Mobile phones are a unique challenge for law enforcement agencies (LEAs) due to the volume and variants in circulation. They are also analysed differently to other devices such as PCs and laptops, meaning the investigation requires a separate forensic process.
Criminals are using mobile phones to communicate, coordinate, organise and execute illegal activities.
It is imperative that LEAs have ways to access, decode and use the data as evidence in a safe, trustworthy and reliable manner.
Smartphone Related Facts
Crime Investigations Include Mobile Data
EU Citizens Prefer Smartphones to Access Internet (2017)
All Photos Taken in the EU Made Using Smartphones (2017)
Innovative new tools available to LEAs allowing for the rapid retrieval, storage and analysis of mobile phone data.
The goal is to reduce the gap between LEAs and crime and terror organisations by giving LEAs the tools and systems to work with the latest devices and technology favoured by criminal groups.
Standard: A result of the project will be a European standard for the forensic investigation of mobile phones.
It is also an aim for the new FORMOBILE standard to become a European Committee for Standardisation (CEN) Workshop Agreement (CWA).
CWAs are frequently the forerunner of ENs and ISO standards.
To maximise the success of the FORMOBILE project, it is imperative that the LEAs and associated agencies receive the best training possible on the new tools and standard implemented.
A dedicated training team will combine the best aspects of existing training courses available, into a new curriculum.
Combining knowledge of commercial parties, academia and LEAs will enable a set of courses, with the supporting materials, to be developed.
FORMOBILE aims at developing a complete forensic investigation chain, targeting mobile devices. A result of the project should be a holistic view of all areas of mobile forensics, allowing continued research on the complete investigation chain.
The project has been divided into 10 Work Packages that reflect the analysis chain used by security practitioners that examine mobile evidence.
The forensic investigation chain is broken into three steps: acquisition, decoding and analysis of data.
Timeline of Project Results
Project constituted at kick-off meeting
The novel curriculum for mobile forensics trainings is developed.
Acquisition, decoding & analysis techniques working in laboratory, during the development phase.
The CEN Workshop Meetings have been carried out – participants agree the new standard on mobile forensics is appropriate.
Project results are presented at the Final Meeting. All objectives have been reached. The standard has been published, prototypes are ready for exploitation, pilot training was successful.
Work Package Breakdown
Work package WP1 collects the requirements of law enforcement agencies (LEAs) and provides the base of the subsequent WPs. Based on these requirements, the methods to test the standardization agreements, as well as the tools and their applications (WP4 to WP6) will be defined. During this process, the input from the LEAs is essential to ensure that the results of the other work packages are useful in practice.
The work package is broken down into tasks. These include:
Task 1.1 - Specification of end-user requirements (Lead: ZITiS; Participants: HO, ESMIR, KWPP, MPF, PJ, PPHS, LIF) [M01-M06]
Main activities involve:
- ZITiS is to prepare a reporting template to retrieve LEAs’ requirements on mobile forensics.
- LEAs are to gather case information and prepare a local report, based on the current status of mobile forensics in their countries, to detail relevant data and known challenges.
- Requirements for hardware and tools to be used in the mobile forensic workflow will be defined.
- ZITiS will combine all local reports and prepare an overall description of end-user requirements.
Task 1.2 - Evaluation of current status in mobile forensics (Lead: ZITiS; Participants: HO, ESMIR, KWPP, MPF, PJ, NFI) [M07-M13]
Based on the report about end-user requirements, a ring trial will be prepared to evaluate the current status of mobile forensics performed in different countries.
- All Partners to be included, ZITiS will analyse and interpret the data.
- The focus is to improve the current state of mobile forensics and to evaluate the differences throughout the European Union.
Task 1.3 - Developing methodologies to test the project results (Lead: HO; Participants: ESMIR, KWPP, MPF, PJ, NMPS) [M14-M28]
- LEAs to develop multiple test cases - used for the validation of project results.
- Test cases will map different forensic scenarios, which can also be used during the training in WP7.
- Scenarios will be accompanied by the finding of suitable standardized test and evaluation methods. Scenarios and methods may also cover hardware and software tools.
