Global Standardization of Forensics will Decrease the Bias Factor of Evidence Collection Procedures and Court Rulings

Interviews – 2018

Angus Marshall, Digital Forensic Scientist

via Angus Marshall
Angus, tell us a bit about yourself. What is your role, and how long have you been working in digital forensics?

Where to begin? I have a lot of different roles these days, but by day I’m a Lecturer in Cybersecurity – currently at the University of York, and also run my own digital forensic consultancy business. I drifted into the forensic world almost by accident back in 2001 when a server I managed was hacked. I presented a paper on the investigation of that incident at a forensic science conference and a few weeks later found myself asked to help investigate a missing person case that turned out to be a murder. There’s been a steady stream of casework ever since.

I’m registered as an expert adviser and most of my recent casework seems to deal with difficult to explain or analyse material. Alongside that, I’ve spent a lot of time (some might say too much) working on standards during my time on the Forensic Science Regulator’s working group on digital evidence and as a member of BSI’s IST/033 information security group and the UK’s digital evidence rep. on ISO/IEC JTC1 SC27 WG4, where I led the work to develop ISO/IEC 27041 and 27042, and contributed to the other investigative and eDiscovery standards.

You’ve recently published some research into verification and validation in digital forensics. What was the goal of the study?

It grew out of a proposition in ISO/IEC 27041 that tool verification (i.e. evidence that a tool conforms to its specification) can be used to support method validation (i.e. showing that a particular method can be made to work in a lab). The idea of the 27041 proposal is that if tool vendors can provide evidence from their own development processes and testing, the tool users shouldn’t need to repeat that. We wanted to explore the reality of that by looking at accredited lab processes and real tools. In practice, we found that it currently won’t work because the requirement definitions for the methods don’t seem to exist and the tool vendors either can’t or won’t disclose data about their internal quality assurance.

The effect of it is that it looks like there may be a gap in the accreditation process. Rather than having a selection of methods that are known to work correctly (as we see in calibration houses, metallurgical and chemical labs etc. – where the ISO 17025 standard originated) which can be chosen to meet a specific customer requirement, we have methods which satisfy much fuzzier customer requirements which are almost always non-technical in nature because the customers are CJS practitioners who simply don’t express things in a technical way.

We’re not saying that anyone is necessarily doing anything wrong, by the way, just that we think they’ll struggle to provide evidence that they’re doing the right things in the right way.

Where do we stand with standardisation in the UK at the moment?

Standardization is a tricky word. It can mean that we all do things the same way, but I think you’re asking about progress towards compliance with the regulations. In that respect, it looks like we’re on the way. It’s slower than the regulator would like. However, our research at York suggests that even the accreditations awarded so far may not be quite as good as they could be. They probably satisfy the letter of the regulator’s documents, but not the spirit of the underlying standard. The technical correctness evidence is missing.

ISO 17025 has faced a lot of controversy since it has been rolled out as the standard for digital forensics in the UK. Could you briefly outline the main reasons why?

Most of the controversy is around cost and complexity. With accreditation costing upwards of £10k for even a small lab, it makes big holes in budgets. For the private sector, where turnover for a small lab can be under £100k per annum, that’s a huge issue. The cost has to be passed on. Then there’s the time and disruption involved in producing the necessary documents, and then maintaining them and providing evidence that they’re being followed for each and every examination.

A lot of that criticism is justified, but adoption of any standard also creates an opportunity to take a step back and review what’s going on in the lab. It’s a chance to find a better way to do things and improve confidence in what you’re doing.

In your opinion, what is the biggest stumbling block either for ISO 17025 specifically, or for standardizing digital forensics in general?

Two things – as our research suggests, the lack of requirements makes the whole verification and validation process harder, and there’s the confusion about exactly what validation means. In ISO terms, it’s proof that you can make a process work for you and your customers. People still seem to think it’s about proving that tools are correct. Even a broken tool can be used in a valid process, if the process accounts for the errors the tool makes.

I guess I’ve had the benefit of seeing how standards are produced and learning how to use the ISO online browsing platform to find the definitions that apply. Standards writers are a lot like Humpty Dumpty. When we use a word it means exactly what we choose it to mean.

Is there a way to properly standardise tools and methods in digital forensics?

It’s not just a UK problem – it’s global. There’s an opportunity for the industry to review the situation, now, and create its own set of standard requirements for methods. If these are used correctly, we can tell the tool makers what we need from them and enable proper objective testing to show that the tools are doing what we need them to. They’ll also allow us to devise proper tests for methods to show that they really are valid, and to learn where the boundaries of those methods are.

Your study also looked at some existing projects in the area: can you tell us about some of these? Do any of them present a potential solution?

NIST and SWGDE both have projects in this space, but specifically looking at tool testing. The guidance and methods look sound, but they have some limitations. Firstly, because they’re only testing tools, they don’t address some of the wider non-technical requirements that we need to satisfy in methods (things like legal considerations, specific local operational constraints etc.).

Secondly, the NIST project in particular lacks a bit of transparency about how they’re establishing requirements and choosing which functions to test. If the industry worked together we could provide some more guidance to help them deal with the most common or highest priority functions.

Both projects, however, could serve as a good foundation for further work and I’d love to see them participating in a community project around requirements definition, test development and sharing of validation information.

