European Informatics Data Exchange Framework for Courts and Evidence
EVIDENCE aims at providing a road map (guidelines, recommendations, technical standards) for realising the missing Common European Framework for the systematic and uniform application of new technologies in the collection, use and exchange of evidence. This road map incorporating standardized solutions would enable policy maker to realize an efficient regulation, treatment and exchange of digital evidence, LEAs as well as judges/magistrates and prosecutors and lawyers practising in the criminal field to have at their disposal as legal/technological background a Common European Framework allowing them to gather, use and exchange digital evidences according to common standards and rules.EVIDENCE activities will enable the implementation of a stable network of experts in digital forensics communicating and exchanging their opinions.
CONSIGLIO NAZIONALE DELLE RICERCHE
Piazzale Aldo Moro 7
€ 311 552,60
Maria Angela Biasiotti (Dr.)
Sort by EU Contribution
€ 398 297,50
THE INTERNATIONAL CRIMINAL POLICE ORGANIZATION
€ 224 967,50
GOTTFRIED WILHELM LEIBNIZ UNIVERSITAET HANNOVER
€ 185 110
LABORATORIO DI SCIENZE DELLA CITTADINANZA
€ 206 510
UNIVERSITA TA MALTA
€ 111 012,50
CENTRE D'EXCELLENCE EN TECHNOLOGIES DE L'INFORMATION ET DE LA COMMUNICATION
€ 181 365
PRAVO I INTERNET FOUNDATION
€ 151 693,90
CONSEIL DES BARREAUX EUROPEENS AISBL
€ 154 080
Grant agreement ID: 608185
1 March 2014
31 October 2016
€ 2 303 649
€ 1 924 589
CONSIGLIO NAZIONALE DELLE RICERCHE
Roadmap to regulate cross-border electronic evidence in Europe
The EU needs to develop better means of exchanging information and evidence among Member States in order to combat counterterrorism and crime in a timely manner. 'Mutual legal assistance procedures for gathering and exchanging information, and requesting and providing support in obtaining evidence between Member States, have not been adapted to the realities of today's increasingly global and complex crime,' says project coordinator Dr Maria Angela Biasiotti, a researcher at the Italian National Research Council's Institute of Legal Information Theories and Techniques. 'To tackle terrorism and organised crime, a fast, secure and trusted cross-border exchange of qualified information and electronic evidence is needed between public prosecutors and law enforcement agencies,' explains Dr Biasiotti. To address this issue, the EVIDENCE (European informatics data exchange framework for courts and evidence) project worked to realise a coherent European framework for the regulation and standardisation of electronic evidence gathering and exchange. Project research led to several key findings. Although no comprehensive legal framework exists in the EU, electronic evidence is increasingly being used as main evidence in criminal procedures. LEAs are left to operate in a patchwork of legal, data protection, enforcement or technical solutions. Relevant stakeholders also feel a need to certify and professionalise actors and environments where electronic evidence is preserved, stored, analysed and exchanged. Making cross-border investigations faster and more efficient To provide solutions for its core findings, EVIDENCE developed a roadmap that includes guidelines, best practices, recommendations, technical standards and a research agenda. It serves as a resource for policymakers, legislators, law enforcement agencies, digital forensic experts and other stakeholders in laying the groundwork for a common European electronic evidence framework. The roadmap identifies a number of challenges concerning the collection, preservation, use and exchange of electronic evidence from different perspectives, and provides 10 strategic goals for addressing them. Objectives included conducting further research and enhancing law enforcement, legislation, policies, trust, technical standards and digital forensics. Several short-, medium- and long-term actions were laid down to achieve these objectives. Other concrete EVIDENCE outcomes include an electronic evidence categorisation tool, an electronic evidence map of actors and a digital forensics tools catalogue. Researchers also developed proposals for a standard language and approach to electronic evidence exchange and tools to foster its use. Bringing together key actors in digital forensics According to Dr Biasiotti, EVIDENCE is already making an impact on its end users, thus helping to create the necessary critical mass of stakeholders involved in the electronic evidence process at European and global levels. 'We have been able to generate awareness, stimulate debate, initiate dialogue and ultimately set up an informed and well-balanced network and community from different disciplines and domains.' The wide-ranging network reads like a who's who of global electronic evidence treatment and exchange. It includes leading EU and international agencies and organisations such as Europol and Interpol as well as the European body for the enhancement of judicial cooperation (Eurojust). It also comprises influential communities, several digital forensics software companies, European public prosecutors, judges and law enforcement agencies as well as related EU-funded projects. EVIDENCE has teamed up with the e-Codex project to pilot the secure and trusted exchange of electronic evidence in the EU, in line with the directive on the European Investigation Order and the mutual legal assistance model. 'We really hope to have the opportunity to follow up with what we have achieved so far, and contribute to the realisation of a common European framework,' concludes Dr Biasiotti.
