CORDIS - EU research results

From mobile phones to court – A complete FORensic investigation chain targeting MOBILE devices

Periodic Reporting for period 2 - FORMOBILE (From mobile phones to court – A complete FORensic investigation chain targeting MOBILE devices)

Reporting period: 2020-11-01 to 2022-04-30

Criminals commonly use mobile phones to communicate information on illegal activities. Thus, accessing materials contained on phones is crucial for fighting crime. The data that law enforcement agencies (LEAs) aim to recover include call history, chat messages, web browser history, emails, contacts and location information. FORMOBILE reviewed current mobile forensics and assessed the needs of LEAs for future improvements. Respecting the GDPR, the team produced tools to unlock, acquire and decode previously unattainable data. A standard containing best practices helps to guide LEAs through the existing documentation. Training supports both initiatives. The aim was an end-to-end investigation chain for mobile devices (see image: Mobile forensic investigation chain).
LEA status
With a survey and a ring trial, the problems & needs of European LEAs in mobile forensics were compiled. A report describes the current capabilities of European labs in the field of mobile forensics. On this basis, requirements were defined, and standardization agreements, tools and their application were validated.

Legal & ethical issues
With ongoing legal input, the legal partners ensured that the project respects applicable ethical & legal rules and that results follow criminal procedure rules. The Legal & Ethical Report covers the legal & ethical examination, explaining the approaches taken to legal & ethical issues. The Criminal Procedure Report assesses current criminal procedure legislation regarding electronic evidence extracted from mobile devices. Additionally, a Guidance to Checklist Preparation for Legal Practitioners involved this group in the mobile forensic investigation chain.

Based on an overview of existing materials and a gap analysis, the CEN Workshop Agreement 17865 (CWA, see image: Roadmap to a CWA) - Requirements & Guidelines for a complete end-to-end mobile forensic investigation chain - was created by LEAs, IT specialists, industry, scientific and legal representatives. It describes personnel, tools and processes as well as the legal and ethical framework.

The technical work assisted with acquiring challenging mobile data, overcoming security measures, decoding and analysing mobile data, and resolving problems that arise with the review of large-scale data volumes. All tool prototypes have been realised and tested, and some are integrated at TRL9.

Based on a survey and interviews with LEAs on gaps in existing training, a curriculum containing consecutive modules on mobile forensics was created. 3 consecutive online courses and a CTF for 1st responders and common forensic labs have been conducted successfully. Exploitation of the materials to ECTEG is under preparation.

Dissemination & Exploitation
Through websites, 1 secure portal, 4 social media channels, 9 newsletters, presentations at 17 conferences, 8 open access publications, 23 workshops, and collaboration with sister projects, >520 international stakeholders were gained. Results are freely available on GitHub or follow the exploitation plans of MSAB, NFI or ECTEG (see image: FORMOBILE results).
European standard for mobile forensics
There was no standard for the forensic examination of mobile phones adopted throughout Europe. After reviewing practices, guidelines, standards and gaps for mobile forensics, a CWA specifically on mobile forensics has been created, which is available as an open access document.

Research for a novel RAM acquisition tool has been conducted. The acquisition of mobile RAM as a ground-breaking objective was the most challenging technical ambition within the project. Mobile device RAM acquisition is limited to specialised forensic laboratories with approved LEAs. The CLOUDxTRACT, usable by 1st responders, covers a broad spectrum of cloud providers. The acquisition of mobile clones has been enhanced. The CLONEaQUIRE, an easy-to-use tool for first responders, allows safe acquisition of over 400 mobile clone phones. The Dump Importer, an easy-to-use tool, imports RAM, Cloud and Clone dumps from mobile devices in a standardised open-source format or gains access via an API.

The eMMC/UFS emulator is a technology that emulates mobile storage and gives specialised forensic laboratories repeated password attempts on locked devices. The RAM decoding tool is specially designed for mobile devices. It supports several mobile manufacturers and is available for highly specialized forensic labs as a breakthrough innovation. The Antiforensic System, available for first responders, effectively detects overvoltages. The Dump Decoder supports a great number of devices, data imports and third-party app data, is easily adaptable to upcoming formats and is available to first responders.

To search large volumes of messaging app data for digital evidence, the Semantic Analyser examines this data automatically with semantic algorithms for text and pictures to aid investigators. The easy-to-use mobile Malware Analysis Platform allows a fast and automated dissection of mobile malware. The FORMOBILE Visualizer helps to show extracted data so the security practitioner can easily distinguish important evidence from unimportant data and identify key persons involved in the case. The Dump Analysis Tool enriches the extracted data with the results from the big data analysis and allows a view of the data from the raw hex data through to the wider overview.

European training program
A novel curriculum to train LEA 1st responders & mobile forensic experts has been developed. The modules are didactically structured and deliver comprehensive training for mobile forensics. Practical courses are combined with innovative, ongoing augmented learning techniques.

Technological, economic, and social impacts
• overview of mobile forensic practices & guidelines; a European pre-standard for mobile forensics helps unify working processes
• user-friendly tools supporting extraction & examination of mobile devices and the analysis of digital evidence in big data, available for a broader group of security practitioners, addressing traditional or emerging forms of crime and terrorism at acceptable costs. Investigation capabilities improved in quality & speed
• training for LEAs & prosecution especially on mobile forensics, filling gaps in existing training
• expertise obtained in developing the eMMC emulator facilitates development of emulators of new chip technologies in the future, strengthening the EU economy in hardware development, especially for disruptive technologies like the IoT
• faster prediction of the counterfeit smartphone black market in Europe
• support to EU economy’s intellectual property protection & fight against forgeries & counterfeits
• strengthening of European mobile forensics market & competitiveness of main EU player
• young researchers’ qualification within EU & beyond, cross-border cooperation of significant players from forensic science & security research - helps relieve the lack of specialists in forensics
• tools to aid cross border sharing & collaboration of digital forensic data between EU LEAs
• support of development & consolidation of stable open societies in Central Asia by tailored training on legal & ethical aspects adhering to international norms
Roadmap to a CWA
Mobile forensic investigation chain
FORMOBILE main results