Training Standards and Knowledge Skills and Abilities

Contents

1. Introduction
2. Principles of Training
Minimum Recommendations for Training
Minimum Training Topics
Cost
Cooperation
3. Core Training Standards
Personnel
Qualifications, Competence and Experience
Recommended Knowledge Base
4. Specialized Training
Court Training/Legal Issues
Partnerships
Management Awareness
5. Recommendations Regarding Training
Recommendations for Cooperation in Training
Training for the G-8/24-7 Points of Contact
6. Recommendations to the Board
Source Description

1. Introduction

The IOCE acknowledges the following:

2. Principles of Training

Individuals must have education, skills and abilities commensurate with their responsibilities and on-the-job training specific to their position. Management shall ensure that trained and equipped personnel are available in order to facilitate the operation of the agency. Managers must recognize that 18 months to 2 years is required to achieve full competency, and agency succession plans should take this into account. All personnel have an ongoing responsibility to remain current in their field. In addition, agencies should provide support and opportunities for continuing professional development.

Any agency must train their personnel in the areas of seizing, accessing, storing or transferring digital evidence in compliance with these principles:
  Minimum Recommendations for Training

  Depending on experience and job assignments, the following are suggested annual minimum requirements.

    Junior Level: The first year, starting with 80 hours of formal training followed by two months on-the-job training. Each following year there should be at least 80 hours of continuing formal training.
    Mid Level: 80 hours of continuing formal training.
    Senior Level: 40 hours of continuing formal training.

    The training can be provided from a variety of sources, including but not limited to:
    Continuous professional development can be accomplished through:
  Minimum Training Topics

  These minimum training requirements allow agencies to structure their training program to meet their needs as it relates to the type of casework encountered, equipment available, and the level of competency of trainees.

    1. A written training program focusing on the development of the theoretical and practical knowledge, skills and abilities necessary to perform examinations to include:
      1. A training curriculum including descriptions of the knowledge and skills an examiner is to be trained in (specific topic areas), milestones of achievement, and methods of testing or evaluating competency.
      2. Agencies should have written standards of competence for each role, a documented training program and processes for assessing that the trainee has achieved the level of competence required. These will include:
        1. practical tests
        2. written and oral examinations
        3. practical court exercises
        4. casework conducted under close supervision
        5. a portfolio of previous casework
      3. A period of supervised casework representative of the type he/she will be required to perform.
      4. Documentation verifying that the trainee has achieved the desired competence per specific topic area.
    2. Topic areas in the training program will include, as a minimum, the following:
      1. Relevant background information on digital evidence, to include hardware, software, and operating systems.
        1. Hardware
        2. Operating Systems
        3. Relevant Applications
        4. File Identification
        5. Relevant Media (Digital/Analogue)
        6. File Systems
      2. Techniques, methodologies and equipment utilized in the examination of digital evidence and related materials.
        1. Forensic Analysis Procedures
        2. Best Practices (Technical Procedures)
        3. Standard Operating Procedures
      3. Quality Assurance.
        1. Quality Assurance (consistency within the forensic community)
        2. Technical Writing (for concise, clear reports.)
        3. Presentation Skills (for the explanation of factual information)
        4. General Forensic Principles and Practices (knowledge base)
      4. Expert/Court testimony and legal requirements.
        1. Public Speaking (to build confidence in speaking situations)
        2. Testimony Skills (to establish a comfort level for testimony)
        3. Admissibility (Daubert) Hearing Testimony (issue awareness)
        4. General Criminal Justice (legal issues, purpose, authority and result of examinations)
        5. Basic Crime Scene management (understanding scene and evidence complexity)
      5. Agency policy and procedures (such as evidence handling, documentation, safety and security) as they relate to the examination of digital evidence and related materials.
        1. Safety (for the purpose of risk management and personal safety)
        2. Security (to preserve chain of custody)
        3. Ethics (to conform to a standard of integrity)
        4. Evidence Handling (to preserve integrity of evidence)
        5. Training Documentation (to demonstrate compliance)
    3. An individual qualified to provide instruction must have demonstrated competence in the subject area and in the delivery of training.