Grant agreement ID: 608185
1 March 2014
31 October 2016
€ 2 303 649
€ 1 924 589
CONSIGLIO NAZIONALE DELLE RICERCHE
Discover other articles in the same domain of application
Final Report Summary - EVIDENCE (European Informatics Data Exchange Framework for Courts and Evidence)
Crime has become global. Principles like territoriality and borders of the criminal action are no longer just local or national. Evidence and qualified criminal and investigative information no longer appear in their traditional form: they are mostly electronically stored on a mobile phone or another mobile device. Electronic evidence as such is no longer only relating to cybercrime but almost all crimes involve electronic evidence. E.g. terrorists organize their attack by talking on social networks and by chatting online or via Whatsapp. Taking these developments into account the European Union needs to develop better means to exchange information and evidence relating to crimes quickly from one country to another, to a Law Enforcement Agency, to another public prosecutor, etc. in order to combat crime in a cross-border dimension. The exchange becomes crucial in the counterterrorism fight and for the fight against global crimes.
Mutual Legal Assistance (MLA) procedures have not been adapted to the realities of today’s crimes which are increasingly global and complex and heavily impact the potential for rapid and efficient transfers of potential electronic evidence.
Security problem addressed
Tackling terrorism and organized crime, including cybercrime, by allowing a fast, secure and trusted exchange of qualified information and electronic evidence among public prosecutors and LEAs of different Member States, by adopting a standardized approach and standardized procedures in a cross-border dimension fostering the cooperation in criminal matters.
Focus of the project
The aim of the EVIDENCE project was to create a Common European Framework for the correct and harmonised handling of electronic evidence during its entire lifecycle: the collection, preservation, use and – in particular – exchange of electronic evidence. The main goal was to draft a Roadmap including policy recommendations, guidelines, technical standards, legislation, further research, etc. for realising this Common European Framework.
The Roadmap, drafted as the main outcome of the project, is to be a resource for policymakers and legislators as well as law enforcement agencies, digital forensic experts and other stakeholders. The Roadmap is based on the evidence and research found throughout the EVIDENCE project.
The following concrete results and tools were realized:
- The Electronic Evidence Categorisation Tool- This is a thesuarus of relevant electronic evidence domain including digital forensics.
- The Electronic Evidence Map of Actors- This identifies all the actors involved into the electronic evidence chain of custody and treatment as well as the obstacles and facilitating factors impacting on the electronic evidence exchange in EU.
- The EVIDENCE Catalogue of Digital Forensics Tools- This tool comprises the most significant digital forensics tools related to Acquisition and Analysis currently in use all over the world by LEAs and digital forensics experts. The total number of software tools collected so far is 1.492.
- The EVIDENCE proposal for a standard language and approach for the exchanging of electronic evidence- This formal language allows to represent a set of data and metadata for describing electronic evidence in terms of Actors (Subject, Victim, Examiners, Judge, Investigator), Actions (Search and Seizure, Acquisition, Analysis, ...) Tools (Encase, Cellbrite, ...) Objects (Hard disk, Smartphone, Live memory, ...) and Relationships between objects, actors and actions.
- The EVIDENCE Proof of Concept - This is a case management workflow able to manage forensics cases represented with the standard language, to speed up the Evidence Exchange process and foster the judicial cooperation at national and European level.
- The EVIDENCE Roadmap- this comprises strategies, policies and measures to be adopted in the future for realizing the European Common Framework allowing the exchange of electronic evidence in EU.
From when we started in 2014 we have been able to generate awareness, stimulate the debate, open/set up a dialogue and create a specific network and community of various communities and stakeholders belonging to the different disciplines and domains involved in the field of electronic evidence. We were able to build up a high level and well-balanced EVIDENCE Network including the following actors:
- Communities involved into the Electronic Evidence treatment and exchange DFRWS, NFI, NIST, INTERPARES - EU Institutions: EUROJUST, EUROPOL, COE Cybercrime Convention, OLAF-Digital Forensics Unit and DPO
- International Institutions: INTERPOL, ICC
- Digital Forensics Software companies: Cellebrite, Oxygen Forensics, Magnet Forensics
- ISPs/Tech companies: Facebook, Yahoo, Microsoft, Google, Apple and Samsung.