Task 1.4 - Validation of the FORMOBILE results (Lead: ZITiS; Participants: HO, ESMIR, KWPP, MPF, PJ, A.S.I.) [M29-M36]
After the test training program, another ring trial will be prepared to evaluate the tools and methods developed in the FORMOBILE project. The “Best Practices” generated in the CEN workshop will be implemented in the ring trial after they were taught in training by WP7 – All partners to be included.
To ensure that the FORMOBILE action is carried out with respect to applicable ethical and legal rules, and that the results produced are elaborated in compliance with criminal procedure.
To safeguard against compliance issues arising during or after the implementation of the action, which would hamper the potential exploitation of the tools and results.
To facilitate the implementation of the European legislation in the field of data protection, notably Directive 680/2016, the General Data Protection Regulation where applicable and any other act in the field adopted before the project’s end.
Task 2.1 - Identification of legal and ethical issues (Lead: LIF; Participants: All) [M01-M12]
Identify potential legal issues that may arise in relation to the FORMOBILE implementation.
Legal partner LIF, with the support of time.lex, is to carry out appropriate research to identify possible issues, predominantly relating to GDPR.
Identify the ethical rules applicable to FORMOBILE’s activities and the potential issues that may arise in this regard.
Task 2.2 – Research on the applicable legislation in the field of electronic evidence extracted from mobile phones (Lead: LIF; Participants: All) [M3-M18]
Explore the different legislative approaches regulating electronic evidence extracted from mobile phones in the selected countries.
- Elaboration of a tailored questionnaire strictly focused on issues related to extraction and use of electronic evidence from mobile devices.
- WP2 team to perform desk-based research to identify and analyse the applicable criminal procedure legal framework.
- The completed questionnaires are to be analysed, and the collected responses compared and juxtaposed with the research findings.
- The resulting report is to concentrate on the criminal procedure rules and will examine how the tools elaborated during the project could be used and be of help to LEAs and the judiciary.
Task 2.3 - Specification of a regulatory framework (Lead: LIF; Participants: All) [M12-M36]
Task 2.3 builds on the work done in task 2.1 and task 2.2 to identify ethical and legal issues applicable to the work done in FORMOBILE and the intended results and tools.
- It specifies the ethical and legal framework that must be respected.
- It is to include the pitfalls, challenges and proposed solutions or applicable best practices to prevent compliance issues at the exploitation stage. These may arise in relation to data protection and human rights.
Task 2.4 - Validation of standard and tool (Lead: TLX; Participants: All) [M24-M36]
The final legal reflection is to validate, from a legal and ethical point of view, the FORMOBILE standard (WP3), tools (WP4 to WP6) and trainings (WP7). Any outstanding issues are described in detail and practical solutions are to be proposed.
Due to the cross-border nature of crimes, it is vital to create EU standards regarding the forensic examination of mobile devices.
The new standard for mobile forensics will become a CEN workshop agreement (CWA), developed in a CEN or workshop. These workshops are open to all European institutions. CWAs are regularly the forerunner of an EN or ISO standard.
Task 3.1 - Identification of existing practices and standards (Lead: A.S.I.; Participants: ZITiS, PPHS, NFI) [M1-M9]
Existing standards and those under development which are within the scope of the project will be identified.
All relevant standards, directives and regulations will be screened. It will be confirmed which standards are currently used by the LEAs and forensics institutes within the European Union.
Examples of such standards include:
- ISO/IEC 17025, which is used in many forensic laboratories
- ISO/IEC 27037 (Guidelines for identification, collection, acquisition and preservation of digital evidence)
- NIST Special Publication 800-101 (Guidelines on Mobile Device Forensics)
- ETSI standards on lawful interception
Task 3.2 - Gap analysis of existing practices and standards (Lead: A.S.I.; Participants: HO, ESMIR, KWPP, MPF, PJ) [M10-M15]
Standards identified in Task 3.1 will be evaluated against the end-user requirements that are collected in WP1.
The aim is to analyse what is missing in existing standards and what needs to be included in standards under development. Findings of this gap analysis will be included in a gap report.
Task 3.3 - Definition of the European mobile forensic standard (Lead: A.S.I.; Participants: HSMW, NFI, MSAB, ZITiS, HO, ESMIR, KWPP, MPF, PJ, NMPS, LIF, PPHS, TLX) [M1-M36]
To define the European standard, a workshop of the European Committee for Standardisation (CEN) will be set up and managed. This involves a series of physical and online meetings for engaging with stakeholder communities.
