15-v-001
Disclaimer:
As a condition to the use of this document and the information contained therein, the SWGDE requests notification by e-mail before or contemporaneous to the introduction of this document, or any portion thereof, as a marked exhibit offered for or moved into evidence in any judicial, administrative, legislative or adjudicatory hearing or other proceeding (including discovery proceedings) in the United States or any Foreign country. Such notification shall include: 1) the formal name of the proceeding, including docket number or similar identifier; 2) the name and location of the body conducting the hearing or proceeding; 3) subsequent to the use of this document in a formal proceeding please notify SWGDE as to its use and outcome; 4) the name, mailing address (if available) and contact information of the party offering or moving the document into evidence. Notifications should be sent to secretary@swgde.org.
It is the reader’s responsibility to ensure they have the most current version of this document. It is recommended that previous versions be archived.
Redistribution Policy:
SWGDE grants permission for redistribution and use of all publicly posted documents created by SWGDE, provided that the following conditions are met:
- Redistribution of documents or parts of documents must retain the SWGDE cover page containing the disclaimer.
- Neither the name of SWGDE nor the names of contributors may be used to endorse or promote products derived from its documents.
- Any reference or quote from a SWGDE document must include the version number (or create date) of the document and mention if the document is in a draft status.
Requests for Modification:
SWGDE encourages stakeholder participation in the preparation of documents. Suggestions for modifications are welcome and must be forwarded to the Secretary in writing at secretary@swgde.org. The following information is required as a part of the response:
- Submitter’s name
- Affiliation (agency/organization)
- Address
- Telephone number and email address
- Document title and version number
- Change from (note document section number)
- Change to (provide suggested text where appropriate; comments not including suggested text will not be considered)
- Basis for change
Intellectual Property:
Unauthorized use of the SWGDE logo or documents without written permission from SWGDE is a violation of our intellectual property rights.
Individuals may not misstate or overrepresent duties and responsibilities of SWGDE work. This includes claiming oneself as a contributing member without actively participating in SWGDE meetings; claiming oneself as an officer of SWGDE without serving as such; claiming sole authorship of a document; or using the SWGDE logo on any material or curriculum vitae.
Any mention of specific products within SWGDE documents is for informational purposes only; it does not imply a recommendation or endorsement by SWGDE.
1. Scope:
This document identifies considerations for digital evidence organizations considering telework. This includes criminal, civil and other types of digital forensics work. It does not address classified work. SWGDE does not have a position on teleworking. Feedback and comments are welcome.
2. Background/Purpose:
Prior to the COVID-19 pandemic, most digital evidence and eDiscovery labs did not consider working from home. As a result of the pandemic, some organizations are considering or have moved to full or partial telework. This document outlines key factors to be considered when moving to remote digital evidence analysis generally in a telework environment (i.e., work from home). Note that the Organization of Scientific Committees (OSAC) has also provided guidance to be used in tandem with this document’s considerations entitled “Guidance on Non-routine Offsite Examination of Forensic Digital/Multimedia Evidence.”
The purpose of this document is to address temporary telework such as during the COVID-19 pandemic or other temporary situations such as natural disasters. The considerations in this document are for both accredited and non-accredited organizations. However, both types of organizations must identify existing policies, procedures, regulations, and laws that should be analyzed when considering a telework practice. Those may require adjustments. We recommend that “emergency” or temporary procedures that identify specific adjustments to approved practices be developed rather than drafting completely new documents.
The physical location of personnel providing services depends on the type of telework framework, which may include:
- Relocation of services from the traditional laboratory to homes or other off-site locations (i.e., moving lab equipment)
- Remote secure access from homes or other off-site locations into the laboratory-housed equipment or into corporate network devices
- Using cloud-based infrastructure to support services.
The decision to telework is a lab-based decision based on an assessment of risks, opportunities, and the needs of the organization and customers. This document identifies key considerations in the following areas:
- Policy Process Pathway
- Confidentiality
- Facilities
- Equipment and Software Management
- Data Integrity and Physical Device Management
- Risk Management
This document first addresses each of the areas at a high level, followed by several appendices with more detailed technical information. The last appendix is a checklist.
3. Policy Process Pathway
Identify the current policies, procedures, and practices that may require adjustment, change, or exception. Exceptions infrequently occurring for technical procedures or quality assurance standards may be considered a “deviation” from current policies and procedures. Excepted services for an accredited laboratory may be that which the laboratory identifies as activities not considered outside of scope of accreditation.
The organization needs to review its current procedures and identify those that are impacted by a telework environment and require modification. Some changes may be able to be addressed by documenting an exception while others may require explicit permission. It is possible that the goals of various procedures may be able to be achieved with alternate controls since most were written for activities intended to occur in a controlled environment (i.e., laboratory).
Public (i.e., law enforcement) laboratories may be governed by specific laws that need to be considered to permit such activities as witnessing, which obviously should not occur in a home. Private or corporate laboratories may be governed by regulations for the protection of personally identifiable information or protection of highly sensitive proprietary data requiring encryption or other data protections.
If the organization determines that telework is a viable solution, it is vital to document the decision, the modifications to the procedures, any risk management controls required, and issue written guidance to impacted personnel. Communication and risk acceptance by customers may be necessary and is recommended (investigators, counsel, accrediting bodies, regulatory bodies).
4. Confidentiality
Protect the confidentiality of evidence/data, communications with the customer (e.g., telephone conversations), technical notes, and reports.
Unlike an organization-controlled dedicated facility (i.e., laboratory), telework locations will not likely have the same level of control of persons (e.g., family members) entering the work area. Sensitive data may be displayed on a monitor, while being documented, or where telephone conversations about sensitive matters are occurring. These risks may require analysis on an individual location basis.
5. Facilities
Evaluate the facility for adequate security and environmental controls.
The facility should have the necessary environmental conditions to support forensic equipment and a dedicated area to conduct technical services. This may be challenging given the presence of other people at the telework site. Consider the use of risk mitigation security features (e.g., locks, alarm, video monitoring).
6. Equipment and Software Management
Ensure adequate forensic equipment and software and that adequate IT infrastructure requirements can be met. If there are significant changes to the hardware/software environment, determine if performance checks are required based on current or modified SOPs.
Consider requirements for authentication onto computers used to conduct casework using a unique username and password or, preferably, two-factor authentication or a biometric.
7. Data Integrity and Physical Device Management
Ensure that data integrity and chain of custody are maintained and that IT infrastructure is secure. Procedures are also needed to address the sanitizing of physical devices. Implement procedures for maintaining data integrity, physical device protection, and secure transmission of results.
Consider requirements for data encryption for data stored in the home and during data transmission.
8. Risk Management
Each organization must balance the risks of teleworking against the needs of personnel, stakeholders, and the recommended changes in standard operating procedures.
While a telework policy introduces risks to policies and procedures implemented in “normal” conditions, it may offer opportunities for process improvements and alternative practices that can establish organization resilience when confronted by future unknown events that impact traditional laboratory operations.
For accredited labs, COVID-19 can be categorized as a dynamic risk. It requires an organization to respond to meet the goals of the organization and meet customer expectations as best possible in a changing environment. The response can range from something as extreme as discontinuing operations to adapting in order to maintain normal operations. However, organizations themselves are dynamic. Thus, there is no “one size fits all” approach to identifying and managing risks.
Appendix A: Data Integrity and Physical Device Management Specific Considerations
Keeping track of evidence/datasets may be complicated by telework. This appendix addresses differences in the collection of both physical and digital material and the movement of data between locations.
- Submittal of Physical Evidence/Material
  - Physical devices may contain biological or chemical contaminants and should be sanitized.
  - If you are working with mobile phones or many IOT devices, they may attach to your home Wi-Fi or to local services and reveal your location. It is possible the person who seized the device was not able to or did not correctly place the device in full airplane mode.
  - A solution to these problems is to continue to acquire the device at the lab and perform the analysis remotely. It may be possible for labs to share digital acquisition resources.
  - The chain of custody must be maintained. Examiners should be given material to handle the physical tracking of the device including evidence bags, tape, and a method to document how the device was received and when it was moved to another location.
- Collection of Images/Data from External Sources
  - Sources include cloud-based solutions such as Google Drive (Takeout), O365, iCloud, Dropbox, or other social media account collections.
  - Image files accessed via a remote computer or downloaded from a laboratory secure solution will still require the safeguards of image integrity that are used onsite in the laboratory such as hashing prior to examination.
  - If downloading data to work locally, the forensic machine must also have the same safeguards as laboratory workstations and laboratory equipment.
  - It is possible that the remote sources may introduce malware to the local machine, infect it, and then go over the VPN connection back to the lab. There are situations when active malware scanning is incompatible with forensic analysis techniques. In those cases, consideration should be made for requiring malware scanning be done before connecting back to the lab.
  - Use sterilized media and a file organization structure (e.g., create a case folder for all materials for the case, create a folder for each evidence item within the case folder, etc.) when downloading data to ensure no cross-contamination between cases or evidence and images.
  - When accessing data to work locally or even with some VPN applications, be cognizant of the TEMP folders or cached folders on the local machine which could contain artifacts of the examination. This is especially notable when dealing with sensitive data or contraband material.
- Transferring Evidence between Locations.
  - If digital examiners are teleworking, there will be a need to transfer evidence and analysis products between the examiner’s home, the lab, and to other users of the reports. There are two major choices – internet-based and physical transfer – as well as several options within those choices.
  - Encryption. In general, if evidence is being transferred by any means, it must be encrypted while in transit. This applies to internet-based and physical transfers. Labs should consider using AES for encryption. The password to access files must be hard to guess. Digital examiners are used to hashing evidence to ensure that evidence has not been altered. There is no need to stop hashing, but the ability to decrypt a file is also an integrity check.
  - Internet-based. Many organizations have VPNs which set up encrypted secure channels between the remote location and the lab. There are also secure file transfer services available. The use of services which do not natively provide encryption is discouraged because it is very easy for people to accidentally send information in the clear.
  - Physical transfer. Data can be placed, encrypted, on hard drives or other media and mailed or driven between locations. If the information is mailed, it is recommended to use services with tracking information and require an adult signature at the recipient address.
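
The hashing safeguard and the case-folder layout described in this appendix can be combined into one check that runs when a transfer arrives and before examination begins. The following Python code is an added example, not part of the SWGDE document: the sending side records a SHA-256 manifest for a case folder, and the receiving side classifies every file as verified, altered, missing, or unexpected. The case name, item folder names, file contents, and manifest file name are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB blocks so large images never sit in memory


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(case_dir: Path) -> dict:
    """Sending side: map every file's case-relative path to its SHA-256."""
    return {
        p.relative_to(case_dir).as_posix(): sha256_file(p)
        for p in sorted(case_dir.rglob("*"))
        if p.is_file()
    }


def verify_manifest(case_dir: Path, manifest: dict) -> dict:
    """Receiving side: classify every file before any examination starts."""
    got = build_manifest(case_dir)
    return {
        "verified": sorted(k for k in manifest if got.get(k) == manifest[k]),
        "altered": sorted(k for k in manifest if k in got and got[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in got),
        # Files not listed by the sender may be cross-contamination from another case.
        "unexpected": sorted(k for k in got if k not in manifest),
    }


def demo() -> dict:
    """Constructed data: a case folder holding one folder per evidence item."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        lab_case = root / "lab" / "CASE-0001"  # hypothetical case name
        for item in ("item-01", "item-02", "item-03"):
            (lab_case / item).mkdir(parents=True)
            (lab_case / item / "disk.img").write_bytes(f"image of {item}".encode())

        # The manifest is stored outside the case folder and sent separately.
        manifest_file = root / "CASE-0001.manifest.json"
        manifest_file.write_text(json.dumps(build_manifest(lab_case), indent=2))

        # Simulate the transfer, then damage the received copy in three ways.
        home_case = root / "home" / "CASE-0001"
        shutil.copytree(lab_case, home_case)
        (home_case / "item-02" / "disk.img").write_bytes(b"image of item-0X")
        (home_case / "item-03" / "disk.img").unlink()
        (home_case / "item-01" / "leftover.tmp").write_bytes(b"stray file")

        return verify_manifest(home_case, json.loads(manifest_file.read_text()))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any entry outside the `verified` list is a reason to stop and document the discrepancy in the technical record before the data is opened in a forensic tool.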
Appendix B: Facility Considerations - Home Safety and Security
For telework, key considerations revolve around home safety and security.
- A home office which can be separated from other members of the household. Other household members should not be able to see any case material or overhear discussions about the case. If material could include contraband, the home office must be able to be secured so household members are not accidentally exposed to the contraband.
- Ability to secure items while not in use either through encryption or physical locks. In general, if physical locks are used, the keys must not be shared with other family members, friends, or building management. For example, an apartment door lock is insufficient, as is a safe shared by family.
- Backups. Examiners may be used to having work backed up as part of lab systems. Especially if work is being performed locally, provide equipment and procedures to make backups.
- Home network security. Work should not be performed using a public or unsecured WiFi network. If using a private WiFi network, consider using WPA2-PSK AES or higher.
  - WEP, WPA, or TKIP standards are considered less secure.
  - Good security practice is to keep WiFi firmware updated.
Appendix C: Equipment and Software Management
Key considerations for equipment being used at home include:
- Access to Tools. There are three basic teleworking approaches. These can be used in combination.
  - Move lab to house. In this scenario, material from the lab is moved to a person’s residence. This would normally involve a forensic workstation but also write blockers and software licenses and dongles. Shared resources will now not be accessible by all examiners. This is generally the least efficient method, but it is the easiest to make happen immediately.
  - Remote in. In this scenario, people log into lab-based resources. This requires a significant understanding of internet security in order to make the connection secure.
  - Cloud-based/Platform independent. Many digital evidence labs are moving to cloud-based processing. Once again, security is critical. There is a significant amount of overhead setting up these services.
- Dedicated Equipment. For criminal work, forensic equipment should be owned and managed by the lab. The equipment should not be used for other purposes. Note that personal equipment which has been used could be subject to public records laws and/or discovery rules.
- Bandwidth. Depending on the telework strategy, home networks may need to have large bandwidth. Moving material via the network will require bandwidth. Remote from home and cloud-based approaches may need less bandwidth.
- Access to Policies, Procedures, and Records: Labs should provide access to the most current policies, procedures, and records while working remotely to include modified policies for telework, standard operating procedures, and documentation used in the laboratory (e.g., performance check procedures for equipment, management documents or user guides).
- Technical Records: Personnel working in a telework capacity must be able to document the work they are doing in a way that is in compliance with their applicable policies.
- Reviews/discussion
  - Organizations may leverage available remote capabilities to facilitate the review of derivative evidence and technical records by a qualified examiner.
  - If organizational policy cannot be modified to enable a fully electronic, internet-based technical review process, review of physical work product and/or technical records may be conducted in accordance with the recommendations outlined in Appendix A Section C on transferring evidence between locations.
- Ensure work is in compliance with current organizational requirements, including modifications.
Appendix D: Risk and General Considerations
- Risk management considerations:
  - What are the intended results of risks and opportunities in an emergency environment?
  - What are the purpose and objectives of the emergency policy?
  - How can the policy prevent or reduce undesired impacts and potential failures?
  - What improvements can be gained from the policy and how to continually evaluate the policy for improved operations?
- Communication considerations:
  - Who has authority to authorize implementation of the policy?
  - Which stakeholders should be consulted?
  - Who is responsible for identifying risks or opportunities?
  - How is the root cause or source of the risk identified?
  - What is the impact of the risk event on the laboratory should the event be realized?
- Plan of action – risk and opportunities strategy considerations:
  - What models or tools will be used to identify risks (e.g., brainstorming, SWOT, checklists, cause and effect diagrams, surveys)?
  - Who is responsible for monitoring or taking ownership of risk factors?
  - Are there processes in place for risk mitigation?
Appendix E: Checklist
| POLICIES |
| Are there existing organization policies for telework? Can those be applied? |
| How will personnel access current policies including those recently modified? |
| How will personnel document technical processes? |
| How will technical reviews and quality reviews be conducted and documented? |
| How will nonconforming work be remediated? |
| CONFIDENTIALITY |
| How will casework data be protected from view by other occupants of the location? |
| How will oral communications about a case be protected from other occupants of the location? |
| Is the customer aware that teleworking has confidentiality risks and has the customer accepted those risks? |
| FACILITY CONSIDERATIONS |
| Are the environmental conditions of the telework site suitable (e.g., HVAC, power, internet)? |
| Is there sufficient security to ensure the integrity of the data or physical devices? |
| How will casework be protected from view by other occupants of the location? |
| Does the facility have an alarm system and video monitoring? |
| Are there physical security provisions for physical devices or created items (e.g., images on HDD)? |
| If working solely on a local forensic workstation, are data backup provisions required? |
| Is the Wi-Fi secure to a level that may be required by policy, regulations (i.e., banking), or law? |
| EQUIPMENT AND SOFTWARE MANAGEMENT |
| How will equipment and software be maintained with current firmware and software versions? |
| If new equipment is delivered to the telework location, how will performance verification be conducted? |
| If software dongles or licenses are limited, how will they be shared among technical personnel? |
| Are personnel familiar with secure remote access methods for the laboratory or cloud services? |
| Is there sufficient bandwidth to support remote access methods? |
| Will relocated forensic equipment have secure access controls? |
| Is there a policy that prohibits forensic equipment from being used for personal use? |
| DATA INTEGRITY AND PHYSICAL DEVICE MANAGEMENT SPECIFIC CONSIDERATIONS |
| How will the chain of custody record reflect the location for work being conducted at “home?” |
| What will be the sealing method requirements if the telework environment lacks necessary sealing equipment and supplies? |
| How will physical devices be delivered to telework locations? |
| What precautions are necessary to neutralize potential biological hazards? |
| How are mobile or IOT devices prevented from connecting to unintended Wi-Fi networks? |
| Can original devices be imaged at the lab for remote telework analysis? |
| If yes, how will those images be accessed remotely? Can they be delivered via employees or common carrier? |
| How will network collections be conducted (O365, Google, Dropbox, private corporate networks)? |
| Are there requirements for data encryption for data at rest or during transmission? |
| How will malware scanning be conducted, if applicable? |
| How will cases be organized on a local forensic workstation to prevent cross-contamination of data? |
| Will personal equipment be used for forensic work? |
| If yes, what procedures will be in place for application configuration control, system security, secure deletion of temporary or cached data? |
| Should data being transferred either via electronic means or physical devices, including data output for the customer, be encrypted? |
| If physical devices are sent via common courier, how will those services be documented and transactions (i.e., delivery) tracked? Should adult signatures be required? |
| Will VPNs or secure file transfer services be needed? |
| If yes, do these services automatically encrypt the data to prevent an unintended delivery of open data protected by regulations or laws, or that is considered contraband? |
| RISK ANALYSIS, MANAGEMENT, AND MONITORING |
| What are the risks for a telework environment, many of which may be identified in Appendices A – D? |
| What is the purpose of the emergency telework policy? Is it intended for future emergencies? |
| Are there opportunities for improvements to be gained from an emergency policy and how will the organization evaluate and implement those opportunities? |
| Have stakeholders accepted the risks identified for telework? |
| Who in the organization is responsible for identifying, documenting, assigning responsibility, and monitoring risks or opportunities? |
| What methods will be used to identify risks (e.g., brainstorming, surveys, SWOT analysis)? |
| When a risk event is realized, how will the root cause be identified and who will be responsible for evaluating the risk impact and any remediation? |
Version: 1.0 (June 4, 2020)