- Public Prosecutors, Judges and LEAs of EU MS
- EU Projects: LASIE, e-Crime, GIFT, MAPPING, SIIP, e-Codex, e-Sens, EA-Fit Tools, and others.
Project Context and Objectives:
The topic set by the call SEC-2013.1.4 highlights the need in the European Union context to have a Common Framework regulating the implementation of ICTs in the use, collection and exchange of evidence in criminal trials. However, legislations on criminal procedures in many European countries were enacted before these technologies appeared, thus taking no account of them and creating a scenario where criteria are different and uncertain, regulations are not harmonised and aligned and therefore exchange among EU countries jurisdictions, at transnational level, is very hard to be realised.
What is missing is a Common European Framework to guide policy makers, Law Enforcement Agencies (LEAs), judges/magistrates as well as lawyers and prosecutors when dealing with digital evidence treatment and exchange. It means that what is missing is:
1) a common legal layer devoted to the regulation of electronic evidence in courts;
2) a common guide identifying the value to be assigned to electronic evidence all over EU member States, common criteria for reliability of electronic evidence independently from the country or LEA by which is gathered, reliability, validity and integrity of the electronic proof, and so forth;
3) a common background for all policy makers that must regulate the use of electronic evidence in their national scenario, for LEAs major actors in gathering electronic evidence, for judges magistrates evaluating such electronic evidence in trials, for prosecutors and for lawyers, using electronic evidence for conducting someone’s defence.
In response to the above needs and gaps the EVIDENCE project aims at providing a Road map (guidelines, recommendations, technical standards) for realising the missing Common European Framework for the systematic and uniform application of new technologies in the collection, use and exchange of evidence. This road map incorporating standardized solutions would enable policy maker to realize an efficient regulation, treatment and exchange of digital evidence, LEAs as well as judges/magistrates and prosecutors and lawyers practising in the criminal field to have at their disposal as legal/technological background a Common European Framework allowing them to gather, use and exchange digital evidences according to common standards and rules. EVIDENCE activities will enable the implementation of a stable network of experts in digital forensics communicating and exchanging their opinions.
In order to produce the Road map the following objectives are considered essential:
- developing a common and shared understanding on what electronic evidence is and which are the relevant concepts of electronic evidence in involved domains and related fields (digital forensic, criminal law, criminal procedure, criminal international cooperation);
- detecting which are rules and criteria utilized for processing electronic evidence in EU Member States, and eventually how is the exchange of evidence regulated;
- detecting of the existence of criteria and standards for guaranteeing reliability, integrity and chain of custody requirement of electronic evidence in the EU Member States and eventually in the exchange of it;
- defining operational and ethical implications for Law Enforcement Agencies all over Europe;
- identifying and developing technological functionalities for a Common European Framework in gathering and exchanging electronic evidence;
- seizing the EVIDENCE market.
In order to achieve the objectives of the project, EVIDENCE has seven research work packages. Each work package is led by an experienced project member who is responsible for clearly delineated, measurable deliverables. The work packages are carried out in the context of four distinct project streams which build on and inform each other:
- Status Quo Analysis (WP2, WP3, WP4, WP6, WP8),
- Technical Functionalities development (WP5),
- Impact and Testing (WP5, WP7), and
- Road Map (WP9).
The project moves from an ‘as is’ analysis to the envisioning of future counter measures and research.
The seven work packages exploring fundamental issues through both theoretical and applied research are complemented by three other Work Packages designed to ensure that the EVIDENCE project, which groups nearly 25 researchers from ten institutions in six EU Member States, is fully compliant with the highest standards of project management in international collaborative research. Thus, WP1 deals with project management and co-ordination across the entire EVIDENCE project while WP10 provides an internal evaluation function. WP11 serves to build strong relations with stakeholders and focus effort on dissemination of the project results across the widest possible range of audiences, also by means of consultation with various stakeholders in meetings and workshops.
The EVIDENCE project will be co-managed through a Steering Committee on the basis of the joint responsibility principle. External input, advice and feedback will be provided by members of the External Advisory Group (EAG). Dissemination of the project outcomes will be carried out in the context of a dedicated work package (WP11) that which will be in close cooperate with all other work packages to achieve the widest possible dissemination of information to the relevant stakeholders and policy makers.
