CHAPTER 5: DF-C²M² THE DIGITAL FORENSICS COMPREHENSIVE
5.7 DF-C²M² TOOLS DOMAIN
5.7.2 DF-C²M² – The Body of Knowledge
The DF-C²M² Body of Knowledge is a structured collection of digital forensic-specific processes, standard operating procedures, workflows, forms, and guides. The Body of Knowledge provides the basis for building and implementing the People, Processes, and Tools domains within the DF-C²M², and at the same time it serves as the main DF-C²M² planning, implementing, audit, and assessment toolkit.
The Body of Knowledge was designed as the basis for the assessments conducted as part of the research, and to provide participating digital forensics laboratories with a structured and detailed assessment system and best practices repository covering all three key elements (People, Processes, and Tools) of a digital forensic laboratory. The DF-C²M² Body of Knowledge provides participating organisations with a current and up-to-date compendium related to digital forensics.
In essence, the DF-C²M² Body of Knowledge was designed to provide the steps, planning guides, and template processes and procedures that can be easily adapted and implemented by new, existing, or ISO 17025 accredited digital forensic labs to achieve digital forensics organisational capability maturity and compliance with existing standards and best practices.
5.7.2.1 Body of Knowledge Design Goals
The DF-C²M² and the related DF-C²M² Body of Knowledge’s design goals were to provide:
1. A detailed list of requirements to cater to the majority of requirements for most digital forensic labs (including those in law enforcement).
2. A common model that can be used to assess all digital forensic labs of a similar nature, e.g. law enforcement vs. law enforcement, commercial vs. commercial, etc. and a modular framework that would enable organisations to either:
A. Achieve international accreditation of their digital forensics laboratory and operations (Applicable to new and existing labs).
B. Improve on current systems and processes (Applies to new and existing labs).
C. Create a shared framework and repository of knowledge for participating organisations.
The schematic in Figure 13 depicts the DF-C²M² Body of Knowledge Key Influencers, illustrating that the Body of Knowledge is designed to cater to changes in requirements and be readily updated accordingly.
[Figure 13 schematic, titled "DF-C²M² Body of Knowledge Key Influencers". Labels in the diagram: Inputs; Outputs; Business Drivers; Industry Trends; Local & State Regulatory Requirements; Environment Health and Safety Requirements; Technical Requirements; Training and Proficiency Testing Requirements; Operational Requirements; Quality Management Requirements; ISO/IEC:17025; ASCLD-LAB Supplemental Controls; New & Emerging Standards; Capability Maturity; Technical SOPs; Technical Best Practices; Training SOPs & Best Practices; Proficiency Testing; Organisation SOPs; Capability Maturity Best Practices; Health & Safety SOPs; Operational SOPs; Audit & Planning Tools; Service Catalogue; DF-C²M² Body of Knowledge; Lab Efficiency & Proficiency; Quality Assurance, Accreditation & Assessments.]
Figure 13: DF-C²M² body of knowledge key influencers
Figure 13 illustrates the key influencers that helped to determine which elements are added and/or modified within the Body of Knowledge. Ultimately, for the Body of Knowledge to be practical and relevant in the long term, it would have to take into account three key environmental factors, namely Business Drivers, Standards, and Industry Trends based on practitioner inputs. These three categories of influencers would affect the usefulness and relevance of Body of Knowledge components in its present state and in the future.
Figure 14 illustrates how industry Challenges and Requirements (derived from Influencers in Figure 13) were evaluated for relevance and impact on the People, Processes, and Tools domains.
Figure 14: DF-C²M² components design inter-relationship
Next, these requirements were translated into tangible items that could be used to help determine new requirements or changes to the Six Steps Model, and whether these changes may require revisions to the Service Catalogue (list of services or prerequisites). These requirements were evaluated to determine which categories of Tools (Operational, Quality Assurance, etc.) would be affected and need to be revised in order to accommodate this change.
[Figure 14 diagram. Labels in the diagram: DF-C²M² Body of Knowledge; DF-C²M² Audit, Planning & Assessment Tools; DF-C²M² Audit, Policies, Procedures & Best Practices; Standards and Best Practices; Efficiency & Capability Maturity; Statutory & Legal; Challenges & Requirements; People; Process; Tools; Organisational Domains; Operational Tools; Quality Assurance Tools; Planning & Readiness Tools; DF-C²M² 6 Steps Process Model; DF-C²M² Service Catalogue; Relevance Review Process; Feedback.]
The Body of Knowledge consists primarily of content created to address perceived needs of a digital forensic lab seeking to gain ISO 17025 accreditation, and work towards achieving Capability Maturity. The content was used initially as the basis for the creation of the assessment tool, and the design of the DF-C²M² key elements. The content was updated at various stages during the research based on new findings, improved workflow designs, and feedback from participant labs.
