Peer Review for Mobile Forensics

Bottom Line Up Front (BLUF): We are excited to introduce a Peer Review Checklist for Mobile Forensics written by Ricky Johnson and Jessica Hyde with Peer Review from Trevor Holt and Alexis Brignoni.

Why Peer Review Mobile Forensics – Ricky Johnson

Over the past year or so, I have started slowly transferring from a full-time Investigative Administrator to the world of mobile forensics. As most administrators do, I quickly started asking questions about how the forensic process was being conducted in our lab. At that time, I would have considered our lab “push-button forensics” for the most part. Much of this was from lack of knowledge from our upper administration which directly reflected the training budget. We had to start training our administrators on this digital forensic process and the importance of going beyond pushing a button and reporting everything out. Little by little, we were able to start attending different vendor and non-vendor trainings, which helped produce a stronger product conducted with validated means.

After attending these various trainings and reading different blogs across the DFIR community, I soon realized that our lab could still be stronger in several areas, one of those being the peer review process. There really wasn’t a peer review process in our lab. We would verify and validate our tools and results with test data, but it wasn’t being reviewed by anyone. As a result, I wanted to create a policy which would help assure consistency and reliability with our reporting across the entire lab. The peer review process not only helps to ensure the validity of work, but it also helps improve the quality of the work being submitted. Examiners who are not as strong as others could get an opportunity to learn and grow by going through the peer review process.

I started by reading through SWGDE documents for guidance but was still looking for something else. In my role in investigations, we commonly use checklists when creating case summaries to ensure nothing was being missed or overlooked during the review process. I was looking for some type of checklist to use in our lab which could help in assuring every “box” was checked for confidence that the information we were providing was both credible and conducted under forensically sound conditions using validated means. Having assurance that the product the examiner is delivering is reliable and trustworthy is extremely important as it is most likely going to be used in legal decision making. The goal of every examiner should be to produce a report that prevents misleading or inaccurate information by using forensically sound and validated means. The goal of creating a checklist is to ensure every area of the digital forensic process was documented and reviewed consistently by the examiner during their process. I reached out to Jessica and inquired if a peer review checklist of any sort existed, and unfortunately it did not. Anyone who knows Jessica knows that she is always willing to help the DFIR community. Jessica enthusiastically agreed to help create a peer review checklist that could be shared with the community.

Figure 1 - Snippet of the Mobile Forensics Peer Review Checklist

Proposed Process for Peer Reviews – Jessica Hyde

After identifying why your organization or lab should incorporate peer review, the next step is to establish a process. In several labs I have been involved in, the process included a peer review, senior review, and then a final review by the lab manager or other representative of the organization. In a perfect world three reviews of the work make sense, especially from different experience levels and perspectives. However, for a lab instituting the process for the first time and looking to grow, it may make sense for there to be an initial peer review.

Once the examiner conducting the analysis has drafted a report on findings, the report should be sent for peer review. The peer reviewer would make comments and ask questions to determine the completeness and correctness of the work. While the peer reviewer does not reconduct the exam, they should use the opportunity to ask critical questions of the work.

To aid in this process we have created a Peer Review for Mobile Forensics Checklist. The checklist is broken into four different sections: Scope, Acquisition Tools, Analysis Tools, and Analysis Process. To aid in the process, we have also included a Tool Report document.

Figure 2: Tool Reporting Document

Conclusion

We hope that this Peer Review Checklist for Mobile Forensics will be useful in your labs. While we have had some peer review of this document (Thank you, Alexis Brignoni and Trevor Holt), we want to make sure to reach out to the wider community. If you have any feedback for the checklist, please feel free to reach out to Jessica or Ricky or use the Hexordia comment form.