  Cost

  Agencies that will initiate and/or have established digital evidence programs must be financially committed to supporting the cost associated with training. Computer-related criminal techniques and capabilities change more rapidly than those in more traditional areas of criminal activity. Therefore a considerable effort is required in the area of continuous specialized training.

  Cooperation

  In order to stay current with best practices and methods, a sharing of resources and information is necessary. A means to accomplish these goals must be a priority for IOCE. For example, The Guide to Forensic Computing Training Courses must be updated continuously, and descriptions of recognized courses and eligibility/requirements for attendees will be included. Ultimately IOCE will strive to create a list of recommended courses. To improve international cooperation a broad scope of training should address:
    1. Making training programs available to other countries
    2. Sharing contents of training programs
    3. Accepting English as the recognized standard for Computer Forensic Training
    4. Embracing private industry's expertise in Information Technology

3. Core Training Standards

It is recognized that the diversity in personnel, experience and equipment available throughout the world makes the task of reaching a consensus of opinion regarding how examinations should be carried out an enormous one. The underlying section of the document will set down minimum core standards for the training of Technical Specialists, Technician/Analyst/Assistant in an attempt to reach that consensus opinion. Periodic revisions to this document will be necessary to meet the rapidly changing technology.
  Personnel

  With respect to the personnel as defined by the ISO 17025 document, the definitions of the personnel included are to be:

    Technician/Analyst/Assistant: An individual carrying out general casework examinations/technical work under the supervision of a reporting officer or a technical specialist and who is able to provide information to assist with the interpretation of the tests.
    Technical Specialist: A forensic scientist/officer who has achieved levels of technical competency for specific equipment and services. They are able to write reports/statements of factual information in their specific specialist areas and can provide factual testimony in court. This person can have the authority and responsibility for the technical quality of digital evidence casework when the Section Head/Operations manager is not competent in technical aspects of digital evidence.

  Qualifications, Competence and Experience

    Technician/Analyst/Assistant: Qualifications in a natural or applied science; knowledge of the theories, technology and procedures applicable to the examination of digital technology (hardware and software); the practical skills to operate specialist equipment and to carry out examinations safely and reliably in compliance with laboratory protocols; and an understanding of the requirements of the criminal justice system.
    Technical Specialist: A minimum of a Bachelor's Degree (or equivalent) in a natural or applied science, or peer acceptance as an expert in the field of digital evidence/technology through experience and publication; a high level of knowledge of the relevant technology and procedures applicable to the examination of digital technology (hardware and software); extensive experience in the field over at least a two-year period and proven competence in the evaluation of results and conclusions in cases involving digital evidence.

  Recommended Knowledge Base

  Given the qualifications, competence and experience detailed above in the Minimum Training Topics section, the practitioner should be able to demonstrate, explain and document, as a minimum, the following:
    1. Solid familiarization with computer hardware
    2. Care and handling of computer systems
    3. Operate and understand from a command line OS
    4. Understand, maintain and explain the evidentiary chain
    5. Understand the methodology and terminology of the tools used
    6. Document the procedures taken
    7. Ensure the forensic capture of data and verify that the integrity of the data is maintained throughout the entire process.

4. Specialized Training

Recognizing that agencies are facing challenges in accessing and processing highly specialized technologies, agencies must dedicate resources to the task of acquiring knowledge and expertise in these specialized areas. The following are some examples of specific areas that require additional training:

AVI (Audio/Video/Imaging)

PDA
Handheld
Phone
Telephony
Telecommunications

Cryptography

Data Hiding
Steganography

Emerging Technologies
Biometrics

Various Operating Systems (Forensics)
Mac
Windows
Linux
Unix
Etc.

Network Forensics
Wireless Networks
Network Security (Hacking Cases)
  Court Training/Legal Issues

  We recognize that the ultimate objective is presentation of Technical Evidence to judges and/or juries. Taking a proactive approach to educating the analysts, investigators, prosecutors and the judiciary is an essential requirement in addressing the growing complexity of issues including but not limited to:
    1. Foundational Requirements
    2. Court Room Simulations
    3. Technical Presentation Skills for Analysts
    4. Training for Prosecutors and Judges
      1. Demonstrative Evidence
      2. Archive for Appellate Use

  Partnerships
  (investigate legal issues)

