I do not think that regulation of digital forensics is a bad thing; I welcome it. I do, however, think that it should become a reality as a result of expertise and innovation by the practitioners and not by forces engaged in the art of politik.
At the moment, it appears that politik is the driver behind the attempts to solidify such an accreditation entity and I am of the opinion that this will deliver a system that is pretty meaningless at great cost.
We work in a very fluid environment and I am sure that we can find a better fit solution to give reassurance to those that require it without reliance on a framework that is best suited to less diverse areas. I am reasonably familiar with ISO17025 and can agree with many of its principles; my problem with it is that its advocates are easily undermined when asked to justify its implementation in a laboratory with many diverse methods and the 'naysayer' just as easily undermined when they argue its unsuitability in said environs because the principle is all we know. This dichotomy seems to indicate that it is a flawed framework for digital forensics and may well go a long way in explaining why very little advancement has been made in its implementation in the last five years.
This is all very well, I suppose, and we can wait for this life cycle to reach its zenith or we can encourage all serious digital forensic practitioners to remind themselves that we are the individuals that will leave a legacy for those that follow and that we should do all we can to make it a good one.
So what does all that mean?
I think we need to accept that there is more we can do in digital forensics to raise the bar in terms of quality systems, validation of methods, competency and the application of the fundamentals of scientific endeavor. We should accept that this is our job right now and that it can only be achieved from the ground up.
So what can we do?
I think that every lab should engage by setting up a few simple computers that have diverse operating systems and encourage staff to use, install and abuse them in every possible (legal) way and at the same time log, in a scientific manner, every detail of their activity. Forensic images should be made at regular points and supplied along with the logs to staff to examine, validate and observe the consequences of the activity. Staff should be encouraged in this and I would hope that the information derived from these experiments could help us in getting to a meaningful level of validation that may make the ISO17025 pill easier to swallow.
As with all discussions I have had on ISO17025, I always feel like I have given the impression that I disagree with a part of it only to have then followed up by proposing an alternative that is entirely compatible with that part!
That, my friends, is how devilish it is!