The most significant result consists in the Roadmap, drafted as the main outcome of the project, to be used as a resource for policy makers and legislators as well as law enforcement agencies, digital forensic experts and other stakeholders. The Roadmap is based on the evidence and research found throughout the EVIDENCE project.
The following concrete results and tools have been realized:
• The Electronic Evidence Categorisation Tool- This is a thesaurus of relevant electronic evidence domain including digital forensics.
• The Electronic Evidence Map of Actors- This identifies all the actors involved into the electronic evidence chain of custody and treatment as well as the obstacles and facilitating factors impacting on the electronic evidence exchange in EU.
• The Digital Forensics Tools Catalogue (https://wp4.evidenceproject.eu). This Catalogue comprises the most significant digital forensics tools related to Acquisition and Analysis currently in use all over the world by LEAs and digital forensics experts. The total number of software tools collected so far is 1.509.
• The EVIDENCE proposal for a standard language and approach for the exchanging of electronic evidence- This formal language allows to represent a set of data and metadata for describing electronic evidence in terms of Actors (Subject, Victim, Examiners, Judge, Investigator), Actions (Search and Seizure, Acquisition, Analysis, etc.), Tools (Encase, Cellbrite, etc.) Objects (Hard disk, Smartphone, Live memory, etc.) and Relationships between objects, actors and actions.
• The EVIDENCE Proof of Concept - This is a case management workflow able to manage forensics cases represented with the standard language, to speed up the Evidence Exchange process and foster the judicial cooperation at national and European level.
• The EVIDENCE Roadmap: it comprises strategies, policies and measures to be adopted in the future for realizing the European Common Framework allowing the exchange of electronic evidence in EU.
The results achieved within the activities of the project are outlined, in details, below.
Evidence Categorization (WP2)
A common language has been provided to be utilized for identifying, connecting and aligning all relevant activities carried out within the project.
The use of Electronic Evidence has become a necessary element to consider when solving a crime and conducting a fair trial. This is of the utmost importance in a cross-border dimension considering the specific collaboration among European Union Member States related to criminal investigations and criminal trials. The EVIDENCE project will look at the challenges and problems surrounding the use and the exchange of Electronic Evidence in the legal systems and will emphasise the need for a common and shared understanding of what Electronic Evidence is and how it should be treated.
In setting the domain boundaries, the WP2 team has examined relevant literature, guidelines and standards used to define and handle Electronic Evidence. The gathering of relevant documentation has been carried out through an internal consultation among partners and desktop research. At the end of this step 128 sources in full text were collected and classified in:
- academic papers and books (45), - guidelines (30),
- reports (13),
- project reports (16),
- legislative codes of practice and regulation commentaries (16), - recommendation and policy documents (8).
These sources of information allowed the team to identify a first set of terms and definitions used in the top down extraction of relevant concepts, to be considered as the basis for the development of the Categorization. In parallel, the gathered documentation was used to apply a bottom up strategy that allowed a semi-automatic extraction of lemmas and syntagms, using a natural language processing technique. The results of this activity allowed the identification of further terms and concepts to enrich the top-down extraction. Each term identified as “concept” has a specific definition context based on and consistent with the scope of the EVIDENCE Project. The research team chose SKOS (Simple Knowledge Organization System) as the standard way to represent and support the categorization activities. SKOS has the advantage of expressing knowledge organization systems in a machine-understandable way within the framework of the semantic web. One of the main focuses of the EVIDENCE Project concerns the development of a framework for data exchange between judicial actors and LEAs, therefore it has been adopted a broad vision of the term Evidence, in order to include both Digital Evidence and Electronic Evidence.
On the basis of this broad view, the definition adopted for the Electronic Evidence concept is the following:
Electronic Evidence is any data resulting from the output of an analogue device and/or a digital device of potential probative value that are generated by, processed by, stored on or transmitted by any electronic device. Digital evidence is that Electronic Evidence which is generated or converted to a numerical format.
The identified concepts have been structured into 8 main classes able to represent the EVIDENCE project specific objectives, but also in line with the conceptual model arising from the relevant literature, sources of law, practises and standards duly considered in the implementation phase. These main classes are:
• Crime. It is defined as an act, default or conduct prejudicial to the community, for which the person responsible may, by law, be punished by fine or imprisonment
• Source of Electronic Evidence. It is defined as any physical, analogical and digital device (computer or computer like device) capable of creating information that may have a probative value in courts.
• Process. It is defined as a series of actions or steps taken in order to achieve a particular end within the Electronic Evidence lifecycle.
