Author

Seamus E. Byrne is an Australian Information Lawyer and Computer Forensics Expert with extensive e-discovery and electronic evidence experience.

In Pursuit of Relevance is the leading e-discovery law blog for the Asia-Pacific.

Tuesday, 23 December 2008

NATA and Electronic Evidence (Computer Forensics) Accreditation

Introduction

The National Association of Testing Authorities, Australia ("NATA") provides laboratory accreditation services based on internationally recognised standards (e.g. ISO/IEC 17025:2005). Within their existing Forensic Science accreditation program, NATA recently issued specific requirements for electronic evidence (computer forensics) accreditation. This brief entry outlines key points of NATA Technical Circular 9 and references related provisions in the Standards Australia HB 171-2003 Guidelines.

NATA and Australian Government Forensic Laboratories

Per the NATA Website:

NATA has now signed Memoranda of Understanding with the Commonwealth Government, and with the governments of ACT, Victoria and Tasmania.

The Commonwealth MOU states that:

  • All Commonwealth laboratories whose principal function is to provide calibration, measurement, testing or related services to either Government or outside agencies will, as appropriate, obtain and maintain accreditation by NATA

NATA Technical Circular 9

5.2 - Personnel

Electronic evidence examiners within the laboratory:

  • should hold a Bachelor qualification, or equivalent, in a field of science;
  • must be competent in the preservation and analysis of electronic evidence;
  • must possess a multi-disciplinary appreciation; and
  • must document and satisfy on-going training and continued competency evaluation requirements.

HB 171-2003

[2.2.6] "Ensure that personnel involved in the design, production, collection, analysis and presentation of evidence have appropriate training, experience and qualifications to fulfil their role(s)."

[3.5.2] "Persons conducting analysis of IT evidence should be suitably qualified for the role they are performing."

"An expert witness must be able to demonstrate the appropriate qualifications and experience to substantiate their claim as an "expert". In Australia, "expert" means a person who has specialized knowledge based on the person’s training, study or experience. There is no requirement for an expert witness to be a “member of a learned society” and Australian Courts generally recognize a Bachelor’s Degree in a relevant field as sufficient qualification, as is five or more years experience in the field (without tertiary education)."

5.3 - Accommodation and environmental conditions

The laboratory:

  • must have documented procedures for the authorisation of access to areas, both physical and electronic, within the laboratory; and
  • must maintain records for time spent in the laboratory by authorised persons.

Further, authorised persons:

  • are expected to meet appropriate security standards; and
  • are expected to be aware of access procedures, and any limitations to their access.

HB 171-2003

  • No direct coverage.

5.4 – Test and calibration methods and method validation

The laboratory:

  • is not required, at this stage, to attach an estimation of uncertainty measurement to non-numeric test results;
  • is encouraged, where possible, to have an understanding of the variability of their results; and
  • may need to consider uncertainty measurements attached to the measurement of time using the system clock.

HB 171-2003

  • [3.5.3] Completeness of evidence
  • [3.2.2] Identifying the author of electronic records
  • [3.2.3] Establishing the authenticity of electronic records
  • [3.2.4] Establishing the time and date a particular computer electronic record was created or altered

Further Reading: Eoghan Casey, 'Error, Uncertainty, and Loss in Digital Evidence' (2002) 1(2), International Journal of Digital Evidence.

5.8 – Handling of test and calibration items

The laboratory:

  • must have a documented evidence control system that appropriately caters for both physical and electronic evidence (including receipt, handling, protection and storage);
  • must have procedures to ensure the integrity of evidence under its control; and
  • must have a secure area for overnight and/or long-term storage of physical and electronic evidence.

HB 171-2003

  • [3.4.2] Contemporaneous notes
  • [3.4.4] Chain of custody
  • [3.2.3] Establishing the authenticity of electronic records

5.9 - Assuring the quality of test and calibration results

The laboratory:

  • must monitor the performance of tests/examinations by using quality control procedures appropriate to the type and frequency of tests/examinations undertaken; and
  • must clearly identify case records that have been reviewed, including reviewer and date of the review.

HB 171-2003

  • [3.2.5] Establishing the reliability of computer programs
  • [3.3.1] Correct operation

Further Reading: NIST Computer Forensic Reference Data Sets ("CFReDS") Project

Equipment calibration intervals

The laboratory:

  • must check write blockers and data acquisition tools for functionality and verify their fitness for use, upon use.

HB 171-2003

  • [3.2.5] Establishing the reliability of computer programs
  • [3.3.1] Correct operation

Further Reading: NIST Computer Forensic Tool Testing ("CFTT") Program
