Revision as of 20:30, 29 March 2021

Full article title Digital transformation risk management in forensic science laboratories
Journal Forensic Science International
Author(s) Casey, Eoghan; Souvignet, Thomas R.
Author affiliation(s) University of Lausanne
Primary contact Email: thomas dot souvignet at unil dot ch
Year published 2020
Volume and issue 316
Article # 110486
DOI 10.1016/j.forsciint.2020.110486
ISSN 0379-0738
Distribution license Creative Commons Attribution 4.0 International
Website https://www.sciencedirect.com/science/article/pii/S0379073820303480
Download https://www.sciencedirect.com/science/article/pii/S0379073820303480/pdfft (PDF)

Abstract

Technological advances are changing how forensic laboratories operate in all forensic disciplines, not only digital. Computers support workflow management and enable evidence analysis (physical and digital), while new technology enables previously unavailable forensic capabilities. Used properly, the integration of digital systems supports greater efficiency and reproducibility, and drives digital transformation of forensic laboratories. However, without the necessary preparations, these digital transformations can undermine the core principles and processes of forensic laboratories. Forensic preparedness concentrating on digital data reduces the cost and operational disruption of responding to various kinds of problems, including misplaced exhibits, allegations of employee misconduct, disclosure requirements, and information security breaches.

This work gives pertinent examples of problems and risks involving technology that have occurred in forensic laboratories, along with opportunities and risk mitigation strategies, based on the authors’ experiences. It also presents recommendations to help forensic laboratories prepare for and manage these risks, to use technology effectively, and ultimately strengthen forensic science. The importance of involving digital forensic expertise in risk management of digital transformations in laboratories is emphasized. Forensic laboratories that do not adopt forensic digital preparedness will produce results based on digital data and processes that cannot be verified independently, leaving them vulnerable to challenge. The recommendations in this work could enhance international standards such as ISO/IEC 17025, which are used to assess and accredit laboratories.

Keywords: forensic science, digital transformations, forensic laboratories, forensic preparedness, forensic digital preparedness, risk management, ISO/IEC 17025

Introduction

Forensic science laboratories are becoming more reliant on computers and data for both administrative and analytical operations. These technological advances create new opportunities and risks for all forensic disciplines, not only to digital evidence.[1] With proper preparation and management, forensic laboratories can employ technology effectively to improve performance and quality, while mitigating the associated risks. However, many forensic laboratories do not understand the subtlety and expertise required to manage risks of digital transformation, inadvisedly treating it as simply a technical component of existing quality management processes. Forensic laboratories that fail to realize the need for forensic digital preparedness to actively manage risks associated with digital transformations are vulnerable to significant expense, disruption, and liability when problems arise.

Forensic laboratories rely on technology for much more than communication and routine business functions. Sophisticated equipment for processing chemical and biological materials is operated using computers and saves results in digital form. Mass spectrometers, DNA analysis systems, and other laboratory equipment save their results in raw data files. Digital evidence is processed using specialized hardware and software, although not all forensic laboratories have integrated this new discipline. Forensic laboratories are using computerized case management systems for tracking the treatment of all evidential exhibits and forensic results. Automated systems with artificial intelligence (AI) are being used to support forensic analysis. In reality, digital transformations—the use of digital technology to make existing processes more efficient and effective, and to develop new solutions to emerging problems—are well underway, and forensic laboratories require a robust strategy to manage the associated risks and realize the opportunities.

This increased dependence on digital technology creates risks and opportunities for forensic laboratories. Potential pitfalls include loss of data needed to perform forensic analysis, errors in analysis of physical traces (e.g., DNA, fingerprint, face) caused by computer hardware or software, ability to tamper with raw data files generated by laboratory equipment, and incorrect information input into laboratory information management systems (LIMS). Possible benefits are traceability and integrity of traces, reliability and reproducibility of results from information extracted from traces and stored as raw data, and use of AI to support forensic analysis.

Lessons can be learned from the digital forensic domain, including forensic digital preparedness and accreditation challenges. Primary challenges encountered by digital forensic laboratories adopting quality standards include[2]:

  • Inaccurate or insufficient information in technical records, including chain of custody, and no mechanism to detect subsequent changes to records.
  • Problems with the security of information technology systems and the backup processes of data.
  • Missing or insufficiently detailed procedures for treating digital data, and personnel not following documented procedures consistently.
  • Lack of robust quality checking mechanisms, and issues with validation of methods.

This paper presents risks and opportunities associated with digital transformation of forensic laboratories, providing examples based on the authors’ experiences. Examples have been anonymized, as the intention is to illustrate general lessons learned rather than critique specific laboratories. This work then presents forensic digital preparedness, a set of recommendations to help laboratories navigate risks associated with digital transformations, including mishandled exhibits, allegations of employee misconduct, and disclosure requirements. The role of digital forensic capabilities and expertise in risk management of digital transformations in laboratories is discussed. This work culminates with broader implications for international standards such as ISO/IEC 17025, which are used to assess and accredit laboratories.

Risks and remedies

Many processes in forensic laboratories have become digitalized through the increased use of information management systems and software running analysis instruments. While these systems serve crucial functions in modern forensic laboratories, they also have associated risks that must be managed.

Data retention

The computer systems used to store the data files generated by instruments (raw and processed) can encounter problems that lead to loss of information.

Data loss scenario

In this scenario, Reust et al.[3] presented a case study concerning a forensic laboratory that performed DNA analysis of a crime scene sample relevant to a multiple homicide and death penalty case, but did not retain a copy of the raw data files. To comply with a court order to provide the defense with original raw data, it was necessary to perform costly forensic data recovery on the computer used to perform the original processing of DNA. The authors developed a customized software utility to automatically search the computer hard drive for all fragments of the relevant raw data and reconstruct the original files. The resulting files were tested and validated with DNA analysis software.

As seen with Reust et al., original data files thought to be lost can, under certain circumstances, be recovered from hard disks using digital forensic methods, which can be costly and time-consuming. Even when digital data is retained, it is malleable and subject to undetected alterations of content or metadata. Lack of proper data retention processes makes it more difficult, sometimes impossible, to recover original data files and verify their integrity.

Generally, normal backup processes do not have the fidelity of digital forensic preservation mechanisms. To manage the risks of data loss and undetected alterations, traditional data retention practices in forensic laboratories can be updated to employ digital forensic preservation methods. Specifically, as part of routine data retention processes, digital forensic preservation of original data (raw and processed) and associated metadata (filesystem timestamps) allows the integrity of data to be verified more easily when there is a problem or inquiry. For instance, original files and associated metadata can be forensically preserved using the Advanced Forensic Format (AFF4), which is open-source and cross-platform. The following command and resulting output demonstrate how this method can be implemented on any type of computer system with a single command that can be part of a routine or automated process to forensically preserve all raw data files in a specified directory on a laboratory computer, while generating a unique identifier for the digital evidence container for evidence management purposes[4][5]:

% aff4.py -cr s1-001-10April2020.aff4 RAWdata/s1-001
Creating AFF4Container: file://s1-001-10April2020.aff4
<aff4://c293153c-a317-4927-b1eb-6e3a5008ad0f>
Adding: RAWdata
Adding: RAWdata/s1-001/s1-001-sequence.sld
Adding: RAWdata/s1-001/s1-001-processed.pdf
Adding: RAWdata/s1-001/s1-001-ref.params
Adding: RAWdata/s1-001/s1-001.RAW

This digital forensic preservation process captures file system metadata and automatically computes MD5 and SHA1 cryptographic hash values of the acquired data for integrity verification purposes as the following excerpt shows:

% aff4.py -m s1-000-10April2020.aff4
... EDITED FOR BREVITY...
<aff4://c293153c-a317-4927-b1eb-6e3a5008ad0f/RAWdata/s1-001/s1-000.RAW>
    a aff4:FileImage,
        aff4:Image,
        aff4:ImageStream;
    aff4:birthTime "2020-04-10T22:41:03.949269+02:00"^^xsd:dateTime;
    aff4:hash "1d2f7ff1ea563ceb6d2da0e168e90587"^^aff4:MD5,
        "427bc17e608fc493f0e2b3fed8fa55b36862ac31"^^aff4:SHA1;
    aff4:lastAccessed "2020-04-10T22:41:08.708498+02:00"^^xsd:dateTime;
    aff4:lastWritten "2020-04-10T22:41:05.290019+02:00"^^xsd:dateTime;
    aff4:originalFileName "RAWdata/s1-001/s1-000.RAW"^^xsd:string;
    aff4:recordChanged "2020-04-10T22:41:07.694584+02:00"^^xsd:dateTime;
    aff4:size 276196936.

These hash values are commonly used in digital forensic tools to enable future verification that the acquired data have not been altered since they were forensically preserved. One caveat applies: both MD5 and SHA-1 have practical collision attacks, so a party who controls a file's content at the moment of preservation could in principle prepare two versions that share the same digests. Substituting a different file for one that has already been hashed (a second preimage) remains impractical for either algorithm, but recording a collision-resistant digest such as SHA-256 alongside them removes the concern at negligible cost. The preserved metadata can also be useful for assessing the authenticity of the acquired data, including the original file name, size and creation timestamp.

Additionally, AFF4 assigns a unique identifier to the acquired data to support evidence management and provenance tracking.
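The following is an added example, not code from the paper and not pyaff4. It reproduces the logic of the preservation step above in a plain JSON manifest: each file's original name, size, filesystem timestamps and content hashes are recorded under a freshly generated container identifier, and a second pass re-verifies the files against the manifest. The sample files, the manifest format, the directory names and the addition of SHA-256 to the MD5 and SHA-1 digests shown in the AFF4 excerpt are all assumptions of this example, chosen to show that a same-size edit of a processed parameter file is caught by the hashes even though the size check passes.

```python
"""Simplified stand-in for the AFF4 preservation step (added example, not pyaff4).

Records, per file: original name, size, filesystem timestamps and digests,
under a container UUID, then re-verifies the directory against the record.
"""
import hashlib
import json
import os
import tempfile
import uuid
from datetime import datetime, timezone
from pathlib import Path

# SHA-256 is an addition beyond the MD5/SHA-1 pair shown in the AFF4 excerpt.
HASHES = ("md5", "sha1", "sha256")


def _iso(ts: float) -> str:
    """Filesystem timestamp (epoch seconds) as an ISO 8601 string in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="microseconds")


def hash_file(path: Path) -> dict:
    """Stream the file once and return every configured digest as hex."""
    hashers = {name: hashlib.new(name) for name in HASHES}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def preserve(root: Path, manifest_path: Path) -> dict:
    """Record every regular file under root; names are relative to root's parent,
    mirroring the 'RAWdata/s1-001/...' paths in the AFF4 output."""
    container_id = f"aff4://{uuid.uuid4()}"  # same shape as the container URN
    entries = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        entries.append({
            "originalFileName": path.relative_to(root.parent).as_posix(),
            "size": st.st_size,
            "lastWritten": _iso(st.st_mtime),
            "lastAccessed": _iso(st.st_atime),
            "recordChanged": _iso(st.st_ctime),
            "hash": hash_file(path),
        })
    manifest = {
        "container": container_id,
        "acquired": datetime.now(timezone.utc).isoformat(timespec="microseconds"),
        "files": entries,
    }
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(root: Path, manifest: dict) -> list:
    """Return (file, reason) pairs for every discrepancy; an empty list means intact."""
    problems = []
    for entry in manifest["files"]:
        path = root.parent / entry["originalFileName"]
        if not path.is_file():
            problems.append((entry["originalFileName"], "missing"))
            continue
        if path.stat().st_size != entry["size"]:
            problems.append((entry["originalFileName"], "size changed"))
        digests = hash_file(path)
        for name in HASHES:
            if digests[name] != entry["hash"][name]:
                problems.append((entry["originalFileName"], f"{name} mismatch"))
    return problems


def demo() -> tuple:
    """Preserve constructed sample files, then alter one and re-verify."""
    tmp = Path(tempfile.mkdtemp())
    root = tmp / "RAWdata"
    sample = root / "s1-001"
    sample.mkdir(parents=True)
    # Constructed stand-ins for instrument output and a processed parameter file.
    (sample / "s1-001.RAW").write_bytes(os.urandom(4096))
    (sample / "s1-001-ref.params").write_text("threshold=50\n")
    manifest = preserve(root, tmp / "s1-001-10April2020.manifest.json")
    before = verify(root, manifest)
    # A later edit that keeps the file size identical: only the digests reveal it.
    (sample / "s1-001-ref.params").write_text("threshold=25\n")
    after = verify(root, manifest)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The verification deliberately checks size and every digest independently, so a report lists each failing check rather than stopping at the first; in a laboratory workflow the manifest itself would be stored away from the computer that produced the data, since a manifest kept beside the files can be rewritten along with them.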

Evidence integrity

The data files generated by laboratory equipment and stored on computers can be altered afterwards accidentally or intentionally.

Data alteration scenario

In this scenario, data files stored on laboratory computers have been altered to conceal specific information in test results. Some of the alterations were detectable from the content of the digital files themselves, while others were not detected using the available verification software. As a result, it was difficult to determine the full scope and specific impact of the alterations.

The motivation for editing the data files (raw and processed) might be to cover up mistakes, conceal unfavorable results (corruption), facilitate prosecution (bias), or inflate laboratory metrics (performance).[6] Forensic laboratory personnel might modify data to remove traces of contamination they considered to be insignificant, such as traces of investigators operating an evidential smartphone after the device was seized. Depending on the type of data and the method of modification, it might be possible to detect the alteration. However, some alterations may be undetectable using existing verification tools, making it more difficult to determine that modifications were made.

Normal backup processes, and even digital forensic preservation such as described in the previous section using AFF4, are not tamperproof: forged data can be substituted for the retained data, and the clock of a computer system can be set back so that a forged file or container appears to have been created at some earlier time. Lack of a tamperproof chain of custody for primary data sources in a forensic laboratory makes it more difficult, sometimes impossible, to authenticate the original data files that form the basis of forensic findings and reported results.

To manage the risks of inadvertent alteration and intentional tampering, traditional provenance tracking practices in forensic laboratories must be updated to employ digitalized chain of custody ledger solutions.[7][8] These digitalized chain of custody mechanisms can be implemented in a way that is tamperproof and independently verifiable.
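The following is an added example, not code from the paper or from the ledger designs in the cited works [7][8], whose blockchain anchoring is not reproduced here. It shows the property that makes such a ledger tamper-evident: every custody entry commits to the SHA-256 digest of the entry before it, so backdating or rewriting any earlier entry breaks the link that follows it. Because the final entry has no successor, the example also keeps a witnessed head digest, a stand-in for publishing the digest to a party the laboratory does not control; that is what makes the ledger independently verifiable. The events, actors, timestamps and item hashes are constructed values.

```python
"""Hash-chained chain-of-custody ledger (added example, not the cited designs).

Each entry commits to the digest of its predecessor; an external witness
holds the digest of the latest entry. Tampering with the middle of the chain
is caught by the next link, tampering with the tail only by the witness.
"""
import hashlib
import json
from typing import Optional, Tuple

GENESIS = "0" * 64  # 'prev' value of the first entry


def entry_digest(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append(ledger: list, event: str, actor: str, item: str,
           timestamp: str, item_hash: str) -> dict:
    """Append a custody event chained to the current last entry."""
    prev = entry_digest(ledger[-1]) if ledger else GENESIS
    entry = {"seq": len(ledger), "event": event, "actor": actor, "item": item,
             "timestamp": timestamp, "item_hash": item_hash, "prev": prev}
    ledger.append(entry)
    return entry


def verify(ledger: list, witnessed_head: Optional[str] = None) -> Tuple[bool, str]:
    """Recompute every link; optionally compare the head with a witnessed digest."""
    expected_prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["seq"] != i:
            return False, f"entry {i}: sequence number altered"
        if entry["prev"] != expected_prev:
            return False, f"entry {i}: does not chain to entry {i-1}"
        expected_prev = entry_digest(entry)
    if witnessed_head is not None and expected_prev != witnessed_head:
        return False, "head digest differs from the witnessed value"
    return True, "ledger intact"


def demo() -> tuple:
    """Build a constructed three-event ledger and try two kinds of tampering."""
    ledger = []
    raw_hash = hashlib.sha256(b"constructed stand-in for s1-001.RAW").hexdigest()
    append(ledger, "acquire", "analyst-1", "s1-001.RAW", "2020-04-10T22:41:03+02:00", raw_hash)
    append(ledger, "verify", "qa-2", "s1-001.RAW", "2020-04-11T09:02:11+02:00", raw_hash)
    append(ledger, "transfer", "analyst-1", "s1-001.RAW", "2020-04-12T14:30:00+02:00", raw_hash)
    witnessed = entry_digest(ledger[-1])  # digest handed to an outside party
    intact = verify(ledger, witnessed)

    # Tampering 1: backdate a middle entry. Entry 2's 'prev' no longer matches.
    backdated = json.loads(json.dumps(ledger))
    backdated[1]["timestamp"] = "2020-04-09T08:00:00+02:00"
    middle = verify(backdated)

    # Tampering 2: replace the item hash in the last entry (a substituted file).
    # No later link exists, so only the witnessed head reveals the change.
    substituted = json.loads(json.dumps(ledger))
    substituted[2]["item_hash"] = hashlib.sha256(b"substituted data").hexdigest()
    tail_unwitnessed = verify(substituted)
    tail_witnessed = verify(substituted, witnessed)
    return intact, middle, tail_unwitnessed, tail_witnessed


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second tampering case is the important one: an insider who can rewrite the ledger file can also re-chain every later entry, so the hash chain alone only protects against edits that leave later entries untouched. The witnessed head digest closes that gap, which is why the cited designs anchor digests outside the laboratory rather than relying on the chain by itself.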



References

  1. Pollitt, M.; Casey, E.; Jaquet-Chiffelle, D.-O. et al. (February 2019). "A Framework for Harmonizing Forensic Science Practices and Digital/Multimedia Evidence" (PDF). OSAC. https://www.nist.gov/system/files/documents/2018/01/10/osac_ts_0002.pdf. 
  2. Tully, G.; Cohen, N.; Compton, D. et al. (2020). "Quality standards for digital forensics: Learning from experience in England & Wales". Forensic Science International: Digital Investigation 32: 200905. doi:10.1016/j.fsidi.2020.200905. 
  3. Reust, J.; Sommers, R.; Friedberg, S. et al. (2008). "Identification and Reconstruction of Deleted, Fragmented DNA Digital Files". Proceedings of the American Academy of Forensic Sciences 14: 187–88. Archived from the original on 29 April 2016. https://web.archive.org/web/20160429004454/https://www.aafs.org/wp-content/uploads/ProceedingsWashingtonDC2008.pdf. 
  4. Cohen, M.; Garfinkel, S.; Schatz, B. (2009). "Extending the advanced forensic format to accommodate multiple data sources, logical evidence, arbitrary information and forensic workflow". Digital Investigation 6 (Supplement 1): S57–S68. doi:10.1016/j.diin.2009.06.010. 
  5. Schatz, B.L. (2015). "Wirespeed: Extending the AFF4 forensic container format for scalable acquisition and live analysis". Digital Investigation 14 (Supplement 1): S45–54. doi:10.1016/j.diin.2015.05.016. 
  6. Bidgood, J. (18 April 2017). "Chemist’s Misconduct Is Likely to Void 20,000 Massachusetts Drug Cases". The New York Times. Archived from the original on 19 April 2017. https://web.archive.org/web/20170419100845/https://www.nytimes.com/2017/04/18/us/chemist-drug-cases-dismissal.html. 
  7. Burri, X.; Casey, E.; Bollé, T. et al. (2020). "Chronological independently verifiable electronic chain of custody ledger using blockchain technology". Forensic Science International: Digital Investigation 33: 300976. doi:10.1016/j.fsidi.2020.300976. 
  8. Jaquet-Chiffelle, D.-O.; Casey, E.; Bourquenoud, J. (2020). "Tamperproof timestamped provenance ledger using blockchain technology". Forensic Science International: Digital Investigation 33: 300977. doi:10.1016/j.fsidi.2020.300977. 

Notes

This presentation is faithful to the original, with only a few minor changes to presentation. In some cases important information was missing from the references, and that information was added.