Forensic Analytics and SWGDE

Building best practice on digital evidence in North America

Digital forensics is a rapidly evolving field in which new technologies and methods constantly emerge, which makes it challenging for experts to keep up and to maintain consistent, accurate analysis. To address this, knowledge sharing and standardised best practices are essential to ensure reliable and comparable forensic conclusions. Founder Joe Hoy writes here about the role of the Scientific Working Group on Digital Evidence (SWGDE) in developing consensus, creating best-practice guidelines for handling and interpreting diverse digital evidence types, and working to unify expert approaches.

Kerrie Blease


Change brings challenges

Digital forensics, including cell site analysis, is an ever-changing technical environment. New types of network come along every 10 years or so, which isn't too difficult to keep up with, but new devices, new apps and new methods of communicating are released all the time, leading to new forms of analysis and new tricks and tools that can be used to examine the data from those services; and also, inevitably, new forms of fraud and other criminal behaviour that are developed to exploit those new technologies.

It's difficult for an individual digital forensic expert or even a whole company of experts to keep up with all this change, which means that we end up with separate islands of experience and knowledge of how to deal with this welter of technology.

Some experts understand their area of activity better than others; some experts only look at some areas occasionally and don't have the opportunity to hone their skills on it to the degree that they might wish to. Lack of experience with a technology or a technique can lead to misinterpretation and, at worst, incorrect evidence being presented at court.

The role of SWGDE

In such a fast-changing environment, it is therefore vital that knowledge sharing takes place and that agreed best-practice guidelines are drawn up.

In the US, for digital forensics, this activity is coordinated by SWGDE - the Scientific Working Group on Digital Evidence (officially pronounced 'swig-dee', but there are multiple variations, including 'swedge' and 'swidge'!).

SWGDE is partly funded by NIST (the National Institute for Science & Technology) and its membership consists of a mix of law enforcement personnel, academics and representatives from private industry - my colleague Martin Griffiths and I are fortunate enough to have been accepted for membership of the organisation and attend up to three meetings a year in various parts of the US.

SWGDE's role is to develop agreed best-practice guidelines for the handling, interpretation and analysis of a variety of digital evidence types; from images and video, to handset downloads and cell site analysis, via audio, computer examination and several other disciplines.

Martin and I contribute to the cell site analysis work stream and have collaborated with others to develop best practice documents for cell site analysis in general and for forensic RF surveying (aka drive scans) in particular, with forays into technical papers that describe Timing Advance and Distributed Antennas Systems as well.

SWGDE papers set out an agreed position on the evidential value of particular types of data; they provide guidelines for the agreed best practice methods of processing, interpreting, analysing and presenting conclusions based on those data types and in general seek to ensure that all practitioners working in a specific digital forensics discipline conduct their work and draw their conclusions in the same way.

Part of the reasoning behind this is to reduce the scope for disagreement between experts - if everyone works using the same definitions and best practice guidelines, then every expert will reach similar conclusions.

Impartial and Independent

SWGDE documents, and investigations conducted following the recommendations contained in those documents, are widely accepted in courts in the US, but they aren't accepted by everyone. Some defence attorneys and some digital forensics experts who work predominantly for the defence argue that SWGDE is 'dominated' by representatives of the prosecution and that the organisation and its output are 'biased' in favour of law enforcement.

I don't subscribe to this view.

Forensic Analytics is a private sector organisation; we have customers on both sides of the criminal justice divide, serving both the prosecution and the defence. Around 50% of the membership of our particular SWGDE committee are also from the private sector or from academia; only about half the participants are related to law enforcement, which is a ratio that extends to the organisation as a whole.

As independent experts, we wouldn't put our names (and our reputations) to documents that we believed were flawed or biased and I'm sure the same is true for the other members of SWGDE, whatever their professional affiliations are.

SWGDE members, in our experience, want to help develop a proper understanding of the technologies, techniques, services or data types they work with and create recommendations for the fair, balanced and accurate interpretation of those artifacts as a guide for other practitioners.

No doubt, there will continue to be those who criticise SWGDE and its recommendations, and to them we say 'come and join us. If you don't like what SWGDE recommend, come to a meeting and help us work on an output that we can all agree on'.

Next stop Arlington

I'm off to Arlington, Virginia this week for the Autumn SWGDE session, for four days of technical discussion, impassioned arguments about exactly where to put the full stop in a sentence and, hopefully, a developing consensus about how best to handle the various types of data we'll be discussing. It's hard work, but it's a great atmosphere and a fantastic group of people, all dedicated to producing recommendations that help all sides of the criminal justice system understand what 'best practice' looks like for their particular discipline.