
SEMINAR TWO

MTEB UK SEMINARS 2016


Mobile Phone Forensics
QA and Lab Accreditation in
the Public & Private Sector
Greg Smith
26th September 2016
MTEB Seminars are presented by Greg Smith trewmte.
Greg has a long-standing connection to the field, with over 30 years' experience ranging from dealing with telecoms
manufacturers and devices placed onto the market to mobile and digital evidence.

He has worked in the UK and overseas, specifically as a consultant, previously in the areas of
telecommunications type approval, which involved working with BS5750/ISO9001-4 for production,
testing and calibration of test equipment and testing of telecom apparatus, including cordless, analogue
and digital mobile phones, and consulting on the BABT (British Approval Board for Telecommunications) quality
and audit guide BABT340.

He produced and delivered the first mobile telephone, SIM card and cell site analysis courses in the UK for
law enforcement, run through the institute ICAF, now part of the British Computer Society.

He assists organisations in relation to evidence, examination, cell site analysis and Internal Assessments
to assist preparation of a quality management system prior to pre-assessment for accreditation.

He provides mentoring and help on digital forensics to BSc, MSc and PhD candidate students.

Greg founded the Mobile Telephone Examination Board, a not-for-profit organisation focused on mobile
phone evidence, and the Institute for Digital Forensics and ./FCORD. He can be contacted at
trewmte@gmail.com or visit http://trewmte.blogspot.co.uk/.
Seminar Topics
SEMINAR ONE
• Why the FSR and ‘Codes of Practice and Conduct’
• Why ISO/IEC 17025 and the standard’s architecture
• Accreditation
SEMINAR TWO
• Laboratory testing facilities
• Codes/Standards/Guidance
• Device and technical standards
• QA difficulties/challenges
SEMINAR THREE
• Forensic and investigatory tools
• SOPs (standard operating procedures)
• Statutory laws, provisions and cases
• Anything else to be covered?
Seminar Topics
Seminar One was a useful exercise, as feedback identified that what people require is more
ideas, hints and tips that aid understanding: to assist newcomers to the field of
mobile forensics, existing organisations thinking of going down the accreditation route,
and those already in the process of laboratory preparation.

The subject matter for Seminar Two will look at the following:

SEMINAR TWO
• Laboratory testing facilities
• Codes/Standards/Guidance
• Device and technical standards
• QA difficulties/challenges

But first a recap from Seminar One.


QA and Laboratory Accreditation. Previously, the lab criteria applied to mobile phone forensic
testing were applied at random:

- various industry standards


- public and private approach to best practice
- guidelines/training courses
- Some certified ISO9001, some sought UKAS accreditation.

With the introduction of a UK Forensic Science Regulator (FSR), there are now mandated
‘Codes of Practice and Conduct’, standards and accreditation applicable to mobile phone
forensic evidence:

- ISO/IEC 17025 e.g. requirements for the competence to carry out tests and calibrations...
- ISO/IEC 17020 e.g. scene of crime and in the field activity
- UKAS Accreditation

The FSR’s strategy moves the goalposts away from simply applying industry best practice
and random approaches to a common purpose – provision of forensic science across the
criminal justice system is "subject to an appropriate regime of scientific quality standards".
That common purpose approach has been developing for approximately 6 years, but only
in the last several years has ISO/IEC 17025:2005 really started to make its mark, and the
first accreditation to the requirements of the Forensic Science Regulator’s ‘Codes of Practice and
Conduct’ was in 2014.

- still early days for the public and private sectors


- very small number of organisations accredited for mobile phone forensic evidence
- it could be said we are all pioneers to new endeavours
- common purpose does not dilute ‘speciality’ distinguishing one organisation from another
- FSR deadlines for public sector forensic science overall 2017-2020
- e.g. Law enforcement mobile phone forensic test laboratory accreditation by Oct 2017
- Lead times of 18-months to implement suggests 2017 deadline could be missed
- ‘devil in the detail’ causing much more work than at first thought

There is increased demand for practical solutions and helpful insights that may assist in
preparing for accreditation.
Seminar Topics

• Laboratory testing facilities


Laboratory testing facilities
As this presentation concerns mobile phones, it is not difficult to see that a private organisation
could hold a contract to independently run quality tests on mobile phones being placed on the
market – e.g. the recent Samsung Note (http://www.dailymail.co.uk/news/article-3770185/Samsung-
considering-global-recall-Galaxy-Note-7-smartphone-battery-fire.html).

A local authority might need to test counterfeit smart phones. Alternatively, malware (illegal) or
beneficial blockers (contract dispute) may have been distributed onto handsets via website or
network access, and evidence is needed to hand to the police, to enforce some
sort of cessation (cease and desist) order, or for civil proceedings.

