Introduction to Forensic Science and the Scientific Method PDF
Florida International University
Matt Ruddell
Summary
This document provides an introduction to forensic science and the scientific method, including information about the instructor, Matt Ruddell. It covers the basics of forensic science, including disciplines like crime scene analysis, DNA analysis, and digital forensics. It also delves into the scientific method and the historical development of forensic science.
Full Transcript
Introduction to Forensic Science and the Scientific Method
EEL4802 - Introduction to Digital Forensics

Introduction of Instructor
- Instructor name: Matt Ruddell
- Background: Trainer III at the National Forensic Science Technology Center, a program at FIU
- Previously served as a Senior Crime Lab Analyst for the Florida Department of Law Enforcement in the Digital Evidence section
- Primary contact through Canvas Email
- Secondary contact: [email protected]

Introduction
What is this course about?
- Forensic Science in general
- Digital Forensics
- What is involved in being a Forensic Analyst
- Finding artifacts and evidence on digital media

Forensic Science
What is the definition of "forensic"?
- The application of science and scientific principles to matters of the law.
- Two keywords in that definition -

Forensic Disciplines
Almost any science that can be applied to matters of the law can be considered forensic.
- Crime Scene
- Biometric databases
- DNA
- Drug Chemistry
- DNA Database
- Toxicology
- Questioned Documents
- Digital
- Firearms (Ballistics)
- Fire and explosive analysis
- Latent Prints

Forensic Disciplines
Some are less common, and their validity as a forensic science is not universally recognized.
- Engineering
- Shoe and Tire
- Entomology
- Gunshot residue
- Psychology
- Trace Analysis
- Anthropology
- Odontology

Scientific Method
The scientific method, a framework developed by Aristotle, involves:
1. Making observations
2. Developing a question
3. Making conjectures (hypotheses) and predictions
4. Developing and performing experiments to test those hypotheses/predictions
5. Making observations (results)
6. Validating or revamping those predictions or hypotheses based on the observations (analysis)

Where are the jobs?
Where is forensics done? Almost anywhere.
- Law Enforcement: Local, State and Federal
- Other Government Agencies, not necessarily Law Enforcement: SEC, HHS, FCC, Military, etc.
- Private Practice: Civil matters, incident response (digital)
- International Organizations: Human rights violations, war crimes, etc.

Who does the forensics?
- Sworn law enforcement officers/first responders: in-the-field triage and/or collection
- Crime scene technicians: specially trained to identify and collect evidence
- Forensic scientists: typically lab-based analysis of evidence

Brief History of Forensics
The foundations of forensic science have been around for a long time.
- The ancient Chinese used fingerprints to identify business documents.
- In 1835, Scotland Yard's Henry Goddard became the first person to use physical analysis to connect a bullet to the murder weapon.
- In 1836, a Scottish chemist named James Marsh developed a chemical test to detect arsenic, which was used during a murder trial. First use in a court of law.
- In 1892, Sir Francis Galton established the first system for classifying fingerprints.
- Independently, Sir Edward Henry, Commissioner of the Metropolitan Police of London, developed his own system in 1896 based on the direction, flow, pattern and other characteristics in fingerprints.
- Bullet examination became more precise in the 1920s, when American physician Calvin Goddard created the comparison microscope.
- August Vollmer, chief of the Los Angeles Police, established the first American police crime laboratory in 1924.
- In 1930, scientist Karl Landsteiner won the Nobel Prize for classifying human blood into its various groups, which led to the use of blood type evidence in court.
- FBI lab set up in 1932.
- In the 1970s, a team of scientists at the Aerospace Corporation in California developed a method for detecting gunshot residue using scanning electron microscopes.
- 1977: Personal Computers became more mainstream with the mass market release of three computers for home users, including the Apple II
- 1981: the IBM PC was released
Source: http://science.howstuffworks.com/forensic-lab-technique1.htm

Brief History of Digital Forensics
What about Digital?
- Digital forensics is still in the early stages of development relative to the other disciplines.
- 1978: Florida Computer Crimes Act – unauthorized modification or deletion of data on a computer system
- Canada passed legislation in 1983
- 1984: FBI Computer Analysis and Response Team (CART) established
- US Federal Computer Fraud and Abuse Act in 1986
- In his 1995 book, "High-Technology Crime: Investigating Cases Involving Computers", K. Rosenblatt wrote: "Seizing, preserving, and analyzing evidence stored on a computer is the greatest forensic challenge facing law enforcement in the 1990s. Although most forensic tests, such as fingerprinting and DNA testing, are performed by specially trained experts, the task of collecting and analyzing computer evidence is often assigned to patrol officers and detectives."

Brief History of Digital Forensics
Courts and legislative bodies are still trying to catch up.
- Court rules against man who was forced to fingerprint-unlock his phone - Unlocking a phone like this "is no more testimonial than furnishing a blood sample." https://arstechnica.com/tech-policy/2017/01/court-rules-against-man-who-was-forced-to-fingerprint-unlock-his-phone/
- Miami sextortion case asks if a suspect can be forced to decrypt an iPhone - Does the Fifth Amendment mean you don't have to hand over your password? https://arstechnica.com/tech-policy/2017/04/miami-sextortion-case-asks-if-a-suspect-be-forced-to-decrypt-an-iphone/
- Man jailed indefinitely for refusing to decrypt hard drives loses appeal. https://arstechnica.com/tech-policy/2017/03/man-jailed-indefinitely-for-refusing-to-decrypt-hard-drives-loses-appeal/
- Judge: Fifth Amendment doesn't protect encrypted hard drives. https://arstechnica.com/tech-policy/2012/01/judge-fifth-amendment-doesnt-protect-encrypted-hard-drives/
- Appeals court: Fifth Amendment protections can apply to encrypted hard drives. https://arstechnica.com/tech-policy/2012/02/appeals-court-fifth-amendment-protections-can-apply-to-encrypted-hard-drives/
- "Get a warrant"—Florida appeals court admonishes cops in two murder cases - Fourth District appeals court rules unanimously in suspects' favor. https://arstechnica.com/tech-policy/2018/09/get-a-warrant-florida-appeals-court-admonishes-cops-in-two-murder-cases/
- License plate reader error leads to traffic stop at gunpoint, court case - Flagged vehicle did not even match the model of what the woman was driving. https://arstechnica.com/tech-policy/2014/05/after-being-held-at-gunpoint-due-to-lpr-error-woman-gets-day-in-court/

Locard's Exchange Principle
Paul L. Kirk expressed the principle as follows:
"Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value."

Locard's Exchange Principle
Questions we need to ask ourselves:
- How does this principle apply to Digital Forensics? Does it even apply?
- Is Digital Evidence the same as Physical Evidence?

What does it take to be a forensic analyst?
- Technical Ability
- Training and Education
- Personal Attributes: Attention to Detail, Organization, Respect for the Process, Ability to be unbiased, Integrity

Battling the CSI effect
The CSI effect – unrealistic expectation of the capabilities, timelines, and general glamorousness of forensic science.
- Juries …and Judges
- Customers: Lawyers, Cops, Overlords
- Public at large

End
Questions?

Digital Forensic Science
EEL4802 - Introduction to Digital Forensics

What is Digital Forensics?
According to Wikipedia: Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.

The Science part is important
- In order for our findings to be admissible in a court of law, we must meet certain standards
- Standards which include following the scientific method

Quick recap on the Scientific Method
1. Making observations
2. Developing a question
3. Making conjectures (hypotheses) and predictions
4. Developing and performing experiments to test those hypotheses/predictions
5. Making observations (results/analysis)
6. Validating or revamping those predictions or hypotheses based on the observations (analysis/conclusion)
Note – This graphic includes an additional step, "Conclusion", which may be considered part of "Analysis" by some.

Digital Forensic Science Method
1. Observe – there was an incident (crime or otherwise)
2. Questions – How did this happen? Who did it? When was this file created? Etc.
3. Hypothesis – this is what we think happened
4. Test – what happens when I do this? What artifacts get left behind?
5. Results – this is what happened on my test device
6. Analysis – do I see the same thing on my suspect device?
7. Conclusion – do I need to do more testing?

Digital Forensics – the search for Digital Evidence
What is Digital Forensics all about? My answer: The analysis of digital media for the presence or absence of digital evidence – data that is useful to an investigation (criminal or civil) – the extraction and preservation of that data, and the presentation of that data in a readable format.

Digital Crime Scene
Crime scene analysts are trained to:
1. respond to a physical location where a crime was possibly committed
2. secure the scene to prevent changes
3. thoroughly document the scene
4. methodically search the scene to locate evidence of potential value
5. secure and collect physical evidence that may be relevant to the case

Digital Crime Scene
Digital Forensic analysts are trained to:
1. respond to a digital location where a crime was possibly committed
2. secure the data to prevent changes
3. thoroughly document the data
4. methodically search the data to locate evidence of potential value
5. secure and extract data that may be relevant to the case

Digital Forensics
What makes digital forensics unique in the world of forensics?
- Investigations try to answer the five W's & H
- DNA and fingerprints can tell you who was there
- Chemistry, Toxicology and fire debris analysis can tell you what a substance is
- Crime Scene can tell you where and, with the help of medical examiners, when
- Digital can tell you why: What was someone thinking? What was their state of mind? Is there any evidence this was premeditated?

Where is Digital Evidence?
- Computers & Laptops
- Tablets, Netbooks, & eReaders
- Cell Phones & Smartphones
- iPods and MP3 players
- Gaming systems
- Flash media (thumb drives, memory cards…)
- DVRs
- GPS devices
- CDs/DVDs/Blu-ray Discs
- Others?

What is Digital Evidence?
Any data stored in a digital format that can be used in a criminal investigation. Digital evidence artifacts can include:
- Chat/Email
- Pictures/Video
- Location Data
- Documents, financial statements, etc.
- Web browsing history/searches
- Peer-to-Peer/Download information
- Etc.

Business and Personal Documents
Artifacts may include personal documents:
- Memos and Letters
- Diaries
- Picture Albums

Financial Data
Even if the investigation does not directly involve financial crimes, financial information can be valuable:
- Investments and Stock Information
- Bank Account Information
- Tax Information
- Business Invoices
- Spreadsheets
- Financial transactions

Contact and Schedule Information
Develop a pattern of life or establish connections to individuals:
- Personal calendars
- Contact lists
- GPS Maps
- Travel Itinerary/Reservations

Communications
- Email, Chats, and Text Messages
- Call History from Cell Phone
- Many more…

Personality Profiles
Based on Internet Search History and/or documents found on the device:
- Medical Conditions
- Travel
- Interests
- Fetishes
- Technical Docs (Schematics, Chemicals, Blueprints, etc.)

Contraband
- Scanned Money
- Checks and Signatures
- Drivers Licenses/IDs
- Child Pornography
- Computer Viruses

File Sharing
- Peer-to-Peer (P2P) programs like Frostwire, Shareaza, Ares, Kazaa, Bearshare, µTorrent, Spiral Frog, eMule...
- Torrents: files are downloaded piecemeal from multiple sources instead of just one source per file
- Websites
- Other ways to share files?

Cloud Storage
Digital Evidence, not stored on the device itself.
- Upload your data for storage on a provider's servers, freeing up space on your local drives and giving you access to your data from anywhere you have internet access
- What if the information is no longer on the device you are examining? Could it still be in the cloud?
- How do we get it from the cloud provider?

Internet Service Provider or Website Host
What information might the ISP have about a particular device that may be useful?
- IP address
- Email
- Logs
What information might the host of a web server have?
- Username or other information
- IP address
- Logs

Evolution of Digital Forensics
- Changes in data storage/device media: flash media, volatility
- Decreasing size, increasing capabilities
- A wireless world
- More networking -> less privacy

Digital World Creates Challenges
- Amount of data! MB -> GB -> TB -> PB -> ????
- Encryption: getting better all the time
- Rapidly changing technology: makes it hard to keep up
- Privacy concerns: device manufacturers are paying attention…

Remember we are Battling the CSI effect
The CSI effect – unrealistic expectation of the capabilities, timelines, and general glamorousness of forensic science. Especially true for Digital:
- We are not all hackers
- We are not all programmers
- Sometimes, the data just isn't there

Digital Forensic Challenges
Unrealistic expectations:
- Can you tell me who was behind the keyboard when this file was downloaded?
- I thought you guys could break any PIN lock.
- What do you mean you can't recover that file that was deleted a year ago?
- Look for any illegal stuff.
- Can you enhance this face so we can get an ID?

Digital is one Part of the Picture
- Forensic scientists do not work in a vacuum
- All disciplines and investigators must work together
- Remember – Digital may not be the only kind of forensic evidence found on a device: Latent Prints? DNA? Who processes it first?

End
Any questions?

Legal role of the Digital Forensic Analyst
EEL4802 - Introduction to Digital Forensics

The Law
- Forensic Analysts are not Lawyers! Legal questions need to be answered by Lawyers.
- However, we need to realize the end game of all our work is… Testimony in Court

Digital Forensics – the search for Digital Evidence
Remember this slide? What is Digital Forensics all about? My answer: The analysis of digital media for the presence or absence of digital evidence – data that is useful to an investigation (criminal or civil) – the extraction and preservation of that data, and the presentation of that data in a readable format.

Evidence?
What is "evidence?"
noun: evidence
1. the available body of facts or information indicating whether a belief or proposition is true or valid.
In this sense, it is not really a legal term.

Evidence – in the eye of the beholder
What is "evidence?"
noun: evidence
1. the available body of facts or information indicating whether a belief or proposition is true or valid.
1. Who determines what is considered evidence during the forensic exam?
2. Who determines what is considered evidence during the investigation?
3. Are there differences between these two?

Evidence in Court of Law
Who determines what is considered evidence in court?
- Lawyers present it to the courts
- The Judge decides if it is admissible

Rules of Evidence
Oh yes! https://www.rulesofevidence.org/
- Adopted by Congress in 1975 (originated in 1972 by the Supreme Court)
- Applies to US Federal Courts – however…
- Relevance, efficiency, reliability and overall fairness of evidence

Digital Forensics / Investigation
Digital Forensic Analyst versus Criminal Investigator
- Non-sworn versus sworn
- Roles and responsibilities
- Legal abilities
- Science?

NAS Report
- In August 2009 the National Academy of Sciences (NAS) issued a report, "Strengthening Forensic Science in the United States: A Path Forward"
- Many recommendations were made to remove bias, improve the scientific nature/study of forensics, and to standardize forensics nationally
Recommendation #4: "To improve the scientific bases of forensic science examinations and to maximize independence from or autonomy within the law enforcement community, Congress should authorize and appropriate incentive funds to the National Institute of Forensic Science (NIFS) for allocation to state and local jurisdictions for the purpose of removing all public forensic laboratories and facilities from the administrative control of law enforcement agencies or prosecutors' offices." (Strengthening Forensic Science in the United States: A Path Forward, http://www.nap.edu/catalog/12589.html, pg 24)

What does recommendation #4 mean?
- The investigator should not be the person conducting the forensics.
- The person conducting the forensics should not be under the "administrative control" of the person conducting the investigation.
- What problems could this cause?

Role of Law Enforcement
Access to contraband: don't really want this stuff to exist outside of controlled environments
- Scanned Money
- Checks and Signatures
- Drivers Licenses/IDs
- Child Pornography
- Computer Viruses
Who has the authority to serve search warrants? Who has the authority to issue subpoenas? It sure isn't the lab geek (despite what you see on TV).

Role of the Forensic Scientist
Expert Witness
- The ultimate role of the forensic scientist, in any discipline, is to testify in court – sometimes as an expert witness
- What is an "expert?"

Expert Witness
Noun: a person who is permitted to testify at a trial because of special knowledge or proficiency in a particular field that is relevant to the case.
What does this mean?
1. Training or experience
2. Makes the evidence more accessible or understood by the trier of facts
3. Court may admit them as an expert witness.
- Experts can give opinions and interpretations in court.
- Defined and regulated under the Federal Rules of Evidence, Rule 702.

Voir Dire
Several definitions, including:
- Questions asked of potential jurors to determine possible bias or conflicts
- Series of questions asked by the attorneys to determine the qualifications and competence of an expert witness
- Any hearing outside the presence of the jury
The series of questions asked by the attorneys to determine the qualifications and competence of an expert witness covers:
- Training and Experience
- Formal Education
- Testimony Experience: Have you ever been an expert before?

Scientific Evidence
- The very nature of scientific evidence makes it difficult for judges and juries to understand
- Can't be an expert in all things
- Difficult to determine if someone is an expert or their science is valid if you don't understand it
- What qualifies as "scientific evidence"?

Frye Standard
- Frye is based on a 1923 Federal Court of Appeals ruling involving the admissibility of polygraph evidence
- The Frye standard, Frye test, or general acceptance test is a test to determine the admissibility of scientific evidence. It provides that expert opinion based on a scientific technique is admissible only where the technique is generally accepted as reliable in the relevant scientific community. (en.wikipedia.org/wiki/Frye_standard)

Daubert Standard
- Frye is fine, but then no new or novel science can be admissible, as it cannot be regarded as "generally accepted" in the scientific community
- In the landmark Supreme Court case Daubert v. Merrell Dow Pharmaceuticals, in 1993 the court ruled that Rule 702 of the Federal Rules of Evidence did not incorporate the Frye "general acceptance" test as a basis for assessing the admissibility of scientific expert testimony. Instead it ruled that the rule incorporated a flexible reliability standard.
Guidelines for admitting scientific expert testimony:
- Judge is gatekeeper: Under Rule 702, the task of "gatekeeping", or assuring that scientific expert testimony truly proceeds from "scientific knowledge", rests on the trial judge.
- Relevance and reliability: This requires the trial judge to ensure that the expert's testimony is "relevant to the task at hand" and that it rests "on a reliable foundation".
- Scientific knowledge = scientific method/methodology: A conclusion will qualify as scientific knowledge if the proponent can demonstrate that it is the product of sound "scientific methodology" derived from the scientific method.
- Illustrative factors: The Court defined "scientific methodology" as the process of formulating hypotheses and then conducting experiments to prove or falsify the hypothesis, and provided a set of illustrative factors (i.e., not a "test") in determining whether these criteria are met:
  - Whether the theory or technique employed by the expert is generally accepted in the scientific community;
  - Whether it has been subjected to peer review and publication;
  - Whether it can be and has been tested;
  - Whether the known or potential rate of error is acceptable; and
  - Whether the research was conducted independent of the particular litigation or dependent on an intention to provide the proposed testimony
Source: http://en.wikipedia.org/wiki/Daubert_standard

Daubert versus Frye
Frye
- Relies on the scientific community to determine what is "generally accepted" science
- Judge's role as gatekeeper is limited – rely on the scientific community
Daubert
- If a method is relevant, reliable and follows the rules of evidence, it does not have to be "generally accepted as reliable" to be admissible
- Judge's role as gatekeeper is much more liberal

Why do we have these standards?
- Science is complicated, and the courts need experts they can rely on
- Standards help to prevent: junk science, pseudoscience, wrongful convictions, wrongful exonerations, unscrupulous "experts"
- The court system places a lot of trust in the forensic expert.
- Judges and juries cannot be experts in all the sciences that go into forensic analyses
- The consequences of getting it wrong are severe!

Trouble in Forensics
There have been lots of problems in the forensic science disciplines over the past several years:
- Massachusetts chemist charged in "dry-labbing" incident: http://cen.acs.org/articles/90/i41/Chemist-Charged-Crime-Lab-Scandal.html
- North Carolina lab agents "manipulated and withheld the results of hundreds of tests…": http://www.huffingtonpost.com/2012/05/14/north-carolina-state-bureau-of-investigation-duane-deaver_n_1516328.html
- FDLE chemist stole evidence: http://articles.orlandosentinel.com/2014-02-04/news/os-fdle-chemist-arrested-20140204_1_criminal-cases-fdle-commissioner-gerald-bailey-chemist
- FBI overstates analysis value of hair and trace analysis: http://arstechnica.com/science/2015/04/the-science-and-lack-thereof-behind-the-fbis-retreat-on-hair-analysis/
- Expert witness falsifies credentials: http://www.fox13news.com/news/local-news/expert-witness-accused-of-lying-about-credentials

Legal Issues
As a newer forensic discipline, there is an ever-shifting legal landscape when it comes to digital. Especially in regards to passwords:
- https://arstechnica.com/tech-policy/2018/10/court-teens-driving-killed-someone-but-he-cant-be-forced-to-give-up-passcode/
- https://arstechnica.com/tech-policy/2017/05/judge-miami-reality-tv-star-must-unlock-her-iphone-in-extortion-case/
- https://arstechnica.com/tech-policy/2017/05/jail-looms-large-for-suspects-ordered-to-reveal-forgotten-passwords/

Search Warrant Issues
- The Search Warrant gives law enforcement the authority to search based on probable cause and is signed off on by a judge
- This is in place to protect citizens from unlawful search and seizure (4th Amendment)
The Search Warrant often defines:
- What items may be searched
- Who may do the searching
- Where the search is to take place
- A general time frame in which the search must be conducted

Search Warrant Issues: What items may be searched
- "When electronic storage media are to be searched because they store information that is evidence of a crime, the items to be seized under the warrant should usually focus on the content of the relevant files rather than the physical storage media" (Searching and Seizing Computers and Obtaining Evidence in Criminal Investigations, Computer Crime and Intellectual Property Section, Criminal Division, U.S. Department of Justice, Washington, D.C. (3rd ed. 2009) at 72)
- Care must be taken by the forensic analyst not to exceed the scope of the warrant
- Investigator may need to get a second warrant based on what is found "in plain view"

Search Warrant Issues: Who may do the searching
- Search warrants generally list a law enforcement officer of the particular agency as the conductor of the search
- Other agencies
- Crime lab analysts

Search Warrant Issues: Where the search is to take place
- Language should include removing the items offsite to conduct the forensic analysis

Search Warrant Issues: A general time frame in which the search must be conducted
- The Federal Rules of Criminal Procedure require a search warrant be executed within 10 days of issuance. Forensics in 10 days? I don't think so…
- The Fourth Amendment only requires the forensic analysis of a seized item be conducted within a reasonable time. See United States v. Mutschelkaus, 564 F. Supp. 2d 1072, 1077 (D.N.D. 2008).

End
Any questions?

Best Practices - Digital Forensics
EEL4802 - Introduction to Digital Forensics

Best Practices
…not the only practices
- What you do will depend heavily on where you work
- Battlefield is very different than a cozy crime lab

Best Practices Include
Standard Operating Procedures
- Must be written down
- This is what I did, and this is why I did it
- Maintain some consistency from analyst to analyst or lab to lab
- Should be revised periodically
- Exceptions to SOP may be granted on a case-by-case basis
Quality Control
- Must be written down
- Entire Program of Quality
- Individual in charge of Quality
- Accreditation to prove Quality
Validation Testing
- Must be written down
- How do you know the tools you are using work?
- How do you know the next version of the tool doesn't have some critical bug that will affect your results?
- Maintain a list of validated and approved tools
Proficiency Testing
- Testing the individual
- Testing the system
- Maintaining proficiency – especially important in this field
- Keeping up with new technology
- Verifiable, documented proof that you can do the job

Documentation
- Everything must be carefully documented and saved
- If it is not written down, it didn't happen

Training
- A clear and well-defined training program should be in place
- A qualified trainer should be designated
- Training should cover all fundamentals of the discipline, with competency tests to demonstrate mastery of each topic
- Outcomes and metrics of all training exercises and tests should be clearly defined
- Training should include an overview of Forensic Science and the scientific method
- Training should include a courtroom testimony or public speaking component
- Training should have well-defined benchmarks and a clear end date
- Ongoing training is critical to maintain proficiency in this field
- Training plans and requirements should be written down and clearly understood
- Training can be external or internal, as long as the training is provided by qualified trainers

Examination Environment
Several factors to consider:
- Adequate power and cooling
- Work space free of contaminants
- Limited/controlled access
- Mechanisms to prevent cross contamination

Examination Equipment
Workstation considerations:
- Should be powerful enough to run the tools
- Should provide enough ports of various kinds to attach peripherals
- In most cases should allow the examiner unfettered access to the OS
- Should be familiar to the analyst
- Several options built specifically for forensics
Other forensic tools:
- Cables and batteries
- Write blockers
- Adapters
- Storage media
- Documentation tools (pens, paper, digital camera with all accessories)

Preparing to Begin Analysis
Review any documentation submitted:
- Search Warrant
- Consent to search
- Service Request
- Case summary
Prevent the "open ended" analysis:
- "Look for anything illegal or useful." When am I done?

Standard Operating Procedures
What is the purpose of an SOP?
- Clear set of guidelines for analysts to follow
- Sets out limitations and requirements that must be met
- Keeps everyone in their lanes
- Informs observers
When you sit down to write your SOPs, consider the following:
- Scope of your lab: resources, equipment, capabilities of the personnel
- Not every situation can be addressed: should be specific enough to provide clear guidance, yet vague enough to allow some flexibility. Don't box yourself in.
- Plain language: trainees, overlords, assessors
- If you want people to do it – write it into the SOP
- Look to the future: SOP revisions can and do happen, but how often? What do you have coming down the pipe? Are your SOPs going to handle that?

Standard Operating Procedures: Format
- Different sections to address each process or major point
  - Section 1 – Introduction/Glossary/Definitions
  - Section 2 – Evidence Handling
  - Section 3 – Approved Tools
  - Section 4 – Forensic Imaging of Hard Drives
  - Etc.
- Each section should be clear and concise (nobody likes 100+ page SOPs)
- Organization is key
- Try to group things to avoid repeating yourself
- Remember – people will need to read this thing
- Keep in mind any agency or accreditation requirements
- Numbering schemes can be good, but they can also bite you: if a change is made to add a section, all the numbering can change. Adding a new 3.1.2 means the previous 3.1.2 becomes 3.1.3, the previous 3.1.2.12 becomes 3.1.3.12, etc.
- References to other sections can help, but they can also bite you: if section 5.2 referenced section 3.1.2 – well, that is now 3.1.3, so now 5.2 needs to change to reflect that

Best practices – Tool requirements
Write blockers
- What are they?
- How do they work?
- Why do we need to use one?
Validation Testing
- Why validate your tools?
- Which tools need to be validated?
- How do you validate a tool?

Write Blocker
Write blockers are hardware devices or software programs that prevent data from being written to a device.
Most write blockers work one of two ways:
- It denies all write attempts to the device and reports to the OS that the write was a failure
- It caches all write attempts and reports to the OS that the write is successful, but the data never makes it to the device
Whether it is software or hardware, the write blocker needs to tell the OS something!

Why use one?
- Every time you boot your computer, thousands of files have their date/time stamps updated
- Windows likes to reach out and "touch" any device that is attached to it, often trying to create "Recycle Bins" and other system files on the drive
- These actions constitute manipulation of the data by the analyst – a big problem
- In the legal sense this is an issue because you have to be able to prove what you modified, and what you didn't.
- Any good attorney would question how you could prove that you didn't change the data in question on the drive.
- This is why the use of write blockers is so important.

Validation Testing
- Validation testing is a very common concept in software engineering, project management and software testing
- It is "…the process of checking that a software system meets specifications and that it fulfills its intended purpose." (http://en.wikipedia.org/wiki/Software_verification_and_validation)
- It is important for you as a forensic analyst to validate the tools you use
- We rely on these tools to make interpretations of the data, so we need to know how they work, that they work, and that we have some way to test them

Which tools need to be validated?
No simple answer (it depends):
- Does your write blocker need to be validated? Yes
- Does your primary forensic tool need to be validated? Yes – but can you really test all the functionality of a complex forensic suite?
- Does a tool that carves data from unallocated space need to be validated? Yes – more than likely
- Does a tool that interprets a database need to be validated? Yes – see the Casey Anthony case
- Does your operating system need to be validated? Probably not
- Does a video player need to be validated? Probably not
- Does Microsoft Office need to be validated? Probably not
- It really depends on your agency, the SOPs you have in place, how much record keeping is required and a number of other factors
- Bottom line: if in doubt, it is always better to validate than not to validate

Validation Test Plan
The plan should have several components:
- The item to be validated, including version number if appropriate
- A description of what the tool does (or is supposed to do)
- A general description of how you plan to test the functionality of the tool
- A list of equipment you need to complete the testing

Validation Testing
- Once the validation plan is approved, you can proceed to the testing
- Keep in mind, the testing should be thorough and as complete as possible
- Document everything: digital camera/screenshots
- Also keep in mind, it may not be possible to test EVERY single variable that may exist in an experiment, but do your best to explore all options
- DO NOT FORGET – Digital Forensics is a SCIENCE. Your testing should follow the scientific method as closely as possible

NIST
Welcome to the Computer Forensics Tool Testing (CFTT) Project Web Site. http://www.cftt.nist.gov/
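The two write-blocker behaviours and the validation-plan steps above, as an added example that is not from the lecture slides: a Python model of a drive behind a write blocker, validated the way a lab would do it, by hashing the media before and after a batch of write attempts. The class and function names (BlockedDevice, WriteBlockedError, validate_write_blocker) are this example's own, the evidence bytes are constructed, and an unprotected pass-through mode serves as the negative control that proves the test can fail.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample evidence: 1 KiB of repeating byte values standing in
# for a small drive image. Not real case data.
SAMPLE_MEDIA = bytes(range(256)) * 4


class WriteBlockedError(OSError):
    """Raised in 'deny' mode so the caller (the 'OS') sees a failed write."""


class BlockedDevice:
    """Model of a drive behind a write blocker (hypothetical class).

    mode='deny'  - every write is refused and reported as a failure
    mode='cache' - writes land in a shadow buffer and are reported as
                   successful; the underlying media is never touched
    mode='none'  - no blocker at all (used as the negative control)
    """

    def __init__(self, media: bytes, mode: str = "deny") -> None:
        if mode not in ("deny", "cache", "none"):
            raise ValueError("mode must be 'deny', 'cache' or 'none'")
        self._media = bytearray(media)      # the protected evidence
        self._shadow: Dict[int, int] = {}   # offset -> byte, cache mode only
        self.mode = mode
        self.write_attempts = 0

    def read(self, offset: int, length: int) -> bytes:
        """Return what the OS would see: cached bytes overlay the media."""
        raw = self._media[offset:offset + length]
        if self.mode != "cache":
            return bytes(raw)
        return bytes(self._shadow.get(offset + i, b) for i, b in enumerate(raw))

    def write(self, offset: int, data: bytes) -> int:
        """Attempt a write; what happens depends on the blocker mode."""
        if offset < 0 or offset + len(data) > len(self._media):
            raise ValueError("write outside media bounds")
        self.write_attempts += 1
        if self.mode == "deny":
            raise WriteBlockedError("device is write-protected")
        if self.mode == "cache":
            for i, b in enumerate(data):
                self._shadow[offset + i] = b   # absorbed, never persisted
            return len(data)                   # reported as success
        self._media[offset:offset + len(data)] = data   # unprotected drive
        return len(data)

    def media_hash(self) -> str:
        """SHA-256 of the real media, independent of any cached view."""
        return hashlib.sha256(self._media).hexdigest()


# Writes of the kind the slides describe an OS making on attach: a
# timestamp-style metadata update and a new system file at the end.
ATTACH_WRITES: List[Tuple[int, bytes]] = [
    (0, b"TS"),
    (len(SAMPLE_MEDIA) - 8, b"RECYCLE!"),
]


def validate_write_blocker(media: bytes, mode: str) -> dict:
    """Run the validation plan against one blocker mode.

    Acceptance criterion: the media hash after the write attempts equals
    the hash before them. The OS-facing result of each attempt is recorded
    too, because the blocker must report something for every write.
    """
    dev = BlockedDevice(media, mode)
    before = dev.media_hash()
    os_view = []
    for offset, data in ATTACH_WRITES:
        try:
            dev.write(offset, data)
            os_view.append("success")
        except WriteBlockedError:
            os_view.append("failure")
    after = dev.media_hash()
    return {
        "item": f"BlockedDevice mode={mode}",
        "hash_before": before,
        "hash_after": after,
        "write_attempts": dev.write_attempts,
        "os_view": os_view,
        "passed": before == after,
    }


if __name__ == "__main__":
    for mode in ("deny", "cache", "none"):
        result = validate_write_blocker(SAMPLE_MEDIA, mode)
        status = "PASS" if result["passed"] else "FAIL"
        print(f"{result['item']:<28} {status}  os saw {result['os_view']}")
```

The 'none' run fails the hash check on purpose; a validation plan that cannot produce a failure proves nothing about the tool under test.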