Documenting Computer Forensic Procedures
There are examiners working today in some agencies that do not have documented technical standard operating procedures ( SOPs) for the analysis of digital media. Most likely, this is because there are no Quality Assurance Practices (QAP) being followed and no Quality Assurance Systems (QAS) in those agencies to provide oversight. One requirement of a QAS is the development of a comprehensive Quality Assurance Manual (QAM). The QAM would include the assertion that SOPs must be documented and available for examiners use. SOPs could be incorporated into the QAM itself or documented in a stand-alone manual. It is unacceptable for any agency to be analyzing digital media without having a QAS, a QAM, and documented SOPs. Without these three critical components, there are no assurances to demonstrate that QAPs are in place and being utilized to provide resultsthat are accurate, repeatable, and reliable.
When an examiner is made aware that documented SOPs are needed, he or she generally asks two questions: “What type of outline or format do I use?” and “How much detail should I put into my technical SOPs?” In a previous Digital Insider column, an outline was discussed concerning the style or format for writing policy statements. It can also serve as a template for documenting technical SOPs. Using that outline, a policy and procedure for the analysis of removable hard drives is shown below. It is not intended to be all-inclusive and should beviewed as a guide to writing technical SOPs.
COMPUTER FORENSICS OPERATIONAL MANUAL
- Policy Name: Imaging Removable Hard Drives
- Policy Number/Version: 1.0
- Subject: Imaging and analysis of removable evidence hard drives.
- Purpose: Document the procedure for imaging and analyzing different types of evidence hard drives removed from desktop or laptop computers.
- Document Control:Approved By/Date:
Revised Date/Revision Number:
- Responsible Authority: The Quality Manager (or designee).
- Related Standards/Statutes/References:
A) ASCLD/LAB Legacy standards 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, and 22.214.171.124.
B) ASCLD/LAB International Supplemental requirements: 3 (Terms and Definitions), 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11.
C) ISO/IEC 17025:2005 clauses: 4.1.5 (a, f, g, h, and i), 4.2.1, 4.2.2 (d), 4.2.5, 4.3.1, 4.15.1, 5.3.2, 5.4.1, 5.4.4, 18.104.22.168, 22.214.171.124 (a - c), all of 5.5, all of 5.8, and 5.9.1 (a).
- Scope: Imaging and examining different types of hard drives (SATA, SCSI, and IDE) removed from desktops and laptops.
- Policy Statement:
A) No analysis will be performed without legal authority (search warrant or consent form). If not submitted, the examiner must contact the investigator to obtain the necessary legal authority.
B) Forensic computers are not connected to the Inter-net.
C) All forensic archives created and data recovered during examinations are considered evidence.
D) Changes to this procedure can be made if approved by the Quality Manager, who will document the changes and ensure the revised procedure is validated, if necessary, prior to its use in casework.
1. Section Supervisor
a) Only trained examiners are assigned to work
b) Performs administrative and technical case file
a) Report directly to the section supervisor.
b) Must be familiar with all types of hard drives
that may be encountered as evidence.
c) Responsible for the chain of custody record,
evidence handling, evidence marking and
security, and analysis of evidence.
d) Generate reports and testify in court.
B) Examination Preparation
1. Legal Authority: Examiners are to review the
search warrant or consent form to determine the
scope of the examination. Contact the investigator
to obtain a list of keywords if none is provided.
2. Chain of Custody: All evidence transfers are
documented in the evidence tracking system
3. Safety: All applicable parts of the agency Safety
Manual and the unit’s “Handling Digital Media”
policy and procedure will be followed as
4. Equipment and Materials:
a) Marking pens, evidence tape, anti-static
packaging material, worksheets, etc.
b) Forensic computers
c) Approved forensic software
d) New/sterilized digital media (CDs, DVDs, hard
e) Verified/validated hardware write blockers and
f) Crossover cables
g) Assembly/disassembly toolkits
h) Digital camera
i) Appropriate hard drive standards and controls
5. Special Allowances:
a) If hard drives are not removed or a RAID
configuration exists, refer to the “Cable
Imaging,” “RAID Imaging,” and/or “DOI
b) Hard drives may be password protected. Refer
to the “Breaking Passwords” procedure.
6. Evidence Documentation, Handling, and
a) Photograph and print pictures of evidence for
the case file.
b) Inventory/describe evidence. Record serial
numbers in case file.
c) Mark evidence according to the “Handling
Digital Evidence” procedure.
C) Hard Drive Analysis:
- Select appropriate hard drive standard and control and interface/write blocker.
- Record the forensic computer’s POST in the instrument logbook.
- Image the hard drive standard and control. Record the hash value in both the instrument logbook and case file.
- Complete the “Hardware Documentation Worksheet.”
- Remove evidence hard drive(s).
- Obtain BIOS information from evidence computer.
- Attach evidence hard drive(s) to appropriate interfaces and/or write blockers and image onto wiped hard drive(s).
- Verify hash values and create forensic archive(s) on non-alterable digital media whenever possible.
- Examine the image using in-house verified/validated approved software tool(s).
- Complete the “Analysis Worksheet.”
- Export probative data onto digital media (CD/DVDs, hard drives, etc.).
- Prepare report and submit case file for review, repackage evidence and return to property room.
The policy and procedure example is written in an outline format and references worksheets and other procedures where more detailed information can be obtained. Agencies or units may decide to use a narrative style and incorporate the referenced procedures into one detailed procedure. That would be their choice. Regardless of the amount of detail included, the most important consideration is that all technical standard operating procedures must be documented.
John J. Barbara is a Crime Laboratory Analyst Supervisor with the Florida Department of Law Enforcement (FDLE) in Tampa, FL. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Evidence” published by Humana Press.