
Procedures/Protocols Within a Digital Forensics Lab

SOP:

The responsibility of a digital forensics lab is to take in requests to scientifically analyze pieces of digital media and, in turn, to provide empirical and objective reporting based on the findings of those examinations. Like any other organization that provides a service, a digital forensics lab must establish a coherent and comprehensive set of standard operating procedures (SOP). The purpose of a lab’s SOP is to clearly outline how the lab conducts its business: it establishes protocols covering the entire process, from how a request is filled out to how the final report is delivered. A lab’s SOP also defines the mission, scope, responsibilities, and other factors that make up the overall business process. It is imperative that the SOP be clearly defined so that the process can be replicated from case to case, giving the high level of consistency expected of any sound scientific process.


Establishing SOP:

When establishing a lab’s SOP, a lab manager’s previous digital forensics lab experience is helpful in deciding best practices for handling evidence. That experience does not have to stand alone, however: organizations such as the National Institute of Standards and Technology (NIST) and the Scientific Working Group on Digital Evidence (SWGDE) publish guidance built on many years of cumulative industry reporting and test cases, including SWGDE’s model SOP for computer forensics and NIST’s Computer Forensics Tool Testing (CFTT) project. A lab manager establishing a new digital forensics lab would be wise to draw on resources like these when writing the lab’s SOP.


Forensic Requests:

A request form should be made available for customers to fill out when they want a forensic examination. This form must capture information such as the requester’s name, organization, the date the form was filled out, the date of the incident, a description of the incident, the type of examination, the scope of the examination, and so on. The information provided on the initial request is used to create an entry in the lab’s request management system. A lab must have a process for handling requests, much as an IT department handles tickets, and that system must be able to forward each request to the appropriate group and provide consistent reporting throughout the forensic process. The initial form should also record the severity of the request. This allows the request management system to filter and schedule requests by urgency, so that more urgent requests are given priority over less urgent ones.


Case Management:

Once the initial request is made, it is assigned to an examiner. Depending on the size of the organization and the scope of the lab, the request may instead be assigned to a team of examiners based on the requested area of examination. For example, a lab may have a team dedicated to mobile and embedded device forensics, so a request for a cell phone acquisition would be directed to that team. The customer’s request is forwarded to the team, and a case file is then created and entered into the management system with the request attached. In the course of a case, different aspects of the investigation may need to be handled by several examiners. Every examiner who works a case must record any change or contribution to the case together with their unique identifier, whether a signature or an employee ID. This establishes accountability for each team member to contribute accurate information.
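The intake and case-management workflow described above, reduced to a small working model. This is an added example, not code from the page or from any lab’s actual system: the required form fields mirror the list in the text, while the severity scale, the routing table from examination type to team, the case ID format, and the examiner IDs are assumptions chosen for illustration. The example shows what the prose does not: how a severity-ordered queue still preserves arrival order within a severity, how a form missing a required field is rejected before it enters the system, and how a case file refuses any contribution that is not tagged with an examiner identifier.

```python
import heapq
import itertools
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Fields the intake form must carry before the request enters the system.
# The set mirrors the list in the text; the key names are assumptions.
REQUIRED_FIELDS = ("name", "organization", "date_filed", "date_of_incident",
                   "description", "exam_type", "scope", "severity")

# Severity scale used for prioritisation (assumed); lower rank is served first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Routing table from requested examination type to the team that opens the
# case file (assumed team names, following the text's mobile-team example).
TEAM_FOR_EXAM = {"mobile": "mobile-and-embedded", "computer": "computer-forensics"}


class RequestError(ValueError):
    """A request that cannot be entered into the management system."""


def validate_request(form: dict) -> dict:
    """Reject a form lacking a required field, or with an unknown severity or exam type."""
    missing = [name for name in REQUIRED_FIELDS if not form.get(name)]
    if missing:
        raise RequestError("missing required fields: " + ", ".join(missing))
    if form["severity"] not in SEVERITY_RANK:
        raise RequestError(f"unknown severity {form['severity']!r}")
    if form["exam_type"] not in TEAM_FOR_EXAM:
        raise RequestError(f"no team handles exam type {form['exam_type']!r}")
    return form


class RequestQueue:
    """Intake queue ordered by severity; equal severities are first-in, first-out."""

    def __init__(self) -> None:
        self._heap: list = []
        self._seq = itertools.count()  # tie-breaker that preserves arrival order

    def submit(self, form: dict) -> None:
        form = validate_request(form)
        heapq.heappush(self._heap, (SEVERITY_RANK[form["severity"]], next(self._seq), form))

    def next_request(self) -> Optional[dict]:
        return heapq.heappop(self._heap)[2] if self._heap else None


@dataclass
class CaseFile:
    """A case file: the original request plus an append-only contribution log."""
    case_id: str
    team: str
    request: dict
    log: list = field(default_factory=list)

    def record(self, examiner_id: str, note: str) -> None:
        # Every contribution carries the examiner's unique identifier, so each
        # change in the case is attributable to exactly one person.
        if not examiner_id.strip():
            raise ValueError("contribution must carry the examiner's identifier")
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.log.append((stamp, examiner_id, note))

    def contributors(self) -> set:
        return {examiner for _, examiner, _ in self.log}


class CaseManager:
    """Pulls requests off the queue in priority order and opens case files."""

    def __init__(self) -> None:
        self.queue = RequestQueue()
        self.cases: dict = {}
        self._ids = itertools.count(1)

    def open_next_case(self) -> Optional[CaseFile]:
        form = self.queue.next_request()
        if form is None:
            return None
        case = CaseFile(f"CASE-{next(self._ids):04d}", TEAM_FOR_EXAM[form["exam_type"]], form)
        self.cases[case.case_id] = case
        return case


def make_request(severity: str, exam_type: str, description: str) -> dict:
    """Build a constructed sample form; every value here is illustrative only."""
    return {"name": "J. Doe", "organization": "Example Corp", "date_filed": "2015-03-22",
            "date_of_incident": "2015-03-20", "description": description,
            "exam_type": exam_type, "scope": "full acquisition", "severity": severity}


def run_demo() -> list:
    """Submit three constructed requests; return (case_id, severity, team) in opening order."""
    manager = CaseManager()
    manager.queue.submit(make_request("low", "computer", "routine policy review"))
    manager.queue.submit(make_request("critical", "mobile", "seized handset, active investigation"))
    manager.queue.submit(make_request("medium", "computer", "suspected data exfiltration"))
    opened = []
    while (case := manager.open_next_case()) is not None:
        case.record("E-1042", "case file created from request")  # assumed employee ID
        opened.append((case.case_id, case.request["severity"], case.team))
    return opened


if __name__ == "__main__":
    for row in run_demo():
        print(*row)
```

Running the module submits the three requests in the order low, critical, medium and opens them as critical, medium, low; the critical handset request is routed to the mobile and embedded team and the two computer requests to the computer forensics team. A real system would persist the case files and log, but the validation, ordering, and attribution rules are the parts an SOP has to pin down.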


Auditing SOP and Technologies:

To ensure that a lab’s SOP remains relevant, periodic audits must be performed. An audit should address not only the lab’s SOP but also the state of the technologies used for examinations. The audit should be performed by an outside third party so that the findings of the report are as objective as possible. Periodic audits of the SOP give insight into the lab’s business practices from an objective perspective, and an audit’s examination of the lab’s tools pushes the organization toward current industry standards it might not otherwise be aware of. This helps the lab revise its protocols, procedures, and technologies as necessary to refine its practices.


Scientific Working Group on Digital Evidence. (2010). Public Documents: SWGDE Model SOP for Computer Forensics v3. Retrieved March 22, 2015, from https://www.swgde.org/documents/Current+Documents/SWGDE+QAM+and+SOP+Manuals/2012-09-13+SWGDE+Model+SOP+for+Computer+Forensics+v3

NIST. (2011, May 23). Information Technology Laboratory: Computer Forensics Tool Testing Project. Retrieved March 22, 2015, from http://www.nist.gov/itl/ssd/cs/cftt/
