Angus M. Marshall*
n-gate Ltd, Oak House, Market Place, Bedale, North Yorkshire DL18 1AQ, United Kingdom
1. Introduction

In the world of forensic science there is an ongoing debate about the use of quality standards as a means of demonstrating the suitability of scientific methods for the production of material which can be used within the criminal justice system. To a large extent, the position in the UK can be summed up by the following statements from the “Forensic Science on Trial” report¹

“171. Establishing the validity of new scientific techniques or theories, and the basis for their interpretation, is essential before evidence derived from them can be used in court.”

“173. The absence of an agreed protocol for the validation of scientific techniques prior to their being admitted in court is entirely unsatisfactory. … and should build on the US Daubert test.”

“172. The Daubert principles require expert testimony to be tested against four criteria:

- Whether the theory or technique can be (and has been) tested
- Whether the theory or technique has been subjected to peer review and publication
- In the case of a particular technique, what the known or potential rate of error is or has been; and
- Whether the evidence has gained widespread acceptance within the scientific community.”

The process leading to this report was, itself, instigated partly as a result of the controversy and confusion surrounding the use of Low Template DNA following the Omagh bombing case. In the final judgment of R. v. Hoey², Justice Weir cited the opinion of Lord Lowry in R. v. Steenson & Others³ that

“Justice ‘according to law’ demands proper evidence. By that we mean not merely evidence which might be true and to a considerable extent probably is true, but, as the learned trial judge put it, “evidence which is so convincing in truth and manifestly reliable that it reaches the standard of proof beyond reasonable doubt.”

These, and other reports, suggest that there is perhaps a desire to adopt scientific methods too rapidly in the field of criminal investigations. A side-effect of this rapid adoption is a perception that proper review and validation of methods and processes is, to some extent, bypassed and this creates a situation where evidence produced by new methods can be challenged on the ground of lack of evidence of “fitness for purpose”. That is not to say that the evidence is inherently bad, but primarily that the evidence that it is good has not been produced.

The problem is not unique to the UK. “Strengthening Forensic Science in the United States”⁴ reports, in the executive summary that

“… in some cases, substantive information and testimony based on faulty forensic science analyses may have contributed to wrongful convictions of innocent people”

“There is no uniformity in the certification of forensic practitioners, or in the accreditation of crime laboratories.”

“There are often no standard protocols governing forensic practice in a given discipline.”

Once again, this report expresses uncertainty about the validity of many methods, noting a lack of agreement on what constitutes a “licence to practice” as well as “best practice” across the US.

* Tel.: +44 1325 722602; fax: +44 7092 372395. E-mail address: angus@n-gate.net.
¹ Forensic Science on Trial, Seventh Report of Session 2004–2005, House of Commons Science & Technology Committee.
² [2007] NICC 49.
³ [1986] NIJB 17.
⁴ Strengthening Forensic Science in the United States: a path forward, Committee on Identifying the Needs of the Forensic Sciences Community & National Research Council, 2009, National Academies Press (online at http://www.nap.edu/openbook.php?record_id=12589 last checked 12th July 2011).
1742-2876/$ – see front matter © 2011 Published by Elsevier Ltd.
doi:10.1016/j.diin.2011.11.001
Digital Investigation 8 (2011) 141–144
processes and appropriate standards of process quality for the context in which the investigation is being conducted.

Ideally, an organisation which implements all five standards will be equipped to deal efficiently and effectively with any information security incident that may occur.

Fig. 1 shows the relationship between the family of 5 standards which may result.

- ISO/IEC 27035 deals with all aspects of incident response, including pre-incident preparation for evidence gathering.
- “Investigation Principles and Processes” will define common concepts and models for investigation.
- ISO/IEC 27037 deals with immediate response to an incident in order to gather and preserve as much potential evidence as is required.
- ISO/IEC 27042 deals with post-incident processes used for investigation.
- ISO/IEC 27041 deals, particularly, with issues such as verification and validation of tools, methods and processes.

The editorial groups responsible for ISO/IEC 27035 and ISO/IEC 27037 have been careful not to produce a homogenized, standardised procedure which presupposes judicial requirements. Rather, they have sought to lay down a fundamental set of principles with guidance on how they can be applied in common scenarios. A similar approach will be used for the three proposed new standards. The groups involved in the production of these standards are keen to see them progress quickly, but not at the expense of correctness.

The existing work on all five standards makes reference to competence, proficiency and validation, as described above, and ISO/IEC 27037 makes clear that the implementer of a process is responsible for ensuring validation in the context in which they intend to apply that process.

5. Conclusion

There are two distinct, but closely related, approaches to the production of standards and/or regulation of digital investigations. One is based on existing practice within the established forensic science community, and the other is based on a perceived need for improvements in information security practices. Both approaches have their basis in common requirements of proficiency, competence and validation but do not, as yet, directly address how best to demonstrate that these requirements have been satisfied. At their most prescriptive, the existing standards define these three concepts in terms of requirements agreed with customers.

The underlying principles based on proficiency and competence have been shown to be sound in other disciplines and should be applicable to digital investigations. The issue of validation is viewed by many who do not have experience of ISO 17025 and equivalent quality systems as a major stumbling block. This seems to arise primarily through an understanding of the concepts of verification and validation derived from software engineering, where these terms apply to confirmation that a product conforms to specification and meets the needs of the user. The problem seems to be that there is an assumption that every feature of the product must be tested in every conceivable condition and configuration in order for it to be considered validated. Close examination of the wording of the relevant standards and guidance makes it clear that this is not the case and that what is really required is the production of evidence that the process applied to potential evidence (whether it involves the use of tools or not) is "fit for purpose", i.e. the process must satisfy the requirements for its role in a particular investigation.

The proposed ISO/IEC 27041 draft available in October 2011 proposes a three-stage process using the terms Verification, Validation and Acceptance. Verification is a confirmation that a product (tool, etc.) conforms to its specification and may be conducted by the producer of that product. Validation is the confirmation that a process is fit for purpose as described above. ISO/IEC 27041 proposes that evidence produced for verification may be used to simplify the validation process where there is clear mapping from the producer’s requirements & specification to the requirements for the intended use within the process under validation. Finally, acceptance is the formal process of confirming that a previously validated process may be re-used in different circumstances because the requirements are identical. Where the requirements are substantially the same, ISO/IEC 27041 proposes that a process may be validated by a combination of acceptance (for the requirements which match the new requirements) and validation (for the new requirements only).
The process outlined in the draft ISO/IEC 27041 available at the time of writing seems to be compatible with that currently used in Digital Forensics laboratories accredited to ISO/IEC 17025 (with the adoption of ILAC-G19) although the terminology used is somewhat different. It should be noted, however, that only the concept of validation is defined in ISO/IEC 17025 and thus the ISO Concepts Database prior to the drafting of ISO/IEC 27041.