Prospective EESP use scenarios and solutions · 2019-10-02 · EVIDENCE2e-Codex project Florence, 25th September 2019 manufacturer Samsung Model SM-G900F IMEI 356765064657669 Serial

Prospective EESP

use scenarios and solutions

Florence

25th September 2019

Mattia Epifani / CNR-IGSG

• Preparing the floor for the electronic exchange of electronic

evidence in all the EU MS in the specific scenario of

the European Investigation Order (EIO) and Mutual Legal

Assistance (MLA) procedures

• Initiating the harmonization of the legal and technological

frameworks and the stakeholder awareness on the treatment

and the exchange of electronic evidence in the EIO and

MLA procedures

• Implementing a ‘true to life’ example of successfully linking

the EVIDENCE Project to e-CODEX Project’s results in support of an EIO case

EVIDENCE2e-CODEX Project

EVIDENCE2e-Codex project Florence, 25th September 2019


E2E project: how can the goal be accomplished?


What is missing from this scenario?

• Message, with the EP attached, will travel

through the R.I. and over e-Codex

• The EP could be exchanged as a simple

attachment

• It is essential to use a standard to represent

the EP (data and meta data)

• UCO/CASE language

Standard representation for the EP


CASE is a community-developed standard to

support:

• reporting of digital traces

• exchanging of digital traces

• tool validation

www.caseontology.org

Cyber-investigation

Analysis Standard Expression


www.caseontology.org



What does the Evidence Package

contain?

People

InvestigativeAction

Process /Lifecycle

Trace

Relationship

Instrument

Role

Martin Rohde - Forensic ExpertSaga Norén - Police OfficerMagnus Krepper - SuspectMaria Kulle - Judge

Search and seizureForensic Acquisition, Forensic Extraction– Date/Time- Who, What, When

- Input and OutputLegal authorization –

Search warrant /Forensic Tool - Plaso

Chain of Custody

Chain of Evidence

Mobile Device, Disk

File, Message, PhoneAccount,

EmailAccount

Sources of evidence


•Computer

•Smartphone

•Media (USB)

•Server

•CCTV

•IoT

•Cloud Infrastructure

Device

•Subscriber Information

•Traffic Data

•Content Data

ISP/CSP

•Voice traffic

•Network traffic

•State Trojan

Interception

• Country A requests a search and seizure of digital devices

• Country B performs the search and seizure of a smartphone

SCENARIO ATransfer of source of evidence

SCENARIO BTransfer of acquired data (forensic image/extraction)

SCENARIO CTransfer of processed/extract data

• Ex. Call Logs, SMS, WhatsApp, Images, etc.

Devices



EIO – Timeline in the Evidence Exchange Context

• Search and Seizure

• Case preparation (Select methods and

tools)

• Forensic Acquisition (Imaging)

• Forensic Extraction (Data processing)

• Tools comparison

Actions


• Application useful to generate UCO / CASE

languange object

• It can be used by

• LE / JA to describe non-technical actions

• FL to describe technical actions

• For example a «Search and Seizure» action

• Authorization (JA)

• Performer (LE)

• Location

• Result

Tool: UCO / CASE Generator


Search and Seizure


manufacturer SamsungModel SM-G900FIMEI 356765064657669Serial Number FDG764192Storage capacity 64 GBClock setting 2018-05-31 6:00Mobile account +393319420019Item number ITEM_00001

Carrier Telecom ItaliaSimType SIMSIMForm Micro SIMICCID 89390100001847875453IMSI 222014603559590Phone Number 393319420019PIN 7571PUK 86245177

Search and Seizure


Search and Seizure


• Digital forensics Tools Catalogue

• About 1500 tools mapped

• Acquisition and Analysis tools

• Tools categorized based on• Features (Computer/Mobile/Network)

• License type (Free/Commercial/Only LE)

• Platform (Windows/Linux/MacOS)

Tool: Digital Forensics Tools Catalogue






https://www.dftoolscatalogue.eu/






Forensic Acquisition






Data processing and extraction


SMS Messages


NOT deleted SMS Messages

CELLEBRITE UFED PA


NOT deleted SMS Messages

MAGNET AXIOM


Exporting data from different tools


Comparing reports


• Intermediate software layer developed to convert

the output of a forensic tool in UCO/CASE standard

• As a PoC it supports

• XML report generated by Cellebrite UFED

• XML report generated by Magnet Axiom (WIP)

• XML Logicube Falcon hardware duplicator

Tool: UCO / CASE Converter



• Support the development of UCO / CASE

language in forensic tools

• Develop tools to map/convert the output

produced by different tools in UCO / CASE

• Work with software developers and cloud

providers to facilitate the native adoption of UCO /

CASE language

The future…


Conversion and parsing tools


Obtaining Cloud Provider datahttps://www.facebook.com/records/login/


https://www.facebook.com/records/login/

Obtaining Cloud Provider data


Analyzing Cloud Provider data


Obtaining Cloud Provider datahttps://legalrequests.twitter.com/


Analyzing Cloud Provider data


Analyzing Cloud Provider data…


Conversion and parsing

Cloud Provider data



Thanks for your attention

Questions?

Mattia Epifani / CNR-IGSG

[email protected]

Documents

Prospective EESP use scenarios and solutions · 2019-10-02 · EVIDENCE2e-Codex project Florence, 25th September 2019 manufacturer Samsung Model SM-G900F IMEI 356765064657669 Serial