How the Audit, Accreditation Process Strengthen Digital Evidence


 

co-authored by Zan Rees, UK Regional Technical Support, Cellebrite

Change is hard to manage in any organization, including law enforcement agencies. When agencies begin or continue the process of auditing digital forensic workflows to obtain accreditation, the change process becomes more prominent—and concerns and negative feelings among officers and staff may also rise.

To law enforcement teams that have not yet been through the accreditation process, audits and performance management sound a lot like, “We’re checking up on you, and wondering if you’re good enough at your job to keep you around.”

It might be a logical misinterpretation, but it’s one that managers need to nip in the bud if the department is to adopt audits and performance milestones. The bottom line is that such audits and accreditations go a long way toward development of sound digital forensics practices, as well as greater acceptance of digital forensic evidence in courtrooms.

Accreditation helps establish standards

If you’re not familiar with the process of obtaining accreditation for a law enforcement agency, or conducting audits, here are the basics. Just as companies can receive accreditations for processes and practices, crime labs, law enforcement agencies, and medical examiner offices can be certified. The accreditation standards are managed by the International Organization for Standardization (ISO), which is a global organization. The ANSI National Accreditation Board (ANAB) provides accreditation services for public and private sector labs and testing facilities.

To receive an accreditation for digital forensics, agencies submit to audits where every step of every evidence-gathering process is examined and recorded. Audits are very detailed, covering every minute step in a workflow, even down to documenting things such as placing a cell phone in a Faraday bag. The attention to incremental steps might seem persnickety, but by ensuring that law enforcement officers, and forensic examiners and investigators carry out evidence-gathering tasks with precision, evidence becomes as conclusive and air-tight as possible.

Simply obtaining accreditation means that your evidence can enter into the court system more smoothly and without as many questions. The law enforcement agency shows its due diligence and high-level understanding of quality.

And by going through an audit and realizing the benefits of efficiency and time-savings, the concerns about being “checked up on” should evaporate.

Another benefit of accreditation is not simply knowing how to manage and examine evidence, but knowing what you don’t need to examine. As part of an audit, examiners can create a scoring system for the priority level of digital evidence in an investigation. Evidence involving a crime like kidnapping or Internet crimes against children (ICAC) would merit a higher score, of course. But other factors can be taken into account, like the importance of the expected evidence to the investigation. Perhaps the evidence isn’t critical to building a case, so the score goes lower. The scoring system allows investigators and examiners to objectively assess devices and evidence, and consider what needs to be analyzed with no delay – or what should be put on the back burner.

How and when audits are done

External auditors visit an agency yearly to update accreditation. Internally, agencies often conduct their own audits quarterly or even monthly to ensure progress is on track. External audits can also cover very specific digital forensic lab workflows, such as accreditation for examination of a cell phone SIM card.

The internal agency employees who are managing regular audits might choose to keep track of major crimes, or particularly important cases such as ICAC, where lab examination and analysis fell short in some way. For instance, if examiners discovered some of their digital forensic equipment cables weren’t working, impacting the ability to complete their work, that’s a detail worth noting. Future internal audits could examine ways to eliminate such problems.

The precision of audits and documentation

As mentioned earlier, audits can involve some very specific and seemingly small steps – but ones that have a major impact on the results. Let’s again take that example of examining a SIM card. If you haven’t done it yourself or watched it being done, you’d think it would be a minor process with few steps – mostly because SIM card technology hasn’t changed much over the years.

But think about what goes on before and after the SIM card data is parsed and analyzed. When the process is considered for accreditation, auditors will ask how an agency performs and documents these processes:

  • How is a SIM card removed from a device and stored?
  • How is it secured?
  • Who signs the bag that the card is stored in?
  • How is the bag opened?
  • How is the card physically handled?
  • Is the card cleaned?
  • Do agents and examiners use gloves when examining the card?

This list is just the beginning – and it doesn’t even address staff training, an important component of auditing and accreditation. All of this information would be contained in a document that law enforcement agency employees would follow throughout the entire lifecycle of a SIM card examination.

The ABCs, KPIs and SLAs

Key performance indicators (KPIs) and service level agreements (SLAs) are also part of the audit process, and help agencies determine if the protocols they’re following help digital forensics labs improve their performance. For example, an agency might decide that for a high-level case, analysis of an associated device needs to begin within 24 hours – that’s the expected SLA. The related KPI might be that the digital forensics team would process 30 phones every month.

The KPIs and SLAs can be adjusted as needed. In addition, if the agency is falling short of its goal, an internal audit could reveal which roadblocks (like dead cables or missed training) were responsible for the shortfall, and the actions that need to be taken.

Streamlining the audit process for better results

When defense attorneys are able to poke holes in digital evidence, gaps in process are often the cause. Audits and performance monitoring are critical for closing these gaps – that is, understanding where there are nonconforming processes, or staff members who aren’t adequately trained.

Fortunately for today’s law enforcement agencies, automation can streamline many of these processes – like using barcode scanning to check items into and out of secure storage. Software platforms can store audit data so it’s easily accessible and can’t get misplaced like messy paper check-in sheets can. If your agency announces an audit and accreditation is on the way, expect to see tools that will make your role in the process much easier.

Forensic's monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high profile cases from child exploitation to Osama Bin Laden’s digital media. 

 
