Digital forensics lack standards

Lack of checks by police on digital investigators jeopardising evidence

Courts could throw out evidence

Court cases involving digital evidence are at risk of collapsing because some police forces fail to check the security of computer forensics suppliers.

A Computing investigation has revealed that while some firms providing conventional forensics services must attain an ISO standard, there is no such requirement for handling digital evidence.

Joel Tobias, managing director of forensics firm Cy4or, says most forensics specialists maintain high standards, but there are some that may not have had their security checked by police.

‘Some forces make a little bit more of an assumption over a company’s security than I am comfortable with,’ he said.

‘There is definitely a possibility that a company that did not have adequate security or expertise might be able to slip through the net and be used by the police.’

Vendor LGC performs digital and non-digital analysis for police forces. Non-digital work must adhere to the ISO 17025 standard.

But LGC says that customers, including the police, do not demand ISO 17025 accreditation when awarding digital contracts.

One senior manager at a major UK forensics firm describes the way digital forensic outsourcing operates as a ‘sham’.

‘If a piece of evidence was tampered with or stolen, there would be no case to answer in a court,’ said the manager.

‘We have worked for 20 law enforcement agencies in Britain and have only ever had visits by two of them. Technically, we have no security clearance whatsoever.’

It has also emerged that practices vary widely between forces. The Metropolitan Police rigorously inspects all firms it uses, according to another source in the digital forensics industry who points out that some forces often use suppliers on a recommendation from colleagues in other regions.

‘They will put in a phone call to another force to check our credentials, but would not necessarily send someone to check on us,’ said the source. ‘This creates a danger that once a company is in the loop, forces will no longer bother to check their security credentials.’

The Council for the Registration of Forensic Practitioners only accredits individuals and not companies. Its accreditations are not obligatory for undertaking digital forensic work.