Prior to making plans for progress and developing new solutions, it is imperative to understand the expectations and requirements from the users and beneficiaries of future changes.
In the FORMOBILE project, this is the remit of Work Package 1. The team from ZITiS, Germany’s Central Office for Information Technology in the Security Sector, is responsible for managing these tasks and the associated activities.
The outputs from ZITiS’s efforts enable other work packages to prepare for the main goals of FORMOBILE: the innovative tools, the CEN Workshop Agreement (CWA) standard, and the novel mobile forensic training. Bringing all these actions together supports the ‘complete forensic investigation chain for mobile devices’, toward which FORMOBILE strives.
This article reviews parts of the deliverable produced for Task 1.1 ‘Specification of End-user Requirements’, led by ZITiS during the early months of the project. The official deliverable of this task, released in May 2020, contains sensitive information and is therefore restricted.
The scope and ambition for the task:
To prepare a reporting template to retrieve LEAs’ requirements on mobile forensics. The volunteering LEAs shall gather case information and complete a local report based on the template and questions prepared by ZITiS; thus providing an overview of mobile forensics within that region. The information gathered will cover, amongst other things, the equipment used in the investigations, the personnel involved and their training, the processes and standards referenced for the work. Also, an assessment of common challenges in mobile forensics in their agency; including issues with commercial products as well as the solutions and workarounds currently used.
Gathering this information allows ZITiS to define the future hardware and tools to be used in the forensic workflow, with particular consideration on the necessity of guaranteeing solutions can be integrated and will be used.
ZITiS will combine all local reports and prepare an overall report on end-user requirements of LEAs on mobile forensics. The retrieved requirements of task 1.1 will culminate in deliverable D1.1.
The ZITiS team, in cooperation with the FORMOBILE’s Executive Board, agreed on a detailed questionnaire that took inspiration from the efforts of i-LEAD (Innovation - Law Enforcement Agencies’ Dialogue). The comprehensive survey would elicit substantial details from LEAs on the following topics related to mobile forensics:
- Background information
- Expertise collaborations/knowledge exchange
- Processes and procedures -at the crime scene
- Processes and procedures -in general
- Technical equipment
- Scope of services
- Requirements and needs
The Work Package 1 team distributed the questionnaire and appropriate consent forms to LEAs across Europe. The completed surveys were gathered and assessed using common statistics software.
The questionnaire reached 15 countries and was completed by a total of 49 LEAs helping to paint a well-rounded picture of the current situation in mobile forensics within Europe. The ZITiS team considered that most countries have a tiered approach to mobile forensics to accomplish the forensic examination of digital evidence. 1. First Responder 2. Common Forensic Laboratory 3. Highly Specialised Forensic Laboratory. The surveys were most commonly completed by actors who identified as ‘first responders/common forensic laboratory’, or just, ‘forensic laboratory’.
The consensus was that ‘knowledge-transfer’ must take place between agencies on national and international levels to aid the successful execution of forensic cases.
A standard approach
A high proportion of respondents stated that current methods of working are aligned to current standards. However, almost half of all participants believe that the current ‘standardised’ approach is not best suited to the work. Moreover, another question highlighted that almost 50% of people were not involved with standardisation activities in the domain. Similar figures apply to the lack of involvement in the procurement of new technologies to support their work.
A reasonable argument would suggest that the more experts involved in the process of creating new standards can increase the chances of more suitable and appropriate standards being developed. This is certainly the view of FORMOBILE and the possibility with the CWA; all experts are welcome to join the discussion and contribute to the process.
The latest tools and cutting-edge techniques are necessary for LEAs to extract and analyse the artefacts on mobile devices. There are many tools that are used by LEAs, but given a ‘wish list’, the LEAs would like to have access to more of the leading technologies to assist their work. This highlights the importance of technology-availability, as well as the improvement of the tools used. For the LEAs who have struggled to gain access to data on a mobile device, lack of technology and tools was cited as the main underlying issue.
Perhaps surprisingly for some, in the section that provided an opportunity for LEAs to list their ‘requirements and needs’ training – specifically, hands-on experience – was listed as the most effective measure for improving capabilities. Improved hardware and software were sandwiched between two other training-related requirements ‘additional specialised staff’ and ‘theoretical training’.
From initial research and general background knowledge of the forensic domain, certain results were expected; however, it was enlightening to gather all the answers together.
In relation to the overall policing force of the LEAs questioned, the mobile forensic teams make up a tiny part. Considering the frequency and volume of cases requiring input from forensics teams, it is not too surprising that there are reports of police forces struggling to match the current demand. As technology improves and the access to mobile devices accelerates further – this is not an issue that will disappear. Furthermore, LEAs listed hands-on training in the field of mobile forensics as the single most helpful measure to aid improvement, closely followed by better software and hardware equipment, additional specialised staff, and trainings/education in this specialised field.
From this, one can postulate that focused investment and continued development in mobile forensics is a must if LEAs are going to maintain pace with the speed of technological progress, and the demand for forensic-support in cases involving mobile devices (almost all.)