17025 for Digital Forensics - Does it make sense?


RobertM

New Member
TRUSTED Contributor
Sep 30, 2018
#1
ISO 17025 is a mandatory standard for Digital Forensics laboratories in the United Kingdom (UK) as of October 2017.

All labs that are not ISO 17025 certified must disclose their ‘non-compliance’ on every report produced.

The following article posted on Forensic Notes is meant to provide information on ISO 17025 and open the discussion around this topic.

This ISO 17025 accreditation will impact how Digital Forensic examinations are conducted in the future and by whom around the globe.

As it stands, views are mixed about the suitability of this standard for Digital Forensics.

Certainly, some Digital Forensic Examiners (DFE’s) believe that using ISO 17025 for Digital Forensics is like placing a square peg into a round hole.


But, is this belief based on fact or fear?

Read the article and then join the discussion:

ISO 17025 - Right for Digital Forensics?




This article will discuss:


What is ISO 17025?

ISO 17025 - Right Fit for Digital Forensics?

 

twicesafe

Administrator
Staff member
Sep 4, 2018
Vancouver, Canada
www.computerforensicsworld.com
Twitter
Forensic_Notes
#2
ISO 17025 is a mandatory standard for Digital Forensics laboratories in the United Kingdom (UK) as of October 2017.
All labs that are not ISO 17025 certified must disclose their ‘non-compliance’ on every report produced.
The following article posted on Forensic Notes is meant to provide information on ISO 17025 and open the discussion around this topic.
This ISO 17025 accreditation will impact how Digital Forensic examinations are conducted in the future and by whom around the globe.
As it stands, views are mixed about the suitability of this standard for Digital Forensics.
Certainly, some Digital Forensic Examiners (DFE’s) believe that using ISO 17025 for Digital Forensics is like placing a square peg into a round hole.



But, is this belief based on fact or fear?
Read the article and then join the discussion:


 

kalinko

New Member
Oct 27, 2018
Germany
#4
I definitely think a Digital Forensics Lab needs a standard and needs to comply with it.

In my experience, ISO Standards (for ISO 9001 and ISO 27001, I don't have experience with ISO 17025 yet) are too expensive.
Also the ISO standards do not give you any content of the necessary processes, SOPs etc. So no best practices, and these are in my opinion the most important things to implement/to have in a Digital Forensics Lab.
I would prefer a smaller standard with guidelines for the general processes and quality controls including the necessary qualifications of the Analysts/Examiners. Also it is helpful when it is described in the standard where a company/laboratory can start with the implementation. You often cannot do it all at once or don't know where to start best.
E.g. for ISO 27001 there is VdS 3473 - Certificate in accordance with VdS 3473 - as an alternative for smaller companies. We use this in Germany for Information Security Management.

Additionally I would prefer Best Practices from the community. I get a lot of information out of the community and this is great. We should use it.
The standard could also be community driven. It's just a question how a Digital Forensics Lab can show the compliance with the standard in a cheap, fast and easy way.
 

athulin

Member
Experienced Member
Oct 18, 2007
#5
I definitely think a Digital Forensics Lab needs a standard and needs to comply with it.
A question that needs to be answered is 'which practices of a digital-forensics lab fall within the scope of 17025?'. I suspect it is a lot less than is usually taken for granted, as digital forensics mixes investigative activities with test lab activities. A bit like the split between 'other' criminal investigations and wet forensics. 17025 would apply to 'wet forensics' lab tests and closely related practices like transporting, storing and perhaps also disposing of 'test samples'.

How little can you get away with? ISO 17025 has some requirements that simply must be present. But the actual 'how do we do this, that and the other?' is not covered by 17025, except as regards some fairly minor formalia. Thus, a 17025 system that contains all the required stuff + one single method/process should formally pass a certification.

The rest could be left to improvement activities. Customer A requires that there is a method for forensic collection of Facebook artifacts. So add it once the issue arises. Customer B requires a method of forensic collection from a particular SCADA system. Add it then.

After all, that's how the system is supposed to work: 1. run your ISO 17025 lab; 2. identify improvements or errors; 3. correct existing processes and methods; 4. introduce them in lab work; and start over at 1.

If you know that customer X in addition to proof of certification needs methods M1, M2, and M3 to do business, add them. But don't do more than you need. This means talking to the prospective customer to establish those needs. Basic processes -- imaging, keeping evidence from different cases separate, erasing media to avoid contamination from previous cases, etc. are probably already in use: it's mainly a matter of documenting them. But again, unless they are required at day 0, wait.

This is, after all, something that should work in the long haul. Doing everything, as some kind of big-bang effort pre-certification, is madness from a business perspective, and I doubt that anyone (except perhaps a competing digital forensic company) is interested in pushing anyone out of the market, except on grounds of lack of valid test results.

Also it is helpful when it is described in the standard where a company/laboratory can start with the implementation. You often cannot do it all at once or don't know where to start best.
That is something that any interest organization for digital forensic practitioners should have on its agenda. If they don't ... what use or relevance are they? And how do they expect to survive for the future? Or is it a field of lone wolves? That more or less by definition precludes cooperation.
 

RobertM

New Member
TRUSTED Contributor
Sep 30, 2018
#6
The standard could also be community driven. It's just a question how a Digital Forensics Lab can show the compliance with the standard in a cheap, fast and easy way.
I think community driven is the key here.

As we've seen with the recent news regarding the Japanese Cyber-Security Minister (Japan's cyber-minister 'never used computers'), many countries have people in power making decisions that don't really understand the issues or HOW technology can help or not work. Combine this with the CSI effect (CSI effect - Wikipedia) and we get solutions and laws written that are extremely difficult to follow, time-consuming or impossible to implement given the quickly changing nature of our field.

By working together as a community, sharing ideas and work-processes, we can hopefully work towards our own standards that are accepted within the courts taking what we can from ones that are currently being implemented.

For those countries that have already moved to 17025, it will be hard to change anytime soon, but for those of us in countries that haven't gone the standards route (yet), we have a chance to work together and determine our own path for the future.

... ISO standards do not give you any content of the necessary processes, SOPs etc. So no best practices,
I've attempted to read over the ISO 17025 standard and as you stated, it just doesn't have any substance to help small Digital Forensics Organizations or individuals understand what exactly they need to do in order to work in this environment.

As we are starting to see in the UK, this will make it extremely difficult for these small organizations to exist.
 

RobertM

New Member
TRUSTED Contributor
Sep 30, 2018
#7
A question that needs to be answered is 'which practices of a digital-forensics lab fall within the scope of 17025?'. ... A bit like the split between 'other' criminal investigations and wet forensics. 17025 would apply to 'wet forensics' lab tests and closely related practices like transporting, storing and perhaps also disposing of 'test samples'.
I think you have a ton of great ideas in this post. The key is a clear line between scientific procedures and day to day work with detailed SOP's for how the work should be completed taking into account the many complexities of the data we deal with.
 