    In an effort to aid in investigations, protect forensic value and create a liaison with business in research and development interests, we encourage training and partnerships in the following areas:
    1. Academia
    2. Corporate
    3. Industry Development

  Management Awareness

  Information for management is required for support of personnel and justification in the budgetary process with exposure to the following areas:
    1. Orientation to the Issues
    2. Generalization v. Specialization
    3. Field Analysis v. Lab Analysis
    4. Personnel Issues:
      1. Redundant Personnel (Risk Assessment/Analysis/Management)
      2. Networking (with other Agencies/Analysts)
      3. Cross Trained Personnel
      4. Commitment of time to Research and Development

5. Recommendations Regarding Training

In an effort to create opportunities for expanding training to a greater number of agencies, we would like to promote Train the Trainer and Global Sharing through Trainer Exchange. We recognize there are some obstacles that need to be addressed, such as Jurisdictional Issues, Language Barriers and Cost.
  Recommendations for Cooperation in Training:

    1. Industry members producing hardware, software, new or improved information technology or telecommunications services to make best efforts to inform and educate law enforcement personnel prior to launching of their products and services. Any current or emerging impediments to lawful access to evidence through technology shall be communicated to law enforcement on an expedited basis and appropriate training provided, as needed.
    2. Government and the IT/telecom industry to create a permanent venue, and allocate appropriate funding, to plan, formulate content and deliver training to:
      1. Law enforcement regarding emerging technologies, and
      2. Industry regarding law enforcement needs.
    3. Law enforcement agencies to support opportunities to exchange knowledge and/or personnel to facilitate growth of computer forensic capability world-wide;
    4. Law enforcement agencies and private industry to consider, where appropriate, temporary exchange of personnel to improve training and development opportunities;
    5. Law enforcement agencies and industry to meet annually to establish a dialogue which:
      1. facilitates exchange of information and concerns;
      2. informs on their respective current and emerging issues;
      3. enhances understanding and seeks to minimize the barriers to cooperation.

  Training for the G-8/24-7 Points of Contact

  Recognizing the role that the 24/7 points of contact have in the collection and exchange of electronic evidence, IOCE recommends that training for the network shall include:
    1. Minimum understanding of the nature, perishability and use of digital evidence;
    2. General understanding of legal systems globally and the implications the differences or similarities in treatment of offences across borders have on the exchange of digital evidence;
    3. A significant understanding of the importance of evidence handling; chain of possession; and maintaining of the integrity of digital evidence;
    4. Understanding of the critical importance of providing information and intelligence on the further links in the chain (other countries involved) of illegal activities;
    5. Knowledge of the definition of terms relating to computer evidence of all countries which are members of the network and for engaging the requesting/responding country in a discussion of these definitions;
    6. Knowledge of note-taking/documenting techniques and creation of records of conversations and steps in the request/response process;
    7. Confidentiality awareness training; and importance and impact of rules of disclosure.

6. Recommendations to the Board

  1. Coordination with international bodies/organizations (Interpol, COE, OECD, ENFSI, Europol, ODCCP) to establish a permanent working group with the purpose of making training programs available to other countries and sharing contents of training programs
  2. Encourage and support the creation of an International Certification Body for Forensic Training
  3. Establish a continuously updated webpage to include publications of training programs and other available training courses. For example, The Guide to Forensic Computing Training Courses must be updated continuously, and descriptions of recognized courses and eligibility/requirements for attendees will be included. Ultimately IOCE will strive to create a list of recommended courses.


Source Description:
Information provided in this document originated from SWGDE Best Practices (Scientific Working Group for Digital Evidence), Guidelines for Best Practice in the Forensic Examination of Digital Technology (Association of Chief Police Officers), Convention on Cyber Crime (Council of Europe), Creating a safer information society by improving the security of information infrastructure and computer related crimes (European Commission), Computer Crime Manual (Interpol), G8 Proposed Principles for the Procedures Relating to Digital Evidence (G8).

The format of this document has been based around the ISO 17025 document produced by Dr L.W.Russell, Chairman, FCG Quality Sub-Committee, Member of ENFSI-FIT Working Group, Secretary IOCE, and Operations Manager, FSS in March 2002 and the guide produced by the ENFSI Fibres Group.