This is an open, inclusive multi-stakeholder process in which a European Standardisation Deliverable / CEN Workshop Agreement (CWA) / publicly available specification will be produced.
Mobile forensics is mainstream, but several technological trends are threatening the continued success of the acquisition of mobile devices.
Three main challenges arise in the field of acquisition:
- Acquisition of RAM memory
- Acquisition of cloud storage
- Acquisition of counterfeit devices.
This work package aims to assist with the acquisition process of challenging mobile data.
Task 4.1 - Acquisition of RAM memory/ Extraction of RAM memory content (Lead: NFI; Participants: TUD) [M1-M36]
The increasing application of strong cryptography demands new approaches to (mobile) forensics.
To stay successful, focus must widen to include extraction of RAM content, like in traditional PC/laptop oriented digital forensics.
Key focus areas will be:
- Adapting workflows from crime scene to lab – Reducing RAM contamination.
- To extract RAM content of a live phone.
Task 4.2 - Cloud data extraction (Lead: HSMW; Participants: MSAB, KWPP) [M1-M36]
Cloud data sources can serve as great evidence in investigations.
This task will support the improvements to decode even the major cloud computing data export formats in an automated and efficient way - whilst adhering to both national and international laws and the jurisdiction of LEAs.
Task 4.3 - Handling mobile clones (Lead: KSTU; Participants: MSAB, NFI, HSMW) [M1-M36]
With a lack of software information available from the manufacturers of smartphone clones, forensic examinations are very difficult.
Through the examination of many illegal clones - knowledge, skills and training will be developed and shared between practitioners across Europe.
Task 4.4 - Development of novel import methods (Lead: MSAB; Participants: TUD, NFI, HSMW) [M1-M36]
The goal is to create a software extraction tool, Dump Importer, to further process the additional data gathered from the work of previous tasks.
Despite the importance of mobile forensics, security measures are hindering forensic examination.
- Increasing application of strong cryptography
- Migration of security techniques into the hardware
- Development of anti-forensic techniques
The work package aims to assist with the decoding process of mobile data and overcoming security measures like anti-forensic systems.
Task 5.1 - Overcoming security measures hindering forensic examination (Lead: UPat; Participants: NFI) [M1-M36]
The quantity and complexity of the steps required to access modern mobile devices (phones, tablets, car multimedia systems, USB-sticks) are increasing rapidly, due to the increasing application of encryption.
FORMOBILE will explore the known and original possibilities to overcome these security measures.
Task 5.2 - RAM Decoding (Lead: MSAB; Participants: NFI, TUD) [M1-M36]
Traditionally, the focus of mobile forensics has been on non-volatile memory. To stay successful, the focus must widen to include RAM decoding, just like in traditional PC/laptop-oriented digital forensics.
Task 5.3 - Detection and bypassing anti-forensics (Lead: HSMW; Participants: NFI, ZITiS) [M1-M36]
Mobile devices inherently create opportunities to present environments that are conducive to anti-forensic activities.
FORMOBILE will work on a new tool to detect and overcome anti-forensic techniques commonly used in mobile devices.
Task 5.4 - Development of novel decoding tools (Lead: MSAB; Participants: NMPS) [M1-M36]
The data dumps that will be acquired with the methods developed in WP4 need to be decoded. The aim of Task 5.4 is to develop new methods of decoding. This includes especially the decoding of file systems and file formats.
Mobile devices store more and more data, causing challenges for forensic analysis. This includes the sheer mass of short messages and the rise of mobile malware. This work package aims to assist with the analysis process of mobile data and overcoming problems that arise with mass data.
Task 6.1 - Evaluation of big data by semantic analysis (Lead: HSMW; Participants: UPat) [M1-M36]
The contents analysis of mobile data covers the analysis and evaluation of multiple artefacts, for example:
- Location Data
The goal is to develop new methods to analyse each data type and integrate all retrieved information into one complete knowledge map.
Task 6.2 - Malware analysis (Lead: ZITiS; Participants: HSMW) [M1-M36]
Today, mobile devices are the main target for cyber criminals. In particular, there is a broad range of malware for mobile platforms. The analysis of the malicious code is an important challenge for law enforcement agencies and developers of antivirus suites.