As highlighted above, accreditation is not limited to forensic science. Any public or private
organisation can undertake the accreditation process for the provision of test/calibration services to
others.

Organisations that run testing and calibration have a choice of laboratory types for
accreditation.
Laboratory testing facilities – types of laboratory
The lists below are not exhaustive but are referred to by Accreditation Bodies.

Main Laboratory: A laboratory (organisation) that maintains a single location only.

Permanent Laboratory: A laboratory erected on a fixed location. This is the laboratory
location (address) denoted on the scope of accreditation.

Branch Laboratory [multi-location system]: A laboratory system that consists of two or more
laboratories owned and operated by the same organisation, utilising the same management
system and managed by a Corporate Representative.

Satellite Laboratory: A physically separate laboratory (from the main laboratory) that is
allowed to place their testing or calibration capabilities on the main laboratory’s scope (with a
footnote to reference their location) as long as the satellite laboratory is:

Laboratory testing facilities – types of laboratory

Field: Any location where testing or calibration takes place as defined in Field Testing/Calibration.
Performed by staff of a laboratory or organisation outside of the premises or grounds on which the
permanent laboratory or the organisation’s permanent base or headquarters is located. Example
categories can be:
- Field tests or calibrations performed by staff sent out in the field by an accredited,
permanent laboratory. This includes in-situ testing.
- Field tests or calibrations performed in the field by organisations that do not have a
permanent laboratory.

Field Laboratory: A testing or calibration laboratory facility set up in a dedicated location or at
a customer’s premises.

Mobile Laboratory: Fully equipped, self-contained, transportable testing or calibration
laboratory capable of performing tests or calibrations under controlled environmental conditions.
These are the various testing and calibration laboratory types, whether sited in main, permanent
or branch buildings, at satellite locations, or in the field of testing and calibration, such as
at a customer location, a kiosk or tool-bag operation, or tailor-made mobile
examination transport.
Seminar Topics

• Codes/Standards/Guidance
Codes/Standards/Guidance
• The_FSR_Codes_of_Practice_and_Conduct_-_v2_August_2014.pdf (superseded)
• 2016_2_11_-_The_Codes_of_Practice_and_Conduct_-_Issue_3.pdf (current)
• ISO/IEC 17020:2012 Conformity assessment -- Requirements for the operation of
various types of bodies performing inspection
• ISO/IEC 17025:2005 General requirements for the competence of testing and
calibration laboratories
• Modules in Forensic Science Process ILAC G19:08/2014/ILAC-P15:06/2014 etc.

The above are referred to by or recorded in:


- House of Commons Science and Technology Committee
- Forensic Science Regulator
- UKAS/Standards Bodies/Forensic Science Organisations
- Conferences/Seminars, presentations, books, magazine articles and web-discussions etc.