• Electronic Evidence. It is defined as any data resulting from the output of an analogue device and/or a digital device of potential probative value that are generated by, processed by, stored on or transmitted by any electronic device. Digital evidence is that Electronic Evidence which is generated or converted to a numerical format.
• Requirement. It is defined as principles or rules related both to legal rules and handling procedures that are necessary, indispensable, or unavoidable to make potential Electronic Evidence admissible in court.
• Stakeholder. It is defined as actors or organizations having a concern in or playing a specific role in the Electronic Evidence lifecycle.
• Rule. It is defined as a set of explicit or understood regulations or principles governing conduct or procedures for the identification, collection, preservation, analysis, exchange and presentation of Electronic Evidence in a cross border and national dimension.
• Digital Forensics. It is defined as the application of forensic science to Electronic Evidence in a legal environment.
These main classes have been hierarchically structured in sub-classes, that may be easily updated and maintained. The structure is conceived as a conceptual map and all the definitions and notes of the Categorization may be viewed via the following url:
The SKOS structure is available via the following url: http://evidence-project.herokuapp.com/en/hierarchical_concepts.html
Legal issues (WP3) and Data Protection issue (WP8)
Legal scenario is devoted to understanding whether and how electronic evidence is perceived and eventually regulated in the European Union (EU) framework. This is achieved through a wide collection of relevant documentation and available information, including by way of a questionnaire in order to identify the existing national legal frameworks. It has put the focus not only on the domestic regulation but also on specific criteria implemented in each Member State for transnational exchange of electronic evidence.
The main objective deals primarily with the status quo analysis and is aimed at providing a comparative overview of legislation and practices in EU Member States by considering the following three stages:
• Collection of electronic evidence;
• Preservation of electronic evidence;
• Exchange of electronic evidence: examination of the principia governing transnational transfer of evidence.
In the Description of Work was planned to create an overview in 27+1 Member States, but it has been decided to take a two-step approach instead:
• step 1 to cover the European-wide context of electronic evidence and focus only on a select number of MS for in-depth study (covering primarily but not exclusively continental public law jurisdictions);
• step 2 to add to our focus three bodies of legal cultures in the EU not yet covered in step 1 – primarily the position in the Anglo-Saxon world, in Nordic countries and in the Baltics.
The comparative overview of national laws regulating the collection, preservation, use and exchange of electronic evidence is based upon the results from the questionnaires from the respondent Member States.
International and European legislation and practices
There is no comprehensive international or European legal framework relating to (electronic) evidence. Parties involved rely on national law when it comes to the collection, preservation, use and exchange of (electronic) evidence. These national criminal laws have been written ages ago, long before there was such a thing as the internet and modern technologies which could provide electronic evidence. While it is true that some countries have adapted their legislation in order to include such developments, others rely on traditional laws and, in case, apply them to electronic evidence as well. There are thus big differences in national legislation and approach, which makes handling transnational electronic evidence difficult. According to the United Nations (UN) Study on Cybercrime evidence rules vary considerably even amongst countries with similar legal traditions. In certain countries traditional investigative powers might be general enough to apply to electronic evidence while in other countries traditional procedural laws might not cover specific issues regarding electronic evidence, making it necessary to have additional legislation. In certain countries there are defined rules as to admissibility of evidence in Court while in other countries admissibility is flexible. In all cases legislation requires a clear scope of application of powers and sufficient legal authority for actions.
While there is no comprehensive international or European legal framework relating to electronic evidence, a number of international and European legal instruments and policy documents are relevant to electronic evidence. These instruments and documents may inspire national laws and practices or may be implemented into national law. Apart from these international and European instruments and documents it is worth mentioning that Member States may also rely on bilateral and multilateral agreements, in particular when it comes to cross-border exchange of (electronic) evidence.
The EU Member States are also Member States to the United Nations and signatories to some of the mayor international treaties and other instruments. This includes various international human rights and trade treaties and agreements. For example, some international documents may assist in effectively assuring the legal treatment of electronic signatures and give certainty to their status, meaning that for example their admissibility in Court is assured even if exchanged cross-border. But in particular the human rights aspects are relevant when it comes to electronic evidence in criminal investigation and prosecution, considering the need of balance between security and fundamental rights and especially when it comes to cross- border exchange of (electronic) evidence.
(Cyber)Security can only be sound and effective if it is based on fundamental rights and freedoms and individuals’ rights cannot be secured without safe networks and systems. Protecting fundamental rights, freedom of expression, personal data and privacy are of utmost importance.