To overcome this issue, a new platform for the automatic analysis of mobile malicious code will be developed.
Task 6.3 - Visualization of enriched data (Lead: MSAB; Participants: HSMW, KWPP) [M1-M36]
One problem of the analysis of big data is to find value in the mass amount of data. Visualisation is the main tool to overcome this problem, therefore, new tools to visualise the result of the big data analysis will be created.
Task 6.4 - Development of novel analysis tools/ Tools to enrich the extracted data with the results from the big data analysis (Lead: MSAB; Participants: HSMW, KWPP) [M1-M36]
Data acquired with the methods developed in WP5 need to be analysed; this is the aim of Task 6.4. This especially includes the ability to enrich the extracted data with the results from the analysis.
The FORMOBILE target user groups must be trained to use the tool and the novel mobile forensic standard. Users should be able to verify results from the tool and have in-depth knowledge of the standard defined by the project.
We aim for a novel mobile forensics training curriculum that is developed by commercial players together with academia and LEAs. The curriculum will define a recommended set of courses to become a forensic expert in mobile forensics. Course material will be developed, and a test training of LEAs will be performed.
Task 7.1 - Design of a novel curriculum for LEAs training (Lead: NMPS; Participants: FORTH) [M1-M12]
Today, there are few, mostly commercial, courses in mobile forensics. FORMOBILE will start evaluating existing curricula and courses in the domain of mobile forensics and will perform a gap analysis.
Based on the findings we will develop an innovative novel curriculum, consisting of a set of consecutive modules that will train on tools and standards.
Task 7.2 - Development of training material for LEA training and joint exercises training (Lead: FORTH; Participants: NMPS, MSAB) [M13-M30]
In Task 7.2 we will develop course material based on the novel curriculum, created for physical classrooms, online webinars and tutorials.
To ensure that the scenarios are relevant for the law enforcement agencies, we will include the results of Task 1.4.
Task 7.3 - Proof of concept FORMOBILE forensic training / Train the trainers training (Lead: NMPS; Participants: All except TLX and SI) [M30-M36]
To prove the effectiveness of the novel curriculum and the training material, we will perform three proof of concept trainings with LEAs. A ‘train the trainers’ concept will be used to help disseminate the knowledge of the tool and the standard much faster.
WP8 aims to plan, develop and coordinate all FORMOBILE activities related to communication, dissemination and exploitation, to reach a wide audience and relevant stakeholders and to create strong awareness of the FORMOBILE outcomes (tools, standard and trainings) at the national, European and global level.
Task 8.1 - FORMOBILE Communication and Dissemination plan (Leader: PPHS; Participants: All) [M1-36]
To define all project communication and dissemination activities carried out throughout the lifetime of the project, a strategic document, the Communication and Dissemination plan (C&D), will be developed.
This plan will define actions with specific timelines, responsibilities and measurable results, tools (channels) and methods that will be used by the consortium, to ensure that the project is effectively promoted and FORMOBILE results meet the appropriate audience.
Task 8.2 - Communication and dissemination channels (Leader: PPHS; Participants: All) [M1-36]
To facilitate appropriate communication, a set of channels will be used to engage a variety of users. These will include:
- Project website
- Social media presence
- LinkedIn, Twitter, YouTube
Task 8.3 - Dissemination materials and visibility (Leader: PPHS; Participants: All) [M1-36]
To support the dissemination and communication activities, promotional materials (electronic and printed versions) will be produced. Moreover, it is planned to publish scientific articles with project results in scientific journals and magazines.
To coordinate dissemination activities, a GDPR-compliant stakeholder database shall be developed and populated.
Task 8.4 - Dissemination FORMOBILE events (Leader: PPHS; Participants: All) [M1-36]
To disseminate the project results to an extended audience across Europe, a series of events will be created.
It is planned to organise different kinds of events, depending on the aim and the target group. These will include:
- Kick-off meeting (M1), Mid-term meeting (M18) and the Final-review meeting combined with a public event (M36)
- Executive meetings for the WP Leaders
- The standardization workshops (CEN workshop meetings)
All events will be combined with public thematic conferences.
Furthermore, all consortium members agreed to contribute to project dissemination when participating in public events like conferences or fairs.