However, there are other standards and guidance that provide support to underpin processes
and procedures and/or may be technology-specific.
Codes/Standards/Guidance – Conformity Assessment & Guides
ISO/IEC 17000:2004 Vocabulary and general principles.
ISO/IEC 17001:2005 Impartiality - Principles and requirements
ISO/IEC 17002:2004 Confidentiality - Principles and requirements
ISO/IEC 17003:2004 Complaints and appeals - Principles and requirements
ISO/IEC 17004:2005 Disclosure of information - Principles and requirements
ISO/IEC 17007:2009 Guidance for drafting normative documents suitable for use for conformity assessment
ISO/IEC 17011:2004 General requirements for accreditation bodies accrediting conformity assessment bodies
ISO/IEC 17021:2011 Requirements for bodies providing audit and certification of management systems
ISO/IEC 17020:2012 Conformity assessment -- Requirements for the operation of various types of bodies
performing inspection
ISO/IEC 17025:2005 General requirements for the competence of testing and calibration laboratories
ISO/IEC 17030:2003 General requirements for third-party marks of conformity
ISO/IEC 17040:2005 General requirements for peer assessment of conformity assessment bodies and
accreditation bodies
ISO/IEC 17050-1:2007 Supplier's declaration of conformity - Part 1: General requirements
ISO/IEC 17050-2:2004 Supplier's declaration of conformity - Part 2: Supporting documentation
ISO/IEC 17065:2012 Conformity assessment -- Requirements for bodies certifying products, processes and
services
ISO/IEC 17067:2013 Conformity assessment -- Fundamentals of product certification and guidelines for
product certification schemes
ISO/IEC Guide 23 Methods of indicating conformity with Standards for third Party certification Systems
ISO/IEC Guide 28 Conformity assessment - Guidance on a third-party certification system for products
ISO/IEC Guide 60 Conformity assessment - Code of good practice
ISO/IEC Guide 65 General requirements for bodies operating product certification schemes
[Revised by ISO/IEC 17065:2012]
ISO/IEC Guide 67 Conformity assessment – fundamentals of product certification [Revised by
ISO/IEC 17067:2013]
ISO/IEC Guide 68 Arrangements for the recognition and acceptance of conformity assessment results
Codes/Standards/Guidance
A useful flow diagram has been created by the International Standards Organisation to show
how ISO/IEC 17000 standards work together, published in ISO Focus+ Volume 3, No. 9, October
2012, ISSN 2226-1095 under Introducing the ISO/CASCO.
Codes/Standards/Guidance – Additional Quality Assurance
ISO 9000:2015 - covers the basic concepts and language
ISO 9001:2015 - sets out the requirements of a quality management system
ISO 9002:1994 - Quality systems -- Model for quality assurance in production, installation and
servicing
ISO 9004:2009 - focuses on how to make a quality management system more efficient and
effective
ISO 19011:2011 - sets out guidance on internal and external audits of quality management
systems.
Additional Standards/guidance
BS 10008:2014, Evidential weight and legal admissibility of electronic information –
Specification.
BS ISO/IEC 27001:2013 Information technology – Security techniques – Information security
management systems – Requirements
BS ISO/IEC 27002:2013, Information technology – Security techniques – Code of practice for
information security management.
ISO/IEC 27042: 2015. Information Technology - Security Techniques - Guidelines for the Analysis
and Interpretation of Digital Evidence.
ISO/IEC 27037: 2012. Information Technology - Security Techniques - Guidelines for
Identification, Collection, Acquisition and Preservation of Digital Evidence.
Codes/Standards/Guidance

Historical Snapshot ISO 9000 and ISO/IEC 17025

Turning to ISO 9000 and ISO/IEC 17025. Management requirements as set out in the first
edition of ISO/IEC 17025:1999 referred to ISO 9001:1994 and ISO 9002:1994.

The latter standards have been superseded by ISO 9001:2000, which required ISO/IEC 17025 to
make necessary updates to the first edition. In the second edition of ISO/IEC 17025:2005
particular clauses were amended or added only when considered necessary given the changes
in ISO 9001:2000. Testing and calibration laboratories that comply with ISO/IEC 17025:2005 will
therefore also operate in accordance with ISO 9001.

It is apposite to note that ISO 9001:2000 and ISO/IEC 17025:2005 walk hand-in-hand. Thus an ISO/IEC
17025:2005 accredited laboratory need not require a separate approval under ISO 9001:2000.

Of importance to the quality manager and other responsible persons involved at the
management level in the ISO/IEC 17025:2005 QA delivery chain is the question: under which
provisions does ISO 9001:2000 coexist?
Codes/Standards/Guidance
Historical Snapshot ISO 9000 and ISO/IEC 17025
Dr Ludwig Huber, Chief Advisor for Global FDA and ISO/IEC 17025 Compliance – Agilent
Technologies, states in ‘Understanding and Implementing ISO/IEC 17025’
“Accreditation bodies that recognize the competence of testing and calibration laboratories use
ISO/IEC 17025 as the basis for their accreditation. ISO/IEC 17025 is divided into five clauses,
two annexes, and one bibliography section:
• Clause 1: Scope
The standard covers the technical activities of a laboratory as well as the management and
organizational aspects to perform the technical activities in a competent way.
• Clause 2: Normative References
• Clause 3: Terms and Definitions
• Clause 4: Management Requirements
Most of the requirements are similar to those specified in the ISO Standard 9001:2000.
• Clause 5: Technical Requirements
Most of the requirements come from the ISO Guide 25.
• Annex A: Cross References to ISO 9001:2000
• Annex B: Guidelines for Establishing Applications for Specific Fields
• Bibliography
The most important clauses are clause 4 and 5, describing management and technical
requirements. In addition to official requirements, these clauses also include notes with further
explanations and recommendations.”
Codes/Standards/Guidance
Quality Managers and other persons who have a responsibility for QA management in the
organisation will find that changes to important Codes/Standards/Guidance that impact the
management system occur fairly regularly. Having a system in place to ‘remind to monitor’, i.e. to
check whether changes have taken place, is a good idea; solutions on a computer or a smart
phone such as ‘calendar’ and ‘alarm/reminders’ can help you do this.