A summary of the key elements and their creation is outlined below in Table 13:
Table 13: BoK key elements and their creation
| BoK Component | Function | Created | Comment |
| --- | --- | --- | --- |
| Technical Workflows | To depict detailed technical processes | | |
| Process Workflows | To illustrate non-technical processes and procedure based on ISO 17025 requirements | | Includes input from assessed lab participants |
| Assessment Tool | Covers all aspects of ISO 17025 with ASCLD-LAB Supplemental requirements, CMM, P-CMM, Skills, Training and overall audit requirements | | Included in evaluation and review with assessed labs |
| Technical and procedural forms | To structure and capture vital records and information for each process | | Included in evaluation and review with assessed labs |
| Training Progression plans and Workflows | Structured, suggested training required per role based on skill/job analysis and training requirements mapping performed | | Includes input from assessed lab participants |
| Competency tests for technical processes | Specific, task oriented competency tests, to test the technical and procedural knowledge of a candidate in accordance with ISO 17025 requirements | | Included in evaluation and review with assessed labs as part of witnessing of tests for skills/job analysis requirements |
| Tools Domain & Technical procedures | Technical workflows covering all technical processes and tool validation requirements. Supplements Process Domain BoK elements related to verification and validation of tools and methods with CMM and ISO 17025 elements included. | | Standard technical processes also included in Process Domain BoK. Includes input from assessed lab participants |
| Process Domain | Collection of Processes related to Quality Management, Lab Operations, Health & Safety, and Technical procedures with CMM and ISO 17025 elements included. | Previously created as part of Lab #1 initial process documentation set, updated | Researcher was previously director responsible for establishment, and creation of LAB#1, including systems, processes and controls. |
| People Domain | Trainings, skills requirements and career development plans, with P-CMM and ISO 17025 elements included | | |
| External best practices | External NIST, NIJ, SWGDE and APCO Best practices referenced throughout where applicable. | No | Referenced |
Additionally, although the core purpose of the Body of Knowledge is to provide tools for each of the three key domains of People, Processes, and Tools, Figure 14 illustrates that the Body of Knowledge tools can be further categorised based on three core functions: Planning Tools, Operational Tools, and Quality Assurance Tools – which is how most practitioners would tend to view digital forensic lab design and operations. The Body of Knowledge Reference Tables for the People, Processes, and Tools domains can be found in Table 14 in Chapter 6.
5.7.2.2 ISO 17025 and 27034 Audits and Assessment Checklists
ISO 17025 readiness and readiness assessment tools were cited as an issue during the research, and to that end, an ISO 17025 audit assessment checklist with ASCLD-LAB supplemental controls was created to assist with the design elements of the DF-C²M² Quality Management components that extend to all three key domains (People, Processes, and Tools).
Additionally, an overall assessment and rating summary was also designed as a management decision support system to help plan and gauge compliance on a regular basis as part of the DF-C²M² assessment tool.
Following a review of the ISO 17025 standards and ASCLD-LAB supplemental requirements, an audit assessment planning sheet was created to assist with the review of lab processes and to help determine areas for improvement and capability maturity levels for each area.
The assessment tool covered the ISO 17025:2005 and ASCLD-LAB supplemental requirements to help laboratories demonstrate proof of compliance and determine their degree of maturity. The ISO 17025 and 27034 assessment tools are included in the DF-C²M² Knowledge Base as both a planning and assessment tool.
5.7.2.3 Body of Knowledge Six Steps Model-specific Outputs
Processes and tools for use within the Six Steps Model provided within the Body of Knowledge include:
DF-C²M² Six Steps Model Process Domain Knowledge Base Outputs:
1. Assessment: The Assessment key element consisted of 18 specific planning and audit questions to help assess the capability maturity and ISO 17025 compliance at each level and an overall maturity level rating for this section.
2. Collection: The Collection key element consisted of 26 specific planning and audit questions to help assess the capability maturity and ISO 17025 compliance at each level and an overall maturity level rating for this section.
3. Examination: The Examination key element consisted of 30 specific planning and audit questions to help assess the capability maturity and ISO 17025 compliance at each level and an overall maturity level rating for this section.
4. Analysis: The Analysis key element consisted of 10 specific planning and audit questions to help assess the capability maturity and ISO 17025 compliance at each level and an overall maturity level rating for this section.
5. Reporting: The Reporting key element consisted of 12 specific planning and audit questions to help assess the capability maturity and ISO 17025 compliance at each level and an overall maturity level rating for this section.
6. Review: The Review key element consisted of 6 specific planning and audit questions to help assess the capability maturity and ISO 17025 compliance at each level and an overall maturity level rating for this section.
5.8 SUMMARY
Collectively, the key elements of People, Processes, and Tools and the key sub-elements were identified as issues through reviews of existing standards and forensic models, in order to establish the design foundation of the Digital Forensics – Comprehensive Capability Maturity Model (DF-C²M²).
The DF-C²M² People, Processes, and Tools elements as defined by the TQM analysis workflow are the critical success factors in enabling an organisation to achieve Digital Forensics Organisational Capability Maturity by combining Process Capability Maturity, People Capability Maturity, and Tools Capability Maturity within a unified standards-focussed modular framework: the DF-C²M².
The main contribution of this research is to create a comprehensive digital forensics capability and maturity model that addresses the gaps and opportunities discussed in Chapter 2 and covers the three organisational domains (People, Processes, and Tools). It does so by integrating and adapting the existing CMM models and incorporating them into digital forensic laboratory standards/best practices to help overcome the barriers and gaps previously identified in Chapter 2.
The DF-C²M² assessment tool has dual purposes in that it lists the DF-C²M² requirements for each of the three core domains, and provides a way to measure compliance with these requirements. CMM and P-CMM were included in the assessment and planning tools, and CMM ratings were included in the overall assessment for each of the three key domains (Processes, People, and Tools).
The DF-C²M² Body of Knowledge (originally designed for the assessments) is a key component of the final deliverable and extracts of the Body of Knowledge have been highlighted in this summary. The DF-C²M² assessment tool forms an integral part of the DF-C²M² framework and Knowledge Base. The Assessment tool is included as part of this research for review and feedback.
This chapter highlights the key elements of the DF-C²M² and considerations used in evaluating currently available standards and in evaluating present strengths, weaknesses, and opportunities to serve as the foundation for a more encompassing digital forensics-specific model, the DF-C²M².