The Need for Standardization


Digital evidence is just another form of "latent" evidence that must be handled with scientific principles and legal boundaries. There is an investigative component for electronic crimes and a laboratory component for the digital evidence associated with those crimes. (Carrie Whitcomb, 2001, "A Forensic Science Perspective on Digital Evidence Training, Education, and Certification," National Center of Forensic Science)

In 1994, the O.J. Simpson trial exposed many of the weaknesses of criminal investigation and forensic science. The investigation was hampered from the start by incomplete evidence collection, documentation and preservation at the crime scenes. Arguably, as a result of these initial errors, experienced forensic scientists were confused by and incorrectly interpreted important exhibits, introducing sufficient doubt for the jurors. The controversy surrounding this case made it clear that investigators and forensic scientists were not as reliable as was previously believed, undermining not just their credibility but also that of their profession. This crisis motivated many crime laboratories and investigative agencies to revise their procedures, improve training, and make other changes to avoid similar problems in the future. More recently, flaws have been found in the fingerprint and DNA analysis performed by some crime laboratories, calling many convictions into question and creating doubts about the analytical techniques themselves.

A similar crisis is looming in the area of digital evidence. The lack of generally required standards of practice and training allows weaknesses to persist, resulting in incomplete evidence collection, documentation and preservation as well as errors in analysis and interpretation of digital evidence. Innocent individuals may be in jail as a result of improper digital evidence handling and interpretation, allowing the guilty to remain free. Failures to collect digital evidence have undermined investigations, preventing the apprehension or prosecution of offenders and wasting valuable resources on cases abandoned due to faulty evidence. If this situation is not corrected, the field will not develop to its full potential, justice will not be served, and we risk a crisis that could discredit the field. The only reason we have not already encountered such a crisis is that our mistakes have been masked by obscurity. As more cases become reliant on digital evidence and more attention is focused on it, we must take steps to establish standards of practice and compel practitioners to conform to them.

There have been several noteworthy developments toward standardization in this field. The International Organization of Computer Evidence (www.ioce.org) was established in the mid-1990s "to ensure the harmonization of methods and practices among nations and guarantee the ability to use digital evidence collected by one state in the courts of another state." In 1998, the Scientific Working Group on Digital Evidence (www.swgde.org) was established to "promulgate accepted forensic guidelines and definitions for the handling of digital evidence." In 2001, the first Digital Forensics Research Work Shop (www.dfrws.org) was held, bringing together knowledgeable individuals from academia, military and the private sector to discuss the main challenges and research needs in the field. This workshop also gave new life to an idea proposed several years earlier, a peer-reviewed journal, leading to the creation of the International Journal of Digital Evidence (www.ijde.org). In 2003, the American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB) updated its accreditation manual to include standards and criteria for digital evidence examiners in US crime laboratories. In 2004 the UK Forensic Science Service plans to develop a registry of qualified experts, and several European organizations, including the European Network of Forensic Science Institutes (ENFSI), will publish examination and report writing guidelines for digital investigators. Also, Elsevier will begin publishing Digital Investigation: The International Journal of Digital Forensics and Incident Response (http://www.compseconline.com/digitalinvestigation/).

Historically, Forensic Science disciplines have used certification to oversee standards of practice and training. Certification provides a standard that individuals need to reach to qualify in a profession and provides an incentive to reach a certain level of knowledge. Without certification, the target and rewards of extra effort are unclear. This is not to say that everyone who handles digital evidence requires the same level of skill or training. A strong certification program needs to have tiered levels of certification facilitating progression upwards, setting basic requirements for crime scene technicians, and setting higher standards for specialists in a laboratory and for investigators who are responsible for analyzing evidence.

Although there are a growing number of certification programs for digital investigators, many are only available to law enforcement personnel and none are internationally accepted. In 2004, representatives from around the world convened to discuss the feasibility of an internationally accepted certification for digital investigators. The outcome is not decided and there are obstacles to such a certification. Some feel that proposed training requirements are too high while others fear that certification will enable anyone to enter the field and obtain specialized knowledge, even individuals who work for the defense on criminal cases. There is also the fear that setting standards and placing additional requirements on practitioners will make it more difficult to get digital evidence admitted in court.

Paradoxically, some of those concerned that training requirements will exclude them also want to exclude individuals who perform criminal defense work. In addition to being unethical, any attempt to withhold knowledge from criminal defense attorneys and experts stifles improvement and progress in the field by allowing misunderstandings and poor practices to persist. If we cannot work together despite our differences to improve the field, the only winners will be the criminals and the losers will be the innocents. The aim of everyone in this field should be to ensure the best reasonable standards and quality. In the long run, digital evidence processed properly by certified professionals is less likely to be impeached or cause an injustice.

The investigation into the Starnet Internet gambling company provides a good example of the successes of proper training and preparation. The August 1999 raid of Starnet's offices in Vancouver, BC, was the culmination of more than a year's worth of investigative effort and preparation by the Royal Canadian Mounted Police. Over 100 personnel from all over Canada were brought together to search and seize Starnet's systems. Search teams were trained to implement standard operating procedures to ensure consistency and were given sufficient equipment to store the large amounts of data that were anticipated. As a result of this planning, Starnet's office building and the network it contained were secured in a few minutes. Although it took several days, digital evidence from more than 80 computers was preserved. In 2001, Starnet pled guilty to violating Section 202 (1) b of the Canadian criminal code by having a machine in Canada for gambling or betting.

Although professionalization may not be desirable for some, it is necessary for all. Without generally accepted standards, there is no basis to judge work. Without certification, there is no basis upon which to assess qualifications. Our community has a duty to agree upon standards of practice and training, and to require practitioners to meet these standards through certification.

This duty exists because in the forensic disciplines our opinions and interpretations are allowed to impact whether people are deprived of their liberties, and potentially whether they live or die. (Turvey, B., 2000, "The Professionalization of Criminal Profiling" in Criminal Profiling, Academic Press)




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279