Appropriate Standards and Controls in Computer Forensics
By: John J. Barbara
Appropriate standards and controls must always be specified in the analytical procedure and their use documented in the case notes. This is a necessary quality assurance practice which ensures that forensic hardware, operating systems, and forensic software are working correctly. In addition, they must be used prior to imaging evidentiary digital media. Likewise, any forensic software tools that are updated from previous versions or newly installed forensic software must be performance verified and/or validated prior to their use in casework. It will be necessary to use appropriate standards and controls to perform and confirm the verification and/or validation process. What would be considered appropriate standards and controls for a Computer Forensics examiner to use? To date, a number of methods or practices have been developed, all relying upon MD5 hashing. Each is described below along with a discussion of its applicability. Other methods and practices may exist.
Hash the Forensic Software Partition or Hash the Imaging Tools Directory: A logical partition is created on a wiped forensic hard drive. Forensic software tools are installed into appropriate directories. An image and the hash value of the logical partition (or of the directory containing the imaging tools) are obtained and archived onto a second hard drive in the forensic computer (which also contains imaging software). Prior to imaging evidentiary digital media, the examiner wipes the logical partition on the forensic hard drive (or the directory containing the imaging tools) and restores it from the archived image. After verifying that the hash values match, the examiner images the evidentiary digital media.

Discussion: This method will indicate whether or not something changed in the logical partition or in the directory containing the imaging tools. It does not test any write blocker or any of the computer’s hardware devices or peripherals (optical drive, floppy drive, USB ports, multimedia ports, etc.) that would be used when imaging other digital media. This is not an appropriate standard and control.
Floppy Disk Method: A wiped floppy disk is prepared with several types of known files. The floppy disk is imaged and the hash values of the floppy disk and files are recorded. Prior to imaging evidentiary floppy disks, the examiner images the prepared floppy disk and verifies that the files are present and that the hash values match. Evidentiary floppy disks are then analyzed using the same floppy drive and imaging software.

Discussion: This method tests the floppy disk drive for operability and the applicable computer interfaces, and determines whether the imaging software is working correctly. It does not test any write blocker or any other computer hardware device or peripheral (optical drive, USB ports, multimedia ports, etc.) that would be used when imaging other digital media. This is an appropriate standard and control to use for imaging floppy disks.
Hard Drive Method: Different types of laptop and desktop hard drives (SATA, IDE, etc.) are purchased. (The practice will be explained for one hard drive, but it applies to all.) A hard drive is wiped and a logical partition created. Known data files are installed into the partition. The hard drive is connected to an interface connector (if necessary), which is connected to a hardware write blocker, and imaged. The hash values of the physical hard drive, logical partition, and/or files are recorded. Prior to imaging an evidentiary hard drive, the examiner images an analogous standard and control hard drive (SATA, IDE, etc.) using an interface connector (if necessary) and a write blocker, and verifies that the files are present and/or that the hash values match. Once verified, the evidence hard drive is imaged using the same hard drive interface connector (if necessary), the same write blocker, and the same interfaces on the forensic computer.

Discussion: The method tests the interface connecting the hard drive to the write blocker (if used), the write blocker itself, the specific interfaces on/in the forensic computer, and the imaging software. However, the method does not test any other write blocker or any of the computer’s hardware devices or peripherals (floppy drive, optical drive, multimedia ports, etc.) that would be used when imaging other digital media. This is an appropriate standard and control to use for imaging hard drives.
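The check that the hard drive method (and likewise the floppy, flash memory, optical and USB methods) describes, written out as an added example; this is not code from the article. The control medium is modelled as the bytes an imaging tool reads from it plus the known files an analysis tool recovers from it; `prepare_control`, `verify_control`, `case_note` and the sample control data are all assumptions of the example. MD5 is used because the article's methods rely on it; SHA-256 is recorded alongside so the archived record does not rest on MD5 alone.

```python
"""Control verification before evidence imaging (added example; not the
article's code). A prepared standard-and-control medium is modelled as the
bytes an imaging tool reads plus the known files an analysis tool recovers."""
import hashlib
from dataclasses import dataclass, field


def digests(data: bytes) -> dict:
    """MD5 (as in the article) and SHA-256 of a byte string, hex-encoded."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


@dataclass
class ControlRecord:
    """Values archived when the control was first prepared and imaged."""
    label: str     # e.g. "SATA control drive #1" (constructed label)
    medium: dict   # digests of the whole medium image
    files: dict    # file name -> digests of that known file


@dataclass
class VerificationResult:
    label: str
    ok: bool
    mismatches: list = field(default_factory=list)     # (name, alg, expected, got)
    missing_files: list = field(default_factory=list)


def prepare_control(label: str, medium: bytes, files: dict) -> ControlRecord:
    """Run once, when the control medium is built: archive its hash values."""
    return ControlRecord(label, digests(medium), {n: digests(b) for n, b in files.items()})


def verify_control(record: ControlRecord, medium: bytes, files: dict) -> VerificationResult:
    """Re-image the control through the same adaptor/write blocker/port that
    will be used for the evidence and compare against the archived record."""
    result = VerificationResult(record.label, ok=True)
    got = digests(medium)
    for alg, expected in record.medium.items():
        if got[alg] != expected:
            result.mismatches.append(("<medium>", alg, expected, got[alg]))
    for name, expected_digests in record.files.items():
        if name not in files:
            result.missing_files.append(name)
            continue
        got_file = digests(files[name])
        for alg, expected in expected_digests.items():
            if got_file[alg] != expected:
                result.mismatches.append((name, alg, expected, got_file[alg]))
    result.ok = not result.mismatches and not result.missing_files
    return result


def case_note(result: VerificationResult) -> str:
    """Case-note entry documenting the control check and the decision taken."""
    if result.ok:
        return f"Control '{result.label}': hash values and known files verified; proceeding to evidence imaging."
    parts = [f"Control '{result.label}': FAILED; evidence imaging NOT performed."]
    for name, alg, exp, got in result.mismatches:
        parts.append(f"  {name} {alg}: expected {exp[:12]}..., got {got[:12]}...")
    for name in result.missing_files:
        parts.append(f"  known file not recovered: {name}")
    return "\n".join(parts)


# Constructed sample control: a small "medium" carrying two known files.
CONTROL_FILES = {"known1.txt": b"known text file\n", "known2.bin": bytes(range(256))}
CONTROL_MEDIUM = b"\x00" * 512 + b"".join(CONTROL_FILES.values()) + b"\x00" * 512
CONTROL_RECORD = prepare_control("SATA control drive #1 (constructed)", CONTROL_MEDIUM, CONTROL_FILES)

if __name__ == "__main__":
    # Healthy path: the control re-images identically.
    print(case_note(verify_control(CONTROL_RECORD, CONTROL_MEDIUM, CONTROL_FILES)))
    # Faulty path: one byte altered on the read path and one known file not recovered.
    bad_medium = CONTROL_MEDIUM[:600] + b"\xff" + CONTROL_MEDIUM[601:]
    bad_files = {"known1.txt": CONTROL_FILES["known1.txt"]}
    print(case_note(verify_control(CONTROL_RECORD, bad_medium, bad_files)))
```

The record is compared before every evidence acquisition, not only when the control is built, and the case note records the outcome either way; on a failure the function leaves the decision (stop, swap adaptor, test a second control) to the examiner rather than imaging anyway.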
Cellular Telephone Standard and Control: Several models covering GSM, CDMA, and PDA types should suffice. The GSM cellular telephone should have a SIM card and a camera feature. Known data is entered into the cellular telephone and/or onto its SIM card. There are some issues to consider regarding cellular telephones used as standards and controls: (a) they have to be turned on, thus the date and time will continually be updated; (b) commercially available analytical products do not provide a means to write-block a cellular telephone; and (c) hash values generated from cellular telephones will not be consistent from one analysis to the next because they include time and date information. One software product can provide an option to compare the acquisition and final hash values. Regardless of these issues, the known data can be viewed and/or recovered (and the hash values verified) from the cellular telephone standard and control. This provides assurances that the equipment and/or software are functioning correctly. Once this has been determined, the evidentiary cellular telephone can be analyzed using the same equipment and/or software. SIM cards can be analyzed via a write blocker as indicated in the Compact Flash Memory Media method below.

Discussion: The analysis of cellular telephones needs to be conducted in an environment that will block the receipt of incoming signals, which could be new phone calls, text messages, etc. Generally, placing the phone in a Faraday bag or conducting the analysis in a room that blocks RF will suffice. The applicable cellular telephone standard and control will test the connection(s) to the computer containing the analytical software or to a commercially available analytical product (if used). It will also provide assurances that the software is functioning correctly. This is an appropriate standard and control to use for examining cellular telephones.
Compact Flash Memory Media: Digital cameras and some cellular telephones often contain flash memory cards of varying sizes. Several different types are purchased (SD card, mini SD card, micro SD card, Compact Flash card, SIM card, etc.), wiped, and known data is placed on the media using the appropriate digital device. (The process will be explained for one flash memory card, but it applies to all.) The memory card is inserted into the appropriate media port on an external USB flash memory card reader which is attached to a USB write blocker. It is imaged and the hash values of the media and/or files are recorded. Prior to imaging an evidentiary flash media card, the examiner images an analogous standard and control flash media card (SD, CF, etc.) using an external USB flash memory card reader and a USB write blocker attached to the forensic computer. After verifying that the hash values match, the evidence flash memory card is analyzed using the same USB flash memory card reader, the same USB write blocker and the same interfaces on the forensic computer.

Discussion: This method tests the appropriate flash memory card port on the USB flash memory card reader, the USB write blocker, the interfaces on the forensic computer, and the imaging software. However, the method does not test any other write blocker or any of the computer’s hardware devices or peripherals (floppy drive, optical drive, multimedia ports, etc.) that would be used when imaging other digital media. This is an appropriate standard and control to use for imaging flash memory cards and/or SIM cards.
Optical Digital Media: Known files are burned onto a CD and a DVD. The optical media is then imaged and the hash values of the media and/or files recorded. Prior to imaging an evidentiary CD or DVD, the analogous optical digital media (CD or DVD) standard and control is inserted into the forensic computer’s optical drive and imaged. After verifying that the hash values match, the evidentiary digital optical media is then analyzed using the same optical media drive on the forensic computer.

Discussion: Generating a hash value for the standard and control optical media may not be possible if multiple sessions or file systems are present on the optical media. However, if the session was closed on the optical media, the hash values should match; alternatively, the hash values of the individual files that are imaged can be used. This method tests the optical drive’s operability and the imaging software. However, it does not test any write blocker or any of the computer’s hardware devices or peripherals (floppy drive, USB ports, multimedia ports, etc.) that would be used when imaging other digital media. This is an appropriate standard and control to use for imaging a particular type of optical disc.
USB Flash Drive (Thumb Drive): Known files are copied onto a wiped USB flash drive. The USB flash drive is connected to a USB write blocker which is connected to a USB port on the forensic computer. It is then imaged and the hash values of the flash drive and/or files are recorded. Prior to imaging an evidentiary USB flash drive (or USB device with internal memory), the prepared USB flash drive is imaged using a USB write blocker and USB port on the forensic computer. After verifying that the hash values match, the USB flash drive is removed and replaced with the evidentiary USB flash drive (or USB device with internal memory) and imaged using the same USB write blocker and USB port on the forensic computer.

Discussion: This method tests the USB write blocker, the USB port on the forensic computer, and the imaging software. However, it does not test any other write blocker or any of the computer’s hardware devices or peripherals (floppy drive, optical drive, multimedia ports, etc.) that would be used when imaging other digital media. This is an appropriate standard and control for imaging USB flash drives or any other USB device with internal memory (digital camera, etc.).
Using the Evidence Itself: As this method implies, the actual evidentiary digital media itself is used as its own standard and control. For example, an evidence hard drive is attached to a write blocker, imaged, and its acquisition hash value verified by the imaging software. When the image file is opened for analysis, the hash value is verified by the software. The hash value should be the same as the acquisition hash value. After analysis, the image file is re-verified and, if the hash values match, the presumption is that no changes occurred during the analysis of the image.

Discussion: This method has several inherent problems. First, no other forensic science discipline uses the submitted evidence as its own standard and control during its analysis. This is not an accepted scientific practice. Second, submitted digital evidence cannot be its own standard and control since it has unknown properties. A standard is a prepared sample that has “known properties.” The hash value of evidentiary digital media will not be determined until it is imaged. Many factors can influence the hash value obtained, or whether the digital media is actually recognized by the forensic computer or its forensic software. There are known instances of different hash values being generated from the same digital media when it was imaged using different software and/or hardware write blockers, using different USB ports on a forensic computer, or using different forensic computers. Third, since submitted digital evidence is not a sample with known results (it contains unknown files, images, etc.), it cannot be considered a control. The purpose of a control is to demonstrate that a procedure is working correctly. For our purposes, a procedure is inclusive of all the hardware and software necessary to image and examine the digital media. Even though the acquisition and verification hash values may match after analysis, there are no assurances that it actually was/is the hash value of the digital media. The hash value generated is assumed to be correct. The method does demonstrate that the image file on the forensic computer’s hard drive has not been altered. This could be important in certain circumstances. This is not an appropriate method or standard and control for imaging digital media.
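To make the third objection concrete, here is an added example (not the article's code) that simulates two acquisition paths reading the same medium: a sound one and a constructed faulty one that silently drops the last sector. In both cases the image's acquisition hash matches its own verification hash, so the "evidence as its own control" check passes; only a prepared control with an archived hash value tells the two paths apart. The path functions, `acquire`, `self_verify`, `control_check` and the sample media are assumptions of the example.

```python
"""Why evidence cannot be its own control (added example; not the article's
code). Self-verification only shows that the stored image file is unchanged;
it cannot show that the acquisition path read the medium correctly."""
import hashlib
from typing import Callable


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sound_path(medium: bytes) -> bytes:
    """A correctly working adaptor/write blocker/port: every byte is returned."""
    return medium


def truncating_path(medium: bytes) -> bytes:
    """Constructed fault: the last 512-byte sector is never returned to the imager."""
    return medium[:-512]


def acquire(medium: bytes, path: Callable[[bytes], bytes]) -> tuple:
    """Image the medium through the given path; return (image, acquisition hash)."""
    image = path(medium)
    return image, md5_hex(image)


def self_verify(image: bytes, acquisition_hash: str) -> bool:
    """The 'evidence as its own control' check: does the stored image still
    hash to the acquisition value? True whenever the image file is unchanged,
    regardless of whether the acquisition itself was correct."""
    return md5_hex(image) == acquisition_hash


def control_check(control_medium: bytes, archived_hash: str,
                  path: Callable[[bytes], bytes]) -> bool:
    """The prepared-control check: re-image a medium with a known hash value
    through the same path and compare to the archived value."""
    _, got = acquire(control_medium, path)
    return got == archived_hash


# Constructed media: a control with known content and an evidence item.
CONTROL_MEDIUM = bytes(range(256)) * 8          # 2048 bytes of known data
CONTROL_ARCHIVED_MD5 = md5_hex(CONTROL_MEDIUM)  # recorded when the control was prepared
EVIDENCE_MEDIUM = b"unknown contents " * 128    # 2176 bytes of "unknown" data


def evaluate(path: Callable[[bytes], bytes]) -> dict:
    """Run both checks over one acquisition path."""
    image, acq = acquire(EVIDENCE_MEDIUM, path)
    return {
        "self_verify_passes": self_verify(image, acq),
        "control_passes": control_check(CONTROL_MEDIUM, CONTROL_ARCHIVED_MD5, path),
        "image_complete": image == EVIDENCE_MEDIUM,
    }


if __name__ == "__main__":
    for name, path in (("sound path", sound_path), ("truncating path", truncating_path)):
        print(name, evaluate(path))
```

The truncating path yields an image that is internally consistent (self-verification passes) yet incomplete; the examiner has no way to notice from the evidence alone, which is exactly the gap a prepared control closes.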
APPLYING APPROPRIATE STANDARDS AND CONTROLS TO COMPUTER FORENSIC ANALYSIS
Now that we have a better understanding of standards and controls, let us review the previous two scenarios and determine which ones could have been used to ensure reliable results. In Scenario #1, two digital cameras with flash memory cards, a computer containing two SATA hard drives, one DVD, a GSM cellular telephone with a SIM card, and a USB flash drive were submitted for analysis.
Cellular Telephone: The examiner had to download software, update the forensic computer, and purchase a data cable. After the download, the software should have been scanned for viruses and then verified using a prepared standard and control GSM cellular telephone. Once it was determined that the data was present and/or the acquisition hash values matched the final hash values, there would have been assurances that the forensic hardware and software were performing correctly. Only then should the evidence GSM cellular telephone have been analyzed. Since this was not done, the results are questionable.
Flash Memory Cards: Since the examiner did not use a USB write blocker, it is unknown if the ports on the external multi-port USB flash card reader or the USB port on the forensic computer were functioning correctly. Likewise, it is unknown if the flash card media reader on the stand-alone commercial cellular telephone product was working properly. The examiner should have connected the external multi-port USB flash card reader to a USB write blocker connected to a USB port on the forensic computer. After testing everything with standard and control flash memory cards analogous to the evidence flash memory cards (SD and SIM), the examiner should have imaged the evidentiary flash memory cards from the camera and cellular telephone. Since this was not done, no determination can be made as to whether the evidence flash memory cards were new, wiped, defective, or actually contained potential probative data.
SATA hard drive “A”: The hard drive was not recognized by the forensic imaging software on the second forensic computer. There is no indication as to whether the SATA adaptor or the write blocker was functioning correctly. The examiner should have imaged an appropriately prepared standard and control SATA hard drive attached to a SATA adaptor and a write blocker. After verifying that the files were present and/or that the hash values matched, the evidence hard drive should have been analyzed using the same SATA adaptor, the same write blocker, and the same interfaces on the forensic computer. If the evidence hard drive was then not recognized, it may have been new, wiped, unformatted, or defective.
DVD: The evidence DVD was not recognized by the forensic computer. The examiner should have attempted to image a prepared standard and control DVD first. If it were not recognized by the operating system, then this would have been an indication that the optical drive was possibly defective or that there were problems with the operating system and/or with the forensic software. Since this was not done, there is no way to know if the evidence DVD was new, defective, blank, etc.
USB Flash Drive: The examiner inserted the USB flash drive into one of the USB ports on the forensic computer, but it was not recognized by the operating system. The examiner should have used a prepared standard and control USB flash drive connected to a USB write blocker attached to the USB port on the forensic computer. If the USB flash drive was not recognized, this would have been an indication that the USB write blocker and/or the USB port on the forensic computer was defective. Additionally, there could have been problems with the operating system and/or with the forensic software. Since this was not done, there is no way of knowing whether or not the evidence USB flash drive was new, wiped, or defective.
In Scenario #2, the examiner connected the proficiency test USB flash drive directly to a USB port on the forensic computer’s motherboard and used a software write blocker to determine its hash value (which was different from the expected hash value). Previously, the imaging software had been verified by the use of the floppy disk standard and control. However, that verification does not determine whether the USB flash drive, the USB port on the forensic computer, or the software write blocker were performing correctly. The examiner should have used a prepared standard and control USB flash drive connected to a USB write blocker attached to the USB port on the forensic computer. Upon imaging, if the hash value of the standard and control USB flash drive was correct, he then should have removed the flash drive and replaced it with the proficiency test USB flash drive and determined its hash value. By doing so, there would have been assurances in place to indicate that the software and hardware were performing correctly. This could then point to the proficiency test and/or the software write blocker as being the cause of the different hash values. Since this was not done, a review committee was appointed to determine the cause of the error. It was determined that the software write blocker was not compatible with the particular brand of USB flash drive.
SUMMARY
There are many standards and controls that can be used in Computer Forensics. At a minimum, these include several different types of hard drives and flash media cards, a USB flash drive, a CD and DVD, a floppy disk, and several GSM, CDMA, and PDA-type cellular telephones, all of which contain known files. Others (such as a zip disk) may become necessary when those particular types of digital media are submitted for analysis. The prepared standards and controls are analogous to the different types of evidentiary digital media that could be submitted for examination.
Prior to using standards and controls in casework, it is important to check their reliability by acquiring and verifying the presence of the files and/or their hash values (using the appropriate adaptors and interfaces) on at least two forensic computers to ensure that they are consistent and reproducible. A Computer Forensics unit needs to prepare and have available several of each media type. If a standard and control fails to provide the correct hash value or is not recognized by the forensic computer’s operating system or its forensic software, it is incumbent upon the examiner to test another identically prepared standard and control. Doing so will enable the examiner to determine if the first standard and control itself was defective or if there are hardware and/or software problems associated with the forensic computer.
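The two rules in this paragraph, acceptance of a control into service only after it hashes identically on at least two forensic computers, and a retest with a second identically prepared control when the first fails in casework, as an added example that is not code from the article. The `ControlInventory` class, the `Diagnosis` outcomes, the labels `USB-1`/`USB-2`/`USB-3`, the computer ids `FC-A`/`FC-B` and the three constructed read paths are all assumptions of the example.

```python
"""Control inventory: acceptance into service and casework triage (added
example; not the article's code). A failed control triggers a retest with a
second identically prepared control, which separates a defective control
from a defective forensic computer, adaptor or write blocker."""
import hashlib
from enum import Enum


class Diagnosis(Enum):
    PROCEED = "control verified; image the evidence"
    CONTROL_DEFECTIVE = "first control failed, second verified; retire the first and proceed"
    SYSTEM_SUSPECT = "two controls failed; suspect forensic computer, adaptors or software; do not image"
    NO_SECOND_CONTROL = "control failed and no second identically prepared control is available; do not image"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


class ControlInventory:
    def __init__(self):
        self._in_service = {}  # media type -> list of (label, archived hash)

    def accept(self, media_type: str, label: str, hashes_by_computer: dict) -> bool:
        """Accept a newly prepared control only if at least two forensic
        computers produced the same hash value for it (reproducibility)."""
        values = set(hashes_by_computer.values())
        if len(hashes_by_computer) < 2 or len(values) != 1:
            return False
        self._in_service.setdefault(media_type, []).append((label, values.pop()))
        return True

    def labels(self, media_type: str) -> list:
        return [label for label, _ in self._in_service.get(media_type, [])]

    def check(self, media_type: str, image_on_this_computer) -> tuple:
        """image_on_this_computer(label) -> bytes read from that control through
        the adaptor/write blocker/port that will be used for the evidence.
        Returns (Diagnosis, [labels tested])."""
        controls = self._in_service.get(media_type, [])
        if not controls:
            raise ValueError(f"no {media_type} control in service")
        tested = []
        for label, archived in controls[:2]:      # first control, then one retest
            tested.append(label)
            if md5_hex(image_on_this_computer(label)) == archived:
                outcome = Diagnosis.PROCEED if len(tested) == 1 else Diagnosis.CONTROL_DEFECTIVE
                return outcome, tested
        if len(tested) < 2:
            return Diagnosis.NO_SECOND_CONTROL, tested
        return Diagnosis.SYSTEM_SUSPECT, tested


KNOWN = bytes(range(256)) * 4   # constructed known content shared by USB-1 and USB-2
KNOWN_MD5 = md5_hex(KNOWN)


def build_inventory() -> ControlInventory:
    inv = ControlInventory()
    # USB-1 and USB-2 hashed identically on forensic computers FC-A and FC-B: accepted.
    inv.accept("usb", "USB-1", {"FC-A": KNOWN_MD5, "FC-B": KNOWN_MD5})
    inv.accept("usb", "USB-2", {"FC-A": KNOWN_MD5, "FC-B": KNOWN_MD5})
    # USB-3 gave a different value on FC-B: not reproducible, not accepted.
    inv.accept("usb", "USB-3", {"FC-A": KNOWN_MD5, "FC-B": md5_hex(KNOWN[:-1])})
    return inv


INVENTORY = build_inventory()


# Three constructed read paths for the casework check on this computer.
def healthy_reader(label: str) -> bytes:
    return KNOWN


def worn_usb1(label: str) -> bytes:
    """USB-1 itself has degraded; USB-2 still reads correctly."""
    return KNOWN[:-1] if label == "USB-1" else KNOWN


def bad_port(label: str) -> bytes:
    """The write blocker or port drops the last byte of every control."""
    return KNOWN[:-1]


if __name__ == "__main__":
    print("in service:", INVENTORY.labels("usb"))
    for name, reader in (("healthy", healthy_reader), ("worn USB-1", worn_usb1), ("bad port", bad_port)):
        outcome, tested = INVENTORY.check("usb", reader)
        print(f"{name}: {outcome.value} (tested {tested})")
```

Keeping at least two identically prepared controls per media type is what makes the `check` routine's second branch possible; with a single control the only honest outcome after a failure is to stop, which the example reports as `NO_SECOND_CONTROL`.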
After imaging evidentiary digital media, additional standards and controls do not necessarily need to be used during the examination of the forensic image generated. Subsequent analysis of the image may involve the use of additional software tools to extract potential probative data. The use of these additional tools is an extension of the analytical method or procedure itself. Therefore, the use of additional standards and controls to coincide with the use of additional forensic tools used in this situation may not be necessary. This would be true as long as each forensic tool (including updates or different versions) was verified and/or validated in the laboratory prior to being used in casework. It is not appropriate to use an externally verified and/or validated software tool or analytical method or procedure in the laboratory unless some sort of performance verification was conducted in-house prior to its use in casework. The use of appropriate standards and controls will be necessary to perform that testing and verification.
Standards and controls serve many functions. They test and verify that appropriate adaptors and write blockers used to connect digital media to forensic computers are not defective. They provide assurances that the applicable forensic computer’s USB ports, optical drive, floppy drive, etc. are functioning properly. They indicate whether or not the forensic computer’s operating system and its imaging/analysis software are functional. Lastly, they provide assurances that the examinations were conducted using scientific practices and principles.
John J. Barbara is a Crime Laboratory Analyst Supervisor with the Florida Department of Law Enforcement (FDLE) in Tampa, FL. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Evidence” published by Humana Press in 2007.