Saturday, December 4, 2010

Did We Make a Mistake?

The comments from my last blog post were excellent and you can read them here. Troy and Neil are quite correct. There is another accreditation issue looming over the digital forensics community besides digital forensic certification: the accreditation of digital forensics labs, which is something we need to start talking about more as a community. As it stands right now, accreditation of digital forensic labs is voluntary and relatively rare. Only a small percentage of labs have become accredited through organizations like ASCLD/LAB. I’m curious about what others think about this issue. Neil makes a very articulate argument, but I find myself sympathetic to Troy’s position.

My initial thought is that voluntary accreditation against a standard that is specifically tailored to digital forensics labs sounds reasonable enough. However, I have concerns about the concept of mandatory accreditation. For example, it could easily be used to establish a guild system similar to what we see with some state licensing standards. I am also concerned that mandatory lab accreditation standards could stifle innovation. The way we do things in digital forensics changes so quickly that standards would almost certainly not keep up. Remember, it wasn’t all that long ago when pulling the plug from the back of a Windows machine was automatically treated as best practice. Now we’re in the age of live response, and the tools and methods available have changed rapidly.

I wonder if we have made a mistake in the digital forensics community by calling our work areas “labs”. I started in traditional law enforcement, where crime labs were places in which forensic scientists tested all sorts of very perishable evidence that could easily be destroyed or contaminated if great caution wasn’t taken. For example, it makes a great deal of sense to have strict controls in place when you are working with blood samples. Improper storage and handling are likely to result in destroyed or tainted evidence.

While there are very valid concerns about tainting digital forensics evidence that need to be continuously addressed, we’ve got it a lot easier than our colleagues in traditional crime labs. We can easily create digital storage containers like forensic images with free and widely accessible tools that can be safely used outside of a controlled environment such as a traditional crime lab. One of the greatest gifts to digital forensics examiners is the simple hash value. You can’t hash a blood sample, but you certainly can hash an image of a hard drive. I can make an unlimited number of identical copies of my digital evidence. You can’t do that with blood.

You can also put a forensic image of a hard drive on your laptop, bring the laptop down to Starbucks, and do a proper and defensible digital forensics exam while sipping your Gingerbread Latte. Do that with a blood sample and you’re going to have a very uncomfortable court experience in your future. With digital evidence, I can take my evidence, put it on an external hard drive, leave it unsupervised on the floor of a busy shopping mall for days on end, and I can still show that nothing was altered by using hash values. Blood? Not so much.
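To make the hash argument concrete, here is an added example (not code from the original post): a constructed block of bytes stands in for a disk image, the digests recorded at acquisition are kept, and both an identical working copy and a deliberately corrupted copy are checked against them. Recording more than one algorithm is deliberate, since MD5 on its own is no longer considered collision-resistant.

```python
import hashlib

# Constructed sample standing in for a forensic image file (16 KiB of known bytes).
ACQUIRED_IMAGE = bytes(range(256)) * 64


def hash_image(data: bytes, algorithms=("md5", "sha256"), chunk_size=4096) -> dict:
    """Hash the image in fixed-size chunks, as a tool streaming a large file would,
    and return {algorithm: hexdigest} for every algorithm requested."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(data: bytes, recorded: dict) -> dict:
    """Re-hash a working copy and compare it with the digests recorded at acquisition.
    Returns {algorithm: matched}; a copy is trusted only if every algorithm matches."""
    current = hash_image(data, algorithms=tuple(recorded))
    return {name: current[name] == recorded[name] for name in recorded}


def all_match(result: dict) -> bool:
    """True only when every recorded digest was reproduced."""
    return all(result.values())


def tampered_copy(data: bytes, offset: int) -> bytes:
    """Constructed mishandled copy: a single bit flipped at the given offset."""
    mutable = bytearray(data)
    mutable[offset] ^= 0x01
    return bytes(mutable)


if __name__ == "__main__":
    recorded = hash_image(ACQUIRED_IMAGE)      # digests written down at acquisition
    working_copy = bytes(ACQUIRED_IMAGE)       # one of many identical copies
    print("clean copy verifies:", all_match(verify_image(working_copy, recorded)))
    damaged = tampered_copy(ACQUIRED_IMAGE, 9000)
    print("tampered copy verifies:", all_match(verify_image(damaged, recorded)))
```

The clean copy reproduces every recorded digest while the copy with one flipped bit fails on all of them, which is exactly the demonstration an examiner relies on in court.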

Consider an independent digital forensics consultant who works out of his house while traveling most of the time doing incident response work. Does he need to have his “lab” accredited?  Does that make any sense? What exactly constitutes his “lab”? His laptop where he does most of his forensics work in some hotel room? His home office where he spends less time than on the road?

How does this sort of thing scale into the future? What if a digital forensics lab uses some sort of Software-as-a-Service type provider for some of its examination work? Does that outside provider also need to be an accredited digital forensics lab?

I understand why traditional crime labs need to have very strict standards and why ASCLD/LAB accreditation style standards are embraced.  What I’m having a problem with is equating what we do with digital evidence to what these traditional forensic science labs do with their evidence.  If we adopt artificially stringent standards that weren’t originally intended for digital forensics, we could put a lot of private entities and smaller law enforcement organizations out of business at a time when we need more capacity to keep up with the increasing demand for digital forensics.