Task 8.5 - FORMOBILE Exploitation Strategy (Leader: SI; Participants: MSAB, NFI, HSMW) [M1-36]
The FORMOBILE Exploitation Board consisting of the partners (SI, MSAB, NFI and HSMW) will monitor the progress of project results and decide about the related exploitation route and ensure that appropriate measures for IP protection are implemented.
For the tools (developed in WP4-6), exploitation will take place directly by MSAB and NFI respectively. For other specific results, the potential to create start-ups to exploit side results for civil applications will be investigated.
All exploitation will be in total compliance with the Consortium Agreement and the Grant Agreement. One result of the task will be the project exploitation plan. This document will address IPR issues, commercialisation and exploitation aspects. It will ensure the best, maximised impact and full use of all results and outputs of the project.
Task 8.6 - Data Management (Leader: SI; Participants: All) [M1-36]
A Data Management Plan will be developed detailing what data the project will generate (including metadata), whether and how it will be shared or made accessible for verification and re-use, and how it will be curated and preserved.
Task 8.7 - Management of Security Issues (Leader: MSAB) [M1-M36]
The security officer of the FORMOBILE project will oversee all security issues that arise within the project. This includes the risk of misuse of research results and all problems that arise from dual-use. FORMOBILE is committed to the ethics of the Wassenaar Arrangement and will take care that sensitive technologies will propagate freely.
The aim is to provide an effective and efficient management and communications environment for the FORMOBILE project. This will cover the timely delivery of all obligations under the terms of the Grant and Consortium Agreement. Furthermore, the monitoring and management of the work packages, milestones and deliverables will be maintained.
Task 9.1 - Internal Project Communication / Administrative and Financial Project Management. (Leader: HSMW) [M1-36]
This task will take care of the overall coordination and day-to-day management for the FORMOBILE project concerning internal communication, administrative and financial issues.
A close relationship with the finance departments of each partner will be established, to make sure all budget-related actions are performed correctly. In particular, the EU financial contribution will be administered and distributed within the consortium.
To summarize all these activities, a FORMOBILE Project Management Handbook will be created. The project management team will set up and maintain adequate communications with the Commission’s project officers on the project progression and other relevant issues.
Task 9.2 - Technical Organisation, Coordination and Scientific Management of the Project (Leader: HSMW) [M1-36]
The project coordinator, HSMW, with its project management office is responsible for technical coordination and quality assurance throughout the project. This task involves coordination and synchronisation of the interfaces between the work package activities, monitoring of progress, tracking deliverables and milestones, coordinating input/output flows between the various work packages and tasks.
These tasks have been deduced from the deliverables of WP10 by the PMO.
Task 10.1 - H - Requirement No. 2 (Leader: HSMW, Participants: All) [M1]
The procedures and criteria that will be used to identify/recruit research participants will be determined.
Task 10.2 - H - Requirement No. 3 (Leader: HSMW, Participants: All) [M1]
Copies of opinions/approvals by ethics committees and/or competent authorities for the research with humans have to be collected.
Task 10.3 - H - Requirement No. 4 (Leader: HSMW, Participants: All) [M1]
Informed consent procedures that will be implemented for the participation of humans will be defined. Templates of the informed consent forms and information sheets (in language and terms intelligible to the participants) will be created.
Task 10.4 - POPD - Requirement No. 6 (Leader: HSMW, Participants: All) [M1]
The host institution confirms that it has appointed a Data Protection Officer (DPO) and the contact details of the DPO are available to all data subjects involved in the research. For host institutions not required to appoint a DPO under the GDPR a detailed data protection policy for the project must be defined.
Task 10.5 - POPD - Requirement No. 7 (Leader: HSMW, Participants: All) [M1]
A description of the security measures that will be implemented to prevent unauthorised access to personal data or the equipment used for processing must be defined.
Task 10.6 - POPD - Requirement No. 8 (Leader: HSMW, Participants: All) [M1]
In case of further processing of previously collected personal data, an explicit confirmation that the beneficiary has a lawful basis for the data processing and that the appropriate technical and organisational measures are in place to safeguard the rights of the data subjects has to be defined.
