
The Digital Evidence discipline became part of the American Society of Crime Laboratory Directors/Laboratory Accreditation Board’s (ASCLD/LAB) accreditation program in April 2003. A laboratory conducting forensic analysis in any of its four sub-disciplines (Audio Analysis, Computer Forensics, Digital Imaging Analysis, Video Analysis) must include Digital Evidence when it applies for accreditation or re-accreditation. The ASCLD/LAB Accreditation Manual includes all the standards and criteria that must be met to attain that accreditation.

Part 1 of this article series began with a background discussion of the Digital Evidence discipline and both of ASCLD/LAB’s accreditation programs as well as what should be considered evidence in this growing discipline, including rules and their practical application as they apply to Digital Evidence.

We now continue with suggested practices to attain compliance with select essential standards and criteria. Emphasis is placed upon the Computer Forensics sub-discipline. All criteria cited are derived from the 2003 ASCLD/LAB Legacy Manual.
(Note: Part 1 of this article can be viewed on Forensic Magazine’s website: www.forensicmag.com.)

Marking, Sealing, and Protection of Computers and Digital and Analog Media
Criterion 1.4.1.2 requires that, whenever practical, each individual item of evidence be marked with a unique identifier. This is to ensure that evidence is not mistaken for other, similar-appearing evidence. In some instances the unique identifier may also need to include an item designator.

Criterion 1.4.1.3 requires that all evidence be stored under a proper seal. A container is considered properly sealed (via tape seal, heat seal, or other type of seal) when entering the container causes obvious damage or alteration to the seal or to the container itself. The seal must be sufficient to prevent items from being removed from, or inadvertently lost from, the container. In the Digital Evidence discipline, what to seal and how to seal it is open to discussion. “Is it acceptable to tape seal all the ports, floppy drive, CD drive, etc. on a computer and not have to package it in another container?” “Can I tape seal multiple optical discs in a container without having to individually tape seal them in protective sleeves?” “Is it necessary to place a tape seal across the front of a videotape to prevent it from being accessed?”

Criterion 1.4.1.4 requires that evidence be protected from deleterious change. Questions arise concerning how to protect evidence: “Can several floppy disks or optical discs be packaged together without them having to be individually protected?” “How should hard drives be packaged to prevent potential damage?” “Can multiple forensic images from separate cases be stored and examined on a single forensic analytical computer’s hard drive?” “Can an internal file server connected to a local area network be used to store multiple forensic images from multiple cases generated by multiple examiners?”

Examples illustrating the marking, sealing, and packaging of computers, optical media, floppy diskettes, videotapes, and audiotapes are presented below. They should be used as a guide for attaining compliance with criteria 1.4.1.2, 1.4.1.3, and 1.4.1.4. Other methods may also be appropriate.

Computers Submitted For Analysis
Illustrated in Figure 1A is a computer with tape-seals across the sides of the case and across the power input. The tape-seals include initials and the date seized. The computer is not adequately marked for identification, as no agency case number is indicated. Also, removing the top cover will allow access to its interior. This example does not comply with criteria 1.4.1.2, 1.4.1.3, or 1.4.1.4. The computer illustrated in Figure 1B is identified with the agency case number, item number, and initials. Additionally, the barcode label affixed to the plastic bag contains the agency case number, item number, initials, and the date seized. The plastic bag is tape-sealed, and the seal carries the initials of the person sealing the computer and the date sealed. This would be sufficient to comply with criteria 1.4.1.2, 1.4.1.3, and 1.4.1.4. Figure 1C depicts the same computer, except that it is packaged in a tape-sealed box (opened for illustration purposes).

Hard Drives Submitted for Analysis
The plastic bag containing the hard drive illustrated in Figure 2A is marked with the agency case number, item number, initials, and the date seized. It is also tape-sealed and includes the initials of the person who sealed the plastic bag. The hard drive itself is identified with a case number, item number, and initials. This example is sufficient to comply with criteria 1.4.1.2 and 1.4.1.3. However, the hard drive is not protected from potential damage. To comply with criterion 1.4.1.4, it would need to be packaged in a manner to protect it, such as illustrated in Figure 2B, depicting the same hard drive wrapped in plastic anti-static “bubble-wrap.”

Optical Discs Submitted for Analysis
The plastic bag containing the five optical discs illustrated in Figure 3A is marked with the agency case number, item number, initials, and the date seized. It is also tape-sealed, includes the initials of the person who sealed the plastic bag, and complies with criterion 1.4.1.3. However, the five optical discs are neither identified nor protected from potential damage. To comply with criteria 1.4.1.2 and 1.4.1.4, they should be individually marked for identification (since they all appear the same) and be packaged in a manner that prevents them from moving around within the package. One method of protecting the five optical discs is illustrated in Figure 3B. They are correctly marked, individually identified, and sealed in plastic sleeves. This example complies with all three criteria.

Floppy Diskettes Submitted for Analysis
The plastic bag containing the five floppy diskettes illustrated in Figure 4A is marked with the agency case number, item numbers, initials, and the date seized. Although the plastic bag is tape-sealed, it does not have any initials across the seal and thus would not comply with criterion 1.4.1.3. The floppy diskettes are not marked for identification and are not protected from potential damage. To comply with criteria 1.4.1.2 and 1.4.1.4, they should be individually marked for identification (since they all appear the same) and be packaged in a manner that prevents them from moving around within the package. The five floppy disks illustrated in Figure 4B are individually identified and bound together to prevent them from moving against each other. The plastic bag is appropriately marked and tape-sealed. This example would comply with all three criteria.

Analog Videotapes Submitted for Analysis
The plastic bag containing the videotapes illustrated in Figure 5A includes the agency case number, item numbers, initials, and the date seized. However, the tapes themselves are not identified, which does not comply with criterion 1.4.1.2. Although the plastic bag is tape-sealed, includes the initials of the person who sealed it, and complies with criterion 1.4.1.3, the two videotapes are not individually protected from potential damage. To comply with criteria 1.4.1.2 and 1.4.1.4, they should be correctly marked (agency case number, item number, initials, etc.) and be packaged individually or placed in hard plastic videotape containers, as illustrated in Figure 5B.

Digital Audiotapes Submitted for Analysis
The plastic bag containing the audiotapes illustrated in Figure 6A is marked with the agency case number, item numbers, initials, and the date seized. Since the audiotapes are not marked or identified, this example would not comply with criterion 1.4.1.2. The initialed, tape-sealed plastic bag complies with criterion 1.4.1.3. However, the audiotapes are not protected from potential damage, thus the example may not comply with criterion 1.4.1.4. The tape illustrated in Figure 6B is correctly identified, labeled, sealed, and placed in a hard plastic case, and would comply with all three criteria.

In summary, it is the responsibility of the laboratory to ensure that all evidence received and/or returned is properly identified, properly packaged, and protected from potential damage. A well-written evidence policy will include appropriate language to address all three of these critical issues.

Protection of Digital Forensic Images
There is no analytical reason that would prohibit forensic images from multiple cases from residing on one analytical forensic hard drive. The key is to ensure that the images are kept in separate directories or partitions on the hard drive. Likewise, there is no analytical reason that would prohibit the use of a file server attached to a LAN to store forensic images from multiple cases generated by multiple examiners. Again, there would have to be assurances that reduce the risk of unauthorized access to the digital data, such as each examiner having his/her own partition space on the file server and no examiner being able to access another examiner’s partition. However, care must be taken to ensure that neither the forensic computers, the file server, nor the LAN has any direct access or connection to the Internet. If examiners follow these practices, there should not be any conflicts with criteria 1.4.1.2, 1.4.1.3, or 1.4.1.4.

Validation/Verification of Procedures
Validation is often defined as a process in which a series of experiments is performed to demonstrate the reliability and effectiveness of a technique or procedure. In most forensic disciplines, the validation of procedures is well established, and the process is normally conducted before the procedures are used in casework. Since criterion 1.4.2.6 requires technical procedures to be validated before being used in casework, this also applies to the Digital Evidence discipline. However, in most instances the term verification can be substituted for validation.

Proper validation/verification requires that procedures be subjected to a study that includes a complete understanding of the methodology. This is to ensure that an assessment of the specificity and limitations of the procedure can be determined, along with predicting possible sources of errors. When validating/verifying a procedure, known samples that closely approximate actual evidentiary items must be used. Documentation that the validation/verification was performed and the results of the study must be maintained for historical reference.

In the Digital Evidence discipline, every forensic tool needs to be validated/verified prior to being used in casework. The study does not have to be an extensive process for each tool, and it would only need to be performed once (as long as the tool remained the same). Specifically, regarding the validation/verification of an imaging tool, it is recognized that this approach may not extensively or exhaustively test its total functionality. To do so would subject the process to a potentially months-long validation/verification study; each new upgrade would require the process to be repeated, and the tool could not be used in casework until the testing was completed. This is not a reasonable or realistic expectation. The point is to demonstrate that the imaging tool did not alter, add, or delete any of the known data. Once this has been demonstrated, the conclusion would be that the tool has been validated/verified and can be used in casework. Similar validation/verification studies can easily be performed for virtually all the current forensic data recovery tools used in the Digital Evidence discipline. A simple example: a new tool that can extract emails from a forensic image is purchased. A floppy diskette containing different types of active and deleted email files is prepared and then imaged. Using the new email tool, emails are carved out of the forensic image of the diskette and reviewed. If the tool worked as expected, it would extract the emails without altering, adding, or deleting any of the data. Once the results have been documented, the tool can be used in casework.

Use of Appropriate Standards and Controls
To ensure the validity of results and conclusions, analytical procedures should include the use of standards and controls. Standards are prepared samples of known content that serve as controls when the procedure is run. Traditionally, standards and controls are run in parallel with the unknown(s) at the time of analysis. The use of standards and controls as required by criterion 1.4.2.8 is well defined in other disciplines. An example is the use of known alcohol standards and controls, along with reagent blanks, when performing quantitations of unknown blood alcohol samples in the Toxicology discipline.

Pertaining to the Digital Evidence discipline, the use of standards and controls must be specified in the analytical procedures and their use documented in the case record. For example, in the Computer Forensics sub-discipline, their use can ensure that both the instrumentation and the imaging tool are working correctly prior to imaging evidentiary digital media. However, practicality dictates that additional standards and controls need not be run for every additional forensic tool that may be used in the analysis of the forensic image(s) generated. Subsequent analysis involves using whatever tools are necessary to extract analytical data from the forensic image. Depending on what data is to be carved from the forensic image, it may be necessary to use as many as five or ten (or more) tools. The use of these additional tools is an extension of the analytical procedure. Therefore, running additional standards and controls for each additional forensic tool used in this situation is not warranted, as long as each forensic tool was validated/verified prior to being used in casework. Once the analysis is completed, another standard and control would need to be run prior to imaging evidentiary digital media submitted from another case. Thus, only one standard and control need be run per case.

“What would be an appropriate standard and control in a Computer Forensics procedure?” Although a number of methods can be utilized, the most widely used one is known as the “Floppy Diskette Method.” A floppy diskette is prepared containing several types of known files. It is imaged and hashed, and the resulting information is recorded for future reference. Prior to imaging evidentiary digital media in a case, the examiner images the prepared floppy diskette and verifies that the known files are present and/or that the hash value matches the recorded value. (This result must be documented in the case folder by the examiner.) Once this has been done, the examiner proceeds with imaging the evidentiary digital media.
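The following is an added example, not code from the article or from ASCLD/LAB, modelling the two checks described above: the validation/verification requirement that an imaging tool not alter, add, or delete any known data, and the per-case “Floppy Diskette Method” control run before evidentiary media is imaged. The control medium’s contents, the tool names, the case number and examiner, and the choice of SHA-256 are all assumptions made for illustration; the imaging “tools” are plain functions standing in for real software. The script prepares a known control medium, records its reference hash, then runs three tools against it: a correct bit-for-bit copier, a hypothetical tool that silently zeros an unallocated sector (dropping deleted-file data), and a hypothetical tool whose image is perfect but which writes one byte back to the source, the way mounting media read-write would. Each run produces the entry that would go in the case record.

```python
"""Control-media check for an imaging tool, modelled on the article's
"Floppy Diskette Method". Added example: not the author's or ASCLD/LAB's
code. Medium contents, tool names, case number, examiner and the hash
algorithm are assumptions made for illustration."""
import hashlib
from datetime import datetime, timezone

HASH_ALGORITHM = "sha256"   # assumption; use whatever the laboratory's SOP names
SECTOR = 512

# Known byte patterns at fixed sector offsets stand in for the known active
# and deleted files on a prepared control diskette (constructed data).
KNOWN_FILES = {
    1 * SECTOR: b"KNOWN ACTIVE FILE 1 ",
    2 * SECTOR: b"KNOWN ACTIVE FILE 2 ",
    5 * SECTOR: b"DELETED MAIL REMNANT",   # sits in an unallocated sector
}


def build_control_medium() -> bytearray:
    """Constructed stand-in for the control diskette: 8 writable sectors."""
    medium = bytearray(8 * SECTOR)
    medium[0:3] = b"\xeb\x3c\x90"          # boot-sector jump, as on FAT media
    for offset, content in KNOWN_FILES.items():
        medium[offset:offset + len(content)] = content
    return medium


def digest(data) -> str:
    """Hex digest of a bytes-like object with the configured algorithm."""
    return hashlib.new(HASH_ALGORITHM, bytes(data)).hexdigest()


def missing_known_files(image) -> list:
    """Offsets of known files whose content is not found in the image."""
    return [off for off, content in KNOWN_FILES.items()
            if bytes(image[off:off + len(content)]) != content]


def good_imaging_tool(source) -> bytes:
    """Bit-for-bit copy: the behaviour a validated imaging tool must show."""
    return bytes(source)


def lossy_imaging_tool(source) -> bytes:
    """Hypothetical tool that zeros unallocated sectors, losing deleted data."""
    image = bytearray(source)
    image[5 * SECTOR:6 * SECTOR] = bytes(SECTOR)
    return bytes(image)


def writing_imaging_tool(source) -> bytes:
    """Hypothetical tool that copies correctly but then touches the source,
    as mounting it read-write and updating a dirty flag would."""
    image = bytes(source)
    source[0x41] = 0x01                    # one byte written to the evidence side
    return image


def run_control(tool, tool_name, reference_hash, medium, case_number, examiner) -> dict:
    """Image the control medium and return the entry for the case record.

    PASS requires all three: the image hashes to the reference recorded when
    the control was prepared (nothing altered, added or dropped); every known
    file is still where it belongs; and the source hash is unchanged after
    imaging (the tool did not write to the evidence side).
    """
    before = digest(medium)
    image = tool(medium)
    after = digest(medium)
    image_hash = digest(image)
    missing = missing_known_files(image)
    source_unchanged = after == before
    passed = image_hash == reference_hash and not missing and source_unchanged
    return {
        "case_number": case_number,
        "examiner": examiner,
        "tool": tool_name,
        "hash_algorithm": HASH_ALGORITHM,
        "reference_hash": reference_hash,
        "image_hash": image_hash,
        "missing_known_files": missing,
        "source_unchanged": source_unchanged,
        "result": "PASS" if passed else "FAIL",
        "recorded_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


if __name__ == "__main__":
    # When the control is first prepared: image it once, record the reference hash.
    reference = digest(build_control_medium())
    for tool in (good_imaging_tool, lossy_imaging_tool, writing_imaging_tool):
        entry = run_control(tool, tool.__name__, reference,
                            build_control_medium(), "2003-000123", "J. Doe")
        print(entry["tool"], entry["result"], "missing:", entry["missing_known_files"],
              "source unchanged:", entry["source_unchanged"])
```

The third case is the reason the check compares the source hash before and after imaging rather than only the image against the reference: a tool can produce a perfect image and still have modified the evidence, and the image hash alone would never reveal it. In practice the reference hash, the per-run entry, and the tool name and version belong in the case record exactly as criterion 1.4.2.8 requires.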

Determining Proper Working Order and Calibration of Instruments
Criterion 1.4.2.12 states that analytical instruments should be maintained in proper working order and criterion 1.4.2.13 states that instruments are to be properly calibrated. Both of these criteria are applicable to the Digital Evidence discipline. As it applies to forensic analytical instruments or equipment, calibrate means to standardize by determining the deviation from a standard so as to ascertain the proper correction factors. The analytical instruments or equipment are then adjusted accordingly. In most forensic disciplines where analytical instrumentation is utilized, maintenance/calibration logbooks are maintained for each instrument. These logbooks often contain information such as: (1) when the instrument was placed into operation; (2) its operating parameters; (3) a listing of any repairs that were made to the instrument; (4) documenting upgrades to the software; (5) notations that the instrument was in proper working order; and (6) calibration results.

When a computer is turned on, it automatically performs a series of tests, called the Power On Self Test (POST), which checks the primary components in the system: the central processing unit, read-only memory, the motherboard support circuitry, random access memory, and major peripherals (floppy diskette drive, CD-ROM drive, hard drive, etc.). If the POST encounters a problem severe enough to keep the system from operating properly, it halts the boot process and generates an error message that often identifies the cause of the problem. If no problems are encountered during POST, the system proceeds to boot the operating system, and if the operating system loads without error, the computer is ready to use. For the Digital Evidence discipline, a successful POST and a successful boot into the operating system should be sufficient to determine that the computer is in proper working order (1.4.2.12) and properly “calibrated” (1.4.2.13). This information would need to be recorded for historical purposes.

In the Video Analysis and Audio Analysis sub-disciplines, the same POST and boot into the operating system of computer controlled instrumentation would suffice for compliance with both criteria. Additional instrumentation can be calibrated and conform to traditional calibration methods. For example, a known color test pattern can be used to check/calibrate video equipment prior to using it in casework. Likewise, a known audio frequency pattern can be used to check/calibrate audio equipment prior to using it in casework. Again, this information would need to be recorded for historical purposes.

Summary: A Standard of Acceptability for All Forensic Disciplines
Evidence submitted to a forensic crime laboratory often results in the prosecution and conviction of suspects for crimes committed. To ensure that the criminal justice system and the public as a whole have confidence in the results obtained, there must be a standard of acceptability that can be applied to the work product produced by those crime laboratories. Both of ASCLD/LAB’s accreditation programs can offer a means to attain a standard of acceptability. The accreditation programs can ensure the promotion, encouragement, and maintenance of the highest standards of practice in the forensic community. Further, the accreditation programs can improve quality, assess performance, provide independent review, and meet established standards. The selected criteria discussed above are included in both programs.

Through its Legacy Program, ASCLD/LAB has set the standard of acceptability for forensic crime laboratory accreditation. The addition of Digital Evidence to the Legacy Program further enhanced the accreditation process. With the initiation of its International Program, ASCLD/LAB has extended the standard of acceptability to include the internationally accepted standards contained in ISO/IEC 17025:1999(E) as they apply to testing and calibration laboratories. An increasing number of laboratories will be seeking ASCLD/LAB Legacy or ASCLD/LAB-International accreditation for their Digital Evidence disciplines. Future inspections will potentially lead to new interpretations of, and approaches to, how the criteria are applied.

(Note: This article has not been authorized nor approved by ASCLD/LAB and may not necessarily represent their viewpoints on attaining compliance with the standards and criteria discussed. It represents the viewpoints of the author.)

John Barbara is a Crime Laboratory Analyst Supervisor at the Florida Department of Law Enforcement’s (FDLE) Tampa Bay Regional Operations Center, Tampa Regional Crime Laboratory. Mr. Barbara became an ASCLD/LAB inspector in 1993 and has participated in over 20 laboratory inspections. In December 2003, he was appointed by the ASCLD/LAB Board as Chairperson of the Digital Evidence Proficiency Review Committee. Mr. Barbara has inspected two federal Computer Forensic laboratories, the latter being ASCLD/LAB’s first under its International program.
