Skip to main content

From mobile phones to court – A complete FORensic investigation chain targeting MOBILE devices

Periodic Reporting for period 1 - FORMOBILE (From mobile phones to court – A complete FORensic investigation chain targeting MOBILE devices)

Reporting period: 2019-05-01 to 2020-10-31

Criminals commonly use mobile phones to communicate information on illegal activities. Therefore, accessing materials contained on phones is crucial for fighting crime. The data, which LEAs aim to recover includes call history, chat messages, web browser history, email, contacts and GPS location information. FORMOBILE reviews the current mobile forensics and assesses the requirements of LEAs for future improvements. With respect to the GDPR the consortium produces new tools to unlock, acquire and decode previously unattainable data. A new standard, containing best practices, will help guide LEAs through the existing documentation. Training will support both initiatives. The goals are to create an end-to-end investigation chain for mobile devices (image mobile forensic investigation chain), maximising the use of digital evidence to support criminal investigation and prosecution.
LEA status
Starting with a survey and a ring trial, the problems and requirements of European LEAs in the field of mobile forensics have been compiled. A report describes the current capabilities of laboratories in the field of mobile forensics in Europe. With these findings, methods to test the standardization agreements, the tools and their application are under preparation.

Legal & ethical issues
In providing ongoing legal input the legal partners ensure the project respects applicable ethical and legal rules, and the results produced follow criminal procedure rules. The Legal & Ethical Report covers the legal and ethical examination. It explains the approaches taken to legal and ethical issues. The Criminal Procedure Report assesses the current criminal procedure legislation in regard to electronic evidence extracted from mobile devices.

On the way to a CEN workshop agreement (CWA, image roadmap to a CWA), existing guidelines from LEAs, IT specialists, industry, scientific and legal representants with applicable standards and best practice used in mobile forensics, have been gathered in an overview report and gaps in these guidelines have been defined.

The technical work assists with acquiring challenging mobile data, overcoming security measures, decoding mobile data and the analysis of mobile data, as well as overcoming problems that arise with the review of large-scale data volumes. The tools are under construction and the first prototypes for some of the tools are already available.

On the basis of a survey and interviews with LEAs about gaps in existing training; a curriculum containing consecutive modules on mobile forensics has been created. The development of 9 online or physical certificated training modules is ongoing.

Dissemination and Exploitation
For external communication, security, data management, dissemination and exploitation respective plans, a website, a secure portal and social media channels have all been created. Over 150 international external stakeholders are following the project. A quarterly newsletter, presentations on conferences and workshops, as well as collaboration with sister projects supports awareness for the project (image 1st year improvements).
European standard for mobile forensics
So far there is no particular standard for the forensic examination of mobile phones adopted throughout Europe. After reviewing practices, guidelines and standards (T3.1) and gaps for mobile forensics (T3.2) a CWA specifically on mobile forensics is in progress (T3.3). After the project the CWA will be available to all European security practitioners.

T4.1 A novel RAM acquisition tool will be created. This ground-breaking objective will allow the acquisition of RAM for a broad spectrum of mobile devices. The acquisition of mobile RAM is the most challenging technical ambitions within the project. Initially at least mobile device RAM acquisition will be limited to specialised forensic laboratories with approved LEAs.
T4.2 The tool CLOUDxTRACTOR will be available for most security practitioners and can also be used by first responders. The tool will be able to cover a broad spectrum of cloud providers.
T4.3 The acquisition of mobile clones will be enhanced. We will create CLONEaQUIRE as an easy-to-use tool, that can be used by first responders and will allow safe acquisition of mobile clone phones.
T4.4 The Dump Importer, an easy-to-use tool to import dumps will be able to import RAM dumps from mobile devices. It will import the dumps in a standardised open source format or gain access via an API.

T5.1 The eMMC/UFS emulator presents a technology, which makes it possible to emulate mobile storage and gives specialised forensic laboratories repeated password attempts on locked devices.
T5.2 The RAM decoding tool is specially designed for mobile devices. It supports more than one mobile manufacturer and will be available for common forensic laboratories.
T5.3 The Antiforensic System, available for first responders, will be able to effectively detect and deactivate antiforensic techniques.
T5.4 The Dump Decoder supports a great number of third-party app data, is easily adoptable to new upcoming formats and available to first responders.

T6.1 To scan large volumes of data used in messaging apps for the search of digital evidence, the Semantic Analyser examines this data automatically with semantic algorithms for text and pictures to aid investigators.
T6.2 The easy-to-use mobile Malware Analysis Platform allows a fast and automated dissection of mobile malware. It will be available for forensic laboratories and first responders.
T6.3 The FORMOBILE Visualizer helps to visualise the extracted data in a way that the security practitioner can easily distinguish important evidence from unimportant data.
T6.4 The Dump Analysis Tool enriches the extracted data with the results from the big data analysis.

European training program
The FORMOBILE team are developing a curriculum to train LEA first responders and mobile forensic experts. The modules in the curriculum are didactically structured and deliver a comprehensive training for mobile forensics. The training combines practical courses with innovative, ongoing augmented learning techniques.

• overview on mobile forensic practices and guidelines, a pre-standard for European-wide mobile forensics to help unify working processes
• new, user-friendly tools supporting extraction and examination of mobile devices and the analysis of digital evidences in big data, available for a broader group of security practitioners, addressing traditional or emerging forms of crime and terrorism at acceptable costs. Investigation capabilities will improve in quality and speed
• training for LEAs and prosecution especially on mobile forensics, filling gaps to existing training
• strengthening of abilities of the EU economy in hardware development especially for disruptive technologies like the internet of things
• faster prediction of the counterfeit smartphone black market in Europe
• support to protect intellectual property of the EU economy and the fight against forgeries and counterfeits
• strengthening of European mobile forensics market and competitiveness of the main EU player
• qualification of young researchers within the EU and beyond, cross-border cooperation of significant players from the field of forensic science and security research.
• tools to aid cross border sharing and collaboration of digital forensic data between EU LEAs
1st year improvements
Roadmap to a CWA
Mobil forensic investigation chain