Task 10.7 - POPD - Requirement No. 9 (Leader: HSMW, Participants: All) [M1]
Detailed information on the informed consent procedures with data processing will be defined. Templates of the informed consent forms and information sheets with data processing (in language and terms intelligible to the participants) will be created.
Task 10.8 - POPD - Requirement No. 10 (Leader: HSMW, Participants: All) [M3]
All beneficiaries must explain how all of the data they intend to process is relevant and limited to the purposes of the research project (in accordance with the 'data minimisation' principle).
Task 10.9 - POPD - Requirement No. 11 (Leader: HSMW, Participants: All) [M3]
All beneficiaries must evaluate the ethics risks related to the data processing activities of the project. This also includes an opinion on whether a data protection impact assessment should be conducted under Art. 35 of the General Data Protection Regulation 2016/679 or Art. 27 of Directive 2016/680.
Task 10.10 - M - Requirement No. 12 (Leader: HSMW, Participants: All) [M12]
Risk assessment and details on measures to prevent misuse of research findings must be defined.
Task 10.11 - DU - Requirement No. 13 (Leader: HSMW, Participants: All) [M12]
Details on potential dual-use implications of the project and risk-mitigation strategies have to be described.
Task 10.12 - GEN - Requirement No. 14 (Leader: HSMW, Participants: Ethics Advisory Board members) [M1]
Due to the severity of the ethics issues raised by the proposed research, the Ethics Advisory Board, which includes relevant independent expertise, must be established to monitor the ethics issues in this project and how they are handled. The Board must be consulted at least on the following points: processing of data extracted from mobile devices (who can access the data, potential anonymisation procedures and potential for misuse) and data security (multiple types of personal data, potentially including sensitive data, are extracted from mobile devices and stored and processed).
Task 10.13 - GEN - Requirement No. 15 (Leader: HSMW, Participants: Ethics Advisory Board members) [M5]
A report by the Ethics Advisory Board must be submitted as a deliverable at month 5.
Task 10.14 - GEN - Requirement No. 16 (Leader: HSMW, Participants: Ethics Advisory Board members) [M19]
A report by the Ethics Advisory Board must be submitted as a deliverable at month 19.
Innovative new tools available to LEAs allowing for the rapid retrieval, storage and analysis of mobile phone data.
The goal is to provide tools, methods and education to help LEAs track down criminals and terrorists who are using the latest technology to attempt to evade detection and commit criminal activities.
The tools produced during the project include
Rapid Retrieval of Digital Evidence
Boosting first responders' abilities to trigger the investigation process
Decoding Retrieved Data
New techniques to access data, previously off-limits
Analysis & Validation
Automatic & enriched data for more accurate and decisive evidence
The introduction of the tools, supported by the standardised processes and relevant training, means LEAs will have improved investigative capabilities. Using solutions and methods that did not previously exist, it will be feasible for them to recover evidence from encrypted mobile phones and data stored in cloud services, in addition to incorporating knowledge about cloned phones and anti-forensic methods into the forensic investigation process.
A result of the project will be a standardised European process for the forensic investigation of mobile phones. It is also an aim for the new FORMOBILE standard to become a European Committee for Standardisation (CEN) Workshop Agreement (CWA). CWAs are frequently the forerunner of ENs and ISO standards.
The objective is to collect the best practices and common working methods, combining them into an agreed standard, which is to be adopted by the relevant stakeholders across Europe.
Utilisation of a common, pan-European standard will allow LEAs and other related associations to increase efficiency and efficacy when dealing with mobile device related crime.
To create the standard, the partners participating in the FORMOBILE project will first complete an analysis of the existing standards, before defining the new standards to be submitted as a CWA.
CWA Development Process
- Develop the draft project plan
- Perform self-assessment
- Analyse degree of interest amongst stakeholders
Submission to CEN-CENELEC Management Centre
- Technical Board decision needed
- Schedule Kick-off meeting
- Announce the proposal for comments
- Appoint the Chair
- Setup the rules of the workshop
CWA Draft Ready
- Draft CWA based on consensus
- Report to Technical Board if needed
- Perform internal enquiry for comments
Open Commenting Phase
- Consider comments from interested stakeholders
CWA Final Version Ready
- Comments incorporated
- Draft approved by Chair
- Draft submitted to CEN-CENELEC Management Centre