Elevating digital forensics: The importance of best practices and standard operating procedures
When it comes to admissibility, your training, experience and documentation may be on trial
By Ryan Parthemore
I have watched the evolution of forensic sciences and the rise of digital forensics over the past 20 years in law enforcement. The definition of forensic science, according to the National Institute of Standards and Technology (NIST), is the application of scientific methods to investigate crimes and examine evidence that may be presented in court. While mature standards and requirements exist in other areas of forensic sciences, such as ballistics, drugs and toxicology, digital forensics is a relatively new field of critical importance to today's investigations.
Digital forensics may be new, but we cannot take shortcuts or make assumptions. It is not enough to push a button to dump a phone and copy the result to external media. As digital forensic practitioners, it is crucial that we elevate the science by building standard operating procedures based on known best practices. The evidence we uncover must not only be admissible in court but also strengthen public trust. This requires ongoing training and education to stay up to date with the latest devices and forensic methodologies.
The International Organization for Standardization (ISO) standard ISO 27037 provides a framework for the collection, analysis and presentation of digital evidence. This framework outlines four principles intended to ensure that evidence is relevant, reliable and sufficient:
- Auditability begins with thoroughly documenting all actions, methods and tools used during the examination. Much like an accountant readying for a financial audit, the digital forensics examiner must prepare for an audit of their methods and procedures.
- Repeatability requires that the steps used to uncover the evidence must be repeatable to be considered reliable.
- Reproducibility means that another expert should be able to arrive at the same evidentiary conclusion.
- Justifiability requires that you explain and defend all actions and methods used during the examination.
The case file must speak for itself. A complete tool log, written narrative, record of steps taken, methods used and chain of custody logs make the difference between admissibility and suppression of digital evidence. Thankfully, spreadsheets, sticky notes and paper forms are not required to comply with this framework. Instead, agencies can leverage cloud-based solutions designed within an accredited digital forensics laboratory to streamline workflow, increase efficiency and decrease backlog.
Cloud-based solutions are unique in that they allow users to access data from any physical location while bridging the network gap between examiners, investigators and prosecutors. These tools, specifically those designed within an accredited digital forensics laboratory so that compliance is built in at their core, can help agencies comply with the ISO 27037 framework at each step of the investigation by:
- Auditability: Providing a real-time repository that documents all actions performed and creates an unbreakable end-to-end chain of custody. Online worksheets build the necessary documentation while providing a vehicle to produce tool logs, packing the case file with the critical data needed to survive any challenge. The chain of custody is built link by link, including everyone who has moved, reviewed or worked on the evidence.
- Repeatability & reproducibility: A quick review of worksheets and templated reporting allows for straightforward duplication of results, by you or by another expert. Templated reporting gives each submission a compliance-oriented forensic narrative and automatically draws on case data to generate readable reports, so you can work more efficiently.
- Justifiability: Cloud-based solutions ensure you have every bit of information needed to take the stand confidently in court, preparing you to answer every question related to your digital forensics examination.
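The auditability and repeatability principles above can be made concrete in code. The following is an added illustration, not part of the original article or of any vendor product: a tamper-evident chain-of-custody log in which every entry records the SHA-256 of the evidence image and commits to the previous entry's hash, so that an edited, dropped or reordered entry breaks verification, and a repeatability check that re-hashes the image against the acquisition hash. The sample image bytes, actors and timestamps are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List

# Constructed stand-in for an acquired device extraction (not a real image).
SAMPLE_IMAGE = b"constructed sample extraction bytes, not a real device image"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int                # position in the log; detects dropped/reordered entries
    timestamp: str          # ISO-8601 time recorded by the examiner's workstation
    actor: str              # who moved, reviewed or worked on the evidence
    action: str             # acquired, sealed, transferred, reviewed, ...
    evidence_sha256: str    # hash of the evidence image at this step
    prev_entry_hash: str    # hash of the previous entry; "GENESIS" for the first
    entry_hash: str = ""    # hash over all fields above; filled in on append


def _hash_entry(e: CustodyEntry) -> str:
    body = {k: v for k, v in asdict(e).items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    """Append-only custody log: each entry commits to its predecessor."""
    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def append(self, timestamp: str, actor: str, action: str, image: bytes) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else "GENESIS"
        e = CustodyEntry(len(self.entries), timestamp, actor, action, sha256_hex(image), prev)
        e.entry_hash = _hash_entry(e)
        self.entries.append(e)
        return e

    def verify(self) -> bool:
        """Recompute every link; any edited, dropped or reordered entry fails."""
        prev = "GENESIS"
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_entry_hash != prev or _hash_entry(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def evidence_unchanged(log: CustodyLog, image: bytes) -> bool:
    """Repeatability: re-hashing the image must reproduce the acquisition hash."""
    return bool(log.entries) and sha256_hex(image) == log.entries[0].evidence_sha256
```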
We have a responsibility to continuously evaluate and elevate our work. Best practices must become memorialized in the standard operating procedure while we embrace new technology to establish compliance.
Remember, when it comes to admissibility, your training, experience and documentation may be on trial.
About the author
Ryan Parthemore joined Cellebrite as a SaaS evangelist following his extended tenure with law enforcement. A veteran in the industry, Ryan has over 20 years of experience as a patrol officer, detective and technical lead in a government digital forensics laboratory. During his time in law enforcement, Ryan completed hundreds of hours of training in digital forensics, performed thousands of digital forensics examinations, represented his unit through ANAB ISO 17025 accreditation, and testified as an expert witness in state and federal courts. Ryan joined Cellebrite to help others in law enforcement find more effective ways to resolve cases.