Digital Evidence: Standards and Principles, by SWGDE and IOCE (Forensic Science Communications, April 2000)
April 2000 - Volume 2 - Number 2
Standards and Principles
Scientific Working Group on Digital Evidence (SWGDE)International Organization on Digital Evidence (IOCE)
The Scientific Working Group on Digital Evidence (SWGDE) was established in February 1998 through a collaborative effort of the Federal Crime Laboratory Directors. SWGDE, as the U.S.-based component of standardization efforts conducted by the International Organization on Computer Evidence (IOCE), was charged with the development of cross-disciplinary guidelines and standards for the recovery, preservation, and examination of digital evidence, including audio, imaging, and electronic devices.
The following document was drafted by SWGDE and presented at the International Hi-Tech Crime and Forensics Conference (IHCFC) held in London, United Kingdom, October 4-7, 1999. It proposes the establishment of standards for the exchange of digital evidence between sovereign nations and is intended to elicit constructive discussion regarding digital evidence. This document has been adopted as the draft standard for U.S. law enforcement agencies.
The latter part of the twentieth century was marked by the electronic transistor and the machines and ideas made possible by it. As a result, the world changed from analog to digital. Although the computer reigns supreme in the digital domain, it is not the only digital device. An entire constellation of audio, video, communications, and photographic devices are becoming so closely associated with the computer as to have converged with it.
From a law enforcement perspective, more of the information that serves as currency in the judicial process is being stored, transmitted, or processed in digital form. The connectivity resulting from a single world economy in which the companies providing goods and services are truly international has enabled criminals to act transjurisdictionally with ease. Consequently, a perpetrator may be brought to justice in one jurisdiction while the digital evidence required to successfully prosecute the case may reside only in other jurisdictions.
This situation requires that all nations have the ability to collect and preserve digital evidence for their own needs as well as for the potential needs of other sovereigns. Each jurisdiction has its own system of government and administration of justice, but in order for one country to protect itself and its citizens, it must be able to make use of evidence collected by other nations.
Though it is not reasonable to expect all nations to know about and abide by the precise laws and rules of other countries, a means that will allow the exchange of evidence must be found. This document is a first attempt to define the technical aspects of these exchanges.
Acquisition of Digital Evidence: Begins when information and/or physical items are collected or stored for examination purposes. The term “evidence” implies that the collector of evidence is recognized by the courts. The process of collecting is also assumed to be a legal process and appropriate for rules of evidence in that locality. A data object or physical item only becomes evidence when so deemed by a law enforcement official or designee.
Data Objects: Objects or information of potential probative value that are associated with physical items. Data objects may occur in different formats without altering the original information.
Digital Evidence: Information of probative value stored or transmitted in digital form.
Physical Items: Items on which data objects or information may be stored and/or through which data objects are transferred.
Original Digital Evidence: Physical items and the data objects associated with such items at the time of acquisition or seizure.
Duplicate Digital Evidence: An accurate digital reproduction of all data objects contained on an original physical item.
Copy: An accurate reproduction of information contained on an original physical item, independent of the original physical item.
In order to ensure that digital evidence is collected, preserved, examined, or transferred in a manner safeguarding the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system. Standard Operating Procedures (SOPs) are documented quality-control guidelines that must be supported by proper case records and use broadly accepted procedures, equipment, and materials.
Standards and Criteria 1.1
All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency’s policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency’s management authority.
Discussion. The use of SOPs is fundamental to both law enforcement and forensic science. Guidelines that are consistent with scientific and legal principles are essential to the acceptance of results and conclusions by courts and other agencies. The development and implementation of these SOPs must be under an agency’s management authority.
Standards and Criteria 1.2
Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness.
Discussion. Rapid technological changes are the hallmark of digital evidence, with the types, formats, and methods for seizing and examining digital evidence changing quickly. In order to ensure that personnel, training, equipment, and procedures continue to be appropriate and effective, management must review and update SOP documents annually.
Standards and Criteria 1.3
Procedures used must be generally accepted in the field or supported by data gathered and recorded in a scientific manner.
Discussion. Because a variety of scientific procedures may validly be applied to a given problem, standards and criteria for assessing procedures need to remain flexible. The validity of a procedure may be established by demonstrating the accuracy and reliability of specific techniques. In the digital evidence area, peer review of SOPs by other agencies may be useful.