Is there anything else you’d like to share about the results?

We need to get away from thinking solely in terms of customer requirements and method scope. These concepts work in other disciplines because there’s a solid base of fundamental science behind the methods. Digital forensics relies on reverse-engineering and trying to understand the mind of a developer in order to work out how to extract and interpret data. That means we have a potentially higher burden of proof for any method we develop. We also need to remember that we deal with a rate of change caused by human ingenuity and marketing, instead of evolution.

Things move pretty fast in DF, if we don’t stop and look at what we’re doing once in a while, we’ll miss something important.

Read Angus Marshall’s paper on requirements in digital forensics method definition here.

The hottest topic in digital forensics at the moment, standardisation is on the tip of everyone’s tongues. Following various think pieces on the subject and a plethora of meetings at conferences, I spoke to Angus Marshall about his latest paper and what he thinks the future holds for this area of the industry. You can […]

via Angus Marshall talks about standardisation — scar


These are the 4 personality types that describes almost everyone, study says —

New research out of Spain suggests that almost all of humanity can fit into one of four types of personalities: optimistic, pessimistic, trusting or envious.

via These are the 4 personality types that describes almost everyone, study says —

The truth about lies and deception…….honest. Can you Spot a Lie?


I have read the terms and conditions. Surely the single greatest lie ever told, certainly in terms of the volume of us who have ticked that box knowing that really we haven’t. However, deception breeds deception, with now-defunct computer game shop Gamestation taking advantage of the aforementioned ‘fib’ by fiendishly incorporating into the small print of their online terms and conditions that they owned the very soul of anyone who blindly ticked the box: ‘the immortal soul clause’, as it was called. Over 7.500 people were caught out on April 1st 2010 - they were refunded their soul in an email.


However, lying, deception, untruthful, false, dishonest, mendacious, perfidious, duplicitous, dissimulating, dissembling and double Janus-facedness is a normal human behaviour; not just human, animals deceive too. Koko the Gorilla had been taught sign language and ruthlessly blamed the ripping out of a sink from a wall on her pet kitten (on the return of her keepers, Koko signed “The cat did it!”). If we are to take an evolutionary view, it is a survival mechanism: a simple smile to someone you despise or feel threatened by is a useful tactic to hide any weaknesses that they may exploit and to conceal your true feelings from them. However, false smiles can be detected if you know where to look – the muscles that generate a warm and honest smile are different to those used when creating a false smile. It’s all in the eyes…you see.

Those lying eyes

The eyes truly are the window to the soul. However, don’t be fooled by so-called Neuro Linguistic Programming techniques (a good example of pseudoscience) which claim that if someone is looking up when telling you something then they are lying. There is little evidence to support this, but it is something that you still hear being peddled around every now and then.

And there lies the crux of the matter…are there any reliable physical cues to deception? Maybe a more fundamental question is: are there any universal responses of facial expression or body language? (The eyebrow flash for recognition of someone is thought to be pretty universal as an involuntary response.) Certainly classic research by Ekman into facial expression has suggested that there are a handful of truly universal expressions. However, deceivingly, there is a long tradition of supposed cues to deception, or ‘tells’ as gamblers would say: little unconscious signs of anxiety or uncertainty due to knowingly attempting to convince someone of something you know not to be true. Going red, not being able to look someone in the eye, looking at someone for too long in the eye, rubbing the back of the neck, rubbing the ear lobes, scratching the nose, excessive blinking (note that psychopaths reportedly blink less and maybe that is why they are better at deceiving people) are all ways many think they can spot a liar – but where does the truth lie?

Bad Lie detectors

Many of these are signs of anxiety, not necessarily deception. Polygraphs (aka lie detectors) have been used for many years in criminal investigations in the United States (and on the Jeremy Kyle show) and provided as evidence; however, a polygraph measures variations in physiological arousal (not lying) and is therefore fundamentally flawed. The American Psychological Association concluded:

The development of currently used “lie detection” technologies has been based on ideas about physiological functioning but has, for the most part, been independent of systematic psychological research. Early theorists believed that deception required effort and, thus, could be assessed by monitoring physiological changes. But such propositions have not been proven and basic research remains limited on the nature of deceptiveness. Efforts to develop actual tests have always outpaced theory-based basic research. Without a better theoretical understanding of the mechanisms by which deception functions, however, development of a lie detection technology seems highly problematic.

For now, although the idea of a lie detector may be comforting, the most practical advice is to remain skeptical about any conclusion wrung from a polygraph. Cited: http://www.apa.org/research/action/polygraph.aspx

F.B.I advice for detection

Good lie detectors

Humans on average can detect lies at marginally above chance level – 54% – but surely professionals such as police officers are better? When Samantha Mann conducted research into a new area of ‘highstake_liars’, she found some interesting results: among the more experienced and stronger lie detectors used in the research, there seemed to be a greater emphasis on story cues rather than the historic notion of body language cues.

Watch the slide show giving an overview of the study below…or read the full highstake_liars article.

The fun of deception

However the detection of lies can be fun……………..in a light entertainment kind of way.  The story cues on the clip below may seem so far fetched that it must be a lie…it must be………..mustn’t it?

Psychlite
