Quality Assurance Practices for Computer Forensics – Part 2
Quality Assurance Practices are essential to ensure the overall quality of
services that a Computer Forensics unit provides. Two of the fundamentals of
quality assurance are a documented Quality Assurance Manual (QAM) and an individual
designated as the Quality Manager (QM) who, irrespective of other responsibilities,
has the authority and obligation to ensure that the requirements of the quality
system are implemented and maintained. These two fundamentals are essential
irrespective of whether the Computer Forensics unit is a stand-alone entity,
a section within a forensic laboratory, or is part of a private corporation
or business. Minimally, the QAM will include quality policies and describe
the various elements of the quality system and the quality practices that are
to be followed. The QAM can be, but does not necessarily need to be, an all-encompassing,
voluminous document. Rather, it can include many detailed quality documents
while making reference to others that can be found elsewhere within the unit.
Over the past several years, I have reviewed both types of QAMs. As long as
all the quality assurance documents are readily available, either approach
will work.
The QAM must include all elements of the quality system and be readily available
to staff members to ensure that they understand its expectations. The staff
member(s) assigned to develop a QAM often view the task as a lengthy, detailed,
time-consuming process. (I am personally aware of many instances where it took
an agency one to two years to develop their QAM. This appears to be the norm
rather than the exception.) Furthermore, once the QAM has been developed and
approved by management, it then becomes the responsibility of the QM to ensure
that its requirements are maintained. Often when management “designates” someone
as the QM, that person does not always understand what is expected of him/her.
Ideally, the QM should not be part of the management structure and, whenever
possible, should be independent of the technical operations of the unit. In
addition, management should ensure that the QM has some training in the concepts
and techniques of quality assurance.
If a Computer Forensics unit is part of an accredited laboratory, the
laboratory’s existing QAM was probably
modified to include the unit’s quality practices. Additionally, the laboratory
QM would oversee the implementation of any additional practices necessary to
ensure that the unit complied with the requirements of the QAM. However, if
the Computer Forensics unit is not part of an accredited laboratory, then most
likely no QAM exists, nor has a person been designated as a QM to oversee the
unit’s quality practices. From personal knowledge, most non-accredited
Computer Forensics units in the law enforcement community and in the private
sector do not have a QAM in place nor do they have a QM. Likewise, there appears
to be a general lack of documentation concerning analytical policies and procedures
and quality practices. This could have potentially disastrous consequences
if legal challenges arise out of the unit’s analytical practices or the
unit resides in a state that requires any entity performing forensic analysis
to be accredited. The unit’s management needs to assess its mission,
beginning by asking some hard questions: Are we providing quality services?
How do we know that we are? What do we need to do to demonstrate that we can
provide quality results?
To avoid these potential consequences, any Computer Forensics unit operating
without a QAM should develop one as soon as possible, regardless of whether
or not the unit will seek accreditation. Listed below in outline form is
a suggested Table of Contents for a QAM. It has been compiled from several
different sources and can be used as a guide:
1.0 INTRODUCTION
1.1 Agency/Management Authority and Management Related Issues.
1.2 Agency/Computer Forensics Unit Mission Statement.
1.3 Quality Policy Statement and Objectives.
1.4 Organization and Management Structure (Organizational Chart).
1.5 Relationships and Responsibilities of Management, Technical Operations, and Support Services.
1.6 Position Descriptions, Statement of Qualifications, and Training Records.
1.7 Departures from Policy and Procedures and Exceptions to the QAM.
1.8 Communications within the Unit/Agency and with External Agencies.
2.0 QUALITY ASSURANCE
2.1 Control and Maintenance of Documentation of Case Records.
2.2 Control and Maintenance of Standard Operational Procedure Manual(s).
2.3 Measurement Traceability to Appropriate Standards (as applicable).
2.4 Types of Examinations Performed.
2.5 Validation/Verification and Methods Development.
2.6 Evidence Handling and Control.
2.7 Use of Standards and Controls in Casework.
2.8 Calibration and/or Maintenance of Analytical Instrumentation.
2.9 Case File Storage and Record Retention.
2.10 Proficiency Testing.
2.11 Technical Case File Review.
2.12 Technical Problems or Discrepancies in Casework.
2.13 Court Testimony Review.
2.14 Quality Manager/Quality Oversight.
2.15 Inventories and Inspections.
2.16 Disclosure of Information.
2.17 Quality Audits and Quality System Review.
2.18 Customer Satisfaction.
2.19 Documenting Policy Changes.
3.0 PERSONNEL TRAINING AND CERTIFICATION
3.1 Training Program.
3.2 Training Coordination.
3.3 Certification.
3.4 Continuing Education and Training.
4.0 SPECIAL PROCEDURES
4.1 Physical Plant Security/Security of the Computer Forensic Unit.
4.2 Health and Safety Program.
4.3 Order to Seal/Expunge Records.
5.0 GLOSSARY
Define terms used in the QAM.
6.0 APPENDIX
Include copies of Evidence/Property Forms, Training Schedules, Testimony
Review Forms, Quality Audit Forms, etc.
The easy part is outlining what should be included in a QAM. The hard part
is writing up the specific policies and procedures that address the individual
quality elements. As previously indicated, not every document needs to be in
the QAM as long as it is referenced therein and the detailed information is
readily available elsewhere within the unit. For example, from the Table of
Contents above, 2.2 Control and Maintenance of Standard Operational Procedure
Manual(s) can be the policy on what to include in the analytical procedures
and make reference to a separate procedures manual. Similarly, 2.5 Validation/Verification
and Methods Development could include the unit’s policy on how to accomplish
a validation/verification and reference where the actual validation/verification
study documentation is maintained.
John J. Barbara is a Crime Laboratory Analyst Supervisor with the Florida
Department of Law Enforcement (FDLE) in Tampa, FL. An ASCLD/LAB inspector since
1993, John has conducted inspections in several forensic disciplines including
Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia
Evidence” to be published by Humana Press in 2007.