Laboratory Accreditation Programs

This article explains which accreditation programs apply to forensic laboratories and what their standards are, and also covers risk assessment and the computer forensics investigation methodology.

ISO IEC 17025 Accreditation:

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) are part of the specialized system for worldwide standardization. They develop International Standards in association with technical committees established by the respective organization for particular fields of technical activity.

In 1999, the ISO Committee on Conformity Assessment (CASCO) developed ISO/IEC 17025, which specifies the general requirements for the competence to carry out tests and/or calibrations, including sampling. It covers testing and calibration performed using standard methods, non-standard methods, and laboratory-developed methods. The standard applies to all laboratories regardless of the extent of their testing and/or calibration activities.

A forensic laboratory could and should pursue ISO accreditation to demonstrate competence. The standard has five components: scope, normative references, terms and definitions, management requirements, and technical requirements. The management requirements and technical requirements are the core elements of ISO/IEC 17025. To comply with quality assurance and to obtain valid results, laboratories need to follow this standard.


ASCLD/LAB Accreditation:

The American Society of Crime Laboratory Directors / Laboratory Accreditation Board (ASCLD/LAB) is an international body that accredits forensics labs (not limited to digital forensics). Its main objectives are to promote the development of laboratory management principles, professional interests, and techniques; to acquire, preserve, and circulate forensic information; to improve and maintain easy communication between crime laboratory directors; and to promote, maintain, and encourage industry-standard practices.

The ASCLD provides guidelines for managing a forensics lab and for acquiring official crime-lab accreditation. This institution accredits forensics labs that examine other criminal evidence such as fingerprints and DNA samples. Such a lab is entirely different from a computer forensics lab, which conducts different types of forensic examinations. ASCLD also offers a detailed and wide-ranging accreditation program known as ASCLD/LAB. This board, called the Laboratory Accreditation Board (LAB), offers objective principles for evaluating the quality of a laboratory's work.

ASCLD/LAB recommends an accreditation track for digital forensics that integrates both ISO/IEC 17025 and supplemental ASCLD/LAB requirements specific to laboratory operations. A crime laboratory can voluntarily approach the Crime Laboratory Accreditation Program of ASCLD/LAB to prove that its management, operations, personnel, procedures, instruments, physical plant security, and personnel safety procedures meet the standards. A laboratory with this accreditation demonstrates quality assurance. In addition, proficiency testing and training of laboratory personnel improve the services provided to case investigations.

Data Destruction Industry Standards

Destroying data with industry-standard data destruction methods is essential for sensitive data that must not fall into the wrong hands. The applicable standard depends on the level of sensitivity. Deleting or disposing of data on electronic devices is only a logical operation; the data physically remains on the medium and poses a security threat.

A hard disk stores data in binary form, and when a user deletes that data it can still be recovered with recovery tools. Some high-end tools also claim to recover overwritten data.

Methods such as formatting a hard drive or deleting partitions do not remove file data completely. After evidence has been collected from a computer, however, it is important to destroy the data and protect it from retrieval. The only way to erase the data completely and protect it from recovery is therefore to overwrite it with a pattern of sequential zeros or ones.

The following are some important standards for data destruction:
  • (American) DoD 5220.22-M: This standard destroys the data in the drive's required area by overwriting each sector three times with ones and zeros, then verifying whether the data has been destroyed.
  • (American) NAVSO P-5239-26 (RLL): This is a three-pass overwriting algorithm that verifies in the last pass.
  • (American) NAVSO P-5239-26 (MFM): This is a three-pass overwriting algorithm that verifies in the last pass.
  • (German) VSITR: This method overwrites in six passes with ones and zeros and then with the letter
  • Russian Standard, GOST P50739-95: This wiping method writes zeros in the first pass and then random bytes in the next pass.
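As an added illustration (not code from the original article), the following Python routine performs a multi-pass overwrite of a byte range in a file and then reads the region back to verify the final pass, in the manner of the three-pass and zeros-then-random schedules listed above. The pass schedules are simplified approximations constructed for this example, not the official specifications of those standards.

```python
import os
import tempfile

# Simplified pass schedules modelled on the standards listed above. These are
# illustrative approximations, not the official specifications.
# None denotes a pass of random bytes.
SCHEDULES = {
    "three-pass-ones-zeros": [b"\x00", b"\xff", b"\x00"],
    "zeros-then-random": [b"\x00", None],
}


def wipe_region(path, offset, length, schedule):
    """Overwrite `length` bytes at `offset` once per pattern in `schedule`,
    flushing to disk after each pass, then read the region back and return
    True only if it matches the data written in the final pass."""
    last = b""
    with open(path, "r+b") as f:
        for pattern in schedule:
            last = os.urandom(length) if pattern is None else pattern * length
            f.seek(offset)
            f.write(last)
            f.flush()
            os.fsync(f.fileno())  # force this pass to reach the device
        f.seek(offset)
        readback = f.read(length)
    return readback == last


def demo(schedule_name="three-pass-ones-zeros"):
    """Constructed sample: a temp file with a fake 'evidence' segment in the
    middle, which is sanitized while the surrounding bytes are left intact.
    Returns (verified, file_contents_after_wipe)."""
    header, secret, trailer = b"HEADER--", b"SECRET-EVIDENCE", b"--TRAILER"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(header + secret + trailer)
        path = tmp.name
    try:
        ok = wipe_region(path, len(header), len(secret), SCHEDULES[schedule_name])
        with open(path, "rb") as f:
            after = f.read()
    finally:
        os.unlink(path)
    return ok, after


if __name__ == "__main__":
    verified, contents = demo()
    print("verified:", verified)
    print("contents:", contents)
```

File-level overwriting only reaches the logical blocks the filesystem currently maps, so on SSDs with wear levelling or on copy-on-write filesystems the old blocks may survive; the standards above are applied to whole devices, and firmware secure-erase or physical destruction is preferred for such media.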


Risk Assessment

Risk assessment is useful to understand information security issues in a business context and to assess the impact to the business in case of a security breach.

Risk assessment helps senior management and decision makers in the organization to devise appropriate risk mitigation strategies according to the organization’s goals and resources. A proper risk assessment also helps in minimizing the impact of an incident.

Risk Assessment Matrix

A risk assessment matrix is a graphical representation of the risks of a particular incident and their impact. It shows the likelihood that the incident will occur and the severity of its consequences. The matrix is easy to view and understand, as all the information is available in a single table.

Investigation Phase

After obtaining the required permissions and assessing the case prerequisites, the investigators are ready to investigate the incident. The investigation phase includes various stages and processes that need careful and systematic execution to obtain sound results.

Computer Forensics Investigation Methodology

The computer forensics investigation process is a collection of a wide variety of processes, from incident response to analysis of the crime scene, from gathering evidence to analyzing it, and from documenting to reporting. Each step in this process is equally crucial for the acceptance of the evidence in a court of law and the prosecution of the perpetrators.

Investigation Process (continued)

1. Experimental Design

After formulating the hypothesis, investigators should prepare to experiment and test their plans in order to check that they work. They need to simulate an environment similar to that of the suspect machine to yield accurate results.

This process is a mock drill; it helps the investigator experiment with various methods, select suitable ones for different cases, and choose the type of tools required for the process.

2. Tool Selection

Every case is different and needs a different approach, and tools also differ depending on the platform, operating system, and type of target device. Considerations for selecting a tool include:

  • Digital forensic tools can be:
    – software or hardware;
    – commercial or open source;
    – designed for specific purposes or with broader functionality.
  • It is worth considering commercial tools that have an established market value, as compared to open source tools.
  • Using tools designed for specific purposes allows a diverse and in-depth investigation.
  • No single tool is all-inclusive; it is therefore recommended to have multiple tools at hand.
  • Using multiple tools cross-validates the findings, enhancing the reliability of the evidence.
  • Forensic tools should undergo a validation process before being used for a case, and again each time they are modified or updated.
  • The National Institute of Standards and Technology (NIST) has launched the Computer Forensic Tool Testing (CFTT) project, which establishes a methodology for testing digital forensic tools by developing general tool specifications, test procedures, test criteria, test sets, and test hardware.

First Responder

First response is the first action performed after the occurrence of a security incident. Depending on the type of reaction, the first response can help protect the victim from further damage and can help investigators trace the suspect more easily.

The term first responder refers to the persons who first arrive at the crime scene and access the victim’s computer system after the victim has reported the incident. A first responder may be a network administrator, law enforcement officer, or investigation officer. Generally, a first responder is a person who comes from the forensics laboratory or from the particular agency at the crime scene for initial investigation.

If an incident occurs in a company or on an individual's computer, the victim first contacts the forensics laboratory or the relevant agency for crime investigation. The laboratory or agency then sends the first responder to the crime scene for the initial investigation. The first responder is responsible for protecting the evidence obtained from the crime scene, preserving it, and maintaining its integrity.

The first responder has thorough knowledge of computer forensics investigation. He or she preserves all discovered evidence in a simple, protected, and forensically sound manner. First responders investigate the crime scene in a lawful manner so that the evidence obtained will be admissible in a court of law.

Questions related to this topic

  1. How do computer forensic scientists find evidence?
  2. What are the investigative procedures involving computer forensics?
  3. What is a digital forensics lab?
  4. What are the four steps in collecting digital evidence?

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
