OSBI DIGITAL EVIDENCE UNIT QUALITY MANUAL
DEQM_REV03 Page 1 of 50 Effective Date: 08/16/2019
QUALITY MANUAL INDEX
DEQM-0 Foreword, Management, and Organization
DEQM-1 Definitions and Abbreviations
DEQM-2 Laboratory Personnel
DEQM-3 Purchasing Supplies and Services
DEQM-4 Proficiency Testing
DEQM-5 Reserved for Future Use
DEQM-6 Approved Examination Tools
DEQM-7 Equipment and Tool Maintenance Records
DEQM-8 Reserved for Future Use
DEQM-9 Function Testing and Performance Verifications
DEQM-10 Reserved for Future Use
DEQM-11 Reporting Examination Results
DEQM-12 Administrative and Technical Reviews
DEQM-13 Retention of Evidence and Data
DEQM-Attached DEQM Attached Documents
DEQM-References DEQM Document References
DEQM-History DEQM Document History
DEQM-Approval DEQM Document Approval
DEQM-0: FOREWORD, MANAGEMENT, AND ORGANIZATION
0.1 FOREWORD
0.1.1 The OSBI Digital Evidence Unit (DEU) and the AT&T Digital Forensic
Laboratory (ATTDFL) are firmly committed to quality performance and strict
conformance to recognized current best practices of the digital forensic
community. It is imperative that the digital forensic laboratory quality standards
evolve and improve parallel with new and improved methods of scientific
examination and analysis as they are developed to meet the expanding needs of
the criminal justice system. The DEU and the ATTDFL are dedicated to the
implementation of policy and procedure changes required to ensure quality in all
facets of digital forensics laboratory operation.
0.1.2 This Quality Manual is based on the ISO/IEC 17025:2017 standard
complemented by the AR3125 ANAB Forensic Science Testing Laboratories
Accreditation Requirements, which are wholly relevant to the function and work
of the DEU and the ATTDFL. This DEU Quality Manual is subordinate to all
policies, procedures, practices, and/or requirements issued by the OSBI
Criminalistics Services Division (CSD) level and above.
0.1.3 All DEU Supervisors and Managers are responsible for the incorporation
of the quality practices and procedures specified within this Quality Manual into
the daily operation of the DEU and the ATTDFL. All DEU and ATTDFL
employees share in the responsibility for adherence to these established quality
measures and are crucial to the overall success of the quality management
program.
0.2 SCOPE
The DEU Quality Manual applies to all DEU and OSBI CSD personnel who
perform digital evidence examinations and to all personnel assigned to the ATTDFL.
The DEU Quality Manual also applies to all digital evidence examinations performed at
the ATTDFL and at all other OSBI laboratory locations where digital evidence examinations are
performed by OSBI CSD personnel.
0.3 MANAGEMENT
0.3.1 The immediate managerial staff of the DEU and the ATTDFL will consist
of the DEU Supervisor and the DEU Technical Manager.
0.3.1.1 In addition to the responsibilities and authority outlined in the
OSBI CSD Quality Manual QP 1, the DEU Supervisor shall:
Be responsible for overall oversight and administration of the DEU
and the ATTDFL
Oversee laboratory access control
Oversee the receipt and prioritization of requests for examination
Oversee the assignment and workflow of laboratory casework
Be responsible for the accountability and inventory of property
assigned to the DEU and the ATTDFL
0.3.1.2 In addition to the responsibilities and authority outlined in OSBI
CSD Quality Manual QP 1, the DEU Technical Manager shall:
Maintain familiarity with the current best practices of the digital
forensic community
Stay abreast of evolving changes and trends in technology which
have the potential to impact digital forensic examinations
0.3.2 The DEU and the ATTDFL will provide assigned personnel with the
authority and resources required to carry out the duties of their position(s)
including the implementation, maintenance, and improvement of the quality
system. All DEU and ATTDFL personnel will share the responsibility to identify
departures from the quality system and initiate actions to prevent or minimize
such departures.
0.3.3 Examination procedures followed by all DEU and ATTDFL examiners will
be specified in the DEU Technical Procedures Manual.
0.4 ORGANIZATION
0.4.1 The ATTDFL is organized as a task force facility under the direction and
administration of the OSBI Criminalistics Services Division and the DEU. As a
task force facility, the ATTDFL provides laboratory workspace and resources for
digital forensic examiners from partner law enforcement agencies. References to
the ATTDFL will refer to the facility as a whole and include all DEU and partner
law enforcement agency assigned examiners.
0.4.2 The organization and oversight of the ATTDFL Task Force will be
governed by the current Memorandum of Understanding (MOU) that exists
between all participating agencies and entities.
0.4.3 The organization and management structure of the DEU and the ATTDFL
will be clearly defined and the relationships between laboratory management,
technical management, and technical operations are illustrated in the OSBI CSD
organizational chart.
DEQM-1: DEFINITIONS AND ABBREVIATIONS
1.1 DEFINITIONS AND ABBREVIATIONS
In addition to the following definitions and abbreviations, any relevant terms and
definitions given in ISO/IEC 17025, the ANAB ISO/IEC 17025:2005 – Forensic Science
Testing Laboratories Accreditation Requirements, and the OSBI Criminalistics Services
Division Quality Manual apply:
ATTDFL – The AT&T Digital Forensics Laboratory.
CSD – The OSBI Criminalistics Services Division.
DEU – The OSBI Digital Evidence Unit. Unless otherwise specified, all
references to the “DEU” will include and/or apply to all ATTDFL examiners and
facilities as well as to all OSBI CSD digital evidence examiners and facilities.
Examiner – An individual who conducts and/or directs the examination and
analysis of digital evidence, interprets data, reaches conclusions, and issues
reports concerning conclusions.
Exhibit Report – A collection or group of electronic reports and corresponding
data, files, and/or information produced by forensic tools during digital evidence
examinations. Exhibit Report(s) are produced from either the forensic copies and
extractions obtained from ODE items or from the ODE items themselves and are
identified as derivative evidence.
Extraction – The collective group of files and data extracted from the digital
storage capacity of an item of evidence.
Forensic Copy – A copy of the digital storage capacity of a device that contains
an exact copy of the data from every data storage location on the device from the
first place data can be stored to the last.
Function Test – A test or series of tests based upon an approved Function Test
Plan conducted to determine if a forensic tool or device performs its intended
function and is suitable for use in examination casework.
Function Test Plan – A detailed plan which describes the methodology used to
test forensic tools or devices and any potential impacts or additional
requirements associated with the plan.
HDD – “Hard Disk Drive”; also abbreviated HD.
Preview – A basic search of the data storage area of a device conducted to
quickly eliminate devices with no files or data of immediately apparent evidentiary
value from full forensic examination or to confirm the device requires full forensic
examination.
Triage – Triage is the reduction of the number of items and volume of data
associated with examination requests by reviewing case details and eliminating
items from the request which likely contain no data of evidentiary value or
interest.
ODE – “Original Digital Evidence” is the original item of digital evidence
submitted by the requestor for forensic examination.
DEQM-2: LABORATORY PERSONNEL
2.1 All personnel who perform digital evidence examinations in OSBI CSD facilities
and in the ATTDFL will follow the requirements set forth in the OSBI CSD Quality
Manual, the DEU Quality Manual, the DEU Technical Manual, and the DEU Training
Manual.
2.2 All agencies and personnel assigned to or associated with the ATTDFL will
additionally adhere to the provisions of the ATTDFL Memorandum of Understanding
(MOU), which defines the responsibilities of all participating entities.
2.3 The ATTDFL operates as a task force facility and, as such, provides laboratory
workspace and resources for digital evidence examiners from partner law enforcement
agencies.
2.4 All ATTDFL personnel will be subject to OSBI Agency Directives, Policies, and
Procedures for matters that affect or directly impact the laboratory casework of the
ATTDFL.
2.5 If an event, incident, or situation arises that is not specifically addressed by the
ATTDFL MOU or an applicable OSBI policy or procedure, ATTDFL personnel will be
governed by their respective agency’s applicable policies and procedures.
2.6 ATTDFL assigned examiners will continue to be accountable to their partner law
enforcement agency for administrative, discipline, and payroll purposes.
2.7 Partner law enforcement agencies will be responsible for providing examiners
from their agencies assigned to the ATTDFL with the digital forensic examination
equipment, software, and tools necessary for the examiner to perform digital forensic
examination work within the ATTDFL.
2.8 All digital forensic equipment, software, and tools provided by partner law
enforcement agencies for use by ATTDFL assigned examiners must meet and be
subject to all requirements established by the DEU Quality Manual, the DEU Technical
Manual, and the OSBI CSD Quality Manual.
2.9 ATTDFL assigned examiners will retain the capability to perform examination
casework from their parent agency as priority casework. All examination casework
performed in requests from parent law enforcement agencies will adhere to the DEU
Quality Manual, the DEU Technical Manual, and the OSBI CSD Quality Manual.
2.10 ATTDFL assigned examiners will perform examination casework assigned by the
DEU Supervisor in accordance with DETM-0: Administrative Procedures, when
practical, given the examiner’s caseload from their parent agency.
2.11 Any concerns by examiners assigned to the ATTDFL on the day-to-day operation
of the laboratory will be addressed in accordance with the ATTDFL MOU and normally
be directed to the DEU Supervisor.
2.12 The day-to-day supervision of matters pertaining to the ATTDFL will be the
responsibility of the DEU Supervisor and be handled in accordance with the ATTDFL
MOU.
2.13 Responsibility for personal and professional conduct of personnel assigned to
the ATTDFL is the responsibility of each respective participating agency and will be
handled in accordance with each agency’s policies regarding conduct and the ATTDFL
MOU.
DEQM-3: PURCHASING SUPPLIES AND SERVICES
3.1 SCOPE
3.1.1 This protocol will apply to the purchase of equipment, hardware, software,
and supplies which are required to meet certain technical specifications in order
to properly and efficiently perform digital evidence examinations.
3.1.2 This protocol shall apply to the purchase of all equipment, hardware,
software, and supplies for use in the DEU to perform or in support of digital
evidence examinations which meet the following criteria:
3.1.2.1 All hardware items which require Function Testing as defined in
DEQM-9.
3.1.2.2 All hardware items used in the repair or maintenance of items
which require Function Testing as defined in DEQM-9.
3.1.2.3 All software which requires Performance Verification Testing as
defined in DEQM-9.
3.1.2.4 All digital storage devices used to store copies of digital evidence
or in the processing of items of digital evidence.
3.2 CRITICAL EQUIPMENT AND CONSUMABLES
There are no equipment items or supplies identified as critical equipment or
critical consumables used by the DEU. There are no supplies used by the DEU which
are considered consumable supplies that affect the quality of testing.
3.3 CRITICAL SERVICES
There are no critical services utilized within the DEU, as routine maintenance,
performance checks, verifications, and validations are performed by the assigned
laboratory examiners.
3.4 PURCHASING
3.4.1 The DEU does not have any defined critical consumables, services, or
supplies and, therefore, is not required to evaluate or maintain lists of suppliers
as defined in OSBI CSD QP9.
3.4.2 All purchase requests for items to be used in the DEU as defined in
DEQM-3.1 must contain sufficient information and data to fully identify the item(s)
and provide detailed specifications for each item.
3.4.3 Purchase requests for items to be used in the DEU as defined in DEQM-3.1
will be prepared by the examiner requesting the item(s) and routed to the
DEU Supervisor for approval.
3.4.4 All purchase requests which require funding from OSBI sources will follow
OSBI Policy 208 and OSBI Internal Purchase Request rules.
3.4.5 Purchase requests from ATTDFL Assigned Examiners will follow the
assigned examiner’s parent agency purchasing policy and rules after approval by
the DEU Supervisor.
3.5 RECEIVING
3.5.1 Once purchased items are received, the item(s) will be inspected to verify
they meet the specifications and requirements of the purchase request and
match the items listed on the packing list.
3.5.2 The DEU Technical Manager will establish a Maintenance Record as
required in DEQM-7 for the item(s), if applicable.
3.5.3 The item(s) received will be documented and labeled in accordance with
the purchasing agency’s inventory accountability policies and procedures.
3.5.4 The item(s) received shall not be used in laboratory casework until
successfully Function Tested or Performance Verification Tested in accordance
with DEQM-9, if applicable.
3.6 PURCHASING RECORDS
The DEU Technical Manager will ensure purchasing records for item(s) requiring
Maintenance Records are entered and maintained in the item’s Maintenance Record
and Maintenance Log for the respective item(s) in accordance with DEQM-7.
3.7 STORAGE
3.7.1 All items purchased for use by DEU personnel as defined in DEQM-3.1
will be stored in a secure location assigned or designated for the items by the
DEU Supervisor, DEU Technical Manager, or the CSD Supervisor of the facility
where the items are being stored and used.
3.7.2 Purchased items may be stored within the workspace of the examiner
assigned to use the item, or in another specified location designated by the DEU
Supervisor, DEU Technical Manager, or the CSD Supervisor of the facility where
the items are being stored and used.
DEQM-4: PROFICIENCY TESTING
4.1 All DEU examiners will follow the requirements set forth in OSBI CSD QP30 –
Proficiency Tests.
4.2 All DEU examiners will complete at least one (internal or external) proficiency
test per year whenever practical.
4.3 All DEU examiners will undergo proficiency testing in the digital evidence
sub-category(s) of testing in which the examiner is authorized to perform examinations.
4.4 Newly qualified and assigned examiners will begin participation in the proficiency
testing program within one year of the date of their qualification.
4.5 Proficiency Tests will be completed individually by the examiner to whom the test
is assigned.
4.6 Examiners will be notified of the final test results of each completed proficiency
test and the notification will be documented prior to being assigned any subsequent
proficiency test.
4.7 All information and records associated with proficiency testing will be maintained
in accordance with OSBI CSD QP 30 – Proficiency Testing.
DEQM-6: APPROVED EXAMINATION TOOLS
6.1 FORENSIC EXAMINATION TOOLS
6.1.1 Forensic Examination Tools will be defined as hardware and software
tools which are used in digital evidence examinations.
6.1.2 The Forensic Examination Tools utilized by the DEU to perform and
conduct digital evidence examinations will be classified into one of the following
three categories:
Forensic Software Tools
Forensic Computers
Forensic Hardware Tools
6.1.3 Common Use Software will be defined as software tools which are used in
a support capacity and from which no direct results are reported in examination
casework.
6.2 APPROVED FORENSIC SOFTWARE TOOLS
6.2.1 Forensic Software Tools will be further classified into the following two
sub-categories:
Computer Forensic Tools: Examination software tools which are
designed for and used primarily to examine computers and data
storage devices, but may be used to examine mobile devices as
well.
Mobile Device Forensic Tools: Examination software tools which
are designed for and used primarily to examine cellular telephones
and other mobile devices, but may be used to examine data from
other sources as well.
6.2.2 The following Computer Forensic Tools are approved for use in digital
forensic examination casework:
Forensic ToolKit (FTK) – AccessData
FTK Imager – AccessData
Registry Viewer – AccessData
Password Recovery ToolKit (PRTK) – AccessData
EnCase Forensic – Guidance Software
Magnet Acquire – Magnet Forensics
Axiom – Magnet Forensics
Tableau Disk Monitor – Tableau
HxD Hexeditor – Maël Hörz
osTriage2 – Eric Zimmerman (Feeble Industries)
Windows Forensics Environment (WinFE) – Microsoft
6.2.3 The following Mobile Device Forensic Tools are approved for use in digital
forensic examination casework:
UFED Physical Analyzer – Cellebrite
UFED 4PC – Cellebrite
GrayKey – Grayshift
6.2.4 Examiners limited to Mobile Device Examinations on their Authorization to
Work document may only use the Mobile Device Forensic Tools listed in section
6.2.3 for mobile device examination casework.
6.2.5 The DEU Technical Manager will monitor the support site of each software
manufacturer or vendor for releases of updates or new versions of approved
forensic examination software tools. The Technical Manager will determine
which versions or updates will be further reviewed, tested, and approved for use
in examination casework.
6.2.6 The DEU Technical Manager will review the release notes and ensure
new versions of forensic software examination tools are function tested and/or
performance verified in accordance with DEQM-9: Function Testing and
Performance Verifications prior to approving the version of the tool for use in
examination casework.
6.2.7 The DEU Technical Manager will not approve a new version of a forensic
software examination tool for use in examination casework within the first seven
days of the new version release date. If a new version of a tool is approved
within the first seven days of its release, the reason for the early approval will be
documented in the Maintenance Log of the tool in accordance with DEQM-7:
Equipment and Tool Maintenance Records.
6.2.8 The DEU Technical Manager will obtain the installation and update
software as well as any supporting documentation or release notes for approved
forensic examination software tools only from the official site or location
designated by the manufacturer or vendor of the software.
6.2.9 The DEU Technical Manager will establish and maintain an “Approved
Software” local storage resource accessible to all DEU examiners for the
purpose of storing the installation files and media for currently approved versions
of forensic examination software tools.
6.2.10 When a new version of a forensic examination software tool is approved
for use in examination casework, the DEU Technical Manager will post the
installation or update software to the local storage resource and post any
documentation or release notes associated with the newly approved version to
the Maintenance Record of the software tool in accordance with DEQM-7:
Equipment and Tool Maintenance Records.
6.2.11 The DEU Technical Manager will send a notification email to all DEU
examiners who perform digital evidence examinations within the sub-category of
testing that corresponds with the software tool informing them that a new version
of a software tool has been approved for use in examination casework. The DEU
Technical Manager will attach or provide a reference to the release notes
corresponding with the newly approved version and include any additional
guidance or information pertaining to the new features, use, or installation of the
software.
6.2.12 Examiners will only install forensic examination software tools from the
designated storage resource “Approved Software” installation files and media.
6.3 APPROVED FORENSIC COMPUTER SYSTEM TYPES
The following forensic computer system types are approved for use in digital
forensic examination casework:
FRED Workstations – Digital Intelligence (Windows 10)
MacPro Workstations – Apple (macOS v10.14/ Windows 10)
6.4 APPROVED FORENSIC HARDWARE TOOLS
The following forensic hardware write blocking tools are approved for use in
digital forensic examination casework:
SuperChief (USB3) – Digital Intelligence
Ultrabay 4d T356789iu IDE/SATA Write Blocker (PCIe) – Digital Intelligence/Tableau
UltraBay 3D T35689iu IDE/SATA Write Blocker (USB3) – Digital Intelligence/Tableau
UltraBay II T34589is IDE/SATA Write Blocker (FW800) – Digital Intelligence/Tableau
Forensic Media Card Reader (USB2/USB3) – Digital Intelligence
T3iu SATA Write Blocker – Tableau
T8 USB Write Blocker – Tableau
T8U USB3 Write Blocker – Tableau
T9 Firewire Write Blocker – Tableau
T35 IDE/SATA Write Blocker – Tableau
T35U IDE/SATA Write Blocker – Tableau
TD1 Forensic Duplicator – Tableau
TD2U Forensic Duplicator – Tableau
6.5 APPROVED COMMON USE SOFTWARE
Common use software with no direct forensic function may be made available by
the DEU Technical Manager through the approved common use software storage
location without being specifically listed in this policy section and without an approved
deviation to this policy. The following are examples of software designated as common
use and approved for use on digital forensic examination workstations:
7Zip
IrfanView
Microsoft Office
Adobe Acrobat
VLC Media Player
Nero Burning ROM
DEQM-7: EQUIPMENT AND TOOL MAINTENANCE RECORDS
7.1 PURPOSE
The purpose of this protocol is to establish a standardized procedure for the
creation, use, and maintenance of the Maintenance Records associated with the
forensic examination hardware and software tools identified in DEQM-6 as Approved
Examination Tools.
7.2 SCOPE
This procedure will apply to all records, data, and information which will be
maintained in each specific item’s Maintenance Record for all approved Forensic
Examination Tools used in the DEU to perform digital evidence examinations.
7.3 EQUIPMENT
Equipment will consist of the following types of Forensic Examination Tools
identified in DEQM-6 as Approved Examination Tools:
Forensic Examination Software Tools
Forensic Computer System Types
Forensic Examination Hardware Tools
7.4 EQUIPMENT MAINTENANCE NUMBERS
7.4.1 All Forensic Hardware Tools and Forensic Computer Systems identified
and listed in DEQM-6 will be assigned a unique identification number by the DEU
Technical Manager for indexing and reference. This unique number will be
referred to as the Maintenance Number assigned to the item and will be used as
a reference or index number for all Function Testing, Performance Verification,
and maintenance related testing and records.
7.4.2 The first two digits in the Maintenance Number will be “FC” for Forensic
Computer or “WB” for Write-Blocking devices and will be followed by a dash or “-”.
7.4.3 Digits 4-6 in the Maintenance Number will be a sequential three digit
number assigned by the DEU Technical Manager which corresponds with a
single specific Forensic Computer, Write-Blocking Device, or forensic software
item.
7.4.4 Examples of Maintenance Numbers:
FC-001, FC-002, FC-003 for forensic computers
WB-001, WB-002, WB-003 for write blocking devices
7.4.5 All Forensic Software Tools will be uniquely identified by the name or title
of the software assigned by the manufacturer or vendor. This unique name will
be used as a reference identifier in all Function Testing, Performance
Verification, and maintenance related testing and records.
7.5 EQUIPMENT MAINTENANCE RECORDS
7.5.1 For each Forensic Tool assigned a Maintenance Number or Identifier
under section 7.4 of this policy, the DEU Technical Manager will establish and
maintain a Maintenance Record uniquely associated with each Maintenance
Number or Identifier. The Maintenance Record will, at a minimum, contain the
following:
7.5.1.1 The manufacturer, model number, serial number, and OSBI asset
number (if applicable).
7.5.1.2 The Maintenance Number assigned to the specific tool by the
DEU Technical Manager.
7.5.1.3 The date the item was originally placed in service.
7.5.1.4 The manufacturer’s owner’s manual or user guide (if available).
7.5.1.5 The version number and manufacturer’s release notes associated
with software or firmware updates (if available).
7.5.1.6 Other documents and records associated with the tool as
determined by the DEU Technical Manager.
7.5.1.7 Each Maintenance Record will contain a chronological
Maintenance Log in which the following will, at a minimum, be recorded:
7.5.1.7.1 The identity of the examiner performing each instance of
maintenance, testing, or update which required entry in the
Maintenance Log.
7.5.1.7.2 The date a tool was originally placed in service or
returned to service after being temporarily taken out of service.
7.5.1.7.3 The date(s) a tool was either temporarily or permanently
taken out of service and the reason it was taken out of service.
7.5.1.7.4 The date(s) the tool failed any Function Test or
Performance Verification, the actions taken to correct the problem
that caused the failure, and the date the tool passed Function
Testing or Performance Verification after the correction or repair.
7.5.1.7.5 The dates of all Function Tests performed on the item
and the results of each test (pass/fail).
7.5.1.7.6 The date(s) forensic software tools were updated or
upgraded with new or updated versions.
7.5.1.7.7 The dates of any modification, repair, update, upgrade,
or any other changes made to the tool’s hardware or software.
7.5.1.7.8 The results of any maintenance or quality related event.
7.5.1.7.9 For forensic software tools, the Maintenance Log will
include the date each version was approved for use in casework.
7.5.1.7.10 For forensic software tools which are released as a suite
or group (e.g., Forensic ToolKit), the Maintenance Logs will include
the specific version number of each subordinate software program
for each approved version of the suite.
7.5.1.8 An example Maintenance Log is included as attachment DEQM-7A.
7.5.2 The DEU Technical Manager will maintain the Maintenance Records for
all Approved Forensic Tools. The DEU Technical Manager will ensure all current
and archived Maintenance Records are properly backed up and retained.
7.5.3 The DEU Technical Manager will maintain the Function Test
Documentation and Records for all tested Forensic Tools separate from the
individual Tool Maintenance Records.
7.5.4 The Maintenance Record for each tool will be maintained for a minimum of
ten years after the item has been permanently taken out of service.
DEQM-9: FUNCTION TESTING AND PERFORMANCE VERIFICATIONS
9.1 PURPOSE
The purpose of this protocol is to provide a set of standardized procedures for
the Function Testing and Performance Verification of forensic tools used during the
examination of digital evidence.
9.2 SCOPE
This procedure will apply to all forensic tools used by personnel and examiners of
the DEU to perform digital evidence examinations which require Function Testing or
Performance Verification.
9.3 EQUIPMENT
Equipment will consist of hardware (e.g., forensic computer systems, physical
write blocking devices, etc.), software (e.g., forensic software applications, common
programs, etc.), and firmware (e.g., read-only memory found on hardware devices).
9.4 SCOPE OF FUNCTION TESTING
9.4.1 The DEU Technical Manager is responsible for determining which forensic
tools require Function Testing. The DEU Technical Manager will consider the
general acceptance of a tool within the digital forensic community when making
the determination if and how often Function Testing is required.
9.4.2 The following forensic tools require Function Testing prior to first use in
examination casework:
9.4.2.1 Forensic tools which function as a write blocking device.
9.4.2.2 Forensic tools which function to wipe or sterilize data storage.
9.4.2.3 Any other forensic tool listed on the Function Test Tracking
Roster maintained by the DEU Technical Manager.
9.4.3 The following criteria or conditions will require forensic tools identified in
section 9.4.2 to undergo Function Testing prior to being returned to use or
continuing to be used in casework, regardless of when the last or previous
Function Testing was performed:
9.4.3.1 Any change or update to the device firmware.
9.4.3.2 Any repair to the device hardware.
9.4.3.3 Any time the device is sent, transported, or otherwise outside of
the positive control of DEU examiners, such as shipped back to the
manufacturer for service.
9.4.4 All forensic tools identified in section 9.4.2 will be Function Tested annually.
9.4.5 Examiners will only use approved forensic examination tools listed in DEQM-6
as well as common tools to perform Function Testing as defined in this procedure.
9.5 FUNCTION TEST ADMINISTRATION
9.5.1 The DEU Technical Manager will maintain and track Function Tests and
all associated documentation separate from the forensic tool Maintenance
Records.
9.5.2 The DEU Technical Manager will assign a unique “Function Test Number”
for each Function Test for indexing and reference. The Function Test Number
will be used as a reference index number for recording and tracking Function
Testing.
9.5.2.1 The first two characters (positions 1-2) of the Function Test Number will be “FT” to
identify the number as a Function Test Number and will be followed by a
dash, “-”.
9.5.2.2 Positions 4-7 in the Function Test Number will be the four-digit year
in which the testing took place and will be followed by a dash, “-”.
9.5.2.3 Positions 9-13 in the Function Test Number will be the five-character
Maintenance Number or Identifier assigned to the item for Maintenance
Record tracking in accordance with DEQM-7: Equipment and Tool
Maintenance Records. The Function Test Number will be appended with
a dash, “-”, and a single-digit sequence number for each subsequent
Function Test performed within the calendar year.
9.5.2.4 Examples of Function Test Numbers:
FT-2017-WB001
FT-2017-WB002-1
FT-2017-WB002-2
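The numbering convention of section 9.5.2, as an added example that is not part of the manual: a small Python parser and validator for Function Test Numbers, plus a helper that assigns the next number for a tool within a calendar year. It assumes the five-character Maintenance Identifier is upper-case letters and digits (as in the manual's WB001 and WB002) and treats a number with no suffix as the first test of the year.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Layout from DEQM-9 section 9.5.2 (1-based positions, as the manual counts them):
#   1-2  "FT"                        3  "-"
#   4-7  four-digit year             8  "-"
#   9-13 five-character Maintenance Number or Identifier (DEQM-7)
#   optional "-" plus one digit: sequence number of each *subsequent*
#   Function Test of the same tool within the calendar year.
# Assumption (not stated in the manual): the identifier is upper-case letters
# and digits, matching the manual's own examples WB001 and WB002.
_FT_RE = re.compile(r"^FT-(?P<year>\d{4})-(?P<maint>[A-Z0-9]{5})(?:-(?P<seq>[1-9]))?$")


@dataclass(frozen=True, order=True)
class FunctionTestNumber:
    year: int
    maintenance_id: str
    sequence: int  # 0 = first test of the year (no suffix); 1.. = "-1", "-2", ...

    def __str__(self) -> str:
        base = f"FT-{self.year:04d}-{self.maintenance_id}"
        return base if self.sequence == 0 else f"{base}-{self.sequence}"


def parse_function_test_number(value: str) -> FunctionTestNumber:
    """Validate a Function Test Number and split it into year, identifier, sequence."""
    m = _FT_RE.match(value.strip())
    if m is None:
        raise ValueError(f"not a valid Function Test Number: {value!r}")
    seq = m.group("seq")
    return FunctionTestNumber(
        year=int(m.group("year")),
        maintenance_id=m.group("maint"),
        sequence=int(seq) if seq is not None else 0,
    )


def next_function_test_number(existing: Iterable[str], year: int, maintenance_id: str) -> str:
    """Assign the next number for one tool in one calendar year (section 9.5.2.3).

    The first test of the year carries no suffix; later tests get "-1", "-2", ...
    Every string in `existing` is validated, so a malformed roster entry is
    reported instead of silently skipped.
    """
    same_tool_year = [
        ft for ft in map(parse_function_test_number, existing)
        if ft.year == year and ft.maintenance_id == maintenance_id
    ]
    seq = 0 if not same_tool_year else max(ft.sequence for ft in same_tool_year) + 1
    # The manual reserves a single digit, so nine subsequent tests is the ceiling;
    # how a tenth would be numbered is not specified, so refuse rather than guess.
    if seq > 9:
        raise ValueError(f"{maintenance_id} already has nine subsequent Function Tests in {year}")
    candidate = str(FunctionTestNumber(year, maintenance_id, seq))
    parse_function_test_number(candidate)  # rejects a malformed year or identifier
    return candidate


if __name__ == "__main__":
    # Constructed tracking roster built from the manual's own example numbers.
    roster = ["FT-2017-WB001", "FT-2017-WB002", "FT-2017-WB002-1", "FT-2017-WB002-2"]
    for number in roster:
        print(number, "->", parse_function_test_number(number))
    print("next for WB002 in 2017:", next_function_test_number(roster, 2017, "WB002"))  # FT-2017-WB002-3
    print("next for WB002 in 2018:", next_function_test_number(roster, 2018, "WB002"))  # FT-2018-WB002
```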
9.5.3 All Function Test documentation will utilize and reference the Maintenance
Number assigned to the forensic tool in accordance with DEQM-7 as a common
reference identifier.
9.5.4 Each Function Test will utilize and reference a Function Test Plan which
has been approved by the DEU Technical Manager and the OSBI CSD
Administrative Staff.
9.5.5 The DEU Technical Manager will review and approve all Function Test
Reports and documentation generated during the course of Function Testing
prior to the release of any Forensic Equipment or Tools for use in casework.
9.5.6 The Function Test Number, the reason function testing was conducted,
the testing examiner, and date(s) Function Testing was conducted will be
recorded in the chronological Maintenance Log in the Maintenance Record for
the tested forensic tool in accordance with DEQM-7. The log will indicate if the
test was conducted to satisfy the annual testing requirement established in
section 9.4.4 of this protocol or if the function testing was conducted as a result
of a problem, failure, or maintenance event.
9.6 FUNCTION TEST PLANS
9.6.1 The DEU Technical Manager will develop and maintain a separate
Function Test Plan for each forensic tool type which requires Function Testing.
Forensic tools will be considered to be of the same tool type if the different tools
can be effectively and properly function tested using the same testing
methodology and plan.
9.6.2 Function Test Plans should be written specific to the forensic tool type
and, at a minimum, contain the following sections:
9.6.2.1 Function Test Plan Title – Must contain the forensic tool type.
9.6.2.2 Purpose and Scope – Describe the purpose of testing and the
scope of tools the plan is applicable to.
9.6.2.3 Requirements and Expected Results – Describe what the tool is
required or expected to do and the expected results of testing.
9.6.2.4 Methodology – Describe how the test is to be performed. Must
include:
- Description of the test data set and test media devices.
- Description of the tools to be used in testing.
- Description of the actions and/or procedures to perform for each testing scenario.
- The number of times the testing procedure or scenario must be replicated.
- Description of any configurable option settings within the stated purpose and scope which may require additional testing or replication.
- Description of data which must be documented for each testing procedure and/or scenario.
9.6.2.5 Required Training – Determine if training for examiners is
required or provide an explanation why training will not be necessary.
9.6.2.6 Required Competency – Determine if competency testing or
evaluation for examiners is required or an explanation why competency
testing or evaluation will not be necessary.
9.6.2.7 References – Provide references from Scientific Working Group
documentation or other applicable technical references.
9.6.3 Once completed, the DEU Technical Manager will sign and date the
Function Test Plan.
9.6.4 The DEU Technical Manager will forward the Function Test Plan to the
OSBI CSD Administrative Staff for review and approval in accordance with OSBI
CSD QP 21.2. The Function Test Plan must be reviewed and approved by OSBI
CSD Administrative Staff prior to the start of Function Testing.
9.6.5 Once reviewed and approved by the OSBI CSD Administrative Staff, the
Function Test Plan and all related documentation will be archived and maintained
by the DEU Technical Manager in accordance with OSBI CSD QP 21.2.
9.6.6 Once a Function Test Plan has been reviewed for a forensic tool type, the
plan may be used for subsequent Function Testing of the same forensic tool type
without additional review and approval by the OSBI CSD Administrative Staff.
9.7 FUNCTION TEST REPORTS
9.7.1 All Function Testing will follow a developed and approved Function Test
Plan before testing begins.
9.7.2 The Function Test Report will serve as the document which details the
results of Function Testing and will contain, at a minimum, the following:
9.7.2.1 A reference to the specific Function Test Plan utilized.
9.7.2.2 A brief summary of the testing conducted and any conclusions made.
9.7.2.3 A description of the forensic tools used in testing.
9.7.2.4 A description of the media devices used in testing.
9.7.2.5 The testing results for each variable in the test plan and any
observations pertinent to the observed results for that testing variable.
9.7.2.6 A summary of observations or results that do not fit within the
expected results.
9.7.2.7 A summary stating the overall outcome of the testing process and
if the forensic tool tested is suitable for its intended use.
9.7.2.8 A description of any limitations for the use of the forensic tool.
9.7.2.9 Signature blocks for both the testing examiner and the DEU
Technical Manager to sign and date the report.
9.7.3 The testing examiner is responsible for conducting all Function Testing in
accordance with the applicable Function Test Plan assigned by the DEU
Technical Manager.
9.7.4 The testing examiner is responsible for preparing the Function Test Report
and providing the report to the DEU Technical Manager for approval. Once the
report has been approved, both the testing examiner and the DEU Technical
Manager will sign and date the report.
9.7.5 The DEU Technical Manager will forward the Function Test Report
through the OSBI CSD Administrative Staff for review and approval in
accordance with OSBI CSD QP 21.2.
9.7.6 Once reviewed and approved by the OSBI CSD Administrative Staff, the
Function Test Report and all related documentation will be archived and
maintained by the DEU Technical Manager in accordance with OSBI CSD QP
21.2.
9.7.7 Once a Function Test Report has been reviewed by the OSBI CSD
Administrative Staff for a forensic tool type, subsequent Function Test Reports
produced for the same forensic tool type may be produced by examiners and
reviewed, approved, and archived by the DEU Technical Manager without
additional review and approval by the OSBI CSD Administrative Staff.
9.7.8 When the DEU Technical Manager is the testing examiner, Function Test
Reports may be reviewed and approved by the DEU Supervisor; unless the
reports are required to be reviewed by the CSD Administrative Staff.
9.8 PERFORMANCE VERIFICATIONS
9.8.1 Performance Verifications are required for the following forensic tools:
- Approved Forensic Software Tools listed in DEQM-6.2.
- Approved Forensic Computer System types listed in DEQM-6.3.
- Approved Forensic Hardware Tools listed in DEQM-6.4.
9.8.2 All forensic examination software tools listed in DEQM-6.2 are widely
accepted by the digital evidence community and will be considered Performance
Verified after the DEU Technical Manager has reviewed the release notes and approved
the specific version of the tool for use in examination casework, and the tool
launches without error(s) when run on an approved forensic computer system.
9.8.3 Any problem or error with a forensic examination software tool which is
acknowledged by the manufacturer and listed as a “known issue” in the release
notes for the applicable software version will not be considered as a cause for
Performance Verification failure.
9.8.4 Forensic computer systems will be considered Performance Verified after
a successful Power-On Self Test (POST) and subsequent operating system load
or boot with no errors or failures.
9.8.5 Forensic write-blocking or write-protecting hardware will be
considered Performance Verified after the device is successfully powered on, the
firmware has successfully loaded, and the hardware’s write protect setting(s)
have been confirmed to be properly set or enabled.
9.8.6 When forensic examination tools are used during examinations in
casework and are uniquely identified in the case notes, the tool will be considered to
have successfully passed Performance Verification unless otherwise noted.
9.8.7 Performance Verifications will not be used in lieu of Function Testing when
any condition exists that would require Function Testing of the tool as defined in
Section 9.4.
9.8.8 If a forensic examination tool passes Performance Verification as defined
in 9.8.2 through 9.8.5 above, no entry in the tool’s Maintenance Record is
required.
9.8.9 If a forensic examination tool fails a Performance Verification test, the
following course of action will be followed in order:
9.8.9.1 The DEU Technical Manager will be immediately notified of the
failure.
9.8.9.2 The forensic tool which failed verification will be taken out of
service, clearly labeled as “Out of Service” in accordance with OSBI CSD
QM Section 5.5.7, and not used for examination casework until the failure
is corrected, repaired, and/or resolved.
9.8.9.3 Documentation pertaining to the Performance Verification failure,
any repairs made to the device, and dates of removal from use in
examination casework will be documented in the Maintenance Record
associated with the tool.
9.8.9.4 Once the cause of the Performance Verification failure has been
corrected or resolved and the forensic examination tool has subsequently
passed Performance Verification, the DEU Supervisor or Technical
Manager shall document the subsequent successful Performance
Verification and approval to use the tool in examination casework in the
tool’s Maintenance Record.
9.8.10 Performance Verifications will be documented in the Maintenance Record
associated with the examination tool:
9.8.10.1 Prior to the use of the examination tool in casework.
9.8.10.2 After all Performance Verification failures.
9.8.10.3 After any repair, maintenance, or firmware update to the
equipment which was completed as a result of a Performance Verification
failure.
DEQM-11: REPORTING EXAMINATION RESULTS
11.1 PURPOSE
The purpose of this protocol is to provide standardization for the required
minimum content and formatting of Digital Evidence Examination Reports.
11.2 SCOPE
This protocol applies to all Digital Evidence Examination Reports produced by
personnel and examiners of the DEU.
11.3 GENERAL
11.3.1 All Digital Evidence Examination Reports will conform to the guidelines
and standards set forth in the DEU Technical Procedures, DEU Quality Manual,
the OSBI Criminalistics Services Division (CSD) Quality Manual, and CSD QP
28.
11.3.2 All Digital Evidence Examination Reports will be created in and produced
by the CSD BEAST Laboratory Information Management System (LIMS) in
accordance with CSD QP 16.2.
11.3.3 All Digital Evidence Examination Reports will be formatted to
accommodate the types of examinations conducted and to minimize the
possibility of misunderstanding or abuse.
11.4 DESCRIPTION OF EVIDENCE SECTION
11.4.1 The Digital Evidence Examination Report will include all items examined
and referenced by the report in the “Description of Evidence” section.
11.4.2 The intent of the Description of Evidence section of the report is to list the
item or sub-item number associated with each item of evidence examined and
provide a brief description of each item.
11.5 RESULTS AND INTERPRETATIONS SECTION
11.5.1 The Results and Interpretations Section of the report will include a
separate section for each examination type performed by the examiner. For
example, if an examiner utilized Forensic ToolKit (FTK) and Axiom during an
examination, the report should include separate sections for both FTK and
Axiom.
11.5.2 All examination types performed during the examination of evidence will
be listed in a separate section in the report.
11.5.3 Report sections for each examination type performed by the examiner
which produced examination results included in an Exhibit Report will include, at
a minimum, a list containing the following:
11.5.3.1 All bookmarks
11.5.3.2 All category reports
11.5.3.3 All summary reports
11.5.3.4 All other reports or report sections
11.5.4 Report sections for each examination type performed by the examiner
from which no examination results are included in an Exhibit Report will describe
the reason no results were included in the Exhibit Report.
11.5.5 A separate section which describes the exhibit report storage device type
and corresponding LIMS evidence item number will be included.
11.6 TECHNICAL SUMMARY SECTION
11.6.1 All evidence will be documented in the LIMS in accordance with DETM-2:
Examination Documentation and the CSD Quality Manual.
11.6.2 All forensic hardware and software tools utilized in the examination of
evidence will be documented in the LIMS matrix data entry for the corresponding
item.
11.6.2.1 Hardware tools will be identified by the Maintenance Number
assigned to the specific hardware tool.
11.6.2.2 Software tools will be identified by the Maintenance Identifier and
the complete version number of the tool used.
11.6.2.3 All forensic tools used will be selected from the listed available
tools in the drop-down lists within the matrix data entry panels.
11.6.2.4 Any forensic tools used which are approved for use but do not
appear in the drop down lists within the matrix data entry panels may be
listed in the notes section of the matrix data entry panel.
DEQM-12: ADMINISTRATIVE AND TECHNICAL REVIEWS
12.1 All digital evidence examination reports produced by DEU examiners will meet
the administrative and technical review requirements set forth in OSBI CSD QP31. All,
or 100%, of DEU examination reports will undergo Technical and Administrative
Review.
12.2 Administrative and Technical Reviews of DEU digital evidence examination
reports will only be performed by examiners who have been approved by the DEU
Technical Manager to perform Administrative and Technical Reviews and have that
approval documented in their Authorization to Work document.
12.3 Administrative and Technical Reviews will be conducted as separate reviews and
the Technical Review must have been completed prior to the start of the Administrative
Review.
12.4 TECHNICAL REVIEWS
12.4.1 All technical reviews of DEU casework and reports will include all review
criteria required by CSD QP31 as well as all review criteria listed on the OSBI
Digital Evidence Examination Technical Review Form, which is attached as
DEQM-12A.
12.4.2 All DEU examination reports will be technically reviewed by an approved
and qualified examiner who did not participate in any part of the examination or
preview of any item of evidence in the request.
12.4.3 All DEU Technical Reviews should be completed within 5 days of the date
the review is requested.
12.4.4 All examination reports and cases which require correction will be
properly routed to the reporting examiner for correction with an explanation in the
comments specifically describing the recommended corrections. All changes
made during the review and correction process must be documented.
12.4.5 Completion of the Technical Review will be documented in accordance
with CSD QP 31.
12.5 ADMINISTRATIVE REVIEWS
12.5.1 Administrative Reviews of DEU casework and reports will be defined as
the review of the exhibit report storage device and exhibit reports produced by
the examiner for release to the requestor at the conclusion of the digital evidence
examination.
12.5.2 During the administrative review, the reviewing examiner will review the
examination report and the exhibit report storage device for all review criteria
required by CSD QP31 as well as all review criteria listed on the OSBI Digital
Evidence Examination Administrative Review Form, which is attached as DEQM-12B.
12.5.3 If the administrative review identifies conditions which require correction,
the reviewer will route the report to the reporting examiner for corrections and
clearly identify the items or conditions which require correction.
12.5.4 If no corrections are required to the digital evidence examination report
but are required to the exhibit report media, the reporting examiner will make the
corrections to the exhibit report storage device and route the report back to the
reviewing examiner for administrative review.
12.5.5 If corrections are required to the digital evidence examination report, the
reporting examiner will make the corrections to the examination report and to the
exhibit report storage device and route the report back to the examiner who
conducted the technical review for re-review of the examination report. Once the
technical review has been completed for the changes made to the examination
report, the reporting examiner will re-route the report to the examiner who
conducted the administrative review.
12.5.6 Once all corrections to both the digital evidence examination report and
the exhibit report storage device have been made and all technical and
administrative review criteria have been satisfied, the examiner performing the
administrative review will approve the report to finalize it and notify the reporting
examiner the report has been approved.
12.5.7 Completion of the Administrative Review will be documented in
accordance with CSD QP 31.
12.6 ADMINISTRATIVE REVIEWS WITH NO EXHIBIT REPORT
If an exhibit report is not produced or referenced in the digital evidence
examination report, the review criteria on the Administrative Review Form will be
annotated with “N/A” where applicable and the examiner performing the administrative
review will approve the examination report once the administrative review has been
finalized.
12.7 If an examiner and a technical reviewer disagree whether a report and case file
meet the criteria to pass administrative and/or technical review, the disagreement or
discrepancy will be resolved in accordance with CSD QP-31.
DEQM-13: RETENTION OF EVIDENCE AND DATA
13.1 SCOPE
This protocol applies to all items of digital evidence received for examination by
DEU examiners as well as the data associated with the examination of all items of
submitted evidence.
13.2 RETENTION OF EVIDENCE
13.2.1 All DEU examiners will utilize an evidence storage facility approved by the
CSD Director to store items of evidence submitted for digital evidence
examination.
13.2.2 The ATTDFL Evidence Storage Facility will be maintained by the DEU
Supervisor, or designee, and will follow all requirements for evidence handling
and storage set forth in OSBI CSD Policies, Procedures, and the OSBI CSD
Quality Manual.
13.2.3 The ATTDFL Evidence Storage Facility will only store items of evidence
submitted for digital evidence examination while the items are pending
examination, in the process of examination, or awaiting return to the requesting
agency.
13.2.4 All items of evidence submitted for digital evidence examination will be
returned to the requesting agency, their designee, or to an appropriate OSBI
evidence storage facility as soon as practical after the examination of the items is
complete and the Exhibit Report(s) are prepared and ready for dissemination to
the requestor.
13.3 RETENTION OF EXTRACTIONS AND FORENSIC COPIES
13.3.1 Extractions and forensic copies obtained during digital evidence
examinations are not required to be retained after the examination report
associated with the ODE items has been reviewed and approved.
13.3.2 The requestor may request a verified copy of the extractions and forensic
copies obtained during the examination(s). The requestor must provide an
appropriate storage device of sufficient capacity to store the copies of the
extractions, images, and forensic copies.
13.3.3 Copies of extractions and forensic copies provided to requestors will be
prepared and verified by the examiner who performed the examination whenever
possible. Once the data has been copied to the requestor’s storage device and
verified to be an exact copy, the copy or copies will then be released to the
requestor.
13.3.4 Copies of extractions and forensic copies may be maintained after the
examination report associated with the ODE items has been reviewed and
approved at the discretion of the examiner, the DEU Supervisor, the DEU
Technical Manager, or the OSBI CSD Administrative Staff.
13.3.5 Requests for additional, follow-up, or subsequent examination
of previously submitted digital evidence may require re-submission of the ODE
items if the extractions and forensic copies associated with the ODE items in the
request have been destroyed, are no longer available, or are no longer viable.
13.4 RETENTION OF OTHER DATA
13.4.1 The DEU will utilize the LIMS to document, record, and store case and
technical records associated with examination casework in accordance with
DETM-2, OSBI CSD policies, and the OSBI CSD Quality Manual. The retention
of all data and information stored within the LIMS is governed by the OSBI CSD
Quality Manual and applicable OSBI CSD Policy.
13.4.2 The DEU is not required to retain exhibit reports or their corresponding
data, files, and information after the exhibit report storage device evidence item
has been released to the requestor, the requesting agency, or designee.
13.4.3 The DEU is not required to retain other data that has been created,
copied, or utilized by forensic examination tools during digital evidence
examinations after all examination reports and exhibit reports associated with a
digital evidence examination request have been disseminated to the requestor,
requesting agency, or designee.
13.4.4 Exhibit reports and other data may be maintained after all examination
reports and exhibit report evidence item(s) have been disseminated at the
discretion of the examiner, the DEU Supervisor, the DEU Technical Manager, or
the OSBI CSD Administrative Staff.
DEQM DOCUMENT ATTACHMENTS
The following documents are attached to this policy manual at the section
references indicated below:
7.6.1 Example Maintenance Log (DEQM-7A_REV03)
12.8.1 OSBI Digital Evidence Unit and ATTDFL Technical Review Form
(DEQM-12A_REV03)
12.8.2 OSBI Digital Evidence Unit and ATTDFL Administrative Review Form
(DEQM-12B_REV03)
Maintenance Log (form columns):
Date | Examiner | Logged Maintenance or Quality Event | Result of Event
DEQM-7A_REV03 Page 1 of 1 Effective Date: 08/16/2019
OKLAHOMA STATE BUREAU OF INVESTIGATION CRIMINALISTIC SERVICES DIVISION Digital Evidence Unit Technical Review Form
Analyst: Case #: Report
1. The case file and report were reviewed in accordance with DEQM-12: Administrative and Technical Reviews, and OSBI CSD QP31.
2. All examinations were conducted within the examination scope provided in the request.
3. The report Technical Summary section documents the forensic hardware, software, software version(s), and examination procedures used.
4. Hashing was utilized and documented in accordance with applicable DEU Technical Procedures.
5. All opinions expressed in the report are consistent with the OSBI CSD Quality Manual and applicable DEU Quality Manual/Technical
Procedures.
Comments:
Technical Review Signature
Signature indicates Technical Review approval
DEQM-12A_REV03 Effective Date 08/16/2019
OKLAHOMA STATE BUREAU OF INVESTIGATION CRIMINALISTIC SERVICES DIVISION Digital Evidence Unit Administrative Review Form
Analyst: Case #: Report
1. The Technical Review for the case file and report has been completed.
2. All Exhibit Reports referenced in the Digital Evidence Examination Report are present and accessible on the Exhibit Report media.
3. All Exhibit Reports present on the Exhibit Report media are referenced in the Digital Evidence Examination Report.
Comments:
Administrative Review Signature
Signature indicates Administrative Review approval
DEQM-12B_REV03 Effective Date 08/16/2019
DEQM DOCUMENT REFERENCES
The following standards and sources guide the requirements included in this
quality manual. If the reference listed does not include a date, the most recent revision
of the referenced document or source applies.
ISO/IEC 17025:2017
ANAB ISO/IEC 17025 – Forensic Science Testing Laboratories Accreditation
Requirements (AR3125)
Scientific Working Group on Digital Evidence (SWGDE) www.swgde.org
National Institute of Standards and Technology (NIST) Computer Forensics
Tool Testing Project www.cftt.nist.gov
OSBI Criminalistics Services Division Quality Manual
DEQM DOCUMENT HISTORY
DEQM DOCUMENT HISTORY:
Revision # | Review Date | Revision History Notes/Description
0 5/27/2016 Original Issue. Original DEQM was published with each section as a separate document and each document had a separate document history page.
1 12/01/2017 Updated to revision 1. Combined all DEQM REV0 separate section documents into one document with a single history and approval. Revised all sub-sections to further define the purpose and scope to include references to OSBI CSD and DEU laboratory facilities other than the ATTDFL and to all CSD, DEU, and ATTDFL personnel who perform digital evidence examinations. Removed redundant language associated with acronyms. Changed all references from ASCLD/LAB to ANAB Accreditation Requirements. DEQM-0: Section 0.4.3 edited to remove hyperlink to the OSBI CSD Organizational Chart. DEQM-1: Section 1.1 edited to remove the reference to “image” from definition of Forensic Copy. DEQM-2: Entire section was comprehensively re-written to include personnel who perform digital evidence examinations at locations other than the ATTDFL and are not assigned to the DEU and/or ATTDFL. Corrected section numbering index and removed redundant language. DEQM-3: Section 3.1.2.3 edited to remove “installed or used on items”. Section 3.1.2.5 was removed in its entirety. Section 3.1.3 added to include all OSBI CSD personnel who perform digital evidence examinations and to include all locations digital evidence examinations are performed by OSBI CSD personnel.
Section 3.5.1 edited to remove ATTDFL as the sole point of receipt for purchased items. Section 3.6 edited to require purchasing records be maintained only for items requiring Maintenance Records and removed redundant retention requirement for purchasing records. Section 3.7.1 edited to apply to the storage of purchased items at approved designated locations other than the ATTDFL. DEQM-4: Sections 4.1, 4.2, and 4.3 edited to include all OSBI CSD examiners. Section 4.2 edited to remove requirement to complete one proficiency test in each category of testing once per accreditation cycle due to unnecessary redundancy with OSBI CSD QP30. Section 4.3 edited to replace “methods” with “categories”. DEQM-6: Section 6.1.2 edited to add language to include OSBI CSD personnel and additional language to specify applicability to tools used “to perform and conduct digital evidence examinations”. Section 6.2 was comprehensively re-written to create and define the two sub-categories of software forensic tools “Computer Forensic Software Tools” and “Mobile Device Forensic Software Tools”; to separate the list of approved software tools into their respective sub-categories; add section 6.2.4 to allow for restrictions applicable to mobile device only examiners; and to add sections 6.2.5 through 6.2.12 which detail the duties and responsibilities of the DEU Technical Manager with respect to the administration, approval, distribution, management, and oversight of forensic software tools. Sections 6.3 and 6.4 were edited to reflect current in service hardware and software. DEQM-7: Section 7.4.5 added to allow the maintenance records of software tools to be uniquely identified by the name or title of the software as a maintenance identifier rather than requiring the use of a maintenance number.
Section 7.5 edited to include reference to maintenance identifier and number requirement in section 7.5.1.5 to document the version number for software tools. Section 7.5.1.7.9 added to include requirement to document the specific version numbers for each subordinate software program for software tools which are released as a “suite” or group. Removed requirement for all approved software tools to be stored “on a network storage location within the ATTDFL”.
DEQM-9: Section 9.4.2.3 edited to require other forensic tools which require Function Testing be identified on the Function Test Tracking Roster maintained by the DEU Technical Manager. Section 9.4.4 edited to change function testing requirement from “every 12 months” to “annually”. Section 9.5.1 edited to remove requirement to uniquely identify function tests performed to meet annual testing requirement. Sections 9.5.2.3 through 9.5.3 edited to require the use of the maintenance number or identifier in the function test number and remove naming convention which uniquely identified annual function tests. Section 9.5.6 edited to require the reason function testing was conducted be documented in the maintenance log for the tested item.
DEQM-11: Section 11.5.5 edited to replace “…section which describes the media type and a full description of the media device used to distribute the Exhibit Report(s)…” with “…section which describes the media used to distribute the Exhibit Report(s)…”. Section 11.6.1 edited to replace “Each evidence item and sub-item” with “All evidence”. Section 11.6.2 edited to replace “Each evidence item or sub-item” with “evidence”. Section 11.6.2.1 edited to replace “Quality Number” with “Maintenance Number” and “item” with “tool”. Section 11.6.2.2 edited to replace “complete name” with “Maintenance Identifier”.
DEQM-12: Entire policy section comprehensively re-written to require the Administrative and Technical Review process be divided into and documented as two separate reviews and further define and explain each review. Attached document DEQM-12A (Technical Review Form) edited to reflect revisions to DEQM-12. Attached document DEQM-12B (Administrative Review Form) created as Revision 1 to satisfy the added administrative review requirements in the DEQM-12 revision.
DEQM-13: Entire section edited to include the use of other approved CSD evidence storage facilities outside of the ATTDFL and to remove references to “image(s)” from references to “extractions, images, and forensic copies”. Section 13.3.6 edited to require the requestor’s acceptance or declination to receive copies of extractions or forensic copies to be documented on the CSD Digital Evidence Examination Request Addendum instead of in the case notes.
DEQM Attached Documents: Section added to the end of the manual to list all attachments from all sub-sections and identify the current revision numbers for each attachment.
DEQM References: Section added to the end of the manual to list all manual references from each individual document section in one location. Removed references listed at the end of each document section.
2 12/05/2018 Updated to Revision 2. A substantive revision of this manual is in progress and expected to be completed within the first two quarters of calendar year 2019. This revision is pending completion of Revision 6 of the OSBI CSD Quality Manual, which is under revision to ensure compliance with the ISO/IEC 17025:2017 International Standard and the ANAB AR3125 Accreditation Requirements.
3 08/16/2019 Updated document to Revision 03. The entire document was edited to consistently apply document and paragraph formatting and spacing. Throughout the entire document, redundant references to “OSBI CSD”, “DEU”, and the “ATTDFL” were replaced with “DEU” where applicable. Added hyperlink to the document revision number in lower left footer to return to the document index page.
DEQM-INDEX: Added hyperlinks to each individual manual sub-section.
DEQM-0: Section 0.1.2 was edited to replace “ISO/IEC 170525:2005” with “ISO/IEC 17025:2017” and add the “AR3125” ANAB document number.
DEQM-1: Section 1.1 was edited to update the following definitions and abbreviations:
- DEU: Added “Unless otherwise specified, all references to the “DEU” will include and/or apply to all ATTDFL examiners and facilities as well as to all OSBI CSD digital evidence examiners and facilities.”
- Examiner: Edited to replace “An individual, who conducts and/or directs the analysis of casework samples, interprets data…” with “An individual who conducts and/or directs the examination and analysis of digital evidence, interprets data…”.
- Exhibit Report: Completely re-written to replace previous definition with “A collection or group of electronic reports and corresponding data, files, and/or information produced by forensic tools during digital evidence examinations. Exhibit Report(s) are produced from either the forensic copies and extractions obtained from ODE items or from the ODE items themselves and are identified as derivative evidence.”
- ODE: Edited to replace “…original item of evidence…” with “…original item of digital evidence…”.
DEQM-2: Section 2.1 was edited to replace “…the DEU Quality Manual and the DEU Technical Manual.” with “the DEU Quality Manual, the DEU Technical Manual, and the DEU Training Manual.” Section 2.8 was edited to replace “…subject to all requirements of the DEU Technical Procedures, the DEU Quality Manual, and the OSBI CSD Quality Manual.”, with “…subject to all requirements established by the DEU Quality Manual, the DEU Technical Manual, and the OSBI CSD Quality Manual.” Section 2.9 was edited to replace “…will adhere to the DEU Technical Procedures, the DEU Quality Manual, and the OSBI CSD Quality Manual.” with “…will adhere to the DEU Quality Manual, the DEU Technical Manual, and the OSBI CSD Quality Manual.” Section 2.10 was edited to replace “DE-0” with “DETM-0”.
DEQM-3: Section 3.1.2.3 was edited to replace “Function Testing” with “Performance Verification Testing”. Section 3.1.3 was deleted in its entirety. Section 3.4.1 was edited to replace “do” with “does”. Section 3.5.4 was edited to replace “…Function Tested in accordance…” with “…Function Tested or Performance Verification Tested in accordance…”. Section 3.6 was edited to delete “all” and move the text “in accordance with DEQM-7” to the end of the sentence.
DEQM-4: Section 4.3 was re-written to remove redundant references to OSBI CSD and ATTDFL examiners and to specify examiners will undergo proficiency testing in a digital evidence sub-category of testing in which the examiner is authorized to perform examinations.
DEQM-6:
Section 6.1.2 was edited to rename the three categories of forensic examination tool to Forensic Software Tools, Forensic Computers, and Forensic Hardware Tools. Section 6.2.1 was edited to replace the term “Forensic Examination Software Tools” with “Forensic Software Tools”. Section was further edited to rename “Computer Forensic Software Tools” with “Computer Forensic Tools” and rename “Mobile Device Forensic Software Tools” with “Mobile Device Forensic Tools”. The remainder of the DEQM was also edited to consistently apply the aforementioned terminology changes. Section 6.2.2 was edited to incorporate Deviation dated April 9, 2018 which was implemented to add the “Magnet Acquire” and “Magnet Axiom” Computer Forensic Tools to the list of approved examination tools. Internet Evidence Finder and Tableau Imager were deleted from the approved examination tools. Section 6.2.3 was edited to incorporate Deviation dated November 29, 2018 which was implemented to add “GrayKey” to the list of approved mobile device forensic tools. Section 6.2.11 was edited to allow the DEU Technical Manager to either attach or provide a reference to release notes corresponding with a newly approved software version. Section 6.3 was edited to remove Windows 7, Windows 8.1, Apple OSX 10.10 and 10.11; and to add Apple macOS 10.14 as operating systems approved for use on forensic computer systems. Section 6.4 was edited to remove “Examination” from the section header and to remove the following from the list of approved forensic hardware tools:
- FireChief (FW800) – Digital Intelligence
- EX S3 Forensic Media Card Reader – AFT
Section 6.4 was further edited to add the following to the list of approved forensic hardware tools:
- UltraBay 4d T356789iu IDE/SATA Write Blocker (PCIe) – Digital Intelligence/Tableau
- T8U USB3 Write Blocker – Tableau
- T9 Firewire Write Blocker – Tableau
- T35U IDE/SATA Write Blocker – Tableau
- TD2U Forensic Duplicator – Tableau
Section 6.4 was also edited to include the Tableau model number with the UltraBay 3D and UltraBay II as well as to remove the T35689iu IDE/SATA Write Blocker (the same device as the UltraBay 3D) as a separate listed device. Section 6.5 was edited to enable the DEU Technical Manager to add common use software to the approved software storage location without the common use software being listed in Section 6.5 of this policy and without a deviation to this policy. Section was further edited to list only examples of common use software rather than provide an exclusive list of approved common use software.
DEQM-7: Section 7.4.1 was edited to remove “Examination” from “Forensic Examination Hardware Tools” in the first sentence. Section 7.4.5 was edited to remove “Examination” from “Forensic Examination Software Tools” in the first sentence. Section 7.5.1 was edited to remove “Examination” from “Forensic Examination Tool” in the first sentence. Section 7.5.1.6 was edited to add “…as determined by the DEU Technical Manager” to the end of the sentence. Sections 7.5.1.7.2 through 7.5.1.7.9 were renamed to Sections 7.5.1.7.3 through 7.5.1.7.10, respectively. Section 7.5.1.7.8 was edited from “The results of the maintenance or quality event.” to read “The results of any maintenance or quality related event.”
Section 7.5.1.7.9 was edited to remove the requirement to record the date in the maintenance log an approved forensic software version is removed from the approved software list. Sections 7.5.2 and 7.5.3 were edited to replace “Forensic Examination Tools” with “Forensic Tools”. Section 7.5.4 was edited to replace “item” with “tool”.
DEQM-9: Section 9.7.8 was added as a new section to allow the DEU Supervisor to review and approve Function Test Reports when the DEU Technical Manager is the testing examiner unless they require review by the CSD Administration. Section 9.8.1 was edited to replace “Approved Forensic Examination Software Tools” with “Approved Forensic Software Tools” and “Approved Forensic Examination Hardware Tools” with “Approved Forensic Hardware Tools”. Section 9.8.9.1 was edited to replace “…DEU Supervisor and Technical Manager…” with “…DEU Technical Manager…”.
DEQM-11: Section 11.5.1 was edited to remove the reference to Internet Evidence Finder (IEF) and replace it with a reference to Axiom. Section 11.5.5 was edited to replace “…describes the media used to distribute the Exhibit Report(s) to the requestor will be included.” with “…describes the exhibit report storage device type and corresponding LIMS evidence item number will be included.”. Sections 11.6.1 and 11.6.2 were edited to remove “BEAST” from both sections.
DEQM-12: Section 12.1 was edited to change “technical review” to “Technical and Administrative Review” in the last sentence.
Sections 12.5.1, 12.5.2, 12.5.4, 12.5.5, and 12.5.6 were all edited to replace the term “exhibit report media” with “exhibit report storage device”.
DEQM-13: NOTE: Sections 13.2.4 and 13.3.3 were edited to incorporate Deviation Dated May 21, 2019 which was implemented to make accommodations for the submission of evidence for digital examination at OSBI CSD regional laboratory facilities other than the ATTDFL. Section 13.2.4 was edited to replace “…evidence submitted to the ATTDFL Evidence Storage Facility will be returned to the agency requesting the digital evidence examination or to the appropriate…” with “…evidence submitted for digital evidence examination will be returned to the requestor, the requesting agency, or to the appropriate…”. Section 13.3.1 was edited to add “reports” after “examination” in the first sentence. Section 13.3.2 was edited to replace “will be offered the opportunity to obtain” with “may request” in the first sentence. Section 13.3.3 was edited to delete “The requestor should receive any requested copies of extractions or forensic copies at the same time they are provided with exhibit reports whenever possible.” Sections 13.3.6, 13.3.7, and 13.3.8 were re-numbered to Sections 13.3.4, 13.3.5, and 13.3.6, respectively. Section 13.3.4 was rewritten to remove the requirement to document the requestor’s declination to receive a copy of forensic copies and extractions on the Digital Evidence Examination Request Addendum and to indicate the extractions and forensic copies are not required to be maintained after the examination and exhibit reports have been disseminated. Section 13.3.5 was edited to add “examination reports” after “…maintained after all”.
Section 13.3.6 was edited to replace “has” with “have” after “…ODE items in the request”. Section 13.4.1 was edited to remove “BEAST” from the first sentence. Section 13.4.2 was re-numbered as 13.4.3. Section 13.4.2 was then edited to add “The DEU is not required to retain exhibit reports or their corresponding data, files, and information after the exhibit report storage device evidence item has been released to the requestor or requesting agency”. Section 13.4.3 was edited to replace “…exhibit reports associated with a Digital Evidence Examination Request have been disseminated to the requestor.” with “…exhibit reports associated with a digital evidence examination request have been disseminated to the requestor or requesting agency.”. Section 13.4.4 was edited to replace “Other data may be maintained after all exhibit reports have been disseminated at the discretion of the examiner…” with “Exhibit reports and other data may be maintained after all examination reports and exhibit report evidence item(s) have been disseminated to the requestor at the discretion of the examiner…”.
DEQM DOCUMENT REFERENCES: “ISO/IEC 17025:2005” was edited to read “ISO/IEC 17025:2017” to properly reflect currently applicable ISO/IEC international standard. “AR3028” was edited to read “AR3125” to properly reflect the currently applicable ANAB Accreditation Requirements document.
DEQM-APPROVAL: DEQM DOCUMENT APPROVAL
DEU Technical Manager: Donald Rains    Date: August 16, 2019
CSD Division Director: Andrea Fielding    Date: August 16, 2019
OSBI DIGITAL EVIDENCE UNIT TECHNICAL MANUAL
TECHNICAL MANUAL INDEX
DETM_REV03 Page 1 of 52 Effective Date: 08/16/2019
DETM-0 Administrative Procedures
DETM-1 Preparation and Use of Forensic Computer Systems
DETM-2 Examination Documentation
DETM-3 Physical Inspection & Processing of Evidence
DETM-4 Sterilization of Target Data Storage Media
DETM-5 Write Protecting Examination Media
DETM-6 Hard Disk Drive Removal & System Settings Check
DETM-7 Forensic Copy Procedures
DETM-8 Examination & Analysis – Computers and Data Storage Devices
DETM-9 Examination & Analysis – Mobile Devices
DETM-10 Restoration of Forensic Copies During Examinations
DETM-References DETM Document References
DETM-History DETM Document History
DETM-Approval DETM Document Approval
DETM-0: ADMINISTRATIVE PROCEDURES
0.1 PURPOSE
The purpose of this protocol is to provide standardized procedures for
administrative functions pertaining or related to digital evidence examinations within the
laboratory facilities of the OSBI Criminalistics Services Division (CSD), the OSBI Digital
Evidence Unit (DEU), and the AT&T Digital Forensic Laboratory (ATTDFL).
0.2 SCOPE
This procedure applies to all requests for digital evidence examination received
by CSD, the DEU, and the ATTDFL laboratory facilities and to all digital evidence
examinations which are administered, conducted, or performed at OSBI CSD, DEU, and
ATTDFL laboratory facilities. Unless otherwise specified, all references to “DEU” will
include and/or apply to all ATTDFL examiners and facilities as well as to all OSBI CSD
digital evidence examiners and facilities.
0.3 OBJECTIVES
0.3.1 With respect to digital evidence examinations, the primary objective of the
DEU is to provide forensic digital evidence examination services to law
enforcement agencies within the State of Oklahoma. The services provided to
Oklahoma law enforcement agencies will include:
0.3.1.1 Relevant, timely, and effective forensic examination, analysis,
and interpretation of digital evidence based on Oklahoma State Law and
the current best practices of the digital forensic community.
0.3.1.2 Courtroom testimony to explain observations and results of digital
evidence examinations.
0.3.1.3 Training and/or education in the proper handling and preservation
of digital evidence for law enforcement agencies.
0.3.2 The objective of the DEU Technical Procedures is to provide the policy
and structure necessary to conduct the examination and analysis of digital
evidence in a consistent manner and to establish a framework for uniform
reporting of examination observations and results.
0.3.3 The DEU Technical Procedures shall be used by properly trained and
qualified examiners familiar with digital evidence preservation, handling,
examination, and analysis as outlined in the DEU Training Manual. These technical
procedures are not intended as a textbook and should not serve as a substitute
for the appropriate prerequisite training necessary to properly conduct digital
evidence examinations. The DEU Technical Procedures are intended to be used
along with the examiner’s experience, training, and current best practices of the
digital forensic community to conduct thorough and consistent examinations of
digital evidence.
0.4 GOALS
0.4.1 Personnel who perform digital evidence examinations within OSBI CSD,
DEU, and ATTDFL laboratory facilities will follow all OSBI Criminalistics Services
Division (CSD) Quality Manual requirements for all matters involving laboratory
casework.
0.4.2 Personnel assigned to work within the ATTDFL will maintain a working
knowledge of the ATTDFL Memorandum of Understanding (MOU) and adhere to
all conditions set forth in the MOU.
0.4.2 Personnel who perform digital evidence examinations within DEU
laboratory facilities will maintain an ongoing dialog with law enforcement
administrators and investigators regarding the services provided. Open lines of
communication will be maintained with respect to active casework as well as
changes to policies and procedures which may affect evidence processing and
examination due to changes in technology.
0.5 LEGAL AUTHORITY TO CONDUCT EXAMINATIONS
0.5.1 It is the responsibility of the requesting law enforcement officer to obtain
proper legal authorization to examine or search all items of evidence submitted
for digital evidence examination to DEU laboratory facilities.
0.5.2 It is the responsibility of the requesting law enforcement officer to ensure
the digital evidence examination request does not exceed the scope of the
proper legal authorization obtained to examine or search the items of evidence
listed on the examination request. It is also the responsibility of the requesting
law enforcement officer to ensure proper legal authorization is obtained to
examine or search each item listed on the examination request and that the
proper legal search authorization is obtained prior to the submission of the
examination request.
0.5.3 Personnel who conduct digital evidence examinations within DEU
laboratory facilities are not required to maintain or review copies of search
warrants, consents to search, or other search authorization documentation.
0.5.4 Personnel who perform digital evidence examinations within DEU
laboratory facilities will ensure that all examinations adhere to and do not exceed
the scope of the examination request.
0.5.5 If a digital evidence examiner discovers evidence of another crime(s)
during an examination that is outside the scope of the submitted examination
request, the examiner must stop all analysis and notify the DEU Supervisor, or
designee, of the discovery and nature of evidence of other crime(s). The
examiner or supervisor will then contact the submitting requestor and notify them
of the discovery. The examiner will not resume examination work in the request
until notified by the requestor that proper legal authorization has been obtained to
expand the scope of examination. The discovery of the evidence of other
crime(s) as well as the results of the coordination with the requestor will be
documented in the Laboratory Information Management System (LIMS) case
narrative as a case event.
0.6 EXAMINATION REQUEST PROCEDURES
0.6.1 All questions or requests for clarification related to digital evidence
examination requests will be directed to the DEU Supervisor or designee.
0.6.2 The requestor must provide sufficient case information that is relevant to
the digital evidence items in the request so that the forensic examination of those
items can be focused to provide data and information of interest to the
investigation. The requestor must also provide a detailed list of the specific items
to be examined and clearly articulate the scope of search for each item listed in
the examination request.
0.6.3 All digital evidence examination requests must be accompanied by a
completed current version of the Digital Evidence Examination Request
Addendum OSBI CSD QPA 5.2. The requestor must provide a completed
addendum form prior to the start of any digital evidence examination and the
form must include the requestor’s signature acknowledging the responsibility to
ensure the examination request does not exceed the scope of already obtained
or existing legal search authorization.
0.6.4 When requests are received which contain digital evidence items that
require examination by any other OSBI laboratory section or discipline, the DEU
Supervisor will, on a case-by-case basis, work with the requestor and other OSBI
CSD Laboratory personnel to ensure the item(s) of evidence are examined in the
order least likely to alter or destroy evidence that may be recoverable by another
forensic laboratory discipline.
0.6.5 The DEU Supervisor will assign the request to a DEU examiner based on
the details of and the priority assigned to the request, examiner training and
experience, and the current laboratory caseload.
0.6.6 When necessary, the assigned examiner will coordinate with the requestor
to clarify details of the examination request and to triage the items of evidence
submitted in accordance with DETM-0.8.
0.6.7 Evidence will not be examined without a completed current version of the
OSBI CSD QPA 5.2, Digital Evidence Request Addendum.
0.6.8 Evidence in digital evidence examination requests will only be accepted at
locations approved by the OSBI CSD Director.
0.7 PRIORITIZATION OF EXAMINATION REQUESTS
The DEU Supervisor, or designee, is responsible for prioritizing examination
requests and will normally prioritize requests based on the facts provided by the
requestor on the Digital Evidence Examination Request Addendum at the time of
submission.
0.8 TRIAGE OF ITEMS IN EXAMINATION REQUESTS
0.8.1 The specific items included in digital evidence examination requests may
be triaged in an attempt to identify which items are of primary evidentiary value
and eliminate items of no evidentiary interest. The intent of the use of triage is to
reduce the number of items and volume of data associated with examination
requests by reviewing case details and eliminating items from the request which
likely contain no data of evidentiary value or interest. This use of triage will
reduce the time spent examining items of no evidentiary value or interest to the
request and result in a reduction in the time required to complete examination
requests.
0.8.2 Triage of items may be done by the DEU Supervisor or designee.
DETM-1: PREPARATION AND USE OF FORENSIC COMPUTER SYSTEMS
1.1 PURPOSE
The purpose of this protocol is to establish a standardized procedure for the
preparation of forensic computer systems to a baseline or default state.
1.2 SCOPE
This procedure will apply to forensic computer systems used by examiners to
perform digital evidence examinations in DEU laboratory facilities. This procedure will
only apply to forensic computers which are required to undergo performance verification
testing as defined in the DEU Quality Manual.
1.3 EQUIPMENT
1.3.1 Hardware – The forensic computer system hardware and all of its
associated and installed physical subcomponents.
1.3.2 Software – The operating system installed on the forensic computer
system drive and the software and programs identified on the Approved
Examination Software List in DEQM-6.
1.4 PREPARATION OF FORENSIC COMPUTER SYSTEMS
1.4.1 All forensic computer systems will normally be prepared for operation and
use in laboratory casework by the examiner who is assigned actual physical
control of the computer. Forensic computer systems may also be prepared by
the DEU Supervisor, DEU Technical Manager, or designee. Forensic computer
systems designated as “Common Laboratory Use” computers will be prepared
and maintained by either the DEU Supervisor, the DEU Technical Manager, or
designee.
1.4.2 All forensic computer systems will have operating system(s) installed
which are annotated in DEQM-6 and correspond with the approved forensic
computer system type. Operating systems, or versions of operating systems
which are not annotated in DEQM-6.3 and correspond with the associated
forensic computer system type will not be used or installed on forensic computer
systems.
1.4.3 Examiners will obtain the installation files for forensic software tools only
from the designated approved software storage location or method maintained
and controlled by the DEU Technical Manager.
1.4.4 Only forensic software programs and applications listed in DEQM-6.2.2 –
6.2.3 will be installed on forensic computer systems. Software applications and
programs which are designated as common use in DEQM-6.5 and made
available by the DEU Technical Manager through the approved common use
software storage location may be installed on forensic computer systems.
1.4.5 All forensic computer systems will be configured with, at a minimum, a
password protected user account which requires entry of a password or PIN
number for logon and use.
1.5 USE OF FORENSIC COMPUTER SYSTEMS
1.5.1 Forensic computer systems will normally only be used by the examiner
who is assigned actual physical control of the computer for inventory
accountability purposes.
1.5.2 Common laboratory use computer systems and equipment will be
available for use by laboratory personnel when not in use by another examiner.
1.5.3 Forensic computer systems will only have an active Internet connection
when needed or required to activate, repair, troubleshoot, or update approved
software applications and programs found in DEQM-6.
1.5.4 Forensic computer systems will not have an active or live Internet
connection during examination casework.
1.5.5 Forensic computer systems will not be used for online undercover
purposes.
1.5.6 Forensic computer systems may only be used for laboratory examination
casework, laboratory quality assurance/quality control examination work, or for
administrative tasks directly related to either casework or quality
assurance/control work.
1.5.7 All forensic computer systems will be reset to a baseline restore status,
which will be the restore or reinstallation of the operating system(s) and all
common software tools, at a minimum of once annually.
1.5.8 When possible, baseline restores of forensic computer systems should
coincide with the installation or upgrade of other forensic software tools.
1.5.9 The operating systems on forensic computers will have critical and
recommended updates applied at the time the computer is baseline restored or
when otherwise required by the DEU Technical Manager.
1.5.10 When a forensic computer system is baselined or has an operating
system update applied, the examiner who performed the baseline or operating
system update will update the Maintenance Log within the Maintenance Record
associated with the forensic computer system.
1.5.11 Unless otherwise directed by the DEU Supervisor or DEU Technical
Manager, the operating systems, common software tools, or forensic software
tools on forensic computer systems will not be updated or upgraded in the middle
of a laboratory casework examination. Updates and upgrades will be performed
following the completion of laboratory casework in one examination case and
prior to the start of the next examination case.
DETM-2: EXAMINATION DOCUMENTATION
2.1 PURPOSE
The purpose of this protocol is to provide standardized procedures for
documenting relevant and required case information and data during the conduct of
digital evidence examinations within DEU laboratory facilities.
2.2 SCOPE
This protocol applies to all requests for digital evidence examination received by
DEU laboratory facilities, and to the subsequent examination of all items of evidence
submitted for forensic examination.
2.3 GENERAL
2.3.1 The physical and technical characteristics of each item of evidence
received for examination will be documented in accordance with DETM-3:
Physical Inspection and Processing of Evidence and the OSBI CSD Quality
Manual.
2.3.2 All examination documentation will be recorded in the CSD LIMS in
accordance with CSD QP 16.2.
2.3.3 The examination start date will be defined as the first day the chain of
custody record reflects the evidence was in the possession of the assigned
examiner.
2.3.4 The examination end date will be defined as the date the Administrative
Review was completed and the report was approved. The completed
Administrative Review Form will be the source of the case record documentation
for the examination end date.
2.3.5 Hard copy forms may be used to document required information and data
if the LIMS is unavailable due to technical difficulties or other circumstances. If
hard copy forms are used, a copy of the form must be added to the case
documents section of the LIMS after access to the system is restored.
2.3.6 Digital Evidence Photographs may be used to supplement, not replace,
case documentation and information. The use of Digital Evidence Photographs
will be in accordance with DETM-3: Physical Inspection and Processing of
Evidence. If taken, Digital Evidence Photographs will be added to the LIMS
examination documentation and directly associated with the evidence item or
sub-item photographed.
2.4 EVIDENCE ITEM MATRIX PANELS
2.4.1 The LIMS will have matrix panels established for each major category of
commonly encountered digital evidence. Each matrix panel will have data entry
fields corresponding with the most commonly used descriptive information and
identifying numbers associated with devices and items of the category.
2.4.2 If the evidence item category for an item is not apparent, the examiner
should use the matrix panel that most closely resembles the item and contains
the data entry fields which most completely capture the item’s descriptive
information and identifiers.
2.5 DOCUMENTING HARDWARE AND SOFTWARE USED TO PERFORM
EXAMINATIONS
2.5.1 All forensic examination tools which are approved for use in DEQM-6 and
used to perform digital evidence examinations will be documented and directly
associated with the evidence item or sub-item examined.
2.5.2 Use of a hardware or software forensic examination tool will be defined as
the use of the specified tool to perform any of the following:
• Write block or write protect any item of Original Digital Evidence (ODE).
• Obtain or verify a forensic copy of any item of ODE.
• Obtain or verify an extraction of data from any item of ODE.
• Perform a Preview of any item of ODE.
• Create a restore or clone from an extraction or forensic copy of an item of ODE.
• Perform forensic examination of data contained within an extraction or forensic copy of an item of ODE.
• Perform virus or malware scans of data contained within an extraction or forensic copy of an item of ODE.
2.5.3 The Maintenance Number associated with a forensic examination
hardware tool in accordance with DEQM-7 will be used to refer to the item in
case documentation and notes.
2.5.4 All software forensic tools utilized in the examination will be documented
in the appropriate matrix panel with the name and the complete version number
of the tool.
2.6 EXHIBIT REPORT DOCUMENTATION
2.6.1 An Exhibit Report is a collection or group of electronic reports and
corresponding data, files, and/or information produced by forensic tools during
digital evidence examinations.
2.6.2 Exhibit reports will be identified as derivative evidence and are produced
from the following sources:
• Forensic copies obtained directly from ODE items.
• Data extractions obtained directly from ODE items.
• Data obtained directly from ODE items.
2.6.3 A single exhibit report storage device may be used and identified as a
single item of derivative evidence and contain exhibit reports derived from
multiple items of ODE.
2.6.4 The exhibit report storage device will be identified as a subsequent and
unique item of evidence in the LIMS. The description of the exhibit report item of
evidence in the LIMS will identify the storage device type and the ODE source
item(s) of evidence the exhibit report(s) were derived from.
2.6.5 The exhibit report evidence item will be created in the LIMS prior to
technical and administrative review of the examination report and is not
considered finalized or completed until after both reviews are completed and the
examination report has been approved.
2.6.6 The exhibit report evidence item, or its container, will be marked with the
appropriate laboratory case number, item number, the creating examiner’s
initials, and the date the item was sealed.
2.6.7 The exhibit report storage device type and corresponding LIMS evidence
item number will be documented in the results and interpretations section of the
digital evidence examination report.
2.6.8 The exhibit report storage device and associated exhibit reports will be
released to the requestor or requesting agency in accordance with DEQM-13.4:
Retention of Exhibit Reports and Other Data.
2.7 HARD COPY CASE FILE DOCUMENTATION
2.7.1 The goal of DEU digital evidence examinations is to eliminate the need to
maintain or retain a hard copy case file. All administrative and technical
documentation which is required to be retained will be incorporated into the LIMS
case file whenever feasible or practical.
2.7.2 Any handwritten notes which directly record examination results or
observations not captured in an examination report or exhibit report will be
scanned and incorporated into the case documentation.
2.7.2 Administrative and technical documentation which is required to be
retained but not feasible or practical to incorporate into the LIMS case file will be
maintained in a hard copy case file in accordance with CSD QP 16.2.
OSBI DIGITAL EVIDENCE UNIT TECHNICAL MANUAL
DETM-3: PHYSICAL INSPECTION AND PROCESSING OF EVIDENCE
DETM_REV03 Page 13 of 52 Effective Date: 08/16/2019
3.1 PURPOSE
The purpose of this protocol is to establish a standardized procedure for how
items of digital evidence are inspected, documented, and processed and how the
condition of items of evidence received for digital evidence examination is documented
within DEU laboratory facilities.
3.2 SCOPE
This procedure applies to all evidence items submitted for digital evidence
examination within DEU laboratory facilities as well as all sub-items identified during
processing.
3.3 EQUIPMENT
3.3.1 Tools commonly used to access and repair computers and electronic
items.
3.3.2 Digital camera approved for use to take evidence photographs.
3.4 PHYSICAL INSPECTION OF EVIDENCE
3.4.1 All items of ODE, and any sub-items, will be physically inspected and
documented in accordance with section 3.4 of this policy and may be treated as
“evidence in the process of examination” stored in the laboratory’s secure, limited
access work area until examination is complete in accordance with OSBI CSD
QP 6.1 Section II.f.3.b
3.4.2 All ODE items received for examination determined to pose any risk as a
destructive device, contaminant danger, hazardous material, or a danger or
hazard in any other way will be handled and/or reported in accordance with
current OSBI and CSD policy.
3.4.3 Descriptive information (such as manufacturer’s markings which indicate
the make, model and serial number) for each item and all sub-items identified for
examination will be recorded in the appropriate matrix panel. Other identifying
numbers or values affixed by the manufacturer to uniquely identify the item to the
exclusion of other similar items may be recorded in the appropriate matrix panel
when applicable.
3.4.4 Digital Evidence Photographs are not required to be taken of each item of
ODE received for examination. Digital Evidence Photographs may be taken, at
the discretion of the examiner, in order to document anything about an item of
ODE determined to be noteworthy or important.
3.4.4.1 Digital Evidence Photographs will be taken with a digital camera
appropriate for use in photographing evidence.
3.4.4.2 Digital Evidence Photographs may be taken to document unusual
damage to an item of ODE, connections or relationships between ODE
items, or unusual labels or markings found on an item of ODE during
processing or examination.
3.4.4.3 Digital Evidence Photographs will be designated and handled as
case information documents and will be used to supplement, not replace,
written documentation and other case documentation.
3.4.4.4 All Digital Evidence Photograph files will be combined or
converted into single “PDF” document files per evidence item or (sub) item
number and named in accordance with CSD Quality Manual guidelines.
3.4.4.5 Digital Evidence Photograph PDF files will be uploaded into the
Case Information “Documents” section of the LIMS system.
3.4.5 If an item of ODE is damaged in any way during the examination,
inspection, processing, or handling of the item, sufficient digital evidence
photographs will be taken to thoroughly document the damage if applicable. A
thorough narrative which documents the circumstances that led to the damage
of the item and a detailed description of the actual damage will be recorded in
the case documentation.
3.4.6 Before and after digital evidence photographs will be taken any time an
item of ODE submitted for examination is repaired or altered in any way to facilitate
successful examination or recovery of data or information from the device.
3.4.7 If an item of ODE submitted for examination is repaired or altered in any
way to facilitate successful examination or recovery of data or information from
the device, the examiner will coordinate with the requesting agency to obtain a
letter from the prosecutor indicating both the intent and the necessity to alter
and/or consume the item. The letter must be obtained prior to the start of any
analysis and must be included in the case documentation.
3.4.8 Each item of ODE submitted for examination and all sub-items identified
will be marked for identification with a permanent marker (such as a “Sharpie”
marker) directly on the item near the manufacturer’s descriptive information
(model and serial number) when possible or feasible.
3.4.9 When it is not advisable, possible, or feasible to directly mark the ODE
item or sub-item for identification, the item or sub-item will be marked with the
same information using a proximal container or tag in accordance with OSBI
CSD Quality Manual 5.8.4.3.
3.4.10 All ODE items will be marked, at a minimum, with the Laboratory
Examination Case Number, the Laboratory Assigned (Sub)Item Number, the
date of examination or processing in “mm/dd/yy” format, and the initials of the
examiner who examined or processed the item.
3.5 PROCESSING OF EVIDENCE
3.5.1 COMPUTER PROCESSING – The following items, whenever possible,
should be completed, documented, and/or observed when processing computer
and computer related items of ODE:
3.5.1.1 Whenever possible, all data storage media device sub-items
should be removed from computer systems and any other host ODE item
they are found installed within and all available descriptive information fully
documented in the appropriate matrix panel.
3.5.1.2 Whenever possible, relevant or pertinent CMOS/BIOS setting
information (system date, system time, etc.) should be obtained and
recorded in the appropriate matrix panel in accordance with DETM-6.
3.5.1.3 To preserve the integrity of the data stored on the ODE, every
item and sub-item of data storage media will, whenever possible, be
protected from alteration by the use of hardware based write protection. If
hardware based write protection is not available or not feasible for use,
either built-in or software based write protection may be used.
3.5.1.4 Whenever possible, appropriate write protection will be applied or
in use prior to accessing any item or sub-item of data storage media for
any purpose, including preview, forensic copying, analysis, or
examination.
3.5.2 MOBILE DEVICE PROCESSING – Due to the extremely wide variety of
mobile device hardware available and the many different form factors that exist,
there is no single procedure or protocol to document and process every cellular
telephone or mobile device. The following procedures represent a general guide
to the processing of mobile devices:
3.5.2.1 Determine the power status of the device. If the device is not
powered on, do not power it on until ready and prepared to start
examination of the item.
3.5.2.2 If the power status of the device cannot be determined due to
damage or other factors, the device will be treated as “powered on”. If the
device is powered on, do not power off the device. Determine if the
device has a security measure enabled to prohibit access and document
the type of security. The intent is for the examiner, based on his/her
training and experience, to attempt to determine the power and security
state of the device and to prevent unnecessarily activating any device
security measures which may prohibit subsequent examination or
extraction of data.
3.5.2.3 Determine if the make and model of the ODE device is supported
for examination by any available tools. If the make and model of the
device is not specifically supported, it may be supported for examination
as a generic device type or examination by other examination tool
supported methods.
3.5.2.4 Determine if the make and model of the device is supported for
examination with the observed type of security enabled. If the device is
not supported for examination with the observed type of security enabled,
document the item as a device not currently supported for examination
with the observed security type enabled. ODE sub-items (flash memory
cards, SIM cards) may still be examined if found installed or contained
within unsupported devices.
3.5.2.5 Conduct a physical inspection of the item of ODE and document
in accordance with section 3.4 of this policy. If the device is received
powered on, do not power the device off to conduct the physical
inspection of the item. Many mobile devices require security
authentication only when the device is powered on. If the device is
received powered on, conduct the physical inspection after the device has
been examined and data extraction has completed to avoid triggering the
power on security.
3.5.2.6 Charge the device’s battery, if necessary or required.
3.5.2.7 Whenever possible, all media devices capable of storing data
(flash memory cards, SIM cards, etc.) should be removed from mobile
devices they are found installed within and all available descriptive
information fully documented.
3.5.2.8 Whenever possible, all media devices capable of storing data
(flash memory cards, SIM cards, etc.) which were removed from mobile
devices to document descriptive information shall be re-installed into the
item they were removed from prior to examination of the item itself. If an
item is examined with any media device removed, the reason for the
examination with the media device removed will be documented in the
appropriate matrix panel.
OSBI DIGITAL EVIDENCE UNIT TECHNICAL MANUAL
DETM-4: STERILIZATION OF TARGET DATA STORAGE MEDIA
DETM_REV03 Page 18 of 52 Effective Date: 08/16/2019
4.1 PURPOSE
The purpose of this protocol is to provide a standardized procedure for
overwriting all data storage capacity on target storage media within DEU laboratory
facilities. Commonly known as “wiping”, this process overwrites every addressable
storage location on an item of target storage media with a known value, which is usually
“0”. Wiping is used to sterilize target media devices prior to their use to store
examination case data and ensures that no lingering data is present on the device from
previous use.
4.2 SCOPE
This procedure applies to all data storage media items authorized to be wiped
and used to store examination case data within DEU laboratory facilities.
4.3 EQUIPMENT
4.3.1 Forensic computer system(s).
4.3.2 Hardware data wiping device.
4.3.3 Software data wiping utilities, programs, and applications.
4.3.4 Target data storage media.
4.4 WIPING TARGET DATA STORAGE MEDIA
4.4.1 All target data storage media devices will be wiped prior to being used to
store examination case data. All new data storage devices will be wiped prior to
being utilized to store examination case data.
4.4.2 Connect the target data storage device to the forensic computer system or
the hardware data wiping device using the appropriate data and power
connectors. Ensure the data connection port utilized is a “read-write” port.
4.4.3 When possible, set the data wiping preferences to overwrite all data
storage locations with “0”.
4.4.4 Perform a single pass overwrite wipe of all data on the device.
4.4.5 Allow the data wiping device or software to complete a verification that the
wipe successfully completed or perform a verification that the device was
successfully wiped.
4.4.5.1 If the wipe successfully completed and was verified as
successful, store the wiped device in an approved location.
4.4.5.2 If the wipe was unsuccessful or failed to verify, repeat procedures
4.4.4 and 4.4.5.
4.4.6 If any target data storage device fails two consecutive attempts to wipe or
fails verification of two attempted wipes, the storage device will be removed from
service and labeled with “Out of Service” and the date the device was removed
from service.
4.4.7 No data storage device will be used to store examination case data that
has failed to successfully wipe, verify, and/or been removed from service.
4.4.8 Only approved examination tools listed in DEQM-6 will be used to wipe
target data storage media used in examination casework.
4.4.9 Wiped target data storage devices will not be formatted or altered until
used to store examination case data.
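The wipe, verify and two-attempt rule of 4.4.3 through 4.4.6, carried through as an added example in Python (written for this page, not DEU tooling): a single-pass zero overwrite of a file-backed stand-in for a target device, an independent read-back verification of every byte, and the "Out of Service" outcome after two failed attempts. The stand-in path, the chunk size and the layout of the returned record are assumptions.

```python
"""Added example (not DEU tooling): single-pass zero wipe with read-back
verification and the two-attempt / Out of Service rule of DETM-4.4.3
through 4.4.6.  Runs against a file-backed stand-in for a target device;
on a real (non-SSD, see 4.5) device the same code would be pointed at the
raw device node and would need the appropriate privileges."""
import datetime
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB read/write granularity (assumed)


def _device_size(fd: int) -> int:
    # Seek to the end and read the offset back: this works for regular
    # files and for raw block devices, where os.path.getsize() reports 0.
    size = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return size


def wipe_zero(path: str) -> int:
    """4.4.3 / 4.4.4: one pass overwriting every addressable byte with 0.
    Returns the number of bytes written."""
    zeros = bytes(CHUNK)
    fd = os.open(path, os.O_WRONLY)
    try:
        size = _device_size(fd)
        written = 0
        while written < size:
            n = min(CHUNK, size - written)
            # os.write may write fewer bytes than asked; the loop covers that
            written += os.write(fd, zeros[:n])
        os.fsync(fd)  # the zeros must reach the media, not just the page cache
    finally:
        os.close(fd)
    return written


def verify_zero(path: str) -> bool:
    """4.4.5: independent read-back verification; every byte must be 0."""
    zeros = bytes(CHUNK)
    fd = os.open(path, os.O_RDONLY)
    try:
        size = _device_size(fd)
        checked = 0
        while checked < size:
            buf = os.read(fd, min(CHUNK, size - checked))
            if not buf or buf != zeros[:len(buf)]:
                return False
            checked += len(buf)
    finally:
        os.close(fd)
    return True


def sterilize(path: str, max_attempts: int = 2) -> dict:
    """Wipe, verify, and repeat once on failure (4.4.5.2); after two failed
    attempts the device is taken out of service and dated (4.4.6).
    The record layout is an assumption, not the LIMS matrix panel."""
    attempts = []
    for attempt in range(1, max_attempts + 1):
        wipe_zero(path)
        verified = verify_zero(path)
        attempts.append({"attempt": attempt, "verified": verified})
        if verified:
            return {"device": path, "status": "wiped", "attempts": attempts}
    return {
        "device": path,
        "status": "Out of Service",
        "out_of_service_date": datetime.date.today().strftime("%m/%d/%y"),
        "attempts": attempts,
    }


def demo_device(size: int = 3 * CHUNK + 517) -> str:
    """Constructed stand-in for target media: a temp file of random bytes."""
    fd, path = tempfile.mkstemp(prefix="target_media_")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))
    return path


if __name__ == "__main__":
    dev = demo_device()
    print("before wipe, all zero:", verify_zero(dev))  # False
    print(sterilize(dev))                               # status 'wiped'
    print("after wipe, all zero:", verify_zero(dev))   # True
    os.remove(dev)
```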
4.5 STERILIZATION OF SOLID STATE HARD DISK DRIVE MEDIA
4.5.1 Solid state hard disk drives cannot be “wiped” or sterilized by the same
procedure as other target media storage devices. Use of the procedure in
section 4.4 above to sterilize a solid state hard disk drive may result in
irreparable damage to the drive. It is possible to sterilize a solid state hard disk
drive, but the procedure is closer to a “reset” than to an “erase” or “wipe”.
4.5.2 All solid state hard disk drives will be sterilized using the secure erase
functionality of the software provided by the manufacturer of the drive.
4.5.3 Solid state hard disk drives will only be sterilized using the secure erase
software or procedure provided by the manufacturer specifically for the
sterilization of the exact make and model of the drive in question.
4.5.4 A solid state hard disk drive will be considered wiped and verified if the
drive manufacturer’s secure erase software completes the “reset” successfully
and reports no errors in the process.
4.5.5 If a solid state hard disk drive fails to complete the “reset” procedure or
completes with errors reported by the manufacturer’s software, a second attempt
will be made to “reset” the drive.
4.5.5.1 If the “reset” was successful, store the wiped device in an
approved location.
4.5.5.2 If the “reset” was unsuccessful or completed with errors, repeat
procedures 4.5.3 through 4.5.5.
4.5.6 If any solid state hard disk drive fails two consecutive attempts to “reset”,
the drive will be removed from service and labeled with “Out of Service” and the
date the device was removed from service.
4.5.7 No solid state hard disk drive will be used to store examination case data
that has failed to successfully “reset” and/or been removed from service.
4.5.8 “Reset” solid state hard disk drives will not be formatted or altered until
used to store examination case data.
OSBI DIGITAL EVIDENCE UNIT TECHNICAL MANUAL
DETM-5: WRITE PROTECTING EXAMINATION MEDIA
DETM_REV03 Page 21 of 52 Effective Date: 08/16/2019
5.1 PURPOSE
The purpose of this protocol is to provide a standardized procedure for write-
protecting items of ODE during processing, forensic copying, and examination and,
therefore, preserve the integrity of the items during the examination process by
preventing alterations.
5.2 SCOPE
This procedure applies to all evidence items submitted for digital evidence
examination within DEU laboratory facilities and all sub-items identified during
processing which are capable of storing data that may be of evidentiary value.
5.3 EQUIPMENT
5.3.1 Forensic computer system(s).
5.3.2 Hardware write-blocking device(s).
5.3.3 Software write-blocking utilities, programs, and applications.
5.3.4 Examination media.
5.4 USE OF WRITE-PROTECTION
5.4.1 In order to preserve the integrity of the data contained on items of ODE,
each item that is examined and is capable of storing data will, whenever
possible, be protected from alteration by the use of write-protection.
5.4.2 Whenever possible, write-protection will be instituted prior to accessing
any ODE data storage media item for any purpose, including preview, forensic
copying, or analysis.
5.4.3 Whenever possible, hardware write protection will be used to protect all
ODE media items. The use of hardware write-protection is the preferred method
and will be utilized if possible or if supported.
5.4.4 When using a hardware write-protection device, the item of ODE media
will be connected to the write-protection device before powering the device on, if
applicable.
5.4.5 Software write-protection may be utilized to write-protect ODE media
items during processing and examination if the use of hardware write-protection
was impractical, not possible, or unsupported.
5.4.6 When using software based write-protection, the write-protection should
be implemented or initiated prior to attaching the ODE media whenever possible.
5.4.7 If any method of write-protection other than the use of a hardware write-
protection device is utilized to process or examine an item of ODE media, the
reason for using an alternative means of write protection will be documented in
the appropriate matrix panel.
5.4.8 Only hardware write-protection devices listed in DEQM-6: Approved
Examination Tools will be used in examination casework.
5.4.9 Only software write-protection applications, programs, and utilities listed in
DEQM-6: Approved Examination Tools will be used in examination casework.
5.4.10 No hardware device or forensic software tool will be used in examination
casework for the purpose of write-protecting ODE media items that has not
undergone and passed either Function Testing or Performance Verification
Testing in accordance with DEQM-9.
5.5 DOCUMENTATION OF WRITE-PROTECTION
5.5.1 Any time a write-protection device is used to access an ODE media item,
its use must be documented in the appropriate matrix panel.
5.5.1.1 Hardware write-protection devices will be documented by the
Maintenance Number assigned to the item as required in DEQM-7.
5.5.1.2 For software write-protection, the Operating System utilized
during the time the ODE media item was accessed will be documented in
the appropriate matrix panel as well as the Maintenance Identifier and
version number associated with the software.
5.5.2 If the use of write-protection is not possible, the reason it could not be
used will be documented in the appropriate matrix panel.
OSBI DIGITAL EVIDENCE UNIT TECHNICAL MANUAL
DETM-6: HARD DISK DRIVE REMOVAL & SYSTEM SETTINGS CHECK
DETM_REV03 Page 23 of 52 Effective Date: 08/16/2019
6.1 PURPOSE
The purpose of this protocol is to provide standardized procedures for the
removal of hard disk drives and data storage devices from ODE items and for checking
the system settings of computers submitted for examination within the DEU laboratory
facilities.
6.2 SCOPE
This procedure applies to all ODE computer systems submitted for examination
within the DEU laboratory facilities.
6.3 EQUIPMENT
6.3.1 ODE computer system.
6.3.2 Removable media boot device(s).
6.4 HARD DISK DRIVE REMOVAL
6.4.1 Hard disk drives of ODE computer systems will be removed from the
submitted computer whenever possible for documentation, processing, and
forensic copying.
6.4.2 If it is not possible to remove the hard disk drive from the computer system
for documentation, processing, or forensic copying, the reason (e.g. hard disk
drive permanently affixed to system board, the use of encryption, the use of
multiple hard disk drives in a RAID configuration, etc.) will be documented in the
appropriate matrix panel.
6.4.3 The hard disk drive(s) should then be removed from the computer system.
Care should be taken to ensure the computer and all of its parts and components
which were disassembled or disconnected to remove the hard disk drives can be
reassembled and reconnected in exactly the same state following the completion
of documentation, processing, and forensic copying whenever practical.
6.4.4 Whenever practical, the make, model, serial number, storage capacity,
and connection type of each hard disk drive will be documented in the
appropriate matrix panel.
6.4.5 Label the hard disk drive(s) removed from the ODE computer with
appropriate case information in accordance with DETM-3.4: Physical Inspection
& Processing of Evidence.
6.4.6 Conduct a check of all removable media storage drives and bays on the
ODE computer for any removable media storage devices (e.g. CD/DVD discs,
flash memory cards, etc.). If any removable media storage device(s) are found,
follow the same procedure outlined in DETM-6.4.5 through 6.4.7 to remove and
document the device(s).
6.4.7 Once all hard disk drives and removable media devices have been
identified, documented, processed, forensically copied, and a system settings
check has been conducted, reassemble, reinstall, and reconnect all hard disk
drives and removable media devices into the ODE computer. The computer
should, whenever practical, be reassembled and returned to the same state as
when it was received.
6.5 CONDUCT A SYSTEM SETTINGS CHECK
6.5.1 Whenever possible, a check will be conducted of the system settings of all
ODE computer systems.
6.5.2 Prior to conducting a system settings check, ensure all hard disk drive(s)
and removable media devices have been disconnected and/or removed from the
computer. If it is not possible to remove the hard disk drive(s) or removable
media device(s) from the computer to conduct the system settings check, the
reason will be documented in the appropriate matrix panel.
6.5.3 Power the computer system on and access the computer’s system
settings or system setup interface if possible.
6.5.4 If the ODE computer’s system settings cannot be accessed, a removable
media boot device may be utilized to load an operating system and access
system settings information.
6.5.5 At a minimum, the date and time stored by the computer’s system settings
and the actual date and time the check was conducted will be recorded in the
appropriate matrix panel. Other system setting information may be recorded
based on the examination request.
6.5.6 Once the computer system settings information has been obtained, the
computer should be powered off and returned to the state in which it was
received whenever practical.
OSBI DIGITAL EVIDENCE UNIT TECHNICAL MANUAL
DETM-7: FORENSIC COPY PROCEDURES
DETM_REV03 Page 25 of 52 Effective Date: 08/16/2019
7.1 PURPOSE
The purpose of this protocol is to provide standardized procedures within DEU
facilities for the use of approved forensic hardware and software tools to obtain
forensically sound copies of Original Digital Evidence (ODE) hard disk drives and other
items of ODE data storage media.
7.2 SCOPE
This procedure applies to all ODE computer systems and data storage devices
submitted to DEU laboratory facilities which will be forensically copied for examination.
7.3 EQUIPMENT
7.3.1 Forensic computer system.
7.3.2 Prepared Target Data Storage Media.
7.3.3 Function Tested forensic copying hardware and/or software.
7.3.4 Original Digital Evidence data storage device.
7.4 PREPARATION OF TARGET DATA STORAGE MEDIA
7.4.1 Target data storage media must be properly prepared prior to the start of
any forensic copying procedure. The target data storage media device must
have been sterilized or wiped in accordance with DETM-4: Sterilization of Target
Data Storage Media prior to being used to store forensic copies in examination
casework.
7.4.2 Install the target data storage media into the forensic computer system
and power on the computer.
7.4.3 Initialize the target data storage media device and ensure it is of sufficient
size to store the forensic copies and case data associated with the examination
request.
7.4.4 An appropriate number of folders should be created and utilized on the
target data storage partition to organize and store forensic copies and
examination case data associated with the examination request. Folders should
be organized and named in such a way as to properly associate the stored data
with the examination case number and to identify its function and purpose.
7.5 FORENSIC COPYING PROCEDURE
7.5.1 Select the hardware and software tools from DEQM-6: Approved
Examination Tools to be used which are appropriate for the forensic copying
task. Document the selected hardware and software used for forensic copying in
the appropriate matrix panel. All write blocking devices used to forensically copy
ODE evidence items must have undergone and passed Function Testing in
accordance with DEQM-9: Function Testing and Performance Verifications.
7.5.2 Whenever possible, write-protection will be used to protect all ODE data
storage media items from alteration in accordance with DETM-5: Write Protecting
Examination Media. Any time a device cannot be accessed “read-only” or
utilizing write-protection, the reason write-protection could not be or was not used
will be documented in the appropriate matrix panel.
7.5.3 Generate a pre-examination hash value for the ODE item and document
the hash value in the appropriate matrix panel.
7.5.4 Utilize the selected hardware and software tools to acquire or obtain a
forensic copy of the ODE item. Document the acquisition method in the
appropriate matrix panel.
7.5.5 All forensic copies of ODE media items will be created using the “.E01” or
“EnCase” encapsulated file format whenever practical. Other forensic copy file
formats may be used based on the training and experience of the examiner
and/or file formats required by forensic tool manufacturers.
7.5.6 Forensic copies should be named, and the files organized, in such a way
that they associate the forensic copy with the item it was obtained from and with
the examination request.
7.5.7 Generate a hash value for the newly acquired forensic copy and document
the hash value in the appropriate matrix panel.
7.5.8 Generate a post-forensic copy hash value for the ODE item and document
the hash value in the appropriate matrix panel.
7.5.9 If an automated forensic software tool is used, the original hash value
generated by the tool will serve as the pre-examination hash value in section
7.5.3 and the verification hash value generated by the tool will serve as the hash
value for the newly acquired forensic copy in section 7.5.7.
7.5.10 The pre-forensic copy hash value, forensic copy hash value, and post-
forensic copy verification hash value should match when compared.
7.5.11 If a forensic copy cannot be successfully obtained, verified, or created, a
second attempt to obtain or verify the forensic copy will be made. If the second
attempt to obtain, verify, or create the forensic copy fails or is not successful, the
examiner will notify the DEU Technical Manager, or DEU Supervisor, who will
attempt to determine the cause of the failure and provide guidance on how the
examiner should proceed. The DEU Technical Manager or DEU Supervisor will
document information about the failure, its cause, and resolution in the case
information narrative when required and/or appropriate.
7.5.12 If a post-forensic copy verification hash value of the ODE item fails
verification, the examiner will make a second attempt to obtain a verification hash
for the item. If the second attempt to obtain a post-verification hash for the ODE
item fails, the examiner will notify the DEU Technical Manager, or DEU
Supervisor, who will attempt to determine the cause of the failure and provide
guidance on how the examiner should proceed. The DEU Technical Manager or
DEU Supervisor will document information about the failure, its cause, and
resolution in the case information narrative when required and/or appropriate.
7.5.13 All failed attempts to create or verify forensic copies will be documented
in the appropriate matrix panel and addressed in the digital evidence examination
report.
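The hash workflow of 7.5.3 through 7.5.12, carried through as an added Python example (written for this page, not DEU tooling): hash the ODE item, acquire a copy, hash the copy, re-hash the ODE item, compare all three, and apply the second-attempt rules, with a copy failure re-attempted once (7.5.11) and a post-copy hash failure re-hashed once before escalation (7.5.12). The file-backed stand-ins, the raw (non-E01) acquisition, SHA-256 as the algorithm and the record layout are assumptions.

```python
"""Added example (not DEU tooling) of the hash workflow in DETM-7.5.3
through 7.5.12: pre-examination hash of the ODE item, acquisition, hash
of the copy, post-copy hash of the ODE item, three-way comparison, and
the second-attempt / escalation rules.  File-backed stand-ins are used;
the raw-copy acquisition, SHA-256 and the record layout are assumptions."""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # 1 MiB hashing granularity (assumed)


def hash_item(path: str, algorithm: str = "sha256") -> str:
    """Chunked hash so a multi-GB image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_raw(source: str, target: str) -> None:
    """Stand-in acquisition tool: a plain raw (dd-style) copy.  7.5.5
    prefers the .E01 container; raw is assumed here to keep the example
    dependency-free."""
    shutil.copyfile(source, target)


def corrupting_acquire(source: str, target: str) -> None:
    """Constructed failure mode for testing: a copy whose first byte is
    flipped, so the copy hash can never match the pre-examination hash."""
    shutil.copyfile(source, target)
    with open(target, "r+b") as f:
        first = f.read(1)
        if first:
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))


def forensic_copy(source: str, target: str, acquire=acquire_raw,
                  max_attempts: int = 2) -> dict:
    """Run 7.5.3-7.5.10 and apply 7.5.11 (second attempt at the copy) and
    7.5.12 (second attempt at the post-copy hash).  Status 'escalate'
    means the Technical Manager or Supervisor must be notified; every
    attempt is retained for the matrix panel and the report (7.5.13)."""
    record = {"source": source, "target": target,
              "attempts": [], "status": "escalate"}
    for attempt in range(1, max_attempts + 1):
        pre = hash_item(source)        # 7.5.3  pre-examination hash
        acquire(source, target)        # 7.5.4  acquisition
        copy = hash_item(target)       # 7.5.7  hash of the new forensic copy
        entry = {"attempt": attempt, "pre_hash": pre, "copy_hash": copy,
                 "post_hash": None, "result": None}
        record["attempts"].append(entry)
        if copy != pre:                # copy unusable: 7.5.11 second attempt
            entry["result"] = "copy hash mismatch"
            continue
        post = hash_item(source)       # 7.5.8  post-copy hash of the ODE item
        if post != pre:                # 7.5.12: one more verification attempt
            post = hash_item(source)
        entry["post_hash"] = post
        if post == pre:                # 7.5.10: all three values agree
            entry["result"] = "verified"
            record["status"] = "verified"
            break
        entry["result"] = "post-copy hash mismatch"
        break                          # 7.5.12: escalate, no further copies
    return record


def demo_item(content: bytes) -> str:
    """Constructed stand-in for an ODE storage item."""
    fd, path = tempfile.mkstemp(prefix="ode_item_")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    ode = demo_item(bytes(range(256)) * 4096)   # 1 MiB of known content
    print(forensic_copy(ode, ode + ".raw")["status"])   # verified
    print(forensic_copy(ode, ode + ".bad",
                        acquire=corrupting_acquire)["status"])  # escalate
```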
7.6 ACQUISITION OF DATA FROM MOBILE DEVICES
7.6.1 Due to the diversity of data storage technologies found in the internal
storage of mobile devices, these items (e.g. smartphones, digital media players,
etc.) cannot be forensically copied using the same methodologies and
procedures as traditional data storage devices (e.g. hard disk drives, flash
memory cards, etc.). The procedures governing the acquisition of data from
mobile devices are provided in DETM-9: Examination and Analysis – Mobile
Devices.
7.6.2 While the mobile devices themselves cannot be forensically copied using
procedures outlined in DETM-7.4 through 7.5, they often contain expandable
storage media such as flash memory cards which may be forensically copied in
accordance with this procedure.
DETM-8: EXAMINATION & ANALYSIS – COMPUTERS AND DATA STORAGE DEVICES
8.1 PURPOSE
The purpose of this protocol is to provide a standardized procedure for the
examination and analysis of computer systems and digital storage devices within DEU
laboratory facilities.
8.2 SCOPE
This procedure applies to the examination and analysis of digitally or
electronically stored data and information which originates from computer systems and
data storage devices submitted to DEU laboratory facilities for examination. Due to the
unique and varied technologies found in mobile devices, the procedure for examination
and analysis of those items is covered in DETM-9: Examination and Analysis of Mobile
Devices.
8.3 EQUIPMENT
8.3.1 Forensic computer system(s).
8.3.2 Forensic hardware and software tools.
8.3.3 Common use hardware and software tools.
8.3.4 Forensic copy of item(s) of ODE.
8.3.5 Digital media storage device(s)
8.4 EXAMINATION OF ITEMS OF ORIGINAL DIGITAL EVIDENCE
8.4.1 Examination and analysis should be conducted on a forensic copy of an
item of ODE whenever possible.
8.4.2 If a forensic copy of an item of ODE cannot be obtained, the ODE item
may be directly examined.
8.4.3 All direct examination and analysis of items of ODE will be conducted
using a write blocking device appropriate for the media item in accordance with
DETM-5: Write Protecting Examination Media.
8.4.4 If direct examination or analysis is conducted on an item of ODE, the
justification for directly examining the ODE media item will be documented in
the appropriate matrix panel.
8.4.5 If a forensic copy of an item of ODE media cannot be obtained and an
appropriate write blocking device is unavailable (or the ODE media item cannot
be accessed through an appropriate write blocking device), the item may still be
examined, but only with approval from the DEU Supervisor or Technical
Manager. The DEU Supervisor or Technical Manager will review the
examination request and the potential negative consequences of performing
direct examination of the ODE media item without the use of a write blocking
device and may approve direct examination of the item without the use of a write
blocking device.
8.4.6 If the DEU Supervisor or Technical Manager approves the direct
examination or analysis of an item of ODE without the use of a write blocking
device, the approval and the justification for directly examining the ODE
media item without a write blocking device will be documented in the case
information narrative.
8.5 PREVIEWS
8.5.1 During the course of digital evidence examinations, ODE media items are
often previewed as a means to quickly perform a basic search of the data
storage of a device for the presence of files or data of immediately apparent
evidentiary value. All previews of ODE media items by examiners at DEU
laboratory facilities will be conducted using approved and appropriate common
and/or forensic tools.
8.5.2 Previews will only be conducted on items of evidence which have been
accepted for digital evidence examination.
8.5.3 Previews may be used, when appropriate, to eliminate ODE media items
from the list of items selected for full forensic examination.
8.5.4 Previews of ODE media items will be conducted using an approved write
blocking device appropriate for the media item in accordance with DETM-5:
Write Protecting Examination Media. In the event a preview of an ODE media
item cannot be conducted using a write blocking device, the item may still be
previewed, but only with the DEU Supervisor or Technical Manager approval
required by DETM-8.4.5, documented in accordance with DETM-8.4.6.
8.5.5 Previews will be documented in accordance with DETM-2: Examination
Documentation.
8.6 FORENSIC EXAMINATION PROCEDURES
8.6.1 If the forensic copies of ODE media items have been copied from one
physical media device or source to another physical media device, the forensic
copies will be verified with an approved forensic software tool prior to the start of
examination or analysis.
8.6.1.1 If the forensic copies are still on the storage device to which
they were written when they were created, no additional verification is
required prior to the start of examination or analysis.
8.6.1.2 If a forensic copy of an item of ODE media fails verification, the
copy may be re-attempted from the original source device. If the
duplicated forensic copy fails a second verification attempt, the original
forensic copy will be re-verified. If the original forensic copy fails
verification, another forensic copy of the ODE media item will be obtained
in accordance with DETM-7: Forensic Copy Procedures and the failure
will be documented in the appropriate matrix panel.
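A worked example of the three-way hash check in DETM-7.5.10 through 7.5.13 and of the re-verification of a moved copy in 8.6.1, added here as illustration. It is not OSBI code and does not reproduce the behaviour of any approved imaging tool: the ODE item and its raw (dd-style) forensic copy are stood in for by ordinary files with constructed content, and the function names, the two-attempt limit, and the wording of the notes are assumptions of the example rather than terms taken from the manual.

```python
"""Three-way hash verification of a forensic copy (DETM-7.5.10 to 7.5.13) and
re-verification of a copy moved to other media (DETM-8.6.1). Added example:
not OSBI code and not the behaviour of any approved imaging tool. The ODE item
and its raw (dd-style) copy are modelled as ordinary files with constructed
content; function names, the two-attempt limit and the note strings are this
example's assumptions, not terms from the manual."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from typing import Callable, Dict, List

CHUNK = 1 << 20               # 1 MiB reads: multi-GB images must not be loaded whole
ALGORITHMS = ("md5", "sha1")  # the pair most imaging tools record side by side


def hash_file(path: str, algorithms=ALGORITHMS) -> Dict[str, str]:
    """One pass over the file, feeding every requested digest together."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source: str, dest: str) -> Dict[str, str]:
    """Stand-in for the imaging tool: byte-for-byte copy, then hash the copy."""
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    return hash_file(dest)


def _corrupt(path: str, offset: int) -> None:
    """Constructed fault: overwrite one byte (what a bad sector or cable would do)."""
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(b"\xff")


def faulty_acquire(source: str, dest: str) -> Dict[str, str]:
    """An acquisition whose copy differs from the source, so verification fails."""
    acquire(source, dest)
    _corrupt(dest, 4096)
    return hash_file(dest)


@dataclass
class VerificationRecord:
    pre_copy: Dict[str, str]                                     # DETM-7.5.3 value
    forensic_copy: Dict[str, str] = field(default_factory=dict)  # DETM-7.5.7 value
    post_copy: Dict[str, str] = field(default_factory=dict)      # post-copy check of the ODE
    attempts: int = 0
    notes: List[str] = field(default_factory=list)               # for the matrix panel

    @property
    def verified(self) -> bool:
        return self.pre_copy == self.forensic_copy == self.post_copy


def verify_forensic_copy(source: str, dest: str,
                         acquire_fn: Callable[[str, str], Dict[str, str]] = acquire,
                         max_attempts: int = 2) -> VerificationRecord:
    """7.5.10: pre-copy, copy and post-copy hashes must all match. 7.5.11/7.5.12:
    one further attempt, then escalate. 7.5.13: every failed attempt is recorded."""
    rec = VerificationRecord(pre_copy=hash_file(source))
    while rec.attempts < max_attempts and not rec.verified:
        rec.attempts += 1
        rec.forensic_copy = acquire_fn(source, dest)
        rec.post_copy = hash_file(source)          # re-read the ODE after the copy
        if not rec.verified:
            rec.notes.append(f"attempt {rec.attempts}: mismatch pre={rec.pre_copy['sha1'][:12]} "
                             f"copy={rec.forensic_copy['sha1'][:12]} post={rec.post_copy['sha1'][:12]}")
    if not rec.verified:
        rec.notes.append("second attempt failed: notify DEU Technical Manager or Supervisor")
    return rec


def verify_moved_copy(copy_path: str, recorded: Dict[str, str]) -> bool:
    """8.6.1: a copy moved to other media is re-hashed against the values recorded
    at acquisition before examination begins."""
    return hash_file(copy_path, tuple(recorded)) == recorded


def demo() -> dict:
    """Run the procedure on a constructed 1 MiB 'device' and return the outcomes."""
    work = tempfile.mkdtemp(prefix="detm7_")
    ode, copy, moved = (os.path.join(work, n) for n in ("item1_ode.bin", "item1.raw", "item1_moved.raw"))
    with open(ode, "wb") as f:
        f.write(bytes(range(256)) * 4096)          # constructed sample content
    good = verify_forensic_copy(ode, copy)
    bad = verify_forensic_copy(ode, os.path.join(work, "item1_retry.raw"), acquire_fn=faulty_acquire)
    shutil.copyfile(copy, moved)                    # copy moved to other media (8.6.1)
    moved_ok = verify_moved_copy(moved, good.forensic_copy)
    _corrupt(moved, 0)
    moved_after_corruption = verify_moved_copy(moved, good.forensic_copy)
    shutil.rmtree(work)
    return {"good_verified": good.verified, "good_attempts": good.attempts,
            "bad_verified": bad.verified, "bad_attempts": bad.attempts, "bad_notes": len(bad.notes),
            "moved_ok": moved_ok, "moved_after_corruption": moved_after_corruption}
```

The pre-copy and post-copy values are both taken from the ODE item itself, so a disagreement between those two points at the source (an unstable drive, or writes reaching the item through a failed write block) rather than at the copy, while a disagreement on the copy alone points at the acquisition path. Calling `demo()` runs both the clean case and the constructed failure case and returns the outcomes.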
8.6.2 Prior to the start of examination, the examiner must carefully review the
examination request and perform all subsequent forensic examination within the
specific parameters of the scope of the request. Any examination exceeding the
scope of the request must be coordinated with the requesting agency or official
prior to being conducted.
8.6.3 The examination tools, processes, and methods used to perform forensic
examinations should be selected by the examiner based upon their training,
experience, and current “best practices” of the digital forensic community.
8.6.4 The examiner will conduct the examination utilizing forensic tools
identified in DEQM-6: Approved Examination Tools which are appropriate for the
type of examination(s) requested.
8.6.5 The details of how the examination was conducted will be documented in
accordance with DETM-2: Examination Documentation and in sufficient detail
that another qualified examiner could duplicate all examination processes at a
later date using the same forensic tools.
8.6.6 The examination should be conducted so that the examination results can
be reported in a manner that specifically addresses the examination request. All
examination results will be reported in accordance with DEQM-11: Reporting
Examination Results.
DETM-9: EXAMINATION & ANALYSIS – MOBILE DEVICES
9.1 PURPOSE
The purpose of this protocol is to provide a standardized procedure within DEU
laboratory facilities for the examination and analysis of mobile devices (e.g. cellular
telephones, digital media players). Mobile device examination includes the
identification and recovery of electronically stored information which originates from
many different sources found within the data storage of mobile devices.
9.2 SCOPE
This procedure applies to the examination and analysis of digitally or
electronically stored data and information which originates from mobile devices
submitted for examination in DEU laboratory facilities. The procedure for the
independent examination and analysis of removable digital data storage devices
commonly found installed in or used with mobile devices is covered in DETM-8:
Examination and Analysis – Computers & Data Storage Devices.
9.3 EQUIPMENT
9.3.1 Forensic computer system(s).
9.3.2 Forensic hardware and software tools.
9.3.3 Common use hardware and software tools.
9.3.4 ODE mobile device.
9.3.5 Digital media storage device(s)
9.4 MOBILE DEVICE EXAMINATION LIMITATIONS
9.4.1 Examination and analysis are normally conducted on a forensic copy of an
item of ODE whenever possible. Due to the variety and nature of mobile devices
and the methods available to connect to them and acquire their content, it may
not be possible to access mobile devices through write protection. As a result,
procedures outlined in many sections of the DEU Technical Procedures may not be
applicable as they pertain to the use of write blocking devices to access items of
ODE.
9.4.2 There is no identified or available method that will acquire or parse all
electronically stored data and information from all mobile devices. Although
mobile device examination tools and equipment are under constant development
and receive frequent updates, these tools may not identify or recover all
electronically stored data and information stored on mobile devices.
9.5 SHIELDING MOBILE DEVICES FROM WIRELESS COMMUNICATIONS
9.5.1 Whenever possible, ODE mobile devices which have the capability to
receive or transmit data wirelessly will be shielded from external electromagnetic
and radio frequency sources during processing and examination to prevent the
wireless transfer of data to and from the device.
9.5.2 Whenever possible, ODE mobile devices will be placed in an
electromagnetic and radio frequency blocking device prior to being powered on
for the first time after the item was received.
9.5.3 Once the ODE mobile device is powered on inside the electromagnetic
and radio frequency blocking device, the device will be placed in “Airplane Mode”
when available and as soon as is practical. Airplane Mode is a feature common
to most mobile devices that disables the device's cellular, Wi-Fi, and Bluetooth
radios. Because many devices allow Wi-Fi or Bluetooth to be switched back on
individually while Airplane Mode remains enabled, the examiner should confirm
that each radio is off before relying on Airplane Mode alone.
9.5.4 If an ODE mobile device is received powered on, the device will be placed
in Airplane Mode as soon as practical.
9.5.5 Once the ODE mobile device has been placed in Airplane Mode, the
device may then be examined without the use of an electromagnetic and radio
frequency blocking device.
9.5.6 An electromagnetic and radio frequency blocking device may not block all
wireless transmissions for every device. Any transmission activity observed
during processing and/or examination will be documented in the appropriate
matrix panel.
9.5.7 Once the above procedure has been implemented to shield the ODE
mobile device from wireless connection(s) the device will then be processed in
accordance with procedure DETM-3.5.2 Mobile Device Processing.
9.6 MOBILE DEVICE EXAMINATION PROCEDURES
9.6.1 All forensic examination and analysis will be conducted using approved
forensic hardware and software tools listed in DEQM-6: Approved Examination
Tools which are appropriate for the type of examination(s) requested.
9.6.2 Prior to the start of examination, the examiner must carefully review the
examination request and perform all subsequent forensic examination within the
specific parameters of the scope of the request. Any examination exceeding the
scope of the request must be coordinated with the requesting agency or official
prior to being conducted.
9.6.3 The examination tools, processes, and methods used to perform forensic
examinations should be selected by the examiner based upon their training,
experience, and current “best practices” of the digital forensic community.
9.6.4 If an ODE mobile device is found to contain removable data storage
devices and/or Subscriber Identity Module (SIM) cards, those data storage
devices and cards may be examined while installed in the mobile device when
appropriate. The intent is for the examiner, based on training and experience, to
choose the method(s) of examination appropriate for the specific device and the
examination request.
9.6.4.1 If removable data storage devices are removed from the mobile
device and examined independently, when practical or possible they will
be write protected in accordance with DETM-5: Write Protecting
Examination Media and a forensic copy will be obtained of the item in
accordance with DETM-7: Forensic Copy Procedures.
9.6.4.2 Removable data storage devices which are removed from ODE
mobile devices for independent examination outside of the mobile device
may be examined in accordance with DETM-8: Examination and Analysis
– Computers & Data Storage Devices.
9.6.4.3 SIM cards which are removed from ODE mobile devices for
independent examination outside of the mobile device will be examined
utilizing approved forensic tools appropriate for SIM card examination(s).
9.6.5 If necessary, charge the ODE mobile device battery utilizing a method
which does not involve a data connection to a computer or other examination
device.
9.6.6 Select the approved and appropriate tool(s) to be utilized for the extraction
and examination of data from the ODE mobile device. Document the tool(s)
used in accordance with DETM-2: Examination Documentation.
9.6.7 Mobile device examination software tools often provide support for
different types of extractions for each mobile device which vary and are
dependent on the device make and model, the software running or installed, and
the security settings employed on the device. The examiner will, based on
available examination tools, training, experience, and current “best practices” of
the digital forensic community, choose extraction methods which are appropriate
for the extraction of data from the ODE mobile device and the examination
request.
9.6.8 Examination tools may require additional steps in order to extract data
from ODE mobile devices. These steps may include loading a software “agent”
or “client” onto the device, enabling or disabling certain features or functionality,
and other input or selections necessary to successfully gain access to the device.
These steps may be performed as long as they are reversible and performed as
directed by the examination tool.
9.6.9 Extractions of data from mobile devices are normally not exact copies of
the data storage found on the device and cannot be hashed and verified in the
same way or manner as a forensic copy of a hard disk drive or flash media card.
After the extraction(s) have been obtained, the extracted data may be verified if
the tool selected to examine the extraction(s) provides support for verification.
9.6.10 The extraction(s) of data from ODE mobile devices will be examined
utilizing approved tools determined by the examiner to be appropriate for the type
of extraction and the examination request.
9.6.11 The details of how the examination was conducted will be documented in
accordance with DETM-2: Examination Documentation and in sufficient detail
that another qualified examiner could duplicate all examination processes at a
later date using the same examination tools.
9.6.12 The examination should be conducted so that the examination results
and findings can be reported in a manner that specifically addresses the
examination request. The examination results and findings may be reported in a
format deemed appropriate by the examiner. All examination results will be
reported in accordance with DEQM-11: Reporting Examination Results.
9.6.13 Following the completion of mobile device examination, the data storage
devices removed from ODE mobile devices for further or more in depth
examination separate from the mobile device may be examined in accordance
with DETM-8.
9.7 ADVANCED MOBILE DEVICE EXAMINATIONS
9.7.1 There may be instances when advanced examination techniques may be
required to extract data from a mobile device. Advanced Mobile Device
Examinations involve actual physical alteration of the device to facilitate recovery
of data from the device and may involve processes and/or techniques which are
potentially destructive to the functionality of the device itself or to the data stored
on the device.
9.7.2 Advanced examination processes or techniques which physically alter the
device or are potentially destructive to the device or the data stored on it will only
be conducted with written approval in advance from the District Attorney
prosecuting the case authorizing the physical alteration or destructive process to
facilitate data recovery from the device in accordance with OSBI CSD QP 16.
9.7.3 Advanced Mobile Device Examinations will only be performed for
examination cases assigned Priority Levels 1, 2, and 3 in accordance with
DETM-0: Administrative Procedures.
9.7.4 All Advanced Mobile Device Examinations must be approved in advance
by the OSBI DEU Supervisor or Technical Manager and the approval
documented as a Case Event in the Case Information Narrative section of the
LIMS examination case.
9.7.5 All costs, fees, and expenses pertaining or related to Advanced Mobile
Device Examinations will be paid for by either the requesting agency or the
District Attorney’s Office prosecuting the case. All Advanced Mobile Device
Examinations must be authorized or approved in writing prior to the start of any
advanced examination. The written authorization or approval will be uploaded to
the LIMS examination case documentation.
9.7.6 Device Repairs: In instances when mobile devices are submitted for
examination which are not functioning properly, the device may be repaired in
order to facilitate recovery of data from the device. Repairs may involve or
include removing and replacing internal device parts. Only the repairs required
to make the device functional enough to recover data from or perform an
examination of the data stored on the device will be performed.
9.7.7 Potentially Destructive Examinations and Extractions: Advanced
examination of some mobile devices may require specialized techniques which
require direct access to the internal memory to examine or extract data from the
device. These specialized techniques may or may not require the device to be
disassembled, may result in permanent irreversible damage to the device, or
render the device unusable. Specialized techniques requiring direct access to
the internal memory of mobile devices will only be performed by examiners who
have received documented training in these types of examinations.
9.8 MANUAL REVIEWS OF MOBILE DEVICES
9.8.1 If a mobile device contains or is suspected to contain data and information
which is not acquired through mobile device examination tools and equipment, it
may be obtained through a manual review of the data and information stored on
the device. A manual review is defined as using the device’s display, operating
system, and software to browse or review the data and files stored on the device.
A manual review is normally documented by recording the display of the device
using either photographs or video during the conduct of the manual review.
9.8.2 Because direct interaction with the data stored on a device carries an
increased risk of loss or alteration of that data, examiners at DEU laboratory
facilities will not normally perform manual reviews of mobile devices except
when the examiner, DEU Supervisor, or DEU Technical Manager determines a
manual review to be appropriate.
9.8.3 Manual Review of mobile devices will be conducted as a last resort when
all other acceptable and/or appropriate examination and extraction means and
methods have been attempted and those attempts have failed to extract data
from a mobile device. Manual Review of mobile devices may also be utilized as
a last resort when all other acceptable and/or appropriate examination and
extraction means and methods have been attempted and those attempts have
failed to extract or report data of evidentiary value known to exist on the mobile
device.
9.8.4 Manual Review of mobile devices will be conducted as targeted reviews
for specific data and information and will not be conducted as “blanket” or
comprehensive reviews. When a Manual Review is requested, the requestor
must provide specific search criteria to narrow the target or scope of the Manual
Review.
9.8.5 When examiners at DEU laboratory facilities do perform manual reviews
of mobile devices, the review will be recorded by means deemed appropriate by
the examiner and the manual review will be documented in the case notes in
accordance with DETM-2: Examination Documentation. The photographs or
videos produced during the recording of manual reviews will be reported in a
manner that specifically addresses the examination request, in a format deemed
appropriate by the examiner, and in accordance with DEQM-11: Reporting
Examination Results.
9.8.6 Manual Review of mobile devices will normally be limited to what can be
documented by 100 photographs or 5 minutes of video taken or recorded of the
information or data displayed on the screen of the mobile device. Requests for
Manual Reviews exceeding 100 photographs or 5 minutes of video must be
approved by the DEU Supervisor or DEU Technical Manager and will be
evaluated based on the current laboratory caseload and the details of the
request. The approval will be documented as a Case Event in the Case
Information Narrative section of the LIMS examination case.
9.9 RECOVERY OF ACCESS CREDENTIALS FOR MOBILE DEVICES
9.9.1 Mobile devices secured with a Personal Identification Number (PIN),
passcode, passphrase, or other access credential which must be provided or
entered to enable access to the device represent a significant challenge to
mobile device examinations. In most instances, the access credential is
associated with the decryption of encrypted data stored on the device.
9.9.2 PINs, passcodes, passphrases, or other access credentials will not be
used to disable security on mobile devices if doing so causes the deletion of data
other than data associated only with the access security of the device.
9.9.3 Determination, extraction, or recovery of access credentials may be
possible on certain makes and models of mobile devices, dependent on the
functionality and capability of approved mobile device forensic tools listed in
DEQM-6.2.3 at the time of examination.
9.9.4 Only approved mobile device forensic tools listed in DEQM-6.2.3 will be
used to recover the access credentials for mobile devices submitted in
examination casework.
9.9.5 The recovery of mobile device access credentials is often accomplished
by using a mobile device forensic tool to load a software application known as a
“client” onto the mobile device. Once the client is loaded onto the mobile device,
the recovery process is independently performed on the mobile device itself and
will continue until the access credential is recovered, the client is cancelled or
uninstalled, the device is powered off, or the device no longer has power from a
battery or power source.
9.9.6 The amount of time required to complete the recovery of access
credentials from mobile devices may vary greatly from one device to another.
Generally, the recovery processes fall within the following categories:
Short Term Recovery: Short term recovery processes are generally completed within one week.
Long Term Recovery: Long term recovery processes are generally expected to take longer than one week to complete.
In most cases, the recovery can be determined to be short or long term
based on information provided by the mobile device forensic tool when the recovery
process is initiated.
9.9.7 Based on the facts and circumstances of the examination request, mobile
devices may be returned to the requestor with the device running the client software
and actively running access credential recovery processes as long as the return of the
device does not violate the license agreement of the forensic tool.
9.9.8 When the access credential recovery for a device is determined to be a
long term recovery, the examiner shall:
Notify the requestor that the recovery is a long term recovery and the potential length of time a long term recovery may take.
Determine if the requestor wants to continue the recovery process.
Determine if the requestor wants to pick up the device or leave the device at the DEU (if the requestor wants to continue the recovery process).
Notify the requestor that, if the device is returned to them and they want the DEU to perform the examination, it will have to be resubmitted once the access credential is recovered.
The results of the above coordination with the requestor will be
documented as a case event narrative in the case notes.
9.9.9 Once a mobile device has been determined to be in the process of long
term recovery and the requestor has been notified, a digital evidence
examination report may be produced for the device which, at a minimum,
indicates:
The date the recovery process was initiated.
The mobile device forensic tool used to perform the recovery.
The fact the recovery was an ongoing long term or slow process.
The examiner may delay producing the digital evidence examination report indicating a long term access credential recovery is in progress until after the recovery client has completed attempts of word lists, commonly used codes or phrases, and easily determined access credentials.
9.9.10 If a mobile device is returned to the requestor with access credential recovery in progress, a digital evidence examination report will be written as indicated in DETM-9.9.9.
9.9.11 If the request is for DEU to perform the examination and a digital evidence examination report was produced that indicated a long term recovery was in
progress, a separate digital evidence examination report will be issued after the
access credential is recovered.
9.9.12 For mobile devices retained by the DEU throughout the recovery process,
digital evidence examination reports produced for devices following access
credential recovery will list the recovered access credential.
9.9.13 If a mobile device is released to a requestor with the device running client
software and actively performing access credential recovery, the examiner will
advise how to keep the recovery process going and, if applicable, how to resubmit
the device for examination once the access credential is recovered.
DETM-10: RESTORATION OF FORENSIC COPIES DURING EXAMINATIONS
10.1 PURPOSE
The purpose of this protocol is to provide a standardized procedure to be used in
DEU laboratory facilities to restore a forensic copy of an item of ODE to a compatible
data storage device.
10.2 SCOPE
This procedure applies to all instances in DEU laboratory facilities when a
forensic copy is utilized to recreate a copy or clone of the original ODE item on a
different storage device for examination purposes.
10.3 EQUIPMENT
10.3.1 Forensic computer system(s).
10.3.2 Restoration software.
10.3.3 Sterilized target media storage device.
10.3.4 Forensic copy of an item of ODE.
10.4 PREPARATION OF DATA RESTORE MEDIA
All data restore media devices will be wiped and prepared in the same manner
and in accordance with DETM-4.4: Sterilization of Target Data Storage Media.
10.5 CREATION OF DATA RESTORE MEDIA
10.5.1 During the course of digital evidence examinations, it may become
necessary to view the evidence in its native state. In order to accomplish this
without alteration to the ODE, the forensic copy obtained from the ODE can be
restored to a compatible data storage medium. The storage device containing
the restoration can then be examined as though it were the original.
10.5.2 Connect the wiped and prepared data restore media to the forensic
computer system.
10.5.3 Use an approved forensic software tool to restore the forensic copy of the
ODE item to the data restore media. Document the method used in the
appropriate matrix panel.
10.5.4 If applicable, select the option to overwrite any remaining sectors on the
target data restore media with “0”.
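A worked example of the restoration procedure in 10.4 and 10.5, added here as illustration; it is not OSBI code and not a feature of any named restoration tool. The target data storage device is modelled as a fixed-size file, the sterilization of 10.4 is stood in for by a zero overwrite, the restore writes the image and then zero-fills the remaining sectors as 10.5.4 directs, and a check confirms both that the restored span hashes identically to the image and that nothing but zeros follows it. Function names, the 512-byte sector size and the sample image are assumptions of the example.

```python
"""Restoring a forensic copy to a sterilised target (DETM-10.4, 10.5). Added
example, not OSBI code and not a feature of any named restoration tool. The
target device is modelled as a fixed-size file; function names, the 512-byte
sector size and the constructed sample image are this example's assumptions."""
import hashlib
import os
import tempfile

SECTOR = 512
CHUNK = 1 << 20
ZEROS = b"\x00" * CHUNK


def _zero_fill(f, nbytes: int) -> None:
    """Write nbytes of zeros at the file's current position."""
    while nbytes > 0:
        n = min(nbytes, CHUNK)
        f.write(ZEROS[:n])
        nbytes -= n


def sterilize(target: str, size_bytes: int) -> None:
    """DETM-4.4 stand-in: overwrite the whole target with zeros before use."""
    with open(target, "wb") as f:
        _zero_fill(f, size_bytes)


def is_sterile(target: str) -> bool:
    """True when every byte on the target is zero."""
    with open(target, "rb") as f:
        return all(b.count(0) == len(b) for b in iter(lambda: f.read(CHUNK), b""))


def restore(image: str, target: str, zero_remaining: bool = True) -> dict:
    """10.5.3/10.5.4: write the image onto the target and, with zero_remaining,
    overwrite every sector after it with zeros. Returns the record an examiner
    would keep in the matrix panel."""
    image_size, target_size = os.path.getsize(image), os.path.getsize(target)
    if target_size < image_size:
        raise ValueError(f"target ({target_size} B) is smaller than image ({image_size} B)")
    h = hashlib.sha256()
    with open(image, "rb") as src, open(target, "r+b") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
        if zero_remaining:
            _zero_fill(dst, target_size - dst.tell())
    return {"image_sha256": h.hexdigest(), "image_bytes": image_size,
            "target_bytes": target_size, "zeroed_remaining": zero_remaining}


def verify_restore(target: str, record: dict) -> dict:
    """Hash the restored span and scan the tail; both must pass before the
    target is examined as though it were the original (10.5.1)."""
    h = hashlib.sha256()
    tail_zeroed = True
    with open(target, "rb") as f:
        remaining = record["image_bytes"]
        while remaining > 0:
            block = f.read(min(CHUNK, remaining))
            if not block:
                break                    # target shorter than the record claims
            h.update(block)
            remaining -= len(block)
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.count(0) != len(block):
                tail_zeroed = False      # stale data from a previous use survives
                break
    return {"hash_matches": h.hexdigest() == record["image_sha256"],
            "tail_zeroed": tail_zeroed}


def demo() -> dict:
    """Restore a constructed ~63 KB image onto a 200-sector target: once onto
    sterilised media, once onto reused media without the zero-fill step."""
    work = tempfile.mkdtemp(prefix="detm10_")
    image = os.path.join(work, "item1.raw")
    target = os.path.join(work, "restore_target.bin")
    with open(image, "wb") as f:
        f.write(b"DETM-10 sample image " * 3000)   # constructed content
    sterilize(target, 200 * SECTOR)
    sterile_before = is_sterile(target)
    clean = verify_restore(target, restore(image, target))
    with open(target, "wb") as f:                    # reused, unwiped target
        f.write(b"\xff" * 200 * SECTOR)
    reused = verify_restore(target, restore(image, target, zero_remaining=False))
    return {"sterile_before": sterile_before, "clean": clean, "reused": reused}
```

The second run in `demo()` shows why 10.4 and 10.5.4 both exist: the restored span verifies either way, but on an unwiped target without the zero-fill the sectors beyond the image still hold whatever the media carried before, and that material could be mistaken for data from the ODE item during examination.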
DETM DOCUMENT REFERENCES
The following standards and sources guide the requirements included in this
technical manual. If the reference listed does not include a date, the most recent
revision of the referenced document or source applies.
ISO/IEC 17025:2017
ANAB ISO/IEC 17025 – Forensic Science Testing Laboratories Accreditation
Requirements (AR3125)
Scientific Working Group on Digital Evidence (SWGDE) www.swgde.org
National Institute of Standards and Technology (NIST) Computer Forensics
Tool Testing Project www.cftt.nist.gov
OSBI Criminalistics Services Division Quality Manual
DETM-HISTORY: DETM DOCUMENT HISTORY
Revision #   Review Date   Revision History Notes/Description

0   5/27/2016   Original Issue. Original DETM was published with each section as a
separate document and each document had a separate document history page.

1   12/01/2017   Updated to revision 1. Combined all DETM REV0 separate section
documents into one document with a single history and approval. Revised all
sub-sections to further define the purpose and scope to include references to OSBI
CSD and DEU laboratory facilities other than the ATTDFL and to all CSD, DEU, and
ATTDFL personnel who perform digital evidence examinations. Removed redundant
language associated with acronyms. Changed all references from ASCLD/LAB to ANAB
Accreditation Requirements.

DETM-0: Section 0.5.3 edited to change “will not” to “are not required” to maintain
or review copies of search authorizations. Section 0.5.5 edited to add requirement
to document the discovery of additional crimes outside of the scope of search and
subsequent coordination with the requestor in the LIMS case information narrative.
Section 0.6.6 edited to remove requirement for DEU Supervisor to document the
priority and assigned examiner on the examination request form. Section 0.6.7
edited to allow evidence to be received at locations other than ATTDFL and removed
requirement for triage to be documented on the request form. Section 0.6.8 original
section from Revision 0 (which required assigned examiner to provide the
examination request form to the employee(s) responsible for maintaining the ATTDFL
evidence room) was removed entirely. Section was replaced with Revision 0 Section
0.6.9. Section 0.6.9 replaced with Revision 0 Section 0.6.10 and edited to allow
evidence to be accepted at locations designated by OSBI CSD Administration. Added
language to expand administrative exception to include “locations other than those
previously approved”. Section 0.8.5 edited to include “or designee” to the approval
authority to accept more than ten items of evidence in a request.
OSBI DIGITAL EVIDENCE UNIT TECHNICAL MANUAL
DETM-HISTORY: DETM DOCUMENT HISTORY
DETM_REV03 Page 44 of 52 Effective Date: 08/16/2019
DETM-1: Section 1.4.4 edited to change “designated local network storage location” to “designated storage location or method” for the location of forensic software tools. Section 1.5.7 edited to change the requirement to baseline forensic computer systems from “once per calendar year” to annually. Section 1.5.9 edited to change the requirement to update the operating systems of forensic computer systems from “every 90 days” to “all updates available at the time the computer was last baselined or when directed by the DEU Technical Manager”.

DETM-2: Section 2.3.3 edited to remove “The chain of custody record will be the source of the case record documentation location for the examination start date”. Section 2.3.4 edited to re-define the examination end date as the date the administrative review was completed and the examination report was approved. Section 2.5.2 edited to remove the requirement to document the tool used to produce examination reports. Section 2.5.4 edited to change “documentation and notes” to “matrix panel”. Sections 2.6.3 and 2.6.4 incorporated into Section 2.6.2, and the requirements for documenting and describing how exhibit report media devices are labeled were edited. Section 2.7.2 edited to replace “electronic report” with “examination or exhibit report”.

DETM-3: The entire section was edited to replace generic references to “case notes” with more specific references to “matrix panel” or “case documentation” where appropriate. Section 3.5.2.3 edited to remove the requirement to document whether the ODE mobile device was listed as a “supported device”. Section 3.5.2.7 edited to remove references to mobile device removable media storage as “sub-items”. Section 3.5.2.8 edited to remove multiple references to mobile device removable media storage as “sub-items”.

DETM-4: Sections 4.1 and 4.2 edited to further define the purpose and scope to “within OSBI CSD, DEU, and ATTDFL laboratory facilities”.

DETM-5: The entire section was edited to replace generic references to “case notes” with more specific references to “matrix panel”. Section 5.4.2 edited to replace “forensic imaging” with “forensic copying”. Section 5.5.1.2 edited to replace “software application/program/utility name” with “Maintenance Identifier” and replaced “case notes” with “matrix panel”. Section 5.5.2 deleted and replaced with Section 5.5.3.

DETM-6: The entire section was edited to replace generic references to “case notes” with more specific references to “matrix panel”.

DETM-7: The entire section was re-named and edited to remove all references to and use of “image” or “forensic image” and replace those references with “forensic copy”, as well as to replace generic references to “case notes” with more specific references to “matrix panel” or “case documentation” where appropriate. Section 7.5.10 edited to remove the redundant requirement to document hash verification results. Section 7.5.11 re-written to clarify and simplify the procedures to be followed if a forensic copy hash verification fails. Section 7.5.12 added to require that all failed attempts to obtain or verify forensic copies be documented in the appropriate matrix panel.

DETM-8: The entire section was edited to remove all references to and use of “image” or “forensic image” and replace those references with “forensic copy”, as well as to replace generic references to “case notes” with more specific references to “matrix panel” or “case information narrative” where appropriate. Section 8.5.1 edited to specify applicability to previews conducted “at OSBI CSD, DEU, and ATTDFL laboratory facilities”. Sections 8.6.8.1 through 8.6.8.8 re-written and reduced to Sections 8.6.8.1 through 8.6.8.3 to clarify and simplify the procedures to be followed if a forensic copy post-examination verification hash fails, and to make the procedure consistent with the procedure followed for other hash verification failures.

DETM-9: The entire section was edited to remove all references to and use of “image” or “forensic image” and replace those references with “forensic copy”, as well as to replace generic references to “case notes” with more specific references to “matrix panel”.

DETM-10: The entire section was edited and re-named to remove all references to and use of “image” or “forensic image” and replace those references with “forensic copy”, as well as to replace generic references to “case notes” with more specific references to “matrix panel”.

DETM References: Section added to the end of the manual to list all manual references from each individual document section in one location. Removed the references listed at the end of each document section.
2 12/03/2018 Updated to Revision 2. A substantive revision of this manual is in progress and expected to be completed within the first two quarters of calendar year 2019. This revision is pending completion of Revision 6 of the OSBI CSD Quality Manual, which is under revision to ensure compliance with the ISO/IEC 17025:2017 International Standard and the ANAB AR3125 Accreditation Requirements.
03 08/16/2019 Updated document to Revision 03. The entire document was edited to consistently apply document and paragraph formatting and spacing. Throughout the entire document, redundant references to “OSBI CSD”, “DEU”, and the “ATTDFL” were replaced with “DEU” where applicable. Added hyperlink to the document revision number in lower left footer to return to the document index page.
DETM-INDEX: Added hyperlinks to each individual manual sub-section.

DETM-0: Section 0.2 was edited to add “Unless otherwise specified, all references to ‘DEU’ will include and/or apply to all ATTDFL examiners and facilities as well as to all OSBI CSD digital evidence examiners and facilities”. NOTE: Edits to Sections 0.6.1 through 0.8.5 were made to incorporate the Deviation dated May 21, 2018, which was implemented to make accommodations for the submission of evidence for digital examination at OSBI CSD regional laboratory facilities other than the ATTDFL. Section 0.6.1 was edited to remove the requirement for requestors to make direct coordination with the DEU Supervisor and to add the requirement that all questions or requests for clarification related to digital evidence examination requests will be directed to the DEU Supervisor. Section 0.6.3 was re-written to require requestors to provide a completed and current version of the Digital Evidence Examination Request Addendum (OSBI CSD QPA 5.2) prior to the start of any digital evidence examination. Also established the requirement that the Digital Evidence Request Addendum must include the requestor’s signature acknowledging responsibility that the requestor must ensure the examination request does not exceed the scope of the legal search authority already obtained for the items submitted. Section 0.6.4 was deleted in its entirety. Sections 0.6.5 through 0.6.9 were re-numbered to accommodate the deletion of Section 0.6.4. Section 0.6.6 was re-written to require coordination with the requestor and triage of evidence “when required”. Section 0.6.7 was re-written to allow acceptance of evidence without a completed current version of the Digital Evidence Request Addendum (QPA 5.2) but to require the completed form before any examination work is conducted. Section 0.6.8 was edited to remove redundant language pertaining to case-by-case authorizations of alternative digital evidence acceptance locations. Section 0.7: The entire section was re-written to remove the numerical priority system for prioritization of incoming examination requests and to designate the DEU Supervisor as the individual responsible for prioritizing examination requests based on the information provided by the requestor. Section 0.8.2 was edited to remove the restriction which only allowed triage to be used for items which had not yet been accepted for examination and to add the authorization for triage to be conducted by the DEU Supervisor or designee. Sections 0.8.3 through 0.8.5 were deleted in their entirety.

DETM-1: Section 1.2: Corrected “function testing” to read “performance verification testing” in the final sentence. Section 1.4.2: Corrected “corresponding” to read “associated” in the final sentence. Section 1.4.3 was re-written to remove redundant language and to require examiners to obtain installation files for forensic software tools from the approved software storage location maintained by the DEU Technical Manager. Section 1.4.4 was re-written to establish the requirement that only forensic software tools and programs listed in DEQM-6.2.2-6.2.3 may be installed on forensic computer systems, and that software designated as “Common Use” and made available by the DEU Technical Manager through the approved common use software storage location may be installed on forensic computer systems. Section 1.4.5 added language to authorize a PIN to be used as a logon credential for forensic computer systems.

DETM-2: Section 2.5.2 was edited to remove the bullet point “Create, prepare, or produce exhibit reports” from the list of what constituted the use of a forensic examination tool. Section 2.6: The entire section was completely re-written to define DEU Exhibit Reports as items of derivative evidence and to establish the procedure to create and name Exhibit Reports as items of evidence. Also established the requirement to create the evidence item number for the Exhibit Report storage device prior to review and approval of the examination report. Section 2.7.2 was edited to change “examination or exhibit report” to read “examination report or exhibit report”.

DETM-3: Section 3.4.1 was edited to be consistent with OSBI CSD QP 6.1 Section II.f.3.b with respect to the storage of “evidence in the process of examination”. Section 3.4.9 was edited to change “possible or feasible” to “advisable, possible, or feasible”.

DETM-4: Section 4.5.1 was edited to change “will” to “may” in “…result in irreparable damage to the drive”.

DETM-5: Section 5.4.5, which required the use of write protection switches on ODE storage devices (when equipped), was deleted in its entirety. Sections 5.4.6 through 5.4.10 were renumbered to Sections 5.4.5 through 5.4.9, respectively, to accommodate the deletion of Section 5.4.5.

DETM-6: Section 6.5.5 was edited to remove the requirement to document the method used to access and/or obtain the system settings information.

DETM-7: Section 7.5.5 was edited to require the use of “E01” file formats for creating forensic copies of ODE items whenever practical. Added provisions for the use of other file formats based on training and experience of examiners or by forensic tool manufacturers. Sections 7.5.11 and 7.5.12 were edited to require examiners to notify either the DEU Technical Manager or the DEU Supervisor in the event of a failed forensic copy or a post-forensic-copy hash verification failure, and to set out the documentation requirements pertaining to the failure.

DETM-8: Section 8.3.4 was edited to replace “Original Digital Evidence” with “ODE”. Section 8.6.7 and Section 8.6.8 were deleted in their entirety to remove the requirement to perform a post-examination hash verification of all forensic copies.

DETM-9: Section 9.3.4 was edited to replace “Original Digital Evidence” with “ODE”. Section 9.8.4 was removed in its entirety. Sections 9.8.5 through 9.8.7 were renumbered to Sections 9.8.4 through 9.8.6, respectively, to accommodate the deletion of Section 9.8.4. Section 9.9 was added as an entirely new section to incorporate the Deviation dated October 5, 2018. This section was added to provide a framework of standard procedures for performing and reporting access credential recovery in mobile device examinations.

DETM-10: Section 10.1 edited to replace “Original Digital Evidence” with “ODE”. Section 10.3.4 edited from “Forensic copy” to read “Forensic copy of an item of ODE”.

DETM DOCUMENT REFERENCES: “ISO/IEC 17025:2005” was edited to read “ISO/IEC 17025:2017” to properly reflect the currently applicable ISO/IEC international standard. “AR3028” was edited to read “AR3125” to properly reflect the currently applicable ANAB Accreditation Requirements document.
OSBI DIGITAL EVIDENCE UNIT TECHNICAL MANUAL
DETM-APPROVAL: DETM DOCUMENT APPROVAL
DETM_REV03 Page 52 of 52 Effective Date: 08/16/2019
DEU Technical Manager: Donald Rains    Date: August 16, 2019
CSD Division Director: Andrea Fielding    Date: August 16, 2019