Standards and Criteria 1.4
The agency must maintain written copies of appropriate technical procedures.
Discussion. Procedures should set forth their purpose and appropriate application. Required elements such as hardware and software must be listed and the proper steps for successful use should be listed or discussed. Any limitations in the use of the procedure or the use or interpretation of the results should be established. Personnel who use these procedures must be familiar with them and have them available for reference.
Standards and Criteria 1.5
The agency must use hardware and software that is appropriate and effective for the seizure or examination procedure.
Discussion. Although many acceptable procedures may be used to perform a task, considerable variation among cases requires that personnel have the flexibility to exercise judgment in selecting a method appropriate to the problem.
Hardware used in the seizure and/or examination of digital evidence should be in good operating condition and be tested to ensure that it operates correctly. Software must be tested to ensure that it produces reliable results for use in seizure and/or examination purposes.
Standards and Criteria 1.6
All activity relating to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony.
Discussion. In general, documentation to support conclusions must be such that, in the absence of the originator, another competent person could evaluate what was done, interpret the data, and arrive at the same conclusions as the originator.
The requirement for evidence reliability necessitates a chain of custody for all items of evidence. Chain-of-custody documentation must be maintained for all digital evidence.
Case notes and records of observations must be of a permanent nature. Handwritten notes and observations must be in ink, not pencil, although pencil (including color) may be appropriate for diagrams or making tracings. Any corrections to notes must be made by an initialed, single strikeout; nothing in the handwritten information should be obliterated or erased. Notes and records should be authenticated by handwritten signatures, initials, digital signatures, or other marking systems.
Standards and Criteria 1.7
Any action that has the potential to alter, damage, or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner.
Discussion. As outlined in the preceding standards and criteria, evidence has value only if it can be shown to be accurate, reliable, and controlled. A quality forensic program consists of properly trained personnel and appropriate equipment, software, and procedures to collectively ensure these attributes.
SWGDE’s proposed standards for the exchange of digital evidence will be posted on the National Forensic Science Technology Center, Law Enforcement Online, and IOCE Web sites in the near future.
Comments and questions concerning the proposed standards may be forwarded to email@example.com or firstname.lastname@example.org.
International Organization on Computer Evidence (IOCE)
The International Organization on Computer Evidence (IOCE) was established in 1995 to provide international law enforcement agencies a forum for the exchange of information concerning computer crime investigation and other computer-related forensic issues. Comprised of accredited government agencies involved in computer forensic investigations, IOCE identifies and discusses issues of interest to its constituents, facilitates the international dissemination of information, and develops recommendations for consideration by its member agencies. In addition to formulating computer evidence standards, IOCE develops communications services between member agencies and holds conferences geared toward the establishment of working relationships.
In response to the G-8 Communique and Action plans of 1997, IOCE was tasked with the development of international standards for the exchange and recovery of electronic evidence. Working groups in Canada, Europe, the United Kingdom, and the United States have been formed to address this standardization of computer evidence.
During the International Hi-Tech Crime and Forensics Conference (IHCFC) of October 1999, the IOCE held meetings and a workshop which reviewed the United Kingdom Good Practice Guide and the SWGDE Draft Standards. The working group proposed the following principles, which were voted upon by the IOCE delegates present with unanimous approval.
The international principles developed by IOCE for the standardized recovery of computer-based evidence are governed by the following attributes:
- Consistency with all legal systems;
- Allowance for the use of a common language;
- Ability to cross international boundaries;
- Ability to instill confidence in the integrity of evidence;
- Applicability to all forensic evidence; and
- Applicability at every level, including that of individual, agency, and country.
These principles were presented and approved at the International Hi-Tech Crime and Forensics Conference in October 1999. They are as follow:
- Upon seizing digital evidence, actions taken should not change that evidence.
- When it is necessary for a person to access original digital evidence, that person must be forensically competent.
- All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
- An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
- Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
Other items recommended by IOCE for further debate and/or facilitation included:
- Forensic competency and the need to generate agreement on international accreditation and the validation of tools, techniques, and training;
- Issues relating to practices and procedures for the examination of digital evidence; and
- The sharing of information relating to hi-tech crime and forensic computing, such as events, tools, and techniques.