A change was shown in an earlier slide:


ISO 9000:2015 - covers the basic concepts and language
ISO 9001:2015 - sets out the requirements of a quality management system

1) Is the accredited laboratory responsible to automatically update the management system
ISO/IEC 17025:2005 with any updates/changes prescribed in ISO 9001:2015?
2) Is it the responsibility of the FSR or Accrediting Body (AB) to inform the laboratory of necessary
updates/changes to ISO/IEC 17025:2005?
3) What impact would the updates/changes to ISO 9001:2015 have, if any, on the existing
management system, and would it amount to non-compliance to remain with the older ISO
9001:2000 or non-compliance to start including any changes set out in the later ISO 9001:2015?

These questions have been left unanswered so that those reading this seminar presentation can
investigate straightforward queries like these to build confidence in operating the management
system, e.g. that the problems are not insurmountable.
Seminar Topics

• Device and technical standards



It is said a picture can speak a thousand words. Mobile phone forensic practitioners are exposed on a daily
basis to highly-sophisticated devices containing enabled multiple radio-technologies, supported by a variety
of microcomputer processors and with extra large memory capacity. Photo courtesy www.at4wireless.com/
Device and technical standards
If there is ever a case for an essential requirement to be clearly and unequivocally
stated, in my view, it should be this one:

Neither the Forensic Science Regulator, the FSR ‘Codes of Practice and Conduct’,
ISO/IEC 17025/17020 nor accreditation can stop or prevent mistakes or technical
errors from ever occurring. They exist, as stated earlier, so that the ‘provision of
forensic science across the criminal justice system is "subject to an appropriate
regime of scientific quality standards".’

When all is said and done, the mobile phone forensic examiner conducting testing
and calibration will need competence (skill and experience), backed up by
plenty of support (knowledge) and training from the organisation.
Device and technical standards
Support in the form of access to reference materials should be included with Laboratory Quality
SOPs (standard operating procedures), and that same provision of support should not be overlooked for
Device Examination SOPs. Section 5 of ISO/IEC 17025:2005 deals with Technical requirements and in
particular section 5.4.1: “…All instructions, standards, manuals and reference data relevant to the work
of the laboratory shall be kept up to date and shall be made readily available to personnel (see 4.3).” As
device and technical standards contain important information that can assist testing, it is sensible to
ensure examiners are kept up-to-date.
Device and technical standards
Examiners need access to and to be kept up-to-date with relevant transmission
technology and testing standards.
Device and technical standards
That case should be extended to access standards from the European
Telecommunications Standards Institute for standards relevant to Europe.
Device and technical standards
The same approach applies to accessing internationally adopted testing standards
Device and technical standards
Given the wide range of mobile handsets on the market, access to manufacturer
names etc. is essential.
Device and technical standards
It is inescapable, and thus unavoidable, that examiners keep up-to-date with software and operating systems
when testing, for as the courts are aware “hardware can do little more without it”; Saphena
Computing Ltd -v- Allied Collection Agencies Ltd [1995] FSR 616 CA.
Device and technical standards
Examiners should also keep up-to-date with known device websites, blogs, forums and
other sites, and where information taken from them is applied during testing, this should
be recorded in cases where another competent reviewer is required to follow the tests.
Device and technical standards
Software evolves and therefore keeping up-to-date with specific changes that
affect how testing is conducted is paramount.
Device and technical standards
If support is needed to keep up-to-date with evolving software, then the US case
that I discussed back in March 2016 on my web-blog, concerning the iPhone and the
San Bernardino incident, may assist:

http://trewmte.blogspot.co.uk/2016/03/emergency-cases-smartphone-
examination.html:
Consider the current Apple case (and the articles still keep coming) and mistakes that are
said to have occurred. The - TECH INSIDER - reported (http://www.techinsider.io/apple-the-
fbi-screwed-up-san-bernardino-investigation-2016-2)

It is the words "password hadn't somehow" that have significance for me, because those
words do not take account of the intense situation people are operating under, the speed of
investigation operations, timescales, prevention of potential further attacks, pressure
to resolve the case etc. So the sub-text here is learning from adverse outcomes in
emergency cases.
Seminar Topics

• QA difficulties/challenges
QA difficulties and challenges
Since sharing information is essential to good quality practices, it seems appropriate,
and far more effective, to provide Corrective Action and
Improvement Statements (CAIS) that give a flavour of what happens when
conducting an Internal Assessment.

Just to be clear, an Internal Assessment can be conducted many times and CAIS
can be as high as 300 for initial detection of non-compliances in the quality
system.

For this seminar presentation, the Internal Assessment CAIS follow
inspection under Section 4 of ISO/IEC 17025:2005.

Thank You

END OF SEMINAR TWO
