated somewhat by:

• Formalized, documented training programs;
• Competency testing examiners;
• Annual proficiency testing of examiners to evaluate competence and the quality performance of the section and laboratory;
• Documented, validated procedures that include the use of appropriate standards and/or controls;
• Policies and procedures for the identification, collection, preservation and protection of evidence from loss, alteration or change;
• Having discipline-recommended written standards (best practices) and recognized, accepted testing standards and methodology; and
• Attaining American Society of Crime Laboratory Directors/ Laboratory Accrediting Board accreditation.

ASCLD/LAB Accreditation — Standards and Criteria
The American Society of Crime Laboratory Directors/Laboratory Accrediting Board has been accrediting forensic crime laboratories since 1982. Voluntary accreditation is offered in the forensic disciplines of biology (DNA), controlled substances, crime scene, digital and multimedia evidence, firearms and toolmarks, latent prints, questioned documents, toxicology, and trace evidence. Attaining accreditation allows a laboratory to demonstrate that its management, operations, personnel, procedures, equipment, physical plant, security, and health and safety procedures all meet established national and international standards. One of the objectives of accreditation is to identify those laboratories that have demonstrated that they can meet established standards. Both of ASCLD/LAB’s accreditation programs consist of standards that have to be met to attain accreditation. The uniqueness of these standards is that they are applicable and adaptable to virtually any laboratory of any size. Specifically, to attain accreditation in the legacy program, a stand-alone computer forensics section or unit would have to document and demonstrate compliance with at least 102 standards.

Reference:http://www.astm.org , www.fbi.gov

Thanks