Friday, June 1, 2018

Digital Evidence Collection Standards

In the “missed an announcement in December” category, the US National Institute of Standards and Technology (NIST) released federated testing tools that are “designed to help law enforcement and forensic practitioners” … “in making a copy of the data from a seized electronic device”.

Since courts deal with evidence, we need to discuss this below…


In a press release on December 12, 2017, NIST announced that it had prepared a software suite that “aims to make sure this digital evidence will hold up in court”.

“The federated testing tools allow authorities to run tests in advance on their digital forensic software to make sure ahead of time that it will not fail them when a suspect’s personal computer, media or device arrives in the forensic science lab. Guttman describes the suite as the three most critical tools for evidence acquisition and preservation, each addressing one aspect of the copying process.

One tool tests software for copying computer disks, while another tests mobile device data extraction software. These two test protocols were available previously, but the suite is now completed with a new third test for “write blockers,” which are a sort of one-way valve for data-copying software. An effective write blocker allows data to flow only from the seized device to the copying computer, not the other way around. Later updates to the suite will address additional forensic functions, Guttman said.

The full suite is a freely available Linux file that anyone can download and burn to a blank CD. They can use the disk to boot their workstation and test their copying tools via a user-friendly interface.”

“The NIST software also allows different forensics labs to exchange the results of their tests with each other, so that they can share the burden of exploring how well a copying method works on a specific platform and operating system. Running copying software through its paces generates a report that disparate organizations can share among themselves or with the world, allowing them to indicate whether they found anomalies during the testing or not.”

In addition, this past month (May 2018), NIST released the “Quick Start Guide for Populating Mobile Test Devices” that “provides procedures for documenting and populating various data elements typically found within the contents of a mobile device, e.g., mobile phone, tablet, etc. The guide discusses techniques and considerations for preparing the internal memory of a mobile device for use in testing a mobile forensic tool.”

Many questions come to mind. Where is this digital evidentiary information stored for your court? Is it only on media, or are there online systems? Are multiple DVDs/CDs allowed? If so, how are the contents authenticated and made available to the defense? Are the entire contents of the forensic copy made available and submitted to the court, or only the part that is to be submitted into evidence? Would a summary report be sufficient without the full data?

So we end our article today with a question: does your court or court system have a plan for criminal case digital evidence? If so, I’m sure that our CTB readers would greatly appreciate learning about it.
