by Phil Cobley (MSAB), Georgina Humphries (NMPS), Harry Manifavas (FORTH-ICS), Rune Nordvik (NMPS), Matthew Sorell (Univ. of Adelaide)
Mobile devices, especially smartphones, constitute a major source of evidence in criminal activities investigated by law enforcement agencies (LEAs). Mobile devices present unique challenges; therefore, it is vital to empower all players involved in solving and judging cases where mobile data plays a significant role. FORMOBILE [L1], an EU-funded H2020 project, aims to establish a complete end-to-end forensic investigation chain for mobile devices by developing the first standard for mobile forensics, novel tools, and a targeted training programme.
The wider population increasingly utilises smartphones in their daily routine. Criminals also use mobile devices to coordinate their illegal activities. According to recent statistics [L1], 85% of crime investigations include mobile data.
Digital forensic investigators respond to a crime committed in the physical or cyber space by trying to reconstruct the crime based on the content stored on the digital devices seized and to produce sound evidence that can stand scrutiny in court. The full (end-to-end) investigation chain is composed of several phases and involves different types of practitioners (Figure 1). The phases can be categorised as Crime Scene, Acquisition, Analysis, Inquiry, Evaluation and Court. Practitioners include First Responders, Lab Technicians, Data Specialists, Detectives/Investigators, Prosecution, Judges and Defence.
Figure 1: Mobile Forensics Investigation Framework.
The FORMOBILE standard “Requirements and Guidelines for a complete end-to-end mobile forensic investigation chain” fills a gap in the standardisation activities around Digital Forensics. It aims to codify good practices observed in the field of mobile forensics. Practitioners adhering to the standard demonstrate a consistent and justified approach to dealing with mobile data. This is an essential requirement for the data to be considered as admissible evidence before the relevant court.
FORMOBILE tools allow LEAs to more robustly retrieve data stored on mobile phones, better decode retrieved data (especially types of data previously off-limits), and finally more efficiently visualise and analyse decoded data. Challenging data sources include, for example, devices employing encryption or anti-forensics measures, cloned phones, and cloud accounts.
FORMOBILE, together with LEAs, commercial entities, and academia, developed a novel mobile forensics training curriculum. The curriculum defines a recommended set of courses for an individual to become a practitioner in mobile forensics. During the project, partners – led by the Norwegian Police University College on behalf of the Norwegian Ministry of Justice and Public Safety (NMPS) – developed several online e-learning courses. Each course consists of lessons grouped into modules. The courses target all the practitioners listed in Figure 1. More specifically, the courses developed are: Mobile Forensics Fundamentals and Best Practices, Mobile Forensics for Management, and Mobile Forensics using FORMOBILE Tools. Current activities also include the development of two more courses, Mobile Forensics for Prosecution and Judges, and Mobile Networks. Proof-of-concept trainings with LEAs and a week-long train-the-trainer event have been performed to help disseminate knowledge and practice, evaluate the trainings, and receive feedback.
The pilot training concluded with a week-long Capture the Flag (CTF) competition where the participants put their knowledge and skills into practice. During the CTF, participants were presented with a case scenario and a set of tasks consisting of several challenges. To answer each question, each participant had to reflect on the background theory and use the appropriate tools to extract relevant evidence from the device extractions provided. The CTF setup offers a gamified learning experience.
The overall aim of the training is to increase the quality of investigations by making the targeted audience aware of the complexities that surround such investigations, standardisation efforts, forensic tool intricacies, the evidential value of technical artefacts as well as the applicable legal frameworks and provisions (e.g., principle of necessity, principle of minimisation, right to a fair trial).
The FORMOBILE consortium consists of nineteen partners [L1]. It brings together LEAs, commercial companies, civil organisations, and academic institutes. The project partners come from thirteen EU countries and two associated countries. The project started in May 2019 and ends in April 2022. Some of the results from the training will be made publicly available at the end of the project for the mobile forensic community, while other results will only be available to LEAs for reasons relating to security.
Dismantling of an encrypted network sends shockwaves through organised crime groups across Europe, Aug. 2020. https://kwz.me/hfI