OSBI DIGITAL EVIDENCE UNIT QUALITY MANUAL

DEQM_REV03 Page 1 of 50 Effective Date: 08/16/2019

QUALITY MANUAL INDEX

DEQM-0 Foreword, Management, and Organization

DEQM-1 Definitions and Abbreviations

DEQM-2 Laboratory Personnel

DEQM-3 Purchasing Supplies and Services

DEQM-4 Proficiency Testing

DEQM-5 Reserved for Future Use

DEQM-6 Approved Examination Tools

DEQM-7 Equipment and Tool Maintenance Records

DEQM-8 Reserved for Future Use

DEQM-9 Function Testing and Performance Verifications

DEQM-10 Reserved for Future Use

DEQM-11 Reporting Examination Results

DEQM-12 Administrative and Technical Reviews

DEQM-13 Retention of Evidence and Data

DEQM-Attached DEQM Attached Documents

DEQM-References DEQM Document References

DEQM-History DEQM Document History

DEQM-Approval DEQM Document Approval

DEQM-0: FOREWORD, MANAGEMENT, AND ORGANIZATION

0.1 FOREWORD

0.1.1 The OSBI Digital Evidence Unit (DEU) and the AT&T Digital Forensic

Laboratory (ATTDFL) are firmly committed to quality performance and strict

conformance to recognized current best practices of the digital forensic

community. It is imperative that the digital forensic laboratory quality standards

evolve and improve parallel with new and improved methods of scientific

examination and analysis as they are developed to meet the expanding needs of

the criminal justice system. The DEU and the ATTDFL are dedicated to the

implementation of policy and procedure changes required to ensure quality in all

facets of digital forensics laboratory operation.

0.1.2 This Quality Manual is based on the ISO/IEC 17025:2017 standard

complemented by the AR3125 ANAB Forensic Science Testing Laboratories

Accreditation Requirements, which are wholly relevant to the function and work

of the DEU and the ATTDFL. This DEU Quality Manual is subordinate to all

policies, procedures, practices, and/or requirements issued by the OSBI

Criminalistics Services Division (CSD) level and above.

0.1.3 All DEU Supervisors and Managers are responsible for the incorporation

of the quality practices and procedures specified within this Quality Manual into

the daily operation of the DEU and the ATTDFL. All DEU and ATTDFL

employees share in the responsibility for adherence to these established quality

measures and are crucial to the overall success of the quality management

program.

0.2 SCOPE

The DEU Quality Manual applies to all DEU and OSBI CSD personnel who

perform digital evidence examinations and to all personnel assigned to the ATTDFL.

The DEU Quality Manual also applies to all digital evidence examinations performed at

the ATTDFL and all other OSBI laboratory locations where digital evidence examinations are

performed by OSBI CSD personnel.

0.3 MANAGEMENT

0.3.1 The immediate managerial staff of the DEU and the ATTDFL will consist

of the DEU Supervisor and the DEU Technical Manager.

0.3.1.1 In addition to the responsibilities and authority outlined in the

OSBI CSD Quality Manual QP 1, the DEU Supervisor shall:

Be responsible for overall oversight and administration of the DEU and the ATTDFL

Oversee laboratory access control

Oversee the receipt and prioritization of requests for examination

Oversee the assignment and workflow of laboratory casework

Be responsible for the accountability and inventory of property assigned to the DEU and the ATTDFL

0.3.1.2 In addition to the responsibilities and authority outlined in OSBI

CSD Quality Manual QP 1, the DEU Technical Manager shall:

Maintain familiarity with the current best practices of the digital forensic community

Stay abreast of evolving changes and trends in technology which have the potential to impact digital forensic examinations

0.3.2 The DEU and the ATTDFL will provide assigned personnel with the

authority and resources required to carry out the duties of their position(s)

including the implementation, maintenance, and improvement of the quality

system. All DEU and ATTDFL personnel will share the responsibility to identify

departures from the quality system and initiate actions to prevent or minimize

such departures.

0.3.3 Examination procedures followed by all DEU and ATTDFL examiners will

be specified in the DEU Technical Procedures Manual.

0.4 ORGANIZATION

0.4.1 The ATTDFL is organized as a task force facility under the direction and

administration of the OSBI Criminalistics Services Division and the DEU. As a

task force facility, the ATTDFL provides laboratory workspace and resources for

digital forensic examiners from partner law enforcement agencies. References to

the ATTDFL will refer to the facility as a whole and include all DEU and partner

law enforcement agency assigned examiners.

0.4.2 The organization and oversight of the ATTDFL Task Force will be

governed by the current Memorandum of Understanding (MOU) that exists

between all participating agencies and entities.

0.4.3 The organization and management structure of the DEU and the ATTDFL

will be clearly defined and the relationships between laboratory management,

technical management, and technical operations are illustrated in the OSBI CSD

organizational chart.

DEQM-1: DEFINITIONS AND ABBREVIATIONS

1.1 DEFINITIONS AND ABBREVIATIONS

In addition to the following definitions and abbreviations, any relevant terms and

definitions given in ISO/IEC 17025, the ANAB ISO/IEC 17025:2005 – Forensic Science

Testing Laboratories Accreditation Requirements, and the OSBI Criminalistics Services

Division Quality Manual apply:

ATTDFL – The AT&T Digital Forensics Laboratory.

CSD – The OSBI Criminalistics Services Division.

DEU – The OSBI Digital Evidence Unit. Unless otherwise specified, all

references to the “DEU” will include and/or apply to all ATTDFL examiners and

facilities as well as to all OSBI CSD digital evidence examiners and facilities.

Examiner – An individual who conducts and/or directs the examination and

analysis of digital evidence, interprets data, reaches conclusions, and issues

reports concerning conclusions.

Exhibit Report – A collection or group of electronic reports and corresponding

data, files, and/or information produced by forensic tools during digital evidence

examinations. Exhibit Report(s) are produced from either the forensic copies and

extractions obtained from ODE items or from the ODE items themselves and are

identified as derivative evidence.

Extraction – The collective group of files and data extracted from the digital

storage capacity of an item of evidence.

Forensic Copy – A copy of the digital storage capacity of a device that contains

an exact copy of the data from every data storage location on the device from the

first place data can be stored to the last.

Function Test – A test or series of tests based upon an approved Function Test

Plan conducted to determine if a forensic tool or device performs its intended

function and is suitable for use in examination casework.

Function Test Plan – A detailed plan which describes the methodology used to

test forensic tools or devices and any potential impacts or additional

requirements associated with the plan.

HDD – “Hard Disk Drive”; also abbreviated HD.

Preview – A basic search of the data storage area of a device conducted to

quickly eliminate devices with no files or data of immediately apparent evidentiary

value from full forensic examination or to confirm the device requires full forensic

examination.

Triage – Triage is the reduction of the number of items and volume of data

associated with examination requests by reviewing case details and eliminating

items from the request which likely contain no data of evidentiary value or

interest.

ODE – “Original Digital Evidence” is the original item of digital evidence

submitted by the requestor for forensic examination.

DEQM-2: LABORATORY PERSONNEL

2.1 All personnel who perform digital evidence examinations in OSBI CSD facilities

and in the ATTDFL will follow the requirements set forth in the OSBI CSD Quality

Manual, the DEU Quality Manual, the DEU Technical Manual, and the DEU Training

Manual.

2.2 All agencies and personnel assigned to or associated with the ATTDFL will

additionally adhere to the provisions of the ATTDFL Memorandum of Understanding

(MOU), which defines the responsibilities of all participating entities.

2.3 The ATTDFL operates as a task force facility and, as such, provides laboratory

workspace and resources for digital evidence examiners from partner law enforcement

agencies.

2.4 All ATTDFL personnel will be subject to OSBI Agency Directives, Policies, and

Procedures for matters that affect or directly impact the laboratory casework of the

ATTDFL.

2.5 If an event, incident, or situation arises that is not specifically addressed by the

ATTDFL MOU or an applicable OSBI policy or procedure, ATTDFL personnel will be

governed by their respective agency’s applicable policies and procedures.

2.6 ATTDFL assigned examiners will continue to be accountable to their partner law

enforcement agency for administrative, discipline, and payroll purposes.

2.7 Partner law enforcement agencies will be responsible for providing examiners

from their agencies assigned to the ATTDFL with the digital forensic examination

equipment, software, and tools necessary for the examiner to perform digital forensic

examination work within the ATTDFL.

2.8 All digital forensic equipment, software, and tools provided by partner law

enforcement agencies for use by ATTDFL assigned examiners must meet and be

subject to all requirements established by the DEU Quality Manual, the DEU Technical

Manual, and the OSBI CSD Quality Manual.

2.9 ATTDFL assigned examiners will retain the capability to perform examination

casework from their parent agency as priority casework. All examination casework

performed in response to requests from parent law enforcement agencies will adhere to the DEU

Quality Manual, the DEU Technical Manual, and the OSBI CSD Quality Manual.

2.10 ATTDFL assigned examiners will perform examination casework assigned by the

DEU Supervisor in accordance with DETM-0: Administrative Procedures, when

practical, given the examiner’s caseload from their parent agency.

2.11 Any concerns by examiners assigned to the ATTDFL on the day-to-day operation

of the laboratory will be addressed in accordance with the ATTDFL MOU and normally

be directed to the DEU Supervisor.

2.12 The day-to-day supervision of matters pertaining to the ATTDFL will be the

responsibility of the DEU Supervisor and be handled in accordance with the ATTDFL

MOU.

2.13 The personal and professional conduct of personnel assigned to

the ATTDFL is the responsibility of each respective participating agency and will be

handled in accordance with each agency’s policies regarding conduct and the ATTDFL

MOU.

DEQM-3: PURCHASING SUPPLIES AND SERVICES

3.1 SCOPE

3.1.1 This protocol will apply to the purchase of equipment, hardware, software,

and supplies which are required to meet certain technical specifications in order

to properly and efficiently perform digital evidence examinations.

3.1.2 This protocol shall apply to the purchase of all equipment, hardware,

software, and supplies for use in the DEU to perform or in support of digital

evidence examinations which meet the following criteria:

3.1.2.1 All hardware items which require Function Testing as defined in

DEQM-9.

3.1.2.2 All hardware items used in the repair or maintenance of items

which require Function Testing as defined in DEQM-9.

3.1.2.3 All software which requires Performance Verification Testing as

defined in DEQM-9.

3.1.2.4 All digital storage devices used to store copies of digital evidence

or in the processing of items of digital evidence.

3.2 CRITICAL EQUIPMENT AND CONSUMABLES

There are no equipment items or supplies identified as critical equipment or

critical consumables used by the DEU. There are no supplies used by the DEU which

are considered consumable supplies that affect the quality of testing.

3.3 CRITICAL SERVICES

There are no critical services utilized within the DEU, as routine maintenance,

performance checks, verifications, and validations are performed by the assigned

laboratory examiners.

3.4 PURCHASING

3.4.1 The DEU does not have any defined critical consumables, services, or

supplies and, therefore, is not required to evaluate or maintain lists of suppliers

as defined in OSBI CSD QP9.

3.4.2 All purchase requests for items to be used in the DEU as defined in

DEQM-3.1 must contain sufficient information and data to fully identify the item(s)

and provide detailed specifications for each item.

3.4.3 Purchase requests for items to be used in the DEU as defined in DEQM-3.1

will be prepared by the examiner requesting the item(s) and routed to the

DEU Supervisor for approval.

3.4.4 All purchase requests which require funding from OSBI sources will follow

OSBI Policy 208 and OSBI Internal Purchase Request rules.

3.4.5 Purchase requests from ATTDFL Assigned Examiners will follow the

assigned examiner’s parent agency purchasing policy and rules after approval by

the DEU Supervisor.

3.5 RECEIVING

3.5.1 Once purchased items are received, the item(s) will be inspected to verify

they meet the specifications and requirements of the purchase request and

match the items listed on the packing list.

3.5.2 The DEU Technical Manager will establish a Maintenance Record as

required in DEQM-7 for the item(s), if applicable.

3.5.3 The item(s) received will be documented and labeled in accordance with

the purchasing agency’s inventory accountability policies and procedures.

3.5.4 The item(s) received shall not be used in laboratory casework until

successfully Function Tested or Performance Verification Tested in accordance

with DEQM-9, if applicable.

3.6 PURCHASING RECORDS

The DEU Technical Manager will ensure purchasing records for item(s) requiring

Maintenance Records are entered and maintained in the item’s Maintenance Record

and Maintenance Log for the respective item(s) in accordance with DEQM-7.

3.7 STORAGE

3.7.1 All items purchased for use by DEU personnel as defined in DEQM-3.1

will be stored in a secure location assigned or designated for the items by the

DEU Supervisor, DEU Technical Manager, or the CSD Supervisor of the facility

where the items are being stored and used.

3.7.2 Purchased items may be stored within the workspace of the examiner

assigned to use the item, or in another specified location designated by the DEU

Supervisor, DEU Technical Manager, or the CSD Supervisor of the facility where

the items are being stored and used.

DEQM-4: PROFICIENCY TESTING

4.1 All DEU examiners will follow the requirements set forth in OSBI CSD QP30 –

Proficiency Tests.

4.2 All DEU examiners will complete at least one (internal or external) proficiency

test per year whenever practical.

4.3 All DEU examiners will undergo proficiency testing in a digital evidence

sub-category(s) of testing in which the examiner is authorized to perform examinations.

4.4 Newly qualified and assigned examiners will begin participation in the proficiency

testing program within one year of the date of their qualification.

4.5 Proficiency Tests will be completed individually by the examiner to whom the test

is assigned.

4.6 Examiners will be notified of the final test results of each completed proficiency

test and the notification will be documented prior to being assigned any subsequent

proficiency test.

4.7 All information and records associated with proficiency testing will be maintained

in accordance with OSBI CSD QP 30 – Proficiency Testing.

DEQM-6: APPROVED EXAMINATION TOOLS

6.1 FORENSIC EXAMINATION TOOLS

6.1.1 Forensic Examination Tools will be defined as hardware and software

tools which are used in digital evidence examinations.

6.1.2 The Forensic Examination Tools utilized by the DEU to perform and

conduct digital evidence examinations will be classified into one of the following

three categories:

Forensic Software Tools

Forensic Computers

Forensic Hardware Tools

6.1.3 Common Use Software will be defined as software tools which are used in

a support capacity and from which no direct results are reported in examination

casework.

6.2 APPROVED FORENSIC SOFTWARE TOOLS

6.2.1 Forensic Software Tools will be further classified into the following two

sub-categories:

Computer Forensic Tools: Examination software tools which are designed for and used primarily to examine computers and data storage devices, but may be used to examine mobile devices as well.

Mobile Device Forensic Tools: Examination software tools which are designed for and used primarily to examine cellular telephones and other mobile devices, but may be used to examine data from other sources as well.

6.2.2 The following Computer Forensic Tools are approved for use in digital

forensic examination casework:

Forensic ToolKit (FTK) – AccessData

FTK Imager – AccessData

Registry Viewer – AccessData

Password Recovery ToolKit (PRTK) – AccessData

EnCase Forensic – Guidance Software

Magnet Acquire – Magnet Forensics

Axiom – Magnet Forensics

Tableau Disk Monitor – Tableau

HxD Hexeditor – Maël Hörz

osTriage2 – Eric Zimmerman (Feeble Industries)

Windows Forensics Environment (WinFE) – Microsoft

6.2.3 The following Mobile Device Forensic Tools are approved for use in digital

forensic examination casework:

UFED Physical Analyzer – Cellebrite

UFED 4PC – Cellebrite

GrayKey – Grayshift

6.2.4 Examiners limited to Mobile Device Examinations on their Authorization to

Work document may only use the Mobile Device Forensic Tools listed in section

6.2.3 for mobile device examination casework.

6.2.5 The DEU Technical Manager will monitor the support site of each software

manufacturer or vendor for releases of updates or new versions of approved

forensic examination software tools. The Technical Manager will determine

which versions or updates will be further reviewed, tested, and approved for use

in examination casework.

6.2.6 The DEU Technical Manager will review the release notes and ensure

new versions of forensic software examination tools are function tested and/or

performance verified in accordance with DEQM-9: Function Testing and

Performance Verifications prior to approving the version of the tool for use in

examination casework.

6.2.7 The DEU Technical Manager will not approve a new version of a forensic

software examination tool for use in examination casework within the first seven

days of the new version release date. If a new version of a tool is approved

within the first seven days of its release, the reason for the early approval will be

documented in the Maintenance Log of the tool in accordance with DEQM-7:

Equipment and Tool Maintenance Records.

6.2.8 The DEU Technical Manager will obtain the installation and update

software as well as any supporting documentation or release notes for approved

forensic examination software tools only from the official site or location

designated by the manufacturer or vendor of the software.

6.2.9 The DEU Technical Manager will establish and maintain an “Approved

Software” local storage resource accessible to all DEU examiners for the

purpose of storing the installation files and media for currently approved versions

of forensic examination software tools.

6.2.10 When a new version of a forensic examination software tool is approved

for use in examination casework, the DEU Technical Manager will post the

installation or update software to the local storage resource and post any

documentation or release notes associated with the newly approved version to

the Maintenance Record of the software tool in accordance with DEQM-7:

Equipment and Tool Maintenance Records.

6.2.11 The DEU Technical Manager will send a notification email to all DEU

examiners who perform digital evidence examinations within the sub-category of

testing that corresponds with the software tool informing them that a new version

of a software tool has been approved for use in examination casework. The DEU

Technical Manager will attach or provide a reference to the release notes

corresponding with the newly approved version and include any additional

guidance or information pertaining to the new features, use, or installation of the

software.

6.2.12 Examiners will only install forensic examination software tools from the

designated storage resource “Approved Software” installation files and media.

6.3 APPROVED FORENSIC COMPUTER SYSTEM TYPES

The following forensic computer system types are approved for use in digital

forensic examination casework:

FRED Workstations – Digital Intelligence (Windows 10)

MacPro Workstations – Apple (macOS v10.14/ Windows 10)

6.4 APPROVED FORENSIC HARDWARE TOOLS

The following forensic hardware write blocking tools are approved for use in

digital forensic examination casework:

SuperChief (USB3) – Digital Intelligence

Ultrabay 4d T356789iu IDE/SATA Write Blocker (PCIe) – Digital Intelligence/Tableau

UltraBay 3D T35689iu IDE/SATA Write Blocker (USB3) – Digital Intelligence/Tableau

UltraBay II T34589is IDE/SATA Write Blocker (FW800) – Digital Intelligence/Tableau

Forensic Media Card Reader (USB2/USB3) – Digital Intelligence

T3iu SATA Write Blocker – Tableau

T8 USB Write Blocker – Tableau

T8U USB3 Write Blocker – Tableau

T9 Firewire Write Blocker – Tableau

T35 IDE/SATA Write Blocker – Tableau

T35U IDE/SATA Write Blocker – Tableau

TD1 Forensic Duplicator – Tableau

TD2U Forensic Duplicator – Tableau

6.5 APPROVED COMMON USE SOFTWARE

Common use software with no direct forensic function may be made available by

the DEU Technical Manager through the approved common use software storage

location without being specifically listed in this policy section and without an approved

deviation to this policy. The following are examples of software designated as common

use and approved for use on digital forensic examination workstations:

7Zip

IrfanView

Microsoft Office

Adobe Acrobat

VLC Media Player

Nero Burning ROM

DEQM-7: EQUIPMENT AND TOOL MAINTENANCE RECORDS

7.1 PURPOSE

The purpose of this protocol is to establish a standardized procedure for the

creation, use, and maintenance of the Maintenance Records associated with the

forensic examination hardware and software tools identified in DEQM-6 as Approved

Examination Tools.

7.2 SCOPE

This procedure will apply to all records, data, and information which will be

maintained in each specific item’s Maintenance Record for all approved Forensic

Examination Tools used in the DEU to perform digital evidence examinations.

7.3 EQUIPMENT

Equipment will consist of the following types of Forensic Examination Tools

identified in DEQM-6 as Approved Examination Tools:

Forensic Examination Software Tools

Forensic Computer System Types

Forensic Examination Hardware Tools

7.4 EQUIPMENT MAINTENANCE NUMBERS

7.4.1 All Forensic Hardware Tools and Forensic Computer Systems identified

and listed in DEQM-6 will be assigned a unique identification number by the DEU

Technical Manager for indexing and reference. This unique number will be

referred to as the Maintenance Number assigned to the item and will be used as

a reference or index number for all Function Testing, Performance Verification,

and maintenance related testing and records.

7.4.2 The first two digits in the Maintenance Number will be “FC” for Forensic

Computer or “WB” for Write-Blocking devices and will be followed by a dash or “-”.

7.4.3 Digits 4-6 in the Maintenance Number will be a sequential three-digit

number assigned by the DEU Technical Manager which corresponds with a

single specific Forensic Computer, Write-Blocking Device, or forensic software

item.

7.4.4 Examples of Maintenance Numbers:

FC-001, FC-002, FC-003 for forensic computers

WB-001, WB-002, WB-003 for write blocking devices

7.4.5 All Forensic Software Tools will be uniquely identified by the name or title

of the software assigned by the manufacturer or vendor. This unique name will

be used as a reference identifier in all Function Testing, Performance

Verification, and maintenance related testing and records.

7.5 EQUIPMENT MAINTENANCE RECORDS

7.5.1 For each Forensic Tool assigned a Maintenance Number or Identifier

under section 7.4 of this policy, the DEU Technical Manager will establish and

maintain a Maintenance Record uniquely associated with each Maintenance

Number or Identifier. The Maintenance Record will, at a minimum, contain the

following:

7.5.1.1 The manufacturer, model number, serial number, and OSBI asset

number (if applicable).

7.5.1.2 The Maintenance Number assigned to the specific tool by the

DEU Technical Manager.

7.5.1.3 The date the item was originally placed in service.

7.5.1.4 The manufacturer’s owner’s manual or user guide (if available).

7.5.1.5 The version number and manufacturer’s release notes associated

with software or firmware updates (if available).

7.5.1.6 Other documents and records associated with the tool as

determined by the DEU Technical Manager.

7.5.1.7 Each Maintenance Record will contain a chronological

Maintenance Log in which the following will, at a minimum, be recorded:

7.5.1.7.1 The identity of the examiner performing each instance of

maintenance, testing, or update which required entry in the

Maintenance Log.

7.5.1.7.2 The date a tool was originally placed in service or

returned to service after being temporarily taken out of service.

7.5.1.7.3 The date(s) a tool was either temporarily or permanently

taken out of service and the reason it was taken out of service.

7.5.1.7.4 The date(s) the tool failed any Function Test or

Performance Verification, the actions taken to correct the problem

that caused the failure, and the date the tool passed Function

Testing or Performance Verification after the correction or repair.

7.5.1.7.5 The dates of all Function Tests performed on the item

and the results of each test (pass/fail).

7.5.1.7.6 The date(s) forensic software tools were updated or

upgraded with new or updated versions.

7.5.1.7.7 The dates of any modification, repair, update, upgrade,

or any other changes made to the tool’s hardware or software.

7.5.1.7.8 The results of any maintenance or quality related event.

7.5.1.7.9 For forensic software tools, the Maintenance Log will

include the date each version was approved for use in casework.

7.5.1.7.10 For forensic software tools which are released as a suite

or group (e.g., Forensic ToolKit), the Maintenance Logs will include

the specific version number of each subordinate software program

for each approved version of the suite.

7.5.1.8 An example Maintenance Log is included as attachment DEQM-7A.

7.5.2 The DEU Technical Manager will maintain the Maintenance Records for

all Approved Forensic Tools. The DEU Technical Manager will ensure all current

and archived Maintenance Records are properly backed up and retained.

7.5.3 The DEU Technical Manager will maintain the Function Test

Documentation and Records for all tested Forensic Tools separate from the

individual Tool Maintenance Records.

7.5.4 The Maintenance Record for each tool will be maintained for a minimum of

ten years after the item has been permanently taken out of service.

DEQM-9: FUNCTION TESTING AND PERFORMANCE VERIFICATIONS

9.1 PURPOSE

The purpose of this protocol is to provide a set of standardized procedures for

the Function Testing and Performance Verification of forensic tools used during the

examination of digital evidence.

9.2 SCOPE

This procedure will apply to all forensic tools used by personnel and examiners of

the DEU to perform digital evidence examinations which require Function Testing or

Performance Verification.

9.3 EQUIPMENT

Equipment will consist of hardware (e.g., forensic computer systems, physical

write blocking devices, etc.), software (e.g., forensic software applications, common

programs, etc.), and firmware (e.g., read-only memory found on hardware devices).

9.4 SCOPE OF FUNCTION TESTING

9.4.1 The DEU Technical Manager is responsible for determining which forensic

tools require Function Testing. The DEU Technical Manager will consider the

general acceptance of a tool within the digital forensic community when making

the determination of whether and how often Function Testing is required.

9.4.2 The following forensic tools require Function Testing prior to first use in

examination casework:

9.4.2.1 Forensic tools which function as a write blocking device.

9.4.2.2 Forensic tools which function to wipe or sterilize data storage.

9.4.2.3 Any other forensic tool listed on the Function Test Tracking

Roster maintained by the DEU Technical Manager.

9.4.3 The following criteria or conditions will require forensic tools identified in

section 9.4.2 to undergo Function Testing prior to being returned to use or

continued to be used in casework, regardless of when the last or previous

Function Testing was performed:

9.4.3.1 Any change or update to the device firmware.

9.4.3.2 Any repair to the device hardware.

9.4.3.3 Any time the device is sent, transported, or otherwise outside of

the positive control of DEU examiners, such as when it is shipped back to the

manufacturer for service.

9.4.4 All forensic tools identified in section 9.4.2 will be Function Tested annually.

9.4.5 Examiners will only use approved forensic examination tools listed in DEQM-6

as well as common tools to perform Function Testing as defined in this procedure.

9.5 FUNCTION TEST ADMINISTRATION

9.5.1 The DEU Technical Manager will maintain and track Function Tests and

all associated documentation separate from the forensic tool Maintenance

Records.

9.5.2 The DEU Technical Manager will assign a unique “Function Test Number”

for each Function Test for indexing and reference. The Function Test Number

will be used as a referenced index number for recording and tracking Function

Testing.

9.5.2.1 The first two characters in the Function Test Number will be “FT” to

identify the number as a Function Test Number and will be followed by a

dash (“-”).

9.5.2.2 Characters 4-7 in the Function Test Number will be the four-digit year

in which the testing took place and will be followed by a dash (“-”).

9.5.2.3 Characters 9-13 in the Function Test Number will be the five-character

Maintenance Number or Identifier assigned to the item for Maintenance

Record tracking in accordance with DEQM-7: Equipment and Tool

Maintenance Records. The Function Test Number will be appended with

a dash (“-”) and a single-digit sequence number for each subsequent

Function Test performed within the calendar year.

9.5.2.4 Examples of Function Test Numbers:

FT-2017-WB001

FT-2017-WB002-1

FT-2017-WB002-2

9.5.3 All Function Test documentation will utilize and reference the Maintenance

Number assigned to the forensic tool in accordance with DEQM-7 as a common

reference identifier.

9.5.4 Each Function Test will utilize and reference a Function Test Plan which

has been approved by the DEU Technical Manager and the OSBI CSD

Administrative Staff.

9.5.5 The DEU Technical Manager will review and approve all Function Test

Reports and documentation generated during the course of Function Testing

prior to the release of any Forensic Equipment or Tools for use in casework.

9.5.6 The Function Test Number, the reason function testing was conducted,

the testing examiner, and date(s) Function Testing was conducted will be

recorded in the chronological Maintenance Log in the Maintenance Record for

the tested forensic tool in accordance with DEQM-7. The log will indicate if the

test was conducted to satisfy the annual testing requirement established in

section 9.4.4 of this protocol or if the function testing was conducted as a result

of a problem, failure, or maintenance event.

9.6 FUNCTION TEST PLANS

9.6.1 The DEU Technical Manager will develop and maintain a separate

Function Test Plan for each forensic tool type which requires Function Testing.

Forensic tools will be considered to be of the same tool type if the different tools

can be effectively and properly function tested using the same testing

methodology and plan.

9.6.2 Function Test Plans should be written specific to the forensic tool type

and, at a minimum, contain the following sections:

9.6.2.1 Function Test Plan Title – Must contain the forensic tool type.

9.6.2.2 Purpose and Scope – Describe the purpose of testing and the

scope of tools the plan is applicable to.

9.6.2.3 Requirements and Expected Results – Describe what the tool is

required or expected to do and the expected results of testing.

9.6.2.4 Methodology – Describe how the test is to be performed. Must

include:

Description of the test data set and test media devices.

Description of the tools to be used in testing.

Description of the actions and/or procedures to perform for each testing scenario.

The number of times the testing procedure or scenario must be replicated.

Description of any configurable option settings within the stated purpose and scope which may require additional testing or replication.

Description of data which must be documented for each testing procedure and/or scenario.

9.6.2.5 Required Training – Determine if training for examiners is

required or provide an explanation why training will not be necessary.

9.6.2.6 Required Competency – Determine if competency testing or

evaluation for examiners is required or provide an explanation why competency

testing or evaluation will not be necessary.

9.6.2.7 References – Provide references from Scientific Working Group

documentation or other applicable technical references.

9.6.3 Once completed, the DEU Technical Manager will sign and date the

Function Test Plan.

9.6.4 The DEU Technical Manager will forward the Function Test Plan to the

OSBI CSD Administrative Staff for review and approval in accordance with OSBI

CSD QP 21.2. The Function Test Plan must be reviewed and approved by OSBI

CSD Administrative Staff prior to the start of Function Testing.

9.6.5 Once reviewed and approved by the OSBI CSD Administrative Staff, the

Function Test Plan and all related documentation will be archived and maintained

by the DEU Technical Manager in accordance with OSBI CSD QP 21.2.

9.6.6 Once a Function Test Plan has been reviewed for a forensic tool type, the

plan may be used for subsequent Function Testing of the same forensic tool type

without additional review and approval by the OSBI CSD Administrative Staff.

9.7 FUNCTION TEST REPORTS

9.7.1 All Function Testing will follow a developed and approved Function Test

Plan before testing begins.

9.7.2 The Function Test Report will serve as the document which details the

results of Function Testing and will contain, at a minimum, the following:

9.7.2.1 A reference to the specific Function Test Plan utilized.

9.7.2.2 A brief summary of the testing conducted and any conclusions made.

9.7.2.3 A description of the forensic tools used in testing.

9.7.2.4 A description of the media devices used in testing.

9.7.2.5 The testing results for each variable in the test plan and any

observations pertinent to the observed results for that testing variable.

9.7.2.6 A summary of observations or results that do not fit within the

expected results.

9.7.2.7 A summary stating the overall outcome of the testing process and

if the forensic tool tested is suitable for its intended use.

9.7.2.8 A description of any limitations for the use of the forensic tool.

9.7.2.9 Signature blocks for both the testing examiner and the DEU

Technical Manager to sign and date the report.

9.7.3 The testing examiner is responsible for conducting all Function Testing in

accordance with the applicable Function Test Plan assigned by the DEU

Technical Manager.

9.7.4 The testing examiner is responsible for preparing the Function Test Report

and providing the report to the DEU Technical Manager for approval. Once the

report has been approved, both the testing examiner and the DEU Technical

Manager will sign and date the report.

9.7.5 The DEU Technical Manager will forward the Function Test Report

through the OSBI CSD Administrative Staff for review and approval in

accordance with OSBI CSD QP 21.2.

9.7.6 Once reviewed and approved by the OSBI CSD Administrative Staff, the

Function Test Report and all related documentation will be archived and

maintained by the DEU Technical Manager in accordance with OSBI CSD QP

21.2.

9.7.7 Once a Function Test Report has been reviewed by the OSBI CSD

Administrative Staff for a forensic tool type, subsequent Function Test Reports

produced for the same forensic tool type may be produced by examiners and

reviewed, approved, and archived by the DEU Technical Manager without

additional review and approval by the OSBI CSD Administrative Staff.

9.7.8 When the DEU Technical Manager is the testing examiner, Function Test

Reports may be reviewed and approved by the DEU Supervisor, unless the

reports are required to be reviewed by the CSD Administrative Staff.

9.8 PERFORMANCE VERIFICATIONS

9.8.1 Performance Verifications are required for the following forensic tools:

Approved Forensic Software Tools listed in DEQM-6.2.

Approved Forensic Computer System types listed in DEQM-6.3.

Approved Forensic Hardware Tools listed in DEQM-6.4.

9.8.2 All forensic examination software tools listed in DEQM-6.2 are widely

accepted by the digital evidence community and will be considered Performance

Verified after the DEU Technical Manager has reviewed the release notes, approved

the specific version of the tool for use in examination casework, and the tool

launches without error(s) when run on an approved forensic computer system.

9.8.3 Any problem or error with a forensic examination software tool which is

acknowledged by the manufacturer and listed as a “known issue” in the release

notes for the applicable software version will not be considered as a cause for

Performance Verification failure.

9.8.4 Forensic computer systems will be considered Performance Verified after

a successful Power-On Self Test (POST) and subsequent operating system load

or boot with no errors or failures.

9.8.5 Forensic write-blocking or write-protecting hardware will be

considered Performance Verified after the device is successfully powered on, the

firmware has successfully loaded, and the hardware’s write protect setting(s)

have been confirmed to be properly set or enabled.

9.8.6 When forensic examination tools are used during examinations in

casework and uniquely identified in the case notes, the tool will be considered to

have successfully passed Performance Verification unless otherwise noted.

9.8.7 Performance Verifications will not be used in lieu of Function Testing when

any condition exists that would require Function Testing of the tool as defined in

Section 9.4.

9.8.8 If a forensic examination tool passes Performance Verification as defined

in 9.8.2 through 9.8.5 above, no entry in the tool’s Maintenance Record is

required.

9.8.9 If a forensic examination tool fails a Performance Verification test, the

following course of action will be followed in order:

9.8.9.1 The DEU Technical Manager will be immediately notified of the

failure.

9.8.9.2 The forensic tool which failed verification will be taken out of

service, clearly labeled as “Out of Service” in accordance with OSBI CSD

QM Section 5.5.7, and not used for examination casework until the failure

is corrected, repaired, and/or resolved.

9.8.9.3 The Performance Verification failure, any repairs made to the

device, and the dates of removal from use in examination casework

will be documented in the Maintenance Record

associated with the tool.

9.8.9.4 Once the cause of the Performance Verification failure has been

corrected or resolved and the forensic examination tool has subsequently

passed Performance Verification, the DEU Supervisor or Technical

Manager shall document the subsequent successful Performance

Verification and approval to use the tool in examination casework in the

tool’s Maintenance Record.

9.8.10 Performance Verifications will be documented in the Maintenance Record

associated with the examination tool:

9.8.10.1 Prior to the use of the examination tool in casework.

9.8.10.2 After all Performance Verification failures.

9.8.10.3 After any repair, maintenance, or firmware update to the

equipment which was completed as a result of a Performance Verification

failure.

DEQM-11: REPORTING EXAMINATION RESULTS

11.1 PURPOSE

The purpose of this protocol is to provide standardization for the required

minimum content and formatting of Digital Evidence Examination Reports.

11.2 SCOPE

This protocol applies to all Digital Evidence Examination Reports produced by

personnel and examiners of the DEU.

11.3 GENERAL

11.3.1 All Digital Evidence Examination Reports will conform to the guidelines

and standards set forth in the DEU Technical Procedures, DEU Quality Manual,

the OSBI Criminalistics Services Division (CSD) Quality Manual, and CSD QP

28.

11.3.2 All Digital Evidence Examination Reports will be created in and produced

by the CSD BEAST Laboratory Information Management System (LIMS) in

accordance with CSD QP 16.2.

11.3.3 All Digital Evidence Examination Reports will be formatted to

accommodate the types of examinations conducted and to minimize the

possibility of misunderstanding or abuse.

11.4 DESCRIPTION OF EVIDENCE SECTION

11.4.1 The Digital Evidence Examination Report will include all items examined

and referenced by the report in the “Description of Evidence” section.

11.4.2 The intent of the Description of Evidence section of the report is to list the

item or sub-item number associated with each item of evidence examined and

provide a brief description of each item.

11.5 RESULTS AND INTERPRETATIONS SECTION

11.5.1 The Results and Interpretations Section of the report will include a

separate section for each examination type performed by the examiner. For

example, if an examiner utilized Forensic ToolKit (FTK) and Axiom during an

examination, the report should include separate sections for both FTK and

Axiom.

11.5.2 All examination types performed during the examination of evidence will

be listed in a separate section in the report.

11.5.3 Report sections for each examination type performed by the examiner

which produced examination results included in an Exhibit Report will include, at

a minimum, a list containing the following:

11.5.3.1 All bookmarks

11.5.3.2 All category reports

11.5.3.3 All summary reports

11.5.3.4 All other reports or report sections

11.5.4 Report sections for each examination type performed by the examiner

from which no examination results are included in an Exhibit Report will describe

the reason no results were included in the Exhibit Report.

11.5.5 A separate section which describes the exhibit report storage device type

and corresponding LIMS evidence item number will be included.

11.6 TECHNICAL SUMMARY SECTION

11.6.1 All evidence will be documented in the LIMS in accordance with DETM-2:

Examination Documentation and the CSD Quality Manual.

11.6.2 All forensic hardware and software tools utilized in the examination of

evidence will be documented in the LIMS matrix data entry for the corresponding

item.

11.6.2.1 Hardware tools will be identified by the Maintenance Number

assigned to the specific hardware tool.

11.6.2.2 Software tools will be identified by the Maintenance Identifier and

the complete version number of the tool used.

11.6.2.3 All forensic tools used will be selected from the listed available

tools in the drop-down lists within the matrix data entry panels.

11.6.2.4 Any forensic tools used which are approved for use but do not

appear in the drop-down lists within the matrix data entry panels may be

listed in the notes section of the matrix data entry panel.

DEQM-12: ADMINISTRATIVE AND TECHNICAL REVIEWS

12.1 All digital evidence examination reports produced by DEU examiners will meet

the administrative and technical review requirements set forth in OSBI CSD QP 31. All,

or 100%, of DEU examination reports will undergo Technical and Administrative

Review.

12.2 Administrative and Technical Reviews of DEU digital evidence examination

reports will only be performed by examiners who have been approved by the DEU

Technical Manager to perform Administrative and Technical Reviews and have that

approval documented in their Authorization to Work document.

12.3 Administrative and Technical Reviews will be conducted as separate reviews and

the Technical Review must have been completed prior to the start of the Administrative

Review.

12.4 TECHNICAL REVIEWS

12.4.1 All technical reviews of DEU casework and reports will include all review

criteria required by CSD QP 31 as well as all review criteria listed on the OSBI

Digital Evidence Examination Technical Review Form, which is attached as

DEQM-12A.

12.4.2 All DEU examination reports will be technically reviewed by an approved

and qualified examiner who did not participate in any part of the examination or

preview of any item of evidence in the request.

12.4.3 All DEU Technical Reviews should be completed within 5 days of the date

the review is requested.

12.4.4 All examination reports and cases which require correction will be

properly routed to the reporting examiner for correction with an explanation in the

comments specifically describing the recommended corrections. All changes

made during the review and correction process must be documented.

12.4.5 Completion of the Technical Review will be documented in accordance

with CSD QP 31.

12.5 ADMINISTRATIVE REVIEWS

12.5.1 Administrative Reviews of DEU casework and reports will be defined as

the review of the exhibit report storage device and exhibit reports produced by

the examiner for release to the requestor at the conclusion of the digital evidence

examination.

12.5.2 During the administrative review, the reviewing examiner will review the

examination report and the exhibit report storage device for all review criteria

required by CSD QP 31 as well as all review criteria listed on the OSBI Digital

Evidence Examination Administrative Review Form, which is attached as

DEQM-12B.

12.5.3 If the administrative review identifies conditions which require correction,

the reviewer will route the report to the reporting examiner for corrections and

clearly identify the items or conditions which require correction.

12.5.4 If no corrections are required to the digital evidence examination report

but are required to the exhibit report media, the reporting examiner will make the

corrections to the exhibit report storage device and route the report back to the

reviewing examiner for administrative review.

12.5.5 If corrections are required to the digital evidence examination report, the

reporting examiner will make the corrections to the examination report and to the

exhibit report storage device and route the report back to the examiner who

conducted the technical review for re-review of the examination report. Once the

technical review has been completed for the changes made to the examination

report, the reporting examiner will re-route the report to the examiner who

conducted the administrative review.

12.5.6 Once all corrections to both the digital evidence examination report and

the exhibit report storage device have been made and all technical and

administrative review criteria have been satisfied, the examiner performing the

administrative review will approve the report to finalize it and notify the reporting

examiner the report has been approved.

12.5.7 Completion of the Administrative Review will be documented in

accordance with CSD QP 31.

12.6 ADMINISTRATIVE REVIEWS WITH NO EXHIBIT REPORT

If an exhibit report is not produced or referenced in the digital evidence

examination report, the review criteria on the Administrative Review Form will be

annotated with “N/A” where applicable and the examiner performing the administrative

review will approve the examination report once the administrative review has been

finalized.

12.7 If an examiner and a technical reviewer disagree whether a report and case file

meet the criteria to pass administrative and/or technical review, the disagreement or

discrepancy will be resolved in accordance with CSD QP 31.

DEQM-13: RETENTION OF EVIDENCE AND DATA

13.1 SCOPE

This protocol applies to all items of digital evidence received for examination by

DEU examiners as well as the data associated with the examination of all items of

submitted evidence.

13.2 RETENTION OF EVIDENCE

13.2.1 All DEU examiners will utilize an evidence storage facility approved by the

CSD Director to store items of evidence submitted for digital evidence

examination.

13.2.2 The ATTDFL Evidence Storage Facility will be maintained by the DEU

Supervisor, or designee, and will follow all requirements for evidence handling

and storage set forth in OSBI CSD Policies, Procedures, and the OSBI CSD

Quality Manual.

13.2.3 The ATTDFL Evidence Storage Facility will only store items of evidence

submitted for digital evidence examination while the items are pending

examination, in the process of examination, or awaiting return to the requesting

agency.

13.2.4 All items of evidence submitted for digital evidence examination will be

returned to the requesting agency, their designee, or to an appropriate OSBI

evidence storage facility as soon as practical after the examination of the items is

complete and the Exhibit Report(s) are prepared and ready for dissemination to

the requestor.

13.3 RETENTION OF EXTRACTIONS AND FORENSIC COPIES

13.3.1 Extractions and forensic copies obtained during digital evidence

examinations are not required to be retained after the examination report

associated with the ODE items has been reviewed and approved.

13.3.2 The requestor may request a verified copy of the extractions and forensic

copies obtained during the examination(s). The requestor must provide an

appropriate storage device of sufficient capacity to store the copies of the

extractions, images, and forensic copies.

13.3.3 Copies of extractions and forensic copies provided to requestors will be

prepared and verified by the examiner who performed the examination whenever

possible. Once the data has been copied to the requestor’s storage device and

verified to be an exact copy, the copy or copies will then be released to the

requestor.

13.3.4 Copies of extractions and forensic copies may be maintained after the

examination report associated with the ODE items has been reviewed and

approved at the discretion of the examiner, the DEU Supervisor, the DEU

Technical Manager, or the OSBI CSD Administrative Staff.

13.3.5 Requests for additional, follow-up, or subsequent examination

of previously submitted digital evidence may require re-submission of the ODE

items if the extractions and forensic copies associated with the ODE items in the

request have been destroyed, are no longer available, or are no longer viable.

13.4 RETENTION OF OTHER DATA

13.4.1 The DEU will utilize the LIMS to document, record, and store case and

technical records associated with examination casework in accordance with

DETM-2, OSBI CSD policies, and the OSBI CSD Quality Manual. The retention

of all data and information stored within the LIMS is governed by the OSBI CSD

Quality Manual and applicable OSBI CSD Policy.

13.4.2 The DEU is not required to retain exhibit reports or their corresponding

data, files, and information after the exhibit report storage device evidence item

has been released to the requestor, the requesting agency, or designee.

13.4.3 The DEU is not required to retain other data that has been created,

copied, or utilized by forensic examination tools during digital evidence

examinations after all examination reports and exhibit reports associated with a

digital evidence examination request have been disseminated to the requestor,

requesting agency, or designee.

13.4.4 Exhibit reports and other data may be maintained after all examination

reports and exhibit report evidence item(s) have been disseminated at the

discretion of the examiner, the DEU Supervisor, the DEU Technical Manager, or

the OSBI CSD Administrative Staff.

DEQM DOCUMENT ATTACHMENTS

The following documents are attached to this policy manual at the section

references indicated below:

7.6.1 Example Maintenance Log (DEQM-7A_REV03)

12.8.1 OSBI Digital Evidence Unit and ATTDFL Technical Review Form (DEQM-12A_REV03)

12.8.2 OSBI Digital Evidence Unit and ATTDFL Administrative Review Form (DEQM-12B_REV03)

Maintenance Log

Date Examiner Logged Maintenance or Quality Event Result of Event

DEQM-7A_REV03 Page 1 of 1 Effective Date: 08/16/2019

OKLAHOMA STATE BUREAU OF INVESTIGATION CRIMINALISTIC SERVICES DIVISION Digital Evidence Unit Technical Review Form

Analyst: Case #: Report

1. The case file and report were reviewed in accordance with DEQM-12: Administrative and Technical Reviews, and OSBI CSD QP31.

2. All examinations were conducted within the examination scope provided in the request.

3. The report Technical Summary section documents the forensic hardware, software, software version(s), and examination procedures used.

4. Hashing was utilized and documented in accordance with applicable DEU Technical Procedures.

5. All opinions expressed in the report are consistent with the OSBI CSD Quality Manual and applicable DEU Quality Manual/Technical

Procedures.

Comments:

Technical Review Signature

Signature indicates Technical Review approval

DEQM-12A_REV03 Effective Date 08/16/2019

OKLAHOMA STATE BUREAU OF INVESTIGATION CRIMINALISTIC SERVICES DIVISION Digital Evidence Unit Administrative Review Form

Analyst: Case #: Report

1. The Technical Review for the case file and report has been completed.

2. All Exhibit Reports referenced in the Digital Evidence Examination Report are present and accessible on the Exhibit Report media.

3. All Exhibit Reports present on the Exhibit Report media are referenced in the Digital Evidence Examination Report.

Comments:

Administrative Review Signature

Signature indicates Administrative Review approval

DEQM-12B_REV03 Effective Date 08/16/2019

DEQM DOCUMENT REFERENCES

The following standards and sources guide the requirements included in this

quality manual. If the reference listed does not include a date, the most recent revision

of the referenced document or source applies.

ISO/IEC 17025:2017

ANAB ISO/IEC 17025 – Forensic Science Testing Laboratories Accreditation Requirements (AR3125)

Scientific Working Groups on Digital Evidence (SWGDE) www.swgde.org

National Institute of Standards and Technology (NIST) Computer Forensics Tool Testing Project www.cftt.nist.gov

OSBI Criminalistics Services Division Quality Manual

DEQM DOCUMENT HISTORY

Revision #    Review Date    Revision History Notes/Description

0 5/27/2016 Original Issue. Original DEQM was published with each section as a separate document and each document had a separate document history page.

1 12/01/2017 Updated to revision 1. Combined all DEQM REV0 separate section documents into one document with a single history and approval. Revised all sub-sections to further define the purpose and scope to include references to OSBI CSD and DEU laboratory facilities other than the ATTDFL and to all CSD, DEU, and ATTDFL personnel who perform digital evidence examinations. Removed redundant language associated with acronyms. Changed all references from ASCLD/LAB to ANAB Accreditation Requirements. DEQM-0: Section 0.4.3 edited to remove hyperlink to the OSBI CSD Organizational Chart. DEQM-1: Section 1.1 edited to remove the reference to “image” from definition of Forensic Copy. DEQM-2: Entire section was comprehensively re-written to include personnel who perform digital evidence examinations at locations other than the ATTDFL and are not assigned to the DEU and/or ATTDFL. Corrected section numbering index and removed redundant language. DEQM-3: Section 3.1.2.3 edited to remove “installed or used on items”. Section 3.1.2.5 was removed in its entirety. Section 3.1.3 added to include all OSBI CSD personnel who perform digital evidence examinations and to include all locations digital evidence examinations are performed by OSBI CSD personnel.

Section 3.5.1 edited to remove ATTDFL as the sole point of receipt for purchased items. Section 3.6 edited to require purchasing records be maintained only for items requiring Maintenance Records and removed redundant retention requirement for purchasing records. Section 3.7.1 edited to apply to the storage of purchased items at approved designated locations other than the ATTDFL. DEQM-4: Sections 4.1, 4.2, and 4.3 edited to include all OSBI CSD examiners. Section 4.2 edited to remove requirement to complete one proficiency test in each category of testing once per accreditation cycle due to unnecessary redundancy with OSBI CSD QP30. Section 4.3 edited to replace “methods” with “categories”. DEQM-6: Section 6.1.2 edited to add language to include OSBI CSD personnel and additional language to specify applicability to tools used “to perform and conduct digital evidence examinations”. Section 6.2 was comprehensively re-written to create and define the two sub-categories of software forensic tools “Computer Forensic Software Tools” and “Mobile Device Forensic Software Tools”; to separate the list of approved software tools into their respective sub-categories; add section 6.2.4 to allow for restrictions applicable to mobile device only examiners; and to add sections 6.2.5 through 6.2.12 which detail the duties and responsibilities of the DEU Technical Manager with respect to the administration, approval, distribution, management, and oversight of forensic software tools. Sections 6.3 and 6.4 were edited to reflect current in service hardware and software. DEQM-7: Section 7.4.5 added to allow the maintenance records of software tools to be uniquely identified by the name or title of the software as a maintenance identifier rather than requiring the use of a maintenance number.

Section 7.5 edited to include reference to maintenance identifier and number requirement in section 7.5.1.5 to document the version number for software tools. Section 7.5.1.7.9 added to include requirement to document the specific version numbers for each subordinate software program for software tools which are released as a “suite” or group. Removed requirement for all approved software tools to be stored “on a network storage location within the ATTDFL”. DEQM-9: Section 9.4.2.3 edited to require other forensic tools which require Function Testing be identified on the Function Test Tracking Roster maintained by the DEU Technical Manager. Section 9.4.4 edited to change function testing requirement from “every 12 months” to “annually”. Section 9.5.1 edited to remove requirement to uniquely identify function tests performed to meet annual testing requirement. Sections 9.5.2.3 through 9.5.3 edited to require the use of the maintenance number or identifier in the function test number and remove naming convention which uniquely identified annual function tests. Section 9.5.6 edited to require the reason function testing was conducted be documented in the maintenance log for the tested item. DEQM-11: Section 11.5.5 edited to replace “…section which describes the media type and a full description of the media device used to distribute the Exhibit Report(s)…” with “…section which describes the media used to distribute the Exhibit Report(s)…” Section 11.6.1 edited to replace “Each evidence item and sub-item” with “All evidence”. Section 11.6.2 edited to replace “Each evidence item or sub-item” with “evidence”. Section 11.6.2.1 edited to replace “Quality Number” with “Maintenance Number” and “item” with “tool”. Section 11.6.2.2 edited to replace “complete name” with “Maintenance Identifier”. DEQM-12:

Entire policy section comprehensively re-written to require the Administrative and Technical Review process be divided into and documented as two separate reviews and further define and explain each review. Attached document DEQM-12A (Technical Review Form) edited to reflect revisions to DEQM-12. Attached document DEQM-12B (Administrative Review Form) created as Revision 1 to satisfy the added administrative review requirements in the DEQM-12 revision. DEQM-13: Entire section edited to include the use of other approved CSD evidence storage facilities outside of the ATTDFL and to remove references to “image(s)” from references to “extractions, images, and forensic copies”. Section 13.3.6 edited to require the requestors acceptance or declination to receive copies of extractions or forensic copies to be documented on the CSD Digital Evidence Examination Request Addendum instead of in the case notes. DEQM Attached Documents: Section added to the end of the manual to list all attachments from all sub-sections and identify the current revision numbers for each attachment. DEQM References: Section added to the end of the manual to list all manual references from each individual document section in one location. Removed references listed at the end of each document section.

2 12/05/2018 Updated to Revision 2. A substantive revision of this manual is in progress and expected to be completed within the first two quarters of calendar year 2019. This revision is pending completion of Revision 6 of the OSBI CSD Quality Manual, which is under revision to ensure compliance with the ISO/IEC 17025:2017 International Standard and the ANAB AR3125 Accreditation Requirements.

3 08/16/2019 Updated document to Revision 03. The entire document was edited to consistently apply document and paragraph formatting and spacing. Throughout the entire document, redundant references to “OSBI CSD”, “DEU”, and the “ATTDFL” were replaced with “DEU” where applicable.

Added hyperlink to the document revision number in lower left footer to return to the document index page. DEQM-INDEX: Added hyperlinks to each individual manual sub-section. DEQM-0: Section 0.1.2 was edited to replace “ISO/IEC 170525:2005” with “ISO/IEC 17025:2017” and add the “AR3125” ANAB document number. DEQM-1: Section 1.1 was edited to update the following definitions and abbreviations:

- DEU: Added “Unless otherwise specified, all references to the “DEU” will include and/or apply to all ATTDFL examiners and facilities as well as to all OSBI CSD digital evidence examiners and facilities.”

- Examiner: Edited to replace “An individual, who conducts and/or directs the analysis of casework samples, interprets data…” with “An individual who conducts and/or directs the examination and analysis of digital evidence, interprets data…”.

- Exhibit Report: Completely re-written to replace previous definition with “A collection or group of electronic reports and corresponding data, files, and/or information produced by forensic tools during digital evidence examinations. Exhibit Report(s) are produced from either the forensic copies and extractions obtained from ODE items or from the ODE items themselves and are identified as derivative evidence.”

- ODE: Edited to replace “…original item of evidence…” with “…original item of digital evidence…”.

DEQM-2: Section 2.1 was edited to replace “…the DEU Quality Manual and the DEU Technical Manual.” with “the DEU

Quality Manual, the DEU Technical Manual, and the DEU Training Manual.” Section 2.8 was edited to replace “…subject to all requirements of the DEU Technical Procedures, the DEU Quality Manual, and the OSBI CSD Quality Manual.”, with “…subject to all requirements established by the DEU Quality Manual, the DEU Technical Manual, and the OSBI CSD Quality Manual.” Section 2.9 was edited to replace “…will adhere to the DEU Technical Procedures, the DEU Quality Manual, and the OSBI CSD Quality Manual.” with “…will adhere to the DEU Quality Manual, the DEU Technical Manual, and the OSBI CSD Quality Manual.” Section 2.10 was edited to replace “DE-0” with “DETM-0”. DEQM-3: Section 3.1.2.3 was edited to replace “Function Testing” with “Performance Verification Testing”. Section 3.1.3 was deleted in its entirety. Section 3.4.1 was edited to replace “do” with “does”. Section 3.5.4 was edited to replace “…Function Tested in accordance…” with “…Function Tested or Performance Verification Tested in accordance…”. Section 3.6 was edited to delete “all” and move the text “in accordance with DEQM-7” to the end of the sentence. DEQM-4: Section 4.3 was re-written to remove redundant references to OSBI CSD and ATTDFL examiners and to specify examiners will undergo proficiency testing in a digital evidence sub-category of testing the examiner is authorized to perform examinations. DEQM-6:

Section 6.1.2 was edited to rename the three categories of forensic examination tool to Forensic Software Tools, Forensic Computers, and Forensic Hardware Tools. Section 6.2.1 was edited to replace the term “Forensic Examination Software Tools” with “Forensic Software Tools”. Section was further edited to rename “Computer Forensic Software Tools” with “Computer Forensic Tools” and rename “Mobile Device Forensic Software Tools” with “Mobile Device Forensic Tools”. The remainder of the DEQM was also edited to consistently apply the aforementioned terminology changes. Section 6.2.2 was edited to incorporate Deviation dated April 9, 2018 which was implemented to add the “Magnet Acquire” and “Magnet Axiom” Computer Forensic Tools to the list of approved examination tools. Internet Evidence Finder and Tableau Imager were deleted from the approved examination tools. Section 6.2.3 was edited to incorporate Deviation dated November 29, 2018 which was implemented to add “GrayKey” to the list of approved mobile device forensic tools. Section 6.2.11 was edited to allow the DEU Technical Manager to either attach or provide a reference to release notes corresponding with a newly approved software version. Section 6.3 was edited to remove Windows 7, Windows 8.1, Apple OSX 10.10 and 10.11; and to add Apple macOS 10.14 as operating systems approved for use on forensic computer systems. Section 6.4 was edited to remove “Examination” from the section header and to remove the following from the list of approved forensic hardware tools:

FireChief (FW800) – Digital Intelligence

EX S3 Forensic Media Card Reader – AFT

Section 6.4 was further edited to add the following to the list of approved forensic hardware tools:

UltraBay 4d T356789iu IDE/SATA Write Blocker (PCIe) – Digital Intelligence/Tableau

T8U USB3 Write Blocker – Tableau

T9 Firewire Write Blocker – Tableau

T35U IDE/SATA Write Blocker – Tableau

TD2U Forensic Duplicator – Tableau

Section 6.4 was also edited to include the Tableau model number with the UltraBay 3D and UltraBay II as well as to remove the T35689iu IDE/SATA Write Blocker (the same device as the UltraBay 3D) as a separate listed device. Section 6.5 was edited to enable the DEU Technical Manager to add common use software to the approved software storage location without the common use software being listed in Section 6.5 of this policy and without a deviation to this policy. Section was further edited to list only examples of common use software rather than provide an exclusive list of approved common use software. DEQM-7: Section 7.4.1 was edited to remove “Examination” from “Forensic Examination Hardware Tools” in the first sentence. Section 7.4.5 was edited to remove “Examination” from “Forensic Examination Software Tools” in the first sentence. Section 7.5.1 was edited to remove “Examination” from “Forensic Examination Tool” in the first sentence. Section 7.5.1.6 was edited to add “…as determined by the DEU Technical Manager” to the end of the sentence. Sections 7.5.1.7.2 through 7.5.1.7.9 were renamed to Sections 7.5.1.7.3 through 7.5.1.7.10, respectively. Section 7.5.1.7.8 was edited from “The results of the maintenance or quality event.” to read “The results of any maintenance or quality related event.”

Section 7.5.1.7.9 was edited to remove the requirement to record the date in the maintenance log an approved forensic software version is removed from the approved software list. Sections 7.5.2 and 7.5.3 were edited to replace “Forensic Examination Tools” with “Forensic Tools”. Section 7.5.4 was edited to replace “item” with “tool”. DEQM-9: Section 9.7.8 was added as a new section to allow the DEU Supervisor to review and approve Function Test Reports when the DEU Technical Manager is the testing examiner unless they require review by the CSD Administration. Section 9.8.1 was edited to replace “Approved Forensic Examination Software Tools” with “Approved Forensic Software Tools” and “Approved Forensic Examination Hardware Tools” with “Approved Forensic Hardware Tools”. Section 9.8.9.1 was edited to replace “…DEU Supervisor and Technical Manager…” with “…DEU Technical Manager…”. DEQM-11: Section 11.5.1 was edited to remove reference to Internet Evidence Finder (IEF) and replaced it with reference to Axiom. Section 11.5.5 was edited to replace “…describes the media used to distribute the Exhibit Report(s) to the requestor will be included.” with “…describes the exhibit report storage device type and corresponding LIMS evidence item number will be included.”. Sections 11.6.1 and 11.6.2 were edited to remove “BEAST” from both sections. DEQM-12: Section 12.1 was edited to change “technical review” to “Technical and Administrative Review” in the last sentence.

Sections 12.5.1, 12.5.2, 12.5.4, 12.5.5, and 12.5.6 were all edited to replace the term “exhibit report media” with “exhibit report storage device”. DEQM-13: NOTE: Sections 13.2.4 and 13.3.3 were edited to incorporate Deviation dated May 21, 2019 which was implemented to make accommodations for the submission of evidence for digital examination at OSBI CSD regional laboratory facilities other than the ATTDFL. Section 13.2.4 was edited to replace “…evidence submitted to the ATTDFL Evidence Storage Facility will be returned to the agency requesting the digital evidence examination or to the appropriate…” with “…evidence submitted for digital evidence examination will be returned to the requestor, the requesting agency, or to the appropriate…”. Section 13.3.1 was edited to add “reports” after “examination” in the first sentence. Section 13.3.2 was edited to replace “will be offered the opportunity to obtain” with “may request” in the first sentence. Section 13.3.3 was edited to delete “The requestor should receive any requested copies of extractions or forensic copies at the same time they are provided with exhibit reports whenever possible.” Sections 13.3.6, 13.3.7, and 13.3.8 were re-numbered to Sections 13.3.4, 13.3.5, and 13.3.6, respectively. Section 13.3.4 was rewritten to remove the requirement to document the requestor’s declination to receive a copy of forensic copies and extractions on the Digital Evidence Examination Request Addendum and to indicate the extractions and forensic copies are not required to be maintained after the examination and exhibit reports have been disseminated. Section 13.3.5 was edited to add “examination reports” after “…maintained after all”.

Section 13.3.6 was edited to replace “has” with “have” after “…ODE items in the request”. Section 13.4.1 was edited to remove “BEAST” from the first sentence. Section 13.4.2 was re-numbered as 13.4.3. Section 13.4.2 was then edited to add “The DEU is not required to retain exhibit reports or their corresponding data, files, and information after the exhibit report storage device evidence item has been released to the requestor or requesting agency”. Section 13.4.3 was edited to replace “…exhibit reports associated with a Digital Evidence Examination Request have been disseminated to the requestor.” with “…exhibit reports associated with a digital evidence examination request have been disseminated to the requestor or requesting agency.”. Section 13.4.4 was edited to replace “Other data may be maintained after all exhibit reports have been disseminated at the discretion of the examiner…” with “Exhibit reports and other data may be maintained after all examination reports and exhibit report evidence item(s) have been disseminated to the requestor at the discretion of the examiner…”. DEQM DOCUMENT REFERENCES: “ISO/IEC 17025:2005” was edited to read “ISO/IEC 17025:2017” to properly reflect currently applicable ISO/IEC international standard. “AR3028” was edited to read “AR3125” to properly reflect the currently applicable ANAB Accreditation Requirements document.

DEQM-APPROVAL: DEQM DOCUMENT APPROVAL

DEU Technical Manager: August 16, 2019

Donald Rains Date

CSD Division Director: August 16, 2019

Andrea Fielding Date

OSBI DIGITAL EVIDENCE UNIT TECHNICAL MANUAL

TECHNICAL MANUAL INDEX

DETM_REV03 Page 1 of 52 Effective Date: 08/16/2019

DETM-0 Administrative Procedures

DETM-1 Preparation and Use of Forensic Computer Systems

DETM-2 Examination Documentation

DETM-3 Physical Inspection & Processing of Evidence

DETM-4 Sterilization of Target Data Storage Media

DETM-5 Write Protecting Examination Media

DETM-6 Hard Disk Drive Removal & System Settings Check

DETM-7 Forensic Copy Procedures

DETM-8 Examination & Analysis – Computers and Data Storage Devices

DETM-9 Examination & Analysis – Mobile Devices

DETM-10 Restoration of Forensic Copies During Examinations

DETM-References DETM Document References

DETM-History DETM Document History

DETM-Approval DETM Document Approval

DETM-0: ADMINISTRATIVE PROCEDURES

0.1 PURPOSE

The purpose of this protocol is to provide standardized procedures for

administrative functions pertaining or related to digital evidence examinations within the

laboratory facilities of the OSBI Criminalistics Services Division (CSD), the OSBI Digital

Evidence Unit (DEU), and the AT&T Digital Forensic Laboratory (ATTDFL).

0.2 SCOPE

This procedure applies to all requests for digital evidence examination received

by CSD, the DEU, and the ATTDFL laboratory facilities and to all digital evidence

examinations which are administered, conducted, or performed at OSBI CSD, DEU, and

ATTDFL laboratory facilities. Unless otherwise specified, all references to “DEU” will

include and/or apply to all ATTDFL examiners and facilities as well as to all OSBI CSD

digital evidence examiners and facilities.

0.3 OBJECTIVES

0.3.1 With respect to digital evidence examinations, the primary objective of the

DEU is to provide forensic digital evidence examination services to law

enforcement agencies within the State of Oklahoma. The services provided to

Oklahoma law enforcement agencies will include:

0.3.1.1 Relevant, timely, and effective forensic examination, analysis,

and interpretation of digital evidence based on Oklahoma State Law and

the current best practices of the digital forensic community.

0.3.1.2 Courtroom testimony to explain observations and results of digital

evidence examinations.

0.3.1.3 Training and/or education in the proper handling and preservation

of digital evidence for law enforcement agencies.

0.3.2 The objective of the DEU Technical Procedures is to provide the policy

and structure necessary to conduct the examination and analysis of digital

evidence in a consistent manner and to establish a framework for uniform

reporting of examination observations and results.

0.3.3 The DEU Technical Procedures shall be used by properly trained and

qualified examiners familiar with digital evidence preservation, handling,

examination, and analysis as outlined in the DEU Training Manual. These technical

procedures are not intended as a textbook and should not serve as a substitute

for the appropriate prerequisite training necessary to properly conduct digital

evidence examinations. The DEU Technical Procedures are intended to be used

along with the examiner’s experience, training, and current best practices of the

digital forensic community to conduct thorough and consistent examinations of

digital evidence.

0.4 GOALS

0.4.1 Personnel who perform digital evidence examinations within OSBI CSD,

DEU, and ATTDFL laboratory facilities will follow all OSBI Criminalistics Services

Division (CSD) Quality Manual requirements for all matters involving laboratory

casework.

0.4.2 Personnel assigned to work within the ATTDFL will maintain a working

knowledge of the ATTDFL Memorandum of Understanding (MOU) and adhere to

all conditions set forth in the MOU.

0.4.2 Personnel who perform digital evidence examinations within DEU

laboratory facilities will maintain an ongoing dialog with law enforcement

administrators and investigators regarding the services provided. Open lines of

communication will be maintained with respect to active casework as well as

changes to policies and procedures which may affect evidence processing and

examination due to changes in technology.

0.5 LEGAL AUTHORITY TO CONDUCT EXAMINATIONS

0.5.1 It is the responsibility of the requesting law enforcement officer to obtain

proper legal authorization to examine or search all items of evidence submitted

for digital evidence examination to DEU laboratory facilities.

0.5.2 It is the responsibility of the requesting law enforcement officer to ensure

the digital evidence examination request does not exceed the scope of the

proper legal authorization obtained to examine or search the items of evidence

listed on the examination request. It is also the responsibility of the requesting

law enforcement officer to ensure proper legal authorization is obtained to

examine or search each item listed on the examination request and that the

proper legal search authorization is obtained prior to the submission of the

examination request.

0.5.3 Personnel who conduct digital evidence examinations within DEU

laboratory facilities are not required to maintain or review copies of search

warrants, consents to search, or other search authorization documentation.

0.5.4 Personnel who perform digital evidence examinations within DEU

laboratory facilities will ensure that all examinations adhere to and do not exceed

the scope of the examination request.

0.5.5 If a digital evidence examiner discovers evidence of another crime(s)

during an examination that is outside the scope of the submitted examination

request, the examiner must stop all analysis and notify the DEU Supervisor, or

designee, of the discovery and nature of evidence of other crime(s). The

examiner or supervisor will then contact the submitting requestor and notify them

of the discovery. The examiner will not resume examination work in the request

until notified by the requestor that proper legal authorization has been obtained to

expand the scope of examination. The discovery of the evidence of other

crime(s) as well as the results of the coordination with the requestor will be

documented in the Laboratory Information Management System (LIMS) case

narrative as a case event.

0.6 EXAMINATION REQUEST PROCEDURES

0.6.1 All questions or requests for clarification related to digital evidence

examination requests will be directed to the DEU Supervisor or designee.

0.6.2 The requestor must provide sufficient case information that is relevant to

the digital evidence items in the request so that the forensic examination of those

items can be focused to provide data and information of interest to the

investigation. The requestor must also provide a detailed list of the specific items

to be examined and clearly articulate the scope of search for each item listed in

the examination request.

0.6.3 All digital evidence examination requests must be accompanied by a

completed current version of the Digital Evidence Examination Request

Addendum OSBI CSD QPA 5.2. The requestor must provide a completed

addendum form prior to the start of any digital evidence examination and the

form must include the requestor’s signature acknowledging the responsibility to

ensure the examination request does not exceed the scope of already obtained

or existing legal search authorization.

0.6.4 When requests are received which contain digital evidence items that

require examination by any other OSBI laboratory section or discipline, the DEU

Supervisor will, on a case-by-case basis, work with the requestor and other OSBI

CSD Laboratory personnel to ensure the item(s) of evidence are examined in the

order least likely to alter or destroy evidence that may be recoverable by another

forensic laboratory discipline.

0.6.5 The DEU Supervisor will assign the request to a DEU examiner based on

the details of and the priority assigned to the request, examiner training and

experience, and the current laboratory caseload.

0.6.6 When necessary, the assigned examiner will coordinate with the requestor

to clarify details of the examination request and to triage the items of evidence

submitted in accordance with DETM-0.8.

0.6.7 Evidence will not be examined without a completed current version of the

OSBI CSD QPA 5.2, Digital Evidence Request Addendum.

0.6.8 Evidence in digital evidence examination requests will only be accepted at

locations approved by the OSBI CSD Director.

0.7 PRIORITIZATION OF EXAMINATION REQUESTS

The DEU Supervisor, or designee, is responsible for prioritizing examination

requests and will normally prioritize requests based on the facts provided by the

requestor on the Digital Evidence Examination Request Addendum at the time of

submission.

0.8 TRIAGE OF ITEMS IN EXAMINATION REQUESTS

0.8.1 The specific items included in digital evidence examination requests may

be triaged in an attempt to identify which items are of primary evidentiary value

and eliminate items of no evidentiary interest. The intent of the use of triage is to

reduce the number of items and volume of data associated with examination

requests by reviewing case details and eliminating items from the request which

likely contain no data of evidentiary value or interest. This use of triage will

reduce the time spent examining items of no evidentiary value or interest to the

request and result in a reduction in the time required to complete examination

requests.

0.8.2 Triage of items may be done by the DEU Supervisor or designee.

DETM-1: PREPARATION AND USE OF FORENSIC COMPUTER SYSTEMS

1.1 PURPOSE

The purpose of this protocol is to establish a standardized procedure for the

preparation of forensic computer systems to a baseline or default state.

1.2 SCOPE

This procedure will apply to forensic computer systems used by examiners to

perform digital evidence examinations in DEU laboratory facilities. This procedure will

only apply to forensic computers which are required to undergo performance verification

testing as defined in DEU Quality Manual.

1.3 EQUIPMENT

1.3.1 Hardware – The forensic computer system hardware and all of its

associated and installed physical subcomponents.

1.3.2 Software – The operating system installed on the forensic computer

system drive and the software and programs identified on the Approved

Examination Software List in DEQM-6.

1.4 PREPARATION OF FORENSIC COMPUTER SYSTEMS

1.4.1 All forensic computer systems will normally be prepared for operation and

use in laboratory casework by the examiner who is assigned actual physical

control of the computer. Forensic computer systems may also be prepared by

the DEU Supervisor, DEU Technical Manager, or designee. Forensic computer

systems designated as “Common Laboratory Use” computers will be prepared

and maintained by either the DEU Supervisor, the DEU Technical Manager, or

designee.

1.4.2 All forensic computer systems will have operating system(s) installed

which are annotated in DEQM-6 and correspond with the approved forensic

computer system type. Operating systems, or versions of operating systems

which are not annotated in DEQM-6.3 and correspond with the associated

forensic computer system type will not be used or installed on forensic computer

systems.

1.4.3 Examiners will obtain the installation files for forensic software tools only

from the designated approved software storage location or method maintained

and controlled by the DEU Technical Manager.

1.4.4 Only forensic software programs and applications listed in DEQM-6.2.2 –

6.2.3 will be installed on forensic computer systems. Software applications and

programs which are designated as common use in DEQM-6.5 and made

available by the DEU Technical Manager through the approved common use

software storage location may be installed on forensic computer systems.

1.4.5 All forensic computer systems will be configured with, at a minimum, a

password protected user account which requires entry of a password or PIN

number for logon and use.

1.5 USE OF FORENSIC COMPUTER SYSTEMS

1.5.1 Forensic computer systems will normally only be used by the examiner

who is assigned actual physical control of the computer for inventory

accountability purposes.

1.5.2 Common laboratory use computer systems and equipment will be

available for use by laboratory personnel when not in use by another examiner.

1.5.3 Forensic computer systems will only have an active Internet connection

when needed or required to activate, repair, troubleshoot, or update approved

software applications and programs found in DEQM-6.

1.5.4 Forensic computer systems will not have an active or live Internet

connection during examination casework.

1.5.5 Forensic computer systems will not be used for online undercover

purposes.

1.5.6 Forensic computer systems may only be used for laboratory examination

casework, laboratory quality assurance/quality control examination work, or for

administrative tasks directly related to either casework or quality

assurance/control work.

1.5.7 All forensic computer systems will be reset to a baseline restore status,

which will be the restore or reinstallation of the operating system(s) and all

common software tools, at a minimum of once annually.

1.5.8 When possible, baseline restores of forensic computer systems should

coincide with the installation or upgrade of other forensic software tools.

1.5.9 The operating systems on forensic computers will have critical and

recommended updates applied at the time the computer is baseline restored or

when otherwise required by the DEU Technical Manager.

1.5.10 When a forensic computer system is baselined or has an operating

system update applied, the examiner who performed the baseline or operating

system update will update the Maintenance Log within the Maintenance Record

associated with the forensic computer system.

1.5.11 Unless otherwise directed by the DEU Supervisor or DEU Technical

Manager, the operating systems, common software tools, or forensic software

tools on forensic computer systems will not be updated or upgraded in the middle

of a laboratory casework examination. Updates and upgrades will be performed

following the completion of laboratory casework in one examination case and

prior to the start of the next examination case.

DETM-2: EXAMINATION DOCUMENTATION

2.1 PURPOSE

The purpose of this protocol is to provide standardized procedures for

documenting relevant and required case information and data during the conduct of

digital evidence examinations within DEU laboratory facilities.

2.2 SCOPE

This protocol applies to all requests for digital evidence examination received by

DEU laboratory facilities, and to the subsequent examination of all items of evidence

submitted for forensic examination.

2.3 GENERAL

2.3.1 The physical and technical characteristics of each item of evidence

received for examination will be documented in accordance with DETM-3:

Physical Inspection and Processing of Evidence and the OSBI CSD Quality

Manual.

2.3.2 All examination documentation will be recorded in the CSD LIMS in

accordance with CSD QP 16.2.

2.3.3 The examination start date will be defined as the first day the chain of

custody record reflects the evidence was in the possession of the assigned

examiner.

2.3.4 The examination end date will be defined as the date the Administrative

Review was completed and the report was approved. The completed

Administrative Review Form will be the source of the case record documentation

for the examination end date.

2.3.5 Hard copy forms may be used to document required information and data

if the LIMS is unavailable due to technical difficulties or other circumstances. If

hard copy forms are used, a copy of the form must be added to the case

documents section of the LIMS after access to the system is restored.

2.3.6 Digital Evidence Photographs may be used to supplement, not replace,

case documentation and information. The use of Digital Evidence Photographs

will be in accordance with DETM-3: Physical Inspection and Processing of

Evidence. If taken, Digital Evidence Photographs will be added to the LIMS

examination documentation and directly associated with the evidence item or

sub-item photographed.

2.4 EVIDENCE ITEM MATRIX PANELS

2.4.1 The LIMS will have matrix panels established for each major category of

commonly encountered digital evidence. Each matrix panel will have data entry

fields corresponding with the most commonly used descriptive information and

identifying numbers associated with devices and items of the category.

2.4.2 If the evidence item category for an item is not apparent, the examiner

should use the matrix panel that most closely resembles the item and contains

the data entry fields which most completely capture the item’s descriptive

information and identifiers.

2.5 DOCUMENTING HARDWARE AND SOFTWARE USED TO PERFORM

EXAMINATIONS

2.5.1 All forensic examination tools which are approved for use in DEQM-6 and

used to perform digital evidence examinations will be documented and directly

associated with the evidence item or sub-item examined.

2.5.2 Use of a hardware or software forensic examination tool will be defined as

the use of the specified tool to perform any of the following:

- Write block or write protect any item of Original Digital Evidence (ODE).

- Obtain or verify a forensic copy of any item of ODE.

- Obtain or verify an extraction of data from any item of ODE.

- Perform a Preview of any item of ODE.

- Create a restore or clone from an extraction or forensic copy of an item of ODE.

- Perform forensic examination of data contained within an extraction or forensic copy of an item of ODE.

- Perform virus or malware scans of data contained within an extraction or forensic copy of an item of ODE.

2.5.3 The Maintenance Number associated with a forensic examination

hardware tool in accordance with DEQM-7 will be used to refer to the item in

case documentation and notes.

2.5.4 All software forensic tools utilized in the examination will be documented

in the appropriate matrix panel with the name and the complete version number

of the tool.

2.6 EXHIBIT REPORT DOCUMENTATION

2.6.1 An Exhibit Report is a collection or group of electronic reports and

corresponding data, files, and/or information produced by forensic tools during

digital evidence examinations.

2.6.2 Exhibit reports will be identified as derivative evidence and are produced

from the following sources:

- Forensic copies obtained directly from ODE items.

- Data extractions obtained directly from ODE items.

- Data obtained directly from ODE items.

2.6.3 A single exhibit report storage device may be used and identified as a

single item of derivative evidence and contain exhibit reports derived from

multiple items of ODE.

2.6.4 The exhibit report storage device will be identified as a subsequent and

unique item of evidence in the LIMS. The description of the exhibit report item of

evidence in the LIMS will identify the storage device type and the ODE source

item(s) of evidence the exhibit report(s) were derived from.

2.6.5 The exhibit report evidence item will be created in the LIMS prior to

technical and administrative review of the examination report and is not

considered finalized or completed until after both reviews are completed and the

examination report has been approved.

2.6.6 The exhibit report evidence item, or its container, will be marked with the

appropriate laboratory case number, item number, the creating examiner’s

initials, and the date the item was sealed.

2.6.7 The exhibit report storage device type and corresponding LIMS evidence

item number will be documented in the results and interpretations section of the

digital evidence examination report.

2.6.8 The exhibit report storage device and associated exhibit reports will be

released to the requestor or requesting agency in accordance with DEQM-13.4:

Retention of Exhibit Reports and Other Data.

2.7 HARD COPY CASE FILE DOCUMENTATION

2.7.1 The goal of DEU digital evidence examinations is to eliminate the need to

maintain or retain a hard copy case file. All administrative and technical

documentation which is required to be retained will be incorporated into the LIMS

case file whenever feasible or practical.

2.7.2 Any handwritten notes which directly record examination results or

observations not captured in an examination report or exhibit report will be

scanned and incorporated into the case documentation.

2.7.2 Administrative and technical documentation which is required to be

retained but not feasible or practical to incorporate into the LIMS case file will be

maintained in a hard copy case file in accordance with CSD QP 16.2.

DETM-3: PHYSICAL INSPECTION AND PROCESSING OF EVIDENCE

3.1 PURPOSE

The purpose of this protocol is to establish a standardized procedure for how

items of digital evidence are inspected, documented, and processed and how the

condition of items of evidence received for digital evidence examination is documented

within DEU laboratory facilities.

3.2 SCOPE

This procedure applies to all evidence items submitted for digital evidence

examination within DEU laboratory facilities as well as all sub-items identified during

processing.

3.3 EQUIPMENT

3.3.1 Tools commonly used to access and repair computers and electronic

items.

3.3.2 Digital camera approved for use to take evidence photographs.

3.4 PHYSICAL INSPECTION OF EVIDENCE

3.4.1 All items of ODE, and any sub-items, will be physically inspected and

documented in accordance with section 3.4 of this policy and may be treated as

“evidence in the process of examination” stored in the laboratory’s secure, limited

access work area until examination is complete in accordance with OSBI CSD

QP 6.1 Section II.f.3.b.

3.4.2 All ODE items received for examination determined to pose any risk as a

destructive device, contaminant danger, hazardous material, or a danger or

hazard in any other way will be handled and/or reported in accordance with

current OSBI and CSD policy.

3.4.3 Descriptive information (such as manufacturer’s markings which indicate

the make, model and serial number) for each item and all sub-items identified for

examination will be recorded in the appropriate matrix panel. Other identifying

numbers or values affixed by the manufacturer to uniquely identify the item to the

exclusion of other similar items may be recorded in the appropriate matrix panel

when applicable.

3.4.4 Digital Evidence Photographs are not required to be taken of each item of

ODE received for examination. Digital Evidence Photographs may be taken, at

the discretion of the examiner, in order to document anything about an item of

ODE determined to be noteworthy or important.

3.4.4.1 Digital Evidence Photographs will be taken with a digital camera

appropriate for use in photographing evidence.

3.4.4.2 Digital Evidence Photographs may be taken to document unusual

damage to an item of ODE, connections or relationships between ODE

items, or unusual labels or markings found on an item of ODE during

processing or examination.

3.4.4.3 Digital Evidence Photographs will be designated and handled as

case information documents and will be used to supplement, not replace,

written documentation and other case documentation.

3.4.4.4 All Digital Evidence Photograph files will be combined or

converted into single “PDF” document files per evidence item or (sub) item

number and named in accordance with CSD Quality Manual guidelines.

3.4.4.5 Digital Evidence Photograph PDF files will be uploaded into the

Case Information “Documents” section of the LIMS system.

3.4.5 If an item of ODE is damaged in any way during the examination,

inspection, processing, or handling of the item, sufficient digital evidence

photographs will be taken to thoroughly document the damage if applicable. A

thorough narrative which documents the circumstances that led to the damage

of the item and a detailed description of the actual damage will be documented in

the case documentation.

3.4.6 Before and after digital evidence photographs will be taken any time an

item of ODE submitted for examination is repaired or altered in any way to facilitate

successful examination or recovery of data or information from the device.

3.4.7 If an item of ODE submitted for examination is repaired or altered in any

way to facilitate successful examination or recovery of data or information from

the device, the examiner will coordinate with the requesting agency to obtain a

letter from the prosecutor indicating both the intent and the necessity to alter

and/or consume the item. The letter must be obtained prior to the start of any

analysis and must be included in the case documentation.

3.4.8 Each item of ODE submitted for examination and all sub-items identified

will be marked for identification with a permanent marker (such as a “Sharpie”

marker) directly on the item near the manufacturer’s descriptive information

(model and serial number) when possible or feasible.

3.4.9 When it is not advisable, possible, or feasible to directly mark the ODE

item or sub-item for identification, the item or sub-item will be marked with the

same information using a proximal container or tag in accordance with OSBI

CSD Quality Manual 5.8.4.3.

3.4.10 All ODE items will be marked, at a minimum, with the Laboratory

Examination Case Number, the Laboratory Assigned (Sub)Item Number, the

date of examination or processing in “mm/dd/yy” format, and the initials of the

examiner who examined or processed the item.

3.5 PROCESSING OF EVIDENCE

3.5.1 COMPUTER PROCESSING – The following items, whenever possible,

should be completed, documented, and/or observed when processing computer

and computer related items of ODE:

3.5.1.1 Whenever possible, all data storage media device sub-items

should be removed from computer systems and any other host ODE item

they are found installed within and all available descriptive information fully

documented in the appropriate matrix panel.

3.5.1.2 Whenever possible, relevant or pertinent CMOS/BIOS setting

information (system date, system time, etc.) should be obtained and

recorded in the appropriate matrix panel in accordance with DETM-6.

3.5.1.3 To preserve the integrity of the data stored on the ODE, every

item and sub-item of data storage media will, whenever possible, be

protected from alteration by the use of hardware based write protection. If

hardware based write protection is not available or not feasible for use,

either built-in or software based write protection may be used.

3.5.1.4 Whenever possible, appropriate write protection will be applied or

in use prior to accessing any item or sub-item of data storage media for

any purpose, including preview, forensic copying, analysis, or

examination.

3.5.2 MOBILE DEVICE PROCESSING – Due to the extremely wide variety of

mobile device hardware available and the many different form factors that exist,

there is no single procedure or protocol to document and process every cellular

telephone or mobile device. The following procedures represent a general guide

to the processing of mobile devices:

3.5.2.1 Determine the power status of the device. If the device is not

powered on, do not power it on until ready and prepared to start

examination of the item.

3.5.2.2 If the power status of the device cannot be determined due to

damage or other factors, the device will be treated as “powered on”. If the

device is powered on, do not power off the device. Determine if the

device has a security measure enabled to prohibit access and document

the type of security. The intent is for the examiner, based on his/her

training and experience, to attempt to determine the power and security

state of the device and to prevent unnecessarily activating any device

security measures which may prohibit subsequent examination or

extraction of data.

3.5.2.3 Determine if the make and model of the ODE device is supported

for examination by any available tools. If the make and model of the

device is not specifically supported, it may be supported for examination

as a generic device type or examination by other examination tool

supported methods.

3.5.2.4 Determine if the make and model of the device is supported for

examination with the observed type of security enabled. If the device is

not supported for examination with the observed type of security enabled,

document the item as a device not currently supported for examination

with the observed security type enabled. ODE sub-items (flash memory

cards, SIM cards) may still be examined if found installed or contained

within unsupported devices.

3.5.2.5 Conduct a physical inspection of the item of ODE and document

in accordance with section 3.4 of this policy. If the device is received

powered on, do not power the device off to conduct the physical

inspection of the item. Many mobile devices require security

authentication only when the device is powered on. If the device is

received powered on, conduct the physical inspection after the device has

been examined and data extraction has completed to avoid triggering the

power on security.

3.5.2.6 Charge the device’s battery, if necessary or required.

3.5.2.7 Whenever possible, all media devices capable of storing data

(flash memory cards, SIM cards, etc.) should be removed from mobile

devices they are found installed within and all available descriptive

information fully documented.

3.5.2.8 Whenever possible, all media devices capable of storing data

(flash memory cards, SIM cards, etc.) which were removed from mobile

devices to document descriptive information shall be re-installed into the

item they were removed from prior to examination of the item itself. If an

item is examined with any media device removed, the reason for the

examination with the media device removed will be documented in the

appropriate matrix panel.

DETM-4: STERILIZATION OF TARGET DATA STORAGE MEDIA

4.1 PURPOSE

The purpose of this protocol is to provide a standardized procedure for

overwriting all data storage capacity on target storage media within DEU laboratory

facilities. Commonly known as “wiping”, this process overwrites every addressable

storage location on an item of target storage media with a known value, which is usually

“0”. Wiping is used to sterilize target media devices prior to their use to store

examination case data and ensures that no lingering data is present on the device from

previous use.

4.2 SCOPE

This procedure applies to all data storage media items authorized to be wiped

and used to store examination case data within DEU laboratory facilities.

4.3 EQUIPMENT

4.3.1 Forensic computer system(s).

4.3.2 Hardware data wiping device.

4.3.3 Software data wiping utilities, programs, and applications.

4.3.4 Target data storage media.

4.4 WIPING TARGET DATA STORAGE MEDIA

4.4.1 All target data storage media devices will be wiped prior to being used to

store examination case data. All new data storage devices will be wiped prior to

being utilized to store examination case data.

4.4.2 Connect the target data storage device to the forensic computer system or

the hardware data wiping device using the appropriate data and power

connectors. Ensure the data connection port utilized is a “read-write” port.

4.4.3 When possible, set the data wiping preferences to overwrite all data

storage locations with “0”.

4.4.4 Perform a single pass overwrite wipe of all data on the device.

4.4.5 Allow the data wiping device or software to complete a verification that the

wipe successfully completed or perform a verification that the device was

successfully wiped.

4.4.5.1 If the wipe successfully completed and was verified as

successful, store the wiped device in an approved location.

4.4.5.2 If the wipe was unsuccessful or failed to verify, repeat procedures

4.4.4 and 4.4.5.

4.4.6 If any target data storage device fails two consecutive attempts to wipe or

fails verification of two attempted wipes, the storage device will be removed from

service and labeled with “Out of Service” and the date the device was removed

from service.

4.4.7 No data storage device will be used to store examination case data that

has failed to successfully wipe, verify, and/or been removed from service.

4.4.8 Only approved examination tools listed in DEQM-6 will be used to wipe

target data storage media used in examination casework.

4.4.9 Wiped target data storage devices will not be formatted or altered until

used to store examination case data.
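An added example, not part of the OSBI manual and not one of the approved tools of DEQM-6, showing steps 4.4.3 through 4.4.6 as code: a single zero-fill pass, a full read-back verification, one repeat on failure, and the “Out of Service” label after two consecutive failures. It runs against a constructed image file; the function names, the 1 MiB block size, and the simulated faulty device are assumptions made for the illustration.

```python
import os
import tempfile
from datetime import date

CHUNK = 1024 * 1024  # I/O block size; chosen for this example, not taken from the manual
FILL = 0x00          # 4.4.3: overwrite every storage location with "0"


def wipe_single_pass(path):
    """4.4.4: overwrite every byte of the target once with FILL. Returns bytes written."""
    block = bytes([FILL]) * CHUNK
    with open(path, "r+b") as dev:
        size = dev.seek(0, os.SEEK_END)  # size of the existing target
        dev.seek(0)
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            dev.write(block[:n])
            remaining -= n
        dev.flush()
        os.fsync(dev.fileno())  # the pass must reach the medium before it is verified
    return size


def first_unwiped_offset(path):
    """4.4.5: read the whole target back. Returns the offset of the first byte
    that is not FILL, or None when every byte verifies."""
    fill = bytes([FILL])
    offset = 0
    with open(path, "rb") as dev:
        while True:
            data = dev.read(CHUNK)
            if not data:
                return None
            stripped = data.lstrip(fill)  # drops the leading run of FILL bytes
            if stripped:
                return offset + len(data) - len(stripped)
            offset += len(data)


def sterilize(path, wipe=wipe_single_pass, today=None):
    """4.4.4 to 4.4.6: wipe and verify, repeat once on failure, and label the
    device "Out of Service" with the date after two consecutive failures."""
    attempts = []
    for attempt in (1, 2):
        try:
            wipe(path)
            bad = first_unwiped_offset(path)
            detail = "verified" if bad is None else f"residual data at offset {bad}"
        except OSError as exc:
            bad, detail = -1, f"I/O error: {exc}"
        attempts.append({"attempt": attempt, "detail": detail})
        if bad is None:
            return {"status": "WIPED_VERIFIED", "attempts": attempts}
    label = f"Out of Service {today or date.today().isoformat()}"
    return {"status": "OUT_OF_SERVICE", "label": label, "attempts": attempts}


def make_image(size=3 * CHUNK + 517):
    """Constructed stand-in for a previously used target device."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write((b"CASE-DATA" * (size // 9 + 1))[:size])
    return path


def faulty_wipe(path):
    """Constructed failure: one location keeps a stale value after the pass,
    as a failing sector might."""
    size = wipe_single_pass(path)
    with open(path, "r+b") as dev:
        dev.seek(size - 100)
        dev.write(b"\xAA")
    return size


if __name__ == "__main__":
    good, bad = make_image(), make_image()
    print(sterilize(good))
    print(sterilize(bad, wipe=faulty_wipe))
    os.remove(good)
    os.remove(bad)
```

The read-back covers the whole target rather than a sample, so a single stale byte anywhere fails the verification in 4.4.5.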

4.5 STERILIZATION OF SOLID STATE HARD DISK DRIVE MEDIA

4.5.1 Solid state hard disk drives cannot be “wiped” or sterilized by the same

procedure as other target media storage devices. Use of the procedure in

section 4.4 above to sterilize a solid state hard disk drive may result in

irreparable damage to the drive. It is possible to sterilize a solid state hard disk

drive, but the procedure is closer to a “reset” than to an “erase” or “wipe”.

4.5.2 All solid state hard disk drives will be sterilized using the secure erase

functionality of the software provided by the manufacturer of the drive.

4.5.3 Solid state hard disk drives will only be sterilized using the secure erase

software or procedure provided by the manufacturer specifically for the

sterilization of the exact make and model of the drive in question.

4.5.4 A solid state hard disk drive will be considered wiped and verified if the

drive manufacturer’s secure erase software completes the “reset” successfully

and reports no errors in the process.

4.5.5 If a solid state hard disk drive fails to complete the “reset” procedure or

completes with errors reported by the manufacturer’s software, a second attempt

will be made to “reset” the drive.

4.5.5.1 If the “reset” was successful, store the wiped device in an

approved location.

4.5.5.2 If the “reset” was unsuccessful or completed with errors, repeat

procedures 4.5.3 through 4.5.5.

4.5.6 If any solid state hard disk drive fails two consecutive attempts to “reset”,

the drive will be removed from service and labeled with “Out of Service” and the

date the device was removed from service.

4.5.7 No solid state hard disk drive will be used to store examination case data

that has failed to successfully “reset” and/or been removed from service.

4.5.8 “Reset” solid state hard disk drives will not be formatted or altered until

used to store examination case data.

DETM-5: WRITE PROTECTING EXAMINATION MEDIA

5.1 PURPOSE

The purpose of this protocol is to provide a standardized procedure for write-

protecting items of ODE during processing, forensic copying, and examination and,

therefore, preserve the integrity of the items during the examination process by

preventing alterations.

5.2 SCOPE

This procedure applies to all evidence items submitted for digital evidence

examination within DEU laboratory facilities and all sub-items identified during

processing which are capable of storing data that may be of evidentiary value.

5.3 EQUIPMENT

5.3.1 Forensic computer system(s).

5.3.2 Hardware write-blocking device(s).

5.3.3 Software write-blocking utilities, programs, and applications.

5.3.4 Examination media.

5.4 USE OF WRITE-PROTECTION

5.4.1 In order to preserve the integrity of the data contained on items of ODE,

each item that is examined and is capable of storing data will, whenever

possible, be protected from alteration by the use of write-protection.

5.4.2 Whenever possible, write-protection will be instituted prior to accessing

any ODE data storage media item for any purpose, including preview, forensic

copying, or analysis.

5.4.3 Whenever possible, hardware write protection will be used to protect all

ODE media items. The use of hardware write-protection is the preferred method

and will be utilized if possible or if supported.

5.4.4 When using a hardware write-protection device, the item of ODE media

will be connected to the write-protection device before powering the device on, if

applicable.

5.4.5 Software write-protection may be utilized to write-protect ODE media

items during processing and examination if the use of hardware write-protection

was impractical, not possible, or unsupported.

5.4.6 When using software based write-protection, the write-protection should

be implemented or initiated prior to attaching the ODE media whenever possible.

5.4.7 If any method of write-protection other than the use of a hardware write-

protection device is utilized to process or examine an item of ODE media, the

reason for using an alternative means of write protection will be documented in

the appropriate matrix panel.

5.4.8 Only hardware write-protection devices listed in DEQM-6: Approved

Examination Tools will be used in examination casework.

5.4.9 Only software write-protection applications, programs, and utilities listed in

DEQM-6: Approved Examination Tools will be used in examination casework.

5.4.10 No hardware device or forensic software tool will be used in examination

casework for the purpose of write-protecting ODE media items that has not

undergone and passed either Function Testing or Performance Verification

Testing in accordance with DEQM-9.

5.5 DOCUMENTATION OF WRITE-PROTECTION

5.5.1 Any time a write-protection device is used to access an ODE media item,

its use must be documented in the appropriate matrix panel.

5.5.1.1 Hardware write-protection devices will be documented by the

Maintenance Number assigned to the item as required in DEQM-7.

5.5.1.2 For software write-protection, the Operating System utilized

during the time the ODE media item was accessed will be documented in

the appropriate matrix panel as well as the Maintenance Identifier and

version number associated with the software.

5.5.2 If the use of write-protection is not possible, the reason it could not be

used will be documented in the appropriate matrix panel.

DETM-6: HARD DISK DRIVE REMOVAL & SYSTEM SETTINGS CHECK

6.1 PURPOSE

The purpose of this protocol is to provide standardized procedures for the

removal of hard disk drives and data storage devices from ODE items and for checking

the system settings of computers submitted for examination within the DEU laboratory

facilities.

6.2 SCOPE

This procedure applies to all ODE computer systems submitted for examination

within the DEU laboratory facilities.

6.3 EQUIPMENT

6.3.1 ODE computer system.

6.3.2 Removable media boot device(s).

6.4 HARD DISK DRIVE REMOVAL

6.4.1 Hard disk drives of ODE computer systems will be removed from the

submitted computer whenever possible for documentation, processing, and

forensic copying.

6.4.2 If it is not possible to remove the hard disk drive from the computer system

for documentation, processing, or forensic copying, the reason (i.e. hard disk

drive permanently affixed to system board, the use of encryption, the use of

multiple hard disk drives in a RAID configuration, etc.) will be documented in the

appropriate matrix panel.

6.4.3 The hard disk drive(s) should then be removed from the computer system.

Care should be taken to ensure the computer and all of its parts and components

which were disassembled or disconnected to remove the hard disk drives can be

reassembled and reconnected in exactly the same state following the completion

of documentation, processing, and forensic copying whenever practical.

6.4.4 Whenever practical, the make, model, serial number, storage capacity,

and connection type of each hard disk drive will be documented in the

appropriate matrix panel.

6.4.5 Label the hard disk drive(s) removed from the ODE computer with

appropriate case information in accordance with DETM-3.4: Physical Inspection

& Processing of Evidence.

6.4.6 Conduct a check of all removable media storage drives and bays on the

ODE computer for any removable media storage devices (i.e. CD/DVD discs,

flash memory cards, etc.). If any removable media storage device(s) are found,

follow the same procedure outlined in DETM-6.4.5 through 6.4.7 to remove and

document the device(s).

6.4.7 Once all hard disk drives and removable media devices have been

identified, documented, processed, forensically copied, and a system settings

check has been conducted, reassemble, reinstall, and reconnect all hard disk

drives and removable media devices into the ODE computer. The computer

should, whenever practical, be reassembled and returned to the same state as

when it was received.

6.5 CONDUCT A SYSTEM SETTINGS CHECK

6.5.1 Whenever possible, a check will be conducted of the system settings of all

ODE computer systems.

6.5.2 Prior to conducting a system settings check, ensure all hard disk drive(s)

and removable media devices have been disconnected and/or removed from the

computer. If it is not possible to remove the hard disk drive(s) or removable

media device(s) from the computer to conduct the system settings check, the

reason will be documented in the appropriate matrix panel.

6.5.3 Power the computer system on and access the computer’s system

settings or system setup interface if possible.

6.5.4 If the ODE computer’s system settings cannot be accessed, a removable

media boot device may be utilized to load an operating system and access

system settings information.

6.5.5 At a minimum, the date and time stored by the computer’s system settings

and the actual date and time the check was conducted will be recorded in the

appropriate matrix panel. Other system setting information may be recorded

based on the examination request.

6.5.6 Once the computer system settings information has been obtained, the

computer should be powered off and returned to the state in which it was

received whenever practical.

DETM-7: FORENSIC COPY PROCEDURES

7.1 PURPOSE

The purpose of this protocol is to provide standardized procedures within DEU

facilities for the use of approved forensic hardware and software tools to obtain

forensically sound copies of Original Digital Evidence (ODE) hard disk drives and other

items of ODE data storage media.

7.2 SCOPE

This procedure applies to all ODE computer systems and data storage devices

submitted to DEU laboratory facilities which will be forensically copied for examination.

7.3 EQUIPMENT

7.3.1 Forensic computer system.

7.3.2 Prepared Target Data Storage Media.

7.3.3 Function Tested forensic copying hardware and/or software.

7.3.4 Original Digital Evidence data storage device.

7.4 PREPARATION OF TARGET DATA STORAGE MEDIA

7.4.1 Target data storage media must be properly prepared prior to the start of

any forensic copying procedure. The target data storage media device must

have been sterilized or wiped in accordance with DETM-4: Sterilization of Target

Data Storage Media prior to being used to store forensic copies in examination

casework.

7.4.2 Install the target data storage media into the forensic computer system

and power on the computer.

7.4.3 Initialize the target data storage media device and ensure it is of sufficient

size to store the forensic copies and case data associated with the examination

request.

7.4.4 An appropriate number of folders should be created and utilized on the

target data storage partition to organize and store forensic copies and

examination case data associated with the examination request. Folders should

be organized and named in such a way as to properly associate the stored data

with the examination case number and to identify its function and purpose.

7.5 FORENSIC COPYING PROCEDURE

7.5.1 Select the hardware and software tools from DEQM-6: Approved

Examination Tools to be used which are appropriate for the forensic copying

task. Document the selected hardware and software used for forensic copying in

the appropriate matrix panel. All write blocking devices used to forensically copy

ODE evidence items must have undergone and passed Function Testing in

accordance with DEQM-9: Function Testing and Performance Verifications.

7.5.2 Whenever possible, write-protection will be used to protect all ODE data

storage media items from alteration in accordance with DETM-5: Write Protecting

Examination Media. Any time a device cannot be accessed “read-only” or

utilizing write-protection, the reason write-protection could not be or was not used

will be documented in the appropriate matrix panel.

7.5.3 Generate a pre-examination hash value for the ODE item and document

the hash value in the appropriate matrix panel.

7.5.4 Utilize the selected hardware and software tools to acquire or obtain a

forensic copy of the ODE item. Document the acquisition method in the

appropriate matrix panel.

7.5.5 All forensic copies of ODE media items will be created using the “.E01” or

“EnCase” encapsulated file format whenever practical. Other forensic copy file

formats may be used based on the training and experience of the examiner

and/or file formats required by forensic tool manufacturers.

7.5.6 Forensic copy files should be named and organized in such a way that

they associate the forensic copy with the item it was obtained from

and with the examination request.

7.5.7 Generate a hash value for the newly acquired forensic copy and document

the hash value in the appropriate matrix panel.

7.5.8 Generate a post-forensic copy hash value for the ODE item and document

the hash value in the appropriate matrix panel.

7.5.9 If an automated forensic software tool is used, the original hash value

generated by the tool will serve as the pre-examination hash value in section

7.5.3 and the verification hash value generated by the tool will serve as the hash

value for the newly acquired forensic copy in section 7.5.7.

7.5.10 The pre-forensic copy hash value, forensic copy hash value, and post-

forensic copy verification hash value should match when compared.

7.5.11 If a forensic copy cannot be successfully obtained, verified, or created, a

second attempt to obtain or verify the forensic copy will be made. If the second

attempt to obtain, verify, or create the forensic copy fails or is not successful, the

examiner will notify the DEU Technical Manager, or DEU Supervisor, who will

attempt to determine the cause of the failure and provide guidance on how the

examiner should proceed. The DEU Technical Manager or DEU Supervisor will

document information about the failure, its cause, and resolution in the case

information narrative when required and/or appropriate.

7.5.12 If a post-forensic copy verification hash value of the ODE item fails

verification, the examiner will make a second attempt to obtain a verification hash

for the item. If the second attempt to obtain a post-verification hash for the ODE

item fails, the examiner will notify the DEU Technical Manager, or DEU

Supervisor, who will attempt to determine the cause of the failure and provide

guidance on how the examiner should proceed. The DEU Technical Manager or

DEU Supervisor will document information about the failure, its cause, and

resolution in the case information narrative when required and/or appropriate.

7.5.13 All failed attempts to create or verify forensic copies will be documented

in the appropriate matrix panel and addressed in the digital evidence examination

report.
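An added example (not the manual's own code, and not an approved tool) of the three-hash check in 7.5.3 through 7.5.10, showing what each kind of mismatch indicates. SHA-256, the raw image format, the function names, and the two simulated failures are assumptions; with an encapsulated format such as .E01 the tool's verification hash covers the contained data rather than the container file.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024
ALGORITHM = "sha256"  # assumption: the manual does not name a hash algorithm


def hash_stream(path):
    """Hash the full content of a file or image, block by block."""
    h = hashlib.new(ALGORITHM)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_raw(source, image):
    """7.5.4: bit-for-bit copy; the source is only ever opened for reading."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())


def forensic_copy(source, image, acquire=acquire_raw):
    """Produce the three values compared in 7.5.10 and classify the outcome."""
    pre = hash_stream(source)    # 7.5.3 pre-examination hash of the ODE item
    acquire(source, image)       # 7.5.4 acquisition
    copy = hash_stream(image)    # 7.5.7 hash of the new forensic copy
    post = hash_stream(source)   # 7.5.8 post-forensic copy hash of the ODE item
    if pre != post:
        result = "SOURCE_CHANGED"   # the ODE item read differently before and after
    elif copy != pre:
        result = "COPY_MISMATCH"    # the item is intact but the copy is not faithful
    else:
        result = "VERIFIED"
    return {"pre": pre, "copy": copy, "post": post, "result": result}


def make_source(size=2 * CHUNK + 4096):
    """Constructed stand-in for an ODE data storage item."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:
        f.write((b"CONSTRUCTED-EVIDENCE-" * (size // 21 + 1))[:size])
    return path


def truncating_acquire(source, image):
    """Constructed failure: the copy loses its last 512 bytes."""
    acquire_raw(source, image)
    with open(image, "r+b") as f:
        f.truncate(os.path.getsize(image) - 512)


def altering_acquire(source, image):
    """Constructed failure: the source is written to after it was copied,
    which is the event write-protection (DETM-5) exists to prevent."""
    acquire_raw(source, image)
    with open(source, "r+b") as f:
        f.write(b"X")


if __name__ == "__main__":
    src = make_source()
    img = src + ".img"
    for how in (acquire_raw, truncating_acquire, altering_acquire):
        print(how.__name__, forensic_copy(src, img, acquire=how)["result"])
    os.remove(src)
    os.remove(img)
```

A copy hash that matches the pre-examination hash is not enough on its own: only the post-copy hash of the ODE item shows whether the item itself stayed unaltered during acquisition.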

7.6 ACQUISITION OF DATA FROM MOBILE DEVICES

7.6.1 Due to the diversity of data storage technologies found in the internal

storage of mobile devices, these items (i.e. smartphones, digital media players,

etc.) cannot be forensically copied using the same methodologies and

procedures as traditional data storage devices (i.e. hard disk drives, flash

memory cards, etc.). The procedures governing the acquisition of data from

mobile devices are provided in DETM-9: Examination and Analysis – Mobile

Devices.

7.6.2 While the mobile devices themselves cannot be forensically copied using

procedures outlined in DETM-7.4 through 7.5, they often contain expandable

storage media such as flash memory cards which may be forensically copied in

accordance with this procedure.

DETM-8: EXAMINATION & ANALYSIS – COMPUTERS AND DATA STORAGE DEVICES

8.1 PURPOSE

The purpose of this protocol is to provide a standardized procedure for the

examination and analysis of computer systems and digital storage devices within DEU

laboratory facilities.

8.2 SCOPE

This procedure applies to the examination and analysis of digitally or

electronically stored data and information which originates from computer systems and

data storage devices submitted to DEU laboratory facilities for examination. Due to the

unique and varied technologies found in mobile devices, the procedure for examination

and analysis of those items is covered in DETM-9: Examination and Analysis of Mobile

Devices.

8.3 EQUIPMENT

8.3.1 Forensic computer system(s).

8.3.2 Forensic hardware and software tools.

8.3.3 Common use hardware and software tools.

8.3.4 Forensic copy of item(s) of ODE.

8.3.5 Digital media storage device(s).

8.4 EXAMINATION OF ITEMS OF ORIGINAL DIGITAL EVIDENCE

8.4.1 Examination and analysis should be conducted on a forensic copy of an

item of ODE whenever possible.

8.4.2 If a forensic copy of an item of ODE cannot be obtained, the ODE item

may be directly examined.

8.4.3 All direct examination and analysis of items of ODE will be conducted

using a write blocking device appropriate for the media item in accordance with

DETM-5: Write Protecting Examination Media.

8.4.4 If direct examination or analysis is conducted on an item of ODE

Evidence, the justification for directly examining the ODE media item will be

documented in the appropriate matrix panel.

8.4.5 If a forensic copy of an item of ODE media cannot be obtained and an

appropriate write blocking device is unavailable (or the ODE media item cannot

be accessed through an appropriate write blocking device), the item may still be

examined, but only with approval from the DEU Supervisor or Technical

Manager. The DEU Supervisor or Technical Manager will review the

examination request and the potential negative consequences of performing

direct examination of the ODE media item without the use of a write blocking

device and may approve direct examination of the item without the use of a write

blocking device.

8.4.6 If the DEU Supervisor or Technical Manager approves the direct

examination or analysis of an item of ODE Evidence without the use of a write

blocking device, the approval and the justification for directly examining the ODE

media item without a write blocking device will be documented in the case

information narrative.

8.5 PREVIEWS

8.5.1 During the course of digital evidence examinations, ODE media items are

often previewed as a means to quickly perform a basic search of the data

storage of a device for the presence of files or data of immediately apparent

evidentiary value. All previews of ODE media items by examiners at DEU

laboratory facilities will be conducted using approved and appropriate common

and/or forensic tools.

8.5.2 Previews will only be conducted on items of evidence which have been

accepted for digital evidence examination.

8.5.3 Previews may be used, when appropriate, to eliminate ODE media items

from the list of items selected for full forensic examination.

8.5.4 Previews of ODE media items will be conducted using an approved write

blocking device appropriate for the media item in accordance with DETM-5:

Write Protecting Examination Media. In the event a preview of an ODE media

item cannot be conducted using a write blocking device, the item may still be

previewed in accordance with DETM-8.

8.5.5 Previews will be documented in accordance with DETM-2: Examination

Documentation.

8.6 FORENSIC EXAMINATION PROCEDURES

8.6.1 If the forensic copies of ODE media items have been copied from one

physical media device or source to another physical media device, the forensic

copies will be verified with an approved forensic software tool prior to the start of

examination or analysis.

8.6.1.1 If the forensic copies have not been copied from the storage

device they were created on during the creation of the forensic copy, no

additional verification is required prior to the start of examination or

analysis.

8.6.1.2 If a forensic copy of an item of ODE media fails verification, the

copy may be re-attempted from the original source device. If the

duplicated forensic copy fails a second verification attempt, the original

forensic copy will be re-verified. If the original forensic copy fails

verification, another forensic copy of the ODE media item will be obtained

in accordance with DETM-7: Forensic Copy Procedures and the failure

will be documented in the appropriate matrix panel.

8.6.2 Prior to the start of examination, the examiner must carefully review the

examination request and perform all subsequent forensic examination within the

specific parameters of the scope of the request. Any examination exceeding the

scope of the request must be coordinated with the requesting agency or official

prior to being conducted.

8.6.3 The examination tools, processes, and methods used to perform forensic

examinations should be selected by the examiner based upon their training,

experience, and current “best practices” of the digital forensic community.

8.6.4 The examiner will conduct the examination utilizing forensic tools

identified in DEQM-6: Approved Examination Tools which are appropriate for the

type of examination(s) requested.

8.6.5 The details of how the examination was conducted will be documented in

accordance with DETM-2: Examination Documentation and in sufficient detail

that another qualified examiner could duplicate all examination processes at a

later date using the same forensic tools.

8.6.6 The examination should be conducted so that the examination results can

be reported in a manner that specifically addresses the examination request. All

examination results will be reported in accordance with DEQM-11: Reporting

Examination Results.

DETM-9: EXAMINATION & ANALYSIS – MOBILE DEVICES

9.1 PURPOSE

The purpose of this protocol is to provide a standardized procedure within DEU

laboratory facilities for the examination and analysis of mobile devices (i.e. cellular

telephones, digital media players, etc.). Mobile Device examination includes the

identification and recovery of electronically stored information which originates from

many different sources found within the data storage of mobile devices.

9.2 SCOPE

This procedure applies to the examination and analysis of digitally or

electronically stored data and information which originates from mobile devices

submitted for examination in DEU laboratory facilities. The procedure for the

independent examination and analysis of removable digital data storage devices

commonly found installed in or used with mobile devices is covered in DETM-8:

Examination and Analysis – Computers & Data Storage Devices.

9.3 EQUIPMENT

9.3.1 Forensic computer system(s).

9.3.2 Forensic hardware and software tools.

9.3.3 Common use hardware and software tools.

9.3.4 ODE mobile device.

9.3.5 Digital media storage device(s).

9.4 MOBILE DEVICE EXAMINATION LIMITATIONS

9.4.1 Examination and analysis is normally conducted on a forensic copy of an

item of ODE whenever possible. Due to the variety and nature of mobile devices

and the methods available to connect to them and acquire their content, it may

not be possible to access mobile devices using write protection. As a result,

procedures outlined in many sections of DEU Technical Procedures may not be

applicable as they pertain to the use of write blocking devices to access items of

ODE.

9.4.2 There is no identified or available method that will acquire or parse all

electronically stored data and information from all mobile devices. Although

mobile device examination tools and equipment are under constant development

and receive frequent updates, these tools may not identify or recover all

electronically stored data and information stored on mobile devices.

9.5 SHIELDING MOBILE DEVICES FROM WIRELESS COMMUNICATIONS

9.5.1 Whenever possible, ODE mobile devices which have the capability to

receive or transmit data wirelessly will be shielded from external electromagnetic

and radio frequency sources during processing and examination to prevent the

wireless transfer of data to and from the device.

9.5.2 Whenever possible, ODE mobile devices will be placed in an

electromagnetic and radio frequency blocking device prior to being powered on

for the first time after the item was received.

9.5.3 Once the ODE mobile device is powered on inside of the electromagnetic

and radio frequency blocking device, the device will be placed in “Airplane Mode”

when available and as soon as is practical. Airplane Mode is a feature

commonly found in most mobile devices that disables the ability of the device to

send or receive data or forms of wireless communication.

9.5.4 If an ODE mobile device is received powered on, the device will be placed

in Airplane Mode as soon as practical.

9.5.5 Once the ODE mobile device has been placed in Airplane Mode, the

device may then be examined without the use of an electromagnetic and radio

frequency blocking device.

9.5.6 An electromagnetic and radio frequency blocking device may not block all

wireless transmissions for every device. Any transmission activity observed

during processing and/or examination will be documented in the appropriate

matrix panel.

9.5.7 Once the above procedure has been implemented to shield the ODE

mobile device from wireless connection(s), the device will then be processed in

accordance with procedure DETM-3.5.2 Mobile Device Processing.

9.6 MOBILE DEVICE EXAMINATION PROCEDURES

9.6.1 All forensic examination and analysis will be conducted using approved

forensic hardware and software tools listed in DEQM-6: Approved Examination

Tools which are appropriate for the type of examination(s) requested.

9.6.2 Prior to the start of examination, the examiner must carefully review the

examination request and perform all subsequent forensic examination within the

specific parameters of the scope of the request. Any examination exceeding the

scope of the request must be coordinated with the requesting agency or official

prior to being conducted.

9.6.3 The examination tools, processes, and methods used to perform forensic

examinations should be selected by the examiner based upon their training,

experience, and current “best practices” of the digital forensic community.

9.6.4 If an ODE mobile device is found to contain removable data storage

devices and/or Subscriber Identity Modules (SIM) cards, those data storage

devices and cards may be examined while installed in the mobile device when

appropriate. The intent is for the examiner, based on training and experience, to

choose the method(s) of examination appropriate for the specific device and the

examination request.

9.6.4.1 If removable data storage devices are removed from the mobile

device and examined independently, when practical or possible they will

be write protected in accordance with DETM-5: Write Protecting

Examination Media and a forensic copy will be obtained of the item in

accordance with DETM-7: Forensic Copy Procedures.

9.6.4.2 Removable data storage devices which are removed from ODE

mobile devices for independent examination outside of the mobile device

may be examined in accordance with DETM-8: Examination and Analysis

– Computers & Data Storage Devices.

9.6.4.3 SIM cards which are removed from ODE mobile devices for

independent examination outside of the mobile device will be examined

utilizing approved forensic tools appropriate for SIM card examination(s).

9.6.5 If necessary, charge the ODE mobile device battery utilizing a method

which does not involve a data connection to a computer or other examination

device.

9.6.6 Select the approved and appropriate tool(s) to be utilized for the extraction

and examination of data from the ODE mobile device. Document the tool(s)

used in accordance with DETM-2: Examination Documentation.

9.6.7 Mobile device examination software tools often provide support for

different types of extractions for each mobile device which vary and are

dependent on the device make and model, the software running or installed, and

the security settings employed on the device. The examiner will, based on

available examination tools, training, experience, and current “best practices” of

the digital forensic community, choose extraction methods which are appropriate

for the extraction of data from the ODE mobile device and the examination

request.

9.6.8 Examination tools may require additional steps in order to extract data

from ODE mobile devices. These steps may include loading a software “agent”

or “client” onto the device, enabling or disabling certain features or functionality,

and other input or selections necessary to successfully gain access to the device.

These steps may be performed as long as they are reversible and performed as

directed by the examination tool.

9.6.9 Extractions of data from mobile devices are normally not exact copies of

the data storage found on the device and cannot be hashed and verified in the

same way or manner as a forensic copy of a hard disk drive or flash media card.

After the extraction(s) have been obtained, the extracted data may be verified if

the tool selected to examine the extraction(s) provides support for verification.

9.6.10 The extraction(s) of data from ODE mobile devices will be examined

utilizing approved tools determined by the examiner to be appropriate for the type

of extraction and the examination request.

9.6.11 The details of how the examination was conducted will be documented in

accordance with DETM-2: Examination Documentation and in sufficient detail

that another qualified examiner could duplicate all examination processes at a

later date using the same examination tools.

9.6.12 The examination should be conducted so that the examination results

and findings can be reported in a manner that specifically addresses the

examination request. The examination results and findings may be reported in a

format deemed appropriate by the examiner. All examination results will be

reported in accordance with DEQM-11: Reporting Examination Results.

9.6.13 Following the completion of mobile device examination, the data storage

devices removed from ODE mobile devices for further or more in-depth

examination separate from the mobile device may be examined in accordance

with DETM-8.

9.7 ADVANCED MOBILE DEVICE EXAMINATIONS

9.7.1 There may be instances when advanced examination techniques may be

required to extract data from a mobile device. Advanced Mobile Device

Examinations involve actual physical alteration of the device to facilitate recovery

of data from the device and may involve processes and/or techniques which are

potentially destructive to the functionality of the device itself or to the data stored

on the device.

9.7.2 Advanced examination processes or techniques which physically alter the

device or are potentially destructive to the device or the data stored on it will only

be conducted with written approval in advance from the District Attorney

prosecuting the case authorizing the physical alteration or destructive process to

facilitate data recovery from the device in accordance with OSBI CSD QP 16.

9.7.3 Advanced Mobile Device Examinations will only be performed for

examination cases assigned Priority Levels 1, 2, and 3 in accordance with

DETM-0: Administrative Procedures.

9.7.4 All Advanced Mobile Device Examinations must be approved in advance

by the OSBI DEU Supervisor or Technical Manager and the approval

documented as a Case Event in the Case Information Narrative section of the

LIMS examination case.

9.7.5 All costs, fees, and expenses pertaining or related to Advanced Mobile

Device Examinations will be paid for by either the requesting agency or the

District Attorney’s Office prosecuting the case. All Advanced Mobile Device

Examinations must be authorized or approved in writing prior to the start of any

advanced examination. The written authorization or approval will be uploaded to

the LIMS examination case documentation.

9.7.6 Device Repairs: In instances when mobile devices are submitted for

examination which are not functioning properly, the device may be repaired in

order to facilitate recovery of data from the device. Repairs may involve or

include removing and replacing internal device parts. Only the repairs required

to make the device functional enough to recover data from or perform an

examination of the data stored on the device will be performed.

9.7.7 Potentially Destructive Examinations and Extractions: Advanced

examination of some mobile devices may require specialized techniques which

require direct access to the internal memory to examine or extract data from the

device. These specialized techniques may or may not require the device to be

disassembled, may result in permanent irreversible damage to the device, or

render the device unusable. Specialized techniques requiring direct access to

the internal memory of mobile devices will only be performed by examiners who

have received documented training in these types of examinations.

9.8 MANUAL REVIEWS OF MOBILE DEVICES

9.8.1 If a mobile device contains or is suspected to contain data and information

which is not acquired through mobile device examination tools and equipment, it

may be obtained through a manual review of the data and information stored on

the device. A manual review is defined as using the device’s display, operating

system, and software to browse or review the data and files stored on the device.

A manual review is normally documented by recording the display of the device

using either photographs or video during the conduct of the manual review.

9.8.2 Examiners at DEU laboratory facilities will not normally perform or conduct

manual reviews of mobile devices except when determined to be appropriate by

the examiner, DEU Supervisor, or DEU Technical Manager due to the increased

risk of the loss or alteration of data on the device during direct interaction with the

data stored on the device.

9.8.3 Manual Review of mobile devices will be conducted as a last resort when

all other acceptable and/or appropriate examination and extraction means and

methods have been attempted and those attempts have failed to extract data

from a mobile device. Manual Review of mobile devices may also be utilized as

a last resort when all other acceptable and/or appropriate examination and

extraction means and methods have been attempted and those attempts have

failed to extract or report data of evidentiary value known to exist on the mobile

device.

9.8.4 Manual Review of mobile devices will be conducted as targeted reviews

for specific data and information and will not be conducted as “blanket” or

comprehensive reviews. When a Manual Review is requested, the requestor

must provide specific search criteria to narrow the target or scope of the Manual

Review.

9.8.5 When examiners at DEU laboratory facilities do perform manual reviews

of mobile devices, the review will be recorded by means deemed appropriate by

the examiner and the manual review will be documented in the case notes in

accordance with DETM-2: Examination Documentation. The photographs or

videos produced during the recording of manual reviews will be reported in a

manner that specifically addresses the examination request, in a format deemed

appropriate by the examiner, and in accordance with DEQM-11: Reporting

Examination Results.

9.8.6 Manual Review of mobile devices will normally be limited to what can be

documented by 100 photographs or 5 minutes of video taken or recorded of the

information or data displayed on the screen of the mobile device. Requests for

Manual Reviews exceeding 100 photographs or 5 minutes of video must be

approved by the DEU Supervisor or DEU Technical Manager and will be

evaluated based on the current laboratory caseload and the details of the

request. The approval will be documented as a Case Event in the Case

Information Narrative section of the LIMS examination case.

9.9 RECOVERY OF ACCESS CREDENTIALS FOR MOBILE DEVICES

9.9.1 Mobile devices secured with a Personal Identification Number (PIN),

passcode, passphrase, or other access credential which must be provided or

entered to enable access to the device represent a significant challenge to

mobile device examinations. In most instances, the access credential is

associated with the decryption of encrypted data stored on the device.

9.9.2 PINs, passcodes, passphrases, or other access credentials will not be

used to disable security on mobile devices if doing so causes the deletion of data

other than data associated only with the access security of the device.

9.9.3 Determination, extraction, or recovery of access credentials may be

possible on certain makes and models of mobile devices, dependent on the

functionality and capability of approved mobile device forensic tools listed in

DEQM-6.2.3 at the time of examination.

9.9.4 Only approved mobile device forensic tools listed in DEQM-6.2.3 will be

used to recover the access credentials for mobile devices submitted in

examination casework.

9.9.5 The recovery of mobile device access credentials is often accomplished

by using a mobile device forensic tool to load a software application known as a

“client” onto the mobile device. Once the client is loaded onto the mobile device,

the recovery process is independently performed on the mobile device itself and

will continue until the access credential is recovered, the client is cancelled or

uninstalled, the device is powered off, or the device no longer has power from a

battery or power source.

9.9.6 The amount of time required to complete the recovery of access

credentials from mobile devices may vary greatly from one device to another.

Generally, the recovery processes fall within the following categories:

Short Term Recovery: Short term recovery processes are generally completed within one week.

Long Term Recovery: Long term recovery processes are generally expected to take longer than one week to complete.

In most cases, the recovery can be determined to be short or long term

based on information provided by the mobile device forensic tool when the recovery

process is initiated.

9.9.7 Based on the facts and circumstances of the examination request, mobile

devices may be returned to the requestor with the device running the client software

and actively running access credential recovery processes as long as the return of the

device does not violate the license agreement of the forensic tool.

9.9.8 When the access credential recovery for a device is determined to be a

long term recovery, the examiner shall:

Notify the requestor that the recovery is a long term recovery and the potential length of time a long term recovery may take.

Determine if the requestor wants to continue the recovery process.

Determine if the requestor wants to pick up the device or leave the device at the DEU (if the requestor wants to continue the recovery process).

Notify the requestor that, if the device is returned to them and they want the DEU to perform the examination, it will have to be resubmitted once the access credential is recovered.

The results of the above coordination with the requestor will be

documented as a case event narrative in the case notes.

9.9.9 Once a mobile device has been determined to be in the process of long

term recovery and the requestor has been notified, a digital evidence

examination report may be produced for the device which, at a minimum,

indicates:

The date the recovery process was initiated.

The mobile device forensic tool used to perform the recovery.

The fact the recovery was an ongoing long term or slow process.

The examiner may delay producing the digital evidence examination report indicating a long term access credential recovery is in progress until after the recovery client has completed attempts of word lists, commonly used codes or phrases, and easily determined access credentials.

9.9.10 If a mobile device is returned to the requestor with access credential recovery in progress, a digital evidence examination report will be written as indicated in DETM-9.9.9.

9.9.11 If the request is for DEU to perform the examination and a digital evidence examination report was produced that indicated a long term recovery was in progress, a separate digital evidence examination report will be issued after the access credential is recovered.

9.9.12 For mobile devices retained by the DEU throughout the recovery process, digital evidence examination reports produced for devices following access credential recovery will list the recovered access credential.

9.9.13 If a mobile device is released to a requestor with the device running client software and actively performing access credential recovery, the examiner will advise how to keep the recovery process going and, if applicable, how to resubmit the device for examination once the access credential is recovered.

DETM-10: RESTORATION OF FORENSIC COPIES DURING EXAMINATIONS

10.1 PURPOSE

The purpose of this protocol is to provide a standardized procedure to be used in

DEU laboratory facilities to restore a forensic copy of an item of ODE to a compatible

data storage device.

10.2 SCOPE

This procedure applies to all instances in DEU laboratory facilities when a

forensic copy is utilized to recreate a copy or clone of the original ODE item on a

different storage device for examination purposes.

10.3 EQUIPMENT

10.3.1 Forensic computer system(s).

10.3.2 Restoration software.

10.3.3 Sterilized target media storage device.

10.3.4 Forensic copy of an item of ODE.

10.4 PREPARATION OF DATA RESTORE MEDIA

All data restore media devices will be wiped and prepared in the same manner

and in accordance with DETM-4.4: Sterilization of Target Data Storage Media.

10.5 CREATION OF DATA RESTORE MEDIA

10.5.1 During the course of digital evidence examinations, it may become

necessary to view the evidence in its native state. In order to accomplish this

without alteration to the ODE, the forensic copy obtained from the ODE can be

restored to a compatible data storage medium. The storage device containing

the restoration can then be examined as though it were the original.

10.5.2 Connect the wiped and prepared data restore media to the forensic

computer system.

10.5.3 Use an approved forensic software tool to restore the forensic copy of the

ODE item to the data restore media. Document the method used in the

appropriate matrix panel.

10.5.4 If applicable, select the option to overwrite any remaining sectors on the

target data restore media with “0”.
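
The restore and zero-fill steps in 10.5.3 and 10.5.4, sketched as an added example (not part of the OSBI manual and not a replacement for an approved tool). It assumes a raw, uncompressed forensic copy, uses ordinary files as stand-ins for the media, and all function names are hypothetical.

```python
import hashlib
import os
import tempfile

SECTOR = 512          # assumed sector size for this illustration
CHUNK = 1024 * 1024   # I/O block size


def media_size(path):
    """Size in bytes; seeking to the end also works for block devices."""
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)


def sha256_range(path, length, offset=0):
    """SHA-256 of `length` bytes of `path`, starting at `offset`."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        f.seek(offset)
        remaining = length
        while remaining > 0:
            buf = f.read(min(CHUNK, remaining))
            if not buf:
                raise OSError("media ended before the expected length")
            h.update(buf)
            remaining -= len(buf)
    return h.hexdigest()


def remainder_is_zero(path, offset):
    """True if every byte from `offset` to the end of the media is 0x00."""
    with open(path, "rb") as f:
        f.seek(offset)
        while True:
            buf = f.read(CHUNK)
            if not buf:
                return True
            if buf.count(0) != len(buf):
                return False


def restore_copy(image_path, target_path, zero_remainder=True):
    """Write a raw forensic copy to the target, optionally zero the rest, verify."""
    image_size = media_size(image_path)
    target_size = media_size(target_path)
    if image_size > target_size:
        raise ValueError("target media is smaller than the forensic copy")
    image_hash = sha256_range(image_path, image_size)
    zeroed = 0
    with open(image_path, "rb") as src, open(target_path, "r+b") as dst:
        while True:
            buf = src.read(CHUNK)
            if not buf:
                break
            dst.write(buf)
        if zero_remainder:
            # Step 10.5.4: overwrite the sectors past the end of the copy.
            left = target_size - image_size
            while left > 0:
                n = min(CHUNK, left)
                dst.write(b"\x00" * n)
                left -= n
                zeroed += n
        dst.flush()
        os.fsync(dst.fileno())
    return {
        "image_sha256": image_hash,
        # Verify only the restored span: the target is usually larger.
        "verified": sha256_range(target_path, image_size) == image_hash,
        "whole_media_matches": sha256_range(target_path, target_size) == image_hash,
        "remainder_zero": remainder_is_zero(target_path, image_size),
        "bytes_restored": image_size,
        "bytes_zeroed": zeroed,
    }


def demo():
    """Constructed data: an 8-sector copy restored to a 16-sector target
    that still holds residue (0xAA), with and without the zero-fill option."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "item1.raw")
        target = os.path.join(d, "restore_media.bin")
        with open(image, "wb") as f:
            f.write(bytes(range(256)) * (8 * SECTOR // 256))
        for zero in (False, True):
            with open(target, "wb") as f:
                f.write(b"\xAA" * (16 * SECTOR))
            results[zero] = restore_copy(image, target, zero_remainder=zero)
    return results


if __name__ == "__main__":
    for zero, result in demo().items():
        print("zero_remainder =", zero, result)
```

The hash of the whole target never matches the forensic copy when the target is larger, so verification has to cover only the restored length, with the tail checked separately.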

DETM DOCUMENT REFERENCES

The following standards and sources guide the requirements included in this

technical manual. If the reference listed does not include a date, the most recent

revision of the referenced document or source applies.

ISO/IEC 17025:2017

ANAB ISO/IEC 17025 – Forensic Science Testing Laboratories Accreditation

Requirements (AR3125)

Scientific Working Group on Digital Evidence (SWGDE) www.swgde.org

National Institute of Standards and Technology (NIST) Computer Forensics

Tool Testing Project www.cftt.nist.gov

OSBI Criminalistics Services Division Quality Manual

DETM-HISTORY: DETM DOCUMENT HISTORY

Revision #   Review Date   Revision History Notes/Description

0 5/27/2016 Original Issue. Original DETM was published with each section as a separate document and each document had a separate document history page.

1 12/01/2017 Updated to revision 1. Combined all DETM REV0 separate section documents into one document with a single history and approval. Revised all sub-sections to further define the purpose and scope to include references to OSBI CSD and DEU laboratory facilities other than the ATTDFL and to all CSD, DEU, and ATTDFL personnel who perform digital evidence examinations. Removed redundant language associated with acronyms. Changed all references from ASCLD/LAB to ANAB Accreditation Requirements.

DETM-0: Section 0.5.3 edited to change “will not” to “are not required” to maintain or review copies of search authorizations. Section 0.5.5 edited to add requirement to document the discovery of additional crimes outside of the scope of search and subsequent coordination with the requestor in the LIMS case information narrative. Section 0.6.6 edited to remove requirement for DEU Supervisor to document the priority and assigned examiner on the examination request form. Section 0.6.7 edited to allow evidence to be received at locations other than ATTDFL and removed requirement for triage to be documented on the request form. Section 0.6.8 original section from Revision 0 (which required assigned examiner to provide the examination request form to the employee(s) responsible for maintaining the ATTDFL evidence room) was removed entirely. Section was replaced with Revision 0 Section 0.6.9. Section 0.6.9 replaced with Revision 0 Section 0.6.10 and edited to allow evidence to be accepted at locations designated by OSBI CSD Administration. Added language to expand administrative exception to include “locations other than those previously approved”. Section 0.8.5 edited to include “or designee” to the approval authority to accept more than ten items of evidence in a request.

DETM-1: Section 1.4.4 edited to change “designated local network storage location” to “designated storage location or method” for location of forensic software tools. Section 1.5.7 edited to change the requirement to baseline forensic computer systems from “once per calendar year” to annually. Section 1.5.9 edited to change the requirement to update the operating systems of forensic computer systems from “every 90 days” to “all updates available at the time the computer was last baselined or when directed by the DEU Technical Manager”.

DETM-2: Section 2.3.3 edited to remove “The chain of custody record will be the source of the case record documentation location for the examination start date”. Section 2.3.4 edited to re-define the examination end date as the date the administrative review was completed and the examination report was approved. Section 2.5.2 edited to remove the requirement to document the tool used to produce examination reports. Section 2.5.4 edited to change “documentation and notes” to “matrix panel”. Sections 2.6.3 and 2.6.4 incorporated into Section 2.6.2 and edited the requirements for documenting and describing how exhibit report media devices are labeled. Section 2.7.2 edited to replace “electronic report” with “examination or exhibit report”.

DETM-3: The entire section was edited to replace generic references to “case notes” with more specific references to “matrix panel” or “case documentation” where appropriate. Section 3.5.2.3 edited to remove requirement to document whether ODE mobile device was listed as a “supported device”. Section 3.5.2.7 edited to remove references to mobile device removable media storage as “sub-items”. Section 3.5.2.8 edited to remove multiple references to mobile device removable media storage as “sub-items”.

DETM-4:

Sections 4.1 and 4.2 edited to further define the purpose and scope to “within OSBI CSD, DEU, and ATTDFL laboratory facilities”.

DETM-5: The entire section was edited to replace generic references to “case notes” with more specific reference to “matrix panel”. Section 5.4.2 edited to replace “forensic imaging” with “forensic copying”. Section 5.5.1.2 edited to replace “software application/ program/utility name” with “Maintenance Identifier” and replaced “case notes” with “matrix panel”. Section 5.5.2 deleted and replaced with Section 5.5.3.

DETM-6: The entire section was edited to replace generic references to “case notes” with more specific reference to “matrix panel”.

DETM-7: The entire section was re-named and edited to remove all references to and use of “image” or “forensic image” and replace those references with “forensic copy” as well as to replace generic references to “case notes” with more specific references to “matrix panel” or “case documentation” where appropriate. Section 7.5.10 edited to remove redundant requirement to document hash verification results. Section 7.5.11 re-written to clarify and simplify procedures to be followed if a forensic copy hash verification fails. Section 7.5.12 added section to require all failed attempts to obtain or verify forensic copies be documented in the appropriate matrix panel.

DETM-8: The entire section was edited to remove all references to and use of “image” or “forensic image” and replace those references with “forensic copy” as well as to replace generic references to “case notes” with more specific references to “matrix panel” or “case information narrative” where appropriate. Section 8.5.1 edited to specify applicability to previews conducted “at OSBI CSD, DEU, and ATTDFL laboratory facilities”.

Section 8.6.8.1 through Section 8.6.8.8 re-written and reduced to Sections 8.6.8.1 through 8.6.8.3 to clarify and simplify procedures to be followed if a forensic copy post-examination verification hash fails and make the procedure consistent with the procedure followed for other hash verification failures.

DETM-9: The entire section was edited to remove all references to and use of “image” or “forensic image” and replace those references with “forensic copy” as well as to replace generic references to “case notes” with more specific reference to “matrix panel”.

DETM-10: The entire section was edited and re-named to remove all references to and use of “image” or “forensic image” and replace those references with “forensic copy” as well as to replace generic references to “case notes” with more specific reference to “matrix panel”.

DETM References: Section added to the end of the manual to list all manual references from each individual document section in one location. Removed references listed at the end of each document section.

2 12/03/2018 Updated to Revision 2. A substantive revision of this manual is in progress and expected to be completed within the first two quarters of calendar year 2019. This revision is pending completion of Revision 6 of the OSBI CSD Quality Manual, which is under revision to ensure compliance with the ISO/IEC 17025:2017 International Standard and the ANAB AR3125 Accreditation Requirements.

03 08/16/2019 Updated document to Revision 03. The entire document was edited to consistently apply document and paragraph formatting and spacing. Throughout the entire document, redundant references to “OSBI CSD”, “DEU”, and the “ATTDFL” were replaced with “DEU” where applicable. Added hyperlink to the document revision number in lower left footer to return to the document index page.

DETM-INDEX: Added hyperlinks to each individual manual sub-section.

DETM-0: Section 0.2 was edited to add “Unless otherwise specified, all references to ‘DEU’ will include and/or apply to all ATTDFL examiners and facilities as well as to all OSBI CSD digital evidence examiners and facilities”.

NOTE: Edits to Sections 0.6.1 through 0.8.5 were to incorporate Deviation dated May 21, 2018 which was implemented to make accommodations for the submission of evidence for digital examination at OSBI CSD regional laboratory facilities other than the ATTDFL.

Section 0.6.1 was edited to remove requirement for requestors to make direct coordination with the DEU supervisor and add the requirement that all questions or requests for clarification related to digital evidence examination requests will be directed to the DEU Supervisor. Section 0.6.3 was re-written to require requestors to provide a completed and current version of the Digital Evidence Examination Request Addendum (OSBI CSD QPA 5.2) prior to the start of any digital evidence examination. Also established the requirement that the Digital Evidence Request Addendum must include the requestor’s signature acknowledging responsibility that the requestor must ensure the examination request does not exceed the scope of the legal search authority already obtained for the items submitted. Section 0.6.4 was deleted in its entirety. Sections 0.6.5 through 0.6.9 were re-numbered to accommodate for the deletion of Section 0.6.4. Section 0.6.6 was re-written to require coordination with the requestor and triage of evidence “when required”. Section 0.6.7 was re-written to allow acceptance of evidence without a completed current version of the Digital Evidence

Request Addendum (QPA 5.2) but require the completed form before any examination work is conducted. Section 0.6.8 was edited to remove redundant language pertaining to case-by-case authorizations of alternative digital evidence acceptance locations. Section 0.7: The entire section was re-written to remove the numerical priority system for prioritization of incoming examination requests and to designate the DEU Supervisor as the individual responsible for prioritizing examination requests based on the information provided by the requestor. Section 0.8.2 was edited to remove the restriction which only allowed triage to be used for items which had not yet been accepted for examination and added the authorization for triage to be conducted by the DEU Supervisor or designee. Sections 0.8.3 through 0.8.5 were deleted in their entirety.

DETM-1: Section 1.2 Corrected “function testing” to read “performance verification testing” in the final sentence. Section 1.4.2 Corrected “corresponding” to read “associated” in the final sentence. Section 1.4.3 was re-written to remove redundant language and to require examiners to obtain installation files for forensic software tools from the approved software storage location maintained by the DEU Technical Manager. Section 1.4.4 was re-written to establish the requirement that only forensic software tools and programs listed in DEQM-6.2.2-6.2.3 may be installed on forensic computer systems and that software designated as “Common Use” and made available by the DEU Technical Manager through the approved common use software storage location may be installed on forensic computer systems. Section 1.4.5 added language to authorize a PIN number to be used as a logon credential for forensic computer systems.

DETM-2: Section 2.5.2 was edited to remove the bullet point “Create, prepare, or produce exhibit reports” from the list of what constituted the use of a forensic examination tool. Section 2.6: The entire section was completely re-written to define DEU Exhibit Reports as items of derivative evidence and to establish the procedure to create and name Exhibit Reports as items of evidence. Also established the requirement to create the evidence item number for the Exhibit Report storage device prior to review and approval of the examination report. Section 2.7.2 was edited to change “examination or exhibit report” to read “examination report or exhibit report”.

DETM-3: Section 3.4.1 was edited to be consistent with OSBI CSD QP 6.1 Section II.f.3.b with respect to the storage of “evidence in the process of examination”. Section 3.4.9 was edited to change “possible or feasible” to “advisable, possible, or feasible”.

DETM-4: Section 4.5.1 was edited to change “will” to “may” …result in irreparable damage to the drive.

DETM-5: Section 5.4.5, which required the use of write protection switches on ODE storage devices (when equipped), was deleted in its entirety. Section 5.4.6 through Section 5.4.10 were renamed to Section 5.4.5 through Section 5.4.9, respectively, to accommodate the deletion of Section 5.4.5.

DETM-6: Section 6.5.5 was edited to remove the requirement to document the method used to access and/or obtain the system settings information.

DETM-7: Section 7.5.5 was edited to require the use of “E01” file formats for creating forensic copies of ODE items whenever practical. Added provisions for the use of other file formats based on training and experience of examiners or by forensic tool manufacturers. Section 7.5.11 through 7.5.12 were edited to require examiners to notify either the DEU Technical Manager or the DEU Supervisor in the event of a failed forensic copy or post forensic copy hash verification failure as well as the documentation requirements pertaining to the failure.

DETM-8: Section 8.3.4 was edited to replace “Original Digital Evidence” with “ODE”. Section 8.6.7 and Section 8.6.8 were deleted in their entirety to remove the requirement to perform a post examination hash verification of all forensic copies.

DETM-9: Section 9.3.4 was edited to replace “Original Digital Evidence” with “ODE”. Section 9.8.4 was removed in its entirety. Section 9.8.5 through 9.8.7 were re-named to Sections 9.8.4 through Section 9.8.6, respectively, to accommodate the deletion of Section 9.8.4. Section 9.9 was added as an entirely new section to incorporate Deviation dated October 5, 2018. This section was added to provide a framework of standard procedures for performing and reporting access credential recovery in mobile device examinations.

DETM-10: Section 10.1 edited to replace “Original Digital Evidence” with “ODE”. Section 10.3.4 edited from “Forensic copy” to read “Forensic copy of an item of ODE”.

DETM DOCUMENT REFERENCES: “ISO/IEC 17025:2005” was edited to read “ISO/IEC 17025:2017” to properly reflect the currently applicable ISO/IEC international standard. “AR3028” was edited to read “AR3125” to properly reflect the currently applicable ANAB Accreditation Requirements document.

DETM-APPROVAL: DETM DOCUMENT APPROVAL

DEU Technical Manager: Donald Rains
Date: August 16, 2019

CSD Division Director: Andrea Fielding
Date: August 16, 2019
