Wednesday, June 18, 2014

Who gets DME better, SWGIT or SWGDE?

Yesterday's post featured an avalanche of new documents from SWGDE. One of note, Digital and Multimedia Evidence (Digital Forensics) as a Forensic Science Discipline, raised a few eyebrows around here. "Video Forensics" has largely been the domain of SWGIT. Now, out of the blue, comes SWGDE with their take on DME.

From the SWGDE document: "The purpose of this paper is to provide an abstract to assist the reader in understanding that digital forensics is a forensic science and to address confusion about the dual nature of the application of digital forensics techniques as both a forensic science and as an investigatory tool."

I love that they break down what they mean in clear terms: "As with other forensic science disciplines, the key attributes of digital forensics applied throughout the entire examination process, from collection through analysis and reporting, are:

  • Use of a quality management system containing standard operating procedures and an effective quality assurance program.
  • Proficient analysts with appropriate training, expertise, and experience.
  • Use of validated tools, processes, and methodologies.
  • Objectivity – the forensic analyst must be insulated from work-related undue pressures that could compromise the quality of work."

To help translate the document a bit, they try to differentiate between "forensic science" and "investigatory tool." I would argue that there should be no such difference. To me, when I hear "investigatory tool," I think "just trying to get something done." I think, untested, unvalidated, unreliable.

By way of example, let's take mobile phones. An officer recovers a mobile phone from a suspect. He takes the phone, starts browsing through the messages and photos, and finds a photo in the gallery that seems to aid in the investigation. Not having training in mobile phone analysis, nor access to someone within that "search incident to arrest" time frame, the officer takes a picture of the phone's display with his own mobile phone.

For many investigations, it stops there. They have the picture they need. No further analysis is requested ... or maybe they don't have an analyst on staff or lack proper tools.

But, how can you answer questions about the photo on the suspect's phone? How did it get there? Did the phone generate it? Did an app generate it? Is it contextually authentic? You won't know without the phone and the original photo. You got something done, but you might have gotten it completely wrong.

Just something to consider.