Law enforcement, prosecution and the judiciary should also follow certain guidelines when collecting, preserving, using and exchanging electronic evidence, especially considering the volatile nature of electronic evidence. There are a number of international standards available which may be used as a guide including ISO standards.
With the adoption and entering into force of the Lisbon Treaty a supranational regime for EU criminal law was introduced. Title V of the Treaty on the Functioning of the European Union (TFEU) provides for the Area of Freedom, Security and Justice within the EU. Based on Art. 67 (3) TFEU, with this area the EU will endeavour to ensure a high level of security through measures to prevent an combat crime, through police and judicial coordination and cooperation, through mutual recognition of judgements in criminal matters and if necessary through harmonisation of criminal laws. The Area of Freedom, Security and Justice thus includes EU criminal law and police cooperation which is further developed in Chapters 4 (judicial cooperation in criminal matters) and 5 (police cooperation) of Title V TFEU. Although it is true that there has been progress, the realities are somewhat different. Judicial and police cooperation are subject to Art. 4 (2) of the Treaty on the European Union17 (TEU) which states that national security is the sole responsibility of each Member State, interpreted in the sense that the provisions regarding judicial and police cooperation are on stringent terms with sovereignty regarding national security. More so considering that sensitive matters can be referred to the European Council. Instruments adopted prior to the Lisbon Treaty furthermore retain their earlier status, the United Kingdom and Ireland can opt out of any of the instruments and Denmark is only bound by virtue of its commitments under the Schengen Convention.
The regime has been a step forward in particular seeing as judicial and police cooperation is of utmost importance with regard to the collection, preservation, use and exchange of (electronic) evidence and judicial authorities and police forces across Europe do tend to work together in preventing and solving cross border crime.
According to Art. 82 (1) TFEU judicial cooperation in the EU is based on the principle of mutual recognition of judgements and judicial decisions and includes approximation of laws and regulations of the Member States in a number of areas including mutual admissibility of evidence between Member States (Art. 82 (2, a) TFEU) and in a number areas of serious crimes including terrorism, organised crime and cybercrime (Art. 83 (1)TFEU). According to
Art. 87 TFEU police cooperation in the EU is established involving the competent authorities of the Member States and the EU. Based on these provisions the EU may issue Directives and other measures to the extent necessary to facilitate judicial and police cooperation within the EU. The EU has adopted a number of Directives and other measures with regard to criminal law.
Council of Europe
Apart from the available international and EU legal instruments and policy documents there are a number of instruments and documents by the Council of Europe relevant to electronic evidence. In fact, the Council of Europe instruments and documents are generally more authoritative than the international and EU ones. As far as international organisations go, the Council of Europe has more members than the EU and all EU Member States are members of the Council of Europe as well and in particular with regard to cybercrime the Council of Europe provided a binding international treaty that provides an effective framework for the adoption of national legislation and a basis for international cooperation in this field. In several pieces of EU legislation and policy documents it is reiterated that the Council of Europe’s instruments are the legal framework of reference for combating cybercrime and that the EU legislation and policies build on those of the Council of Europe.
With regard to electronic evidence, a number of Council of Europe instruments and documents are highly relevant. Firstly, the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) in particular when it comes to the protection of the right to privacy. Secondly, the Council of Europe Convention on Cybercrime (Cybercrime Convention) as this Convention remains the main (and only) international treaty which defines the substantive elements that lead to some cyber activities to be classified as crimes; and which has procedural provisions that allow for the prevention, detection and prosecution of these activities. Although electronic evidence may not necessarily result from cybercrime, this is the main framework for reference in this area which offers many provisions to enhance investigations where electronic evidence is involved. Thirdly, the Council of Europe Convention on Mutual Assistance in Criminal Matters, and its 1978 Protocol and lastly the Electronic Evidence Guide.
It has been provided an overview on law and practices in some EU Member States when implementing new technologies in processing evidence, processing meaning collecting, preserving, using and exchanging evidence (i.e. the chain of custody of evidence), in criminal proceedings. There are some overall conclusions that can be drawn at this stage:
a) There is no comprehensive EU legal framework regarding electronic evidence. There are only a number of EU instruments which may be directly or indirectly relevant to the collection, preservation, use and exchange of electronic evidence. Most of them have been implemented in the European Member States but often in a very different manner according to the single legal systems and traditions. The increasing use of digital technologies in individuals’ daily activities, including criminal ones and their cross-border nature have posed new challenges to the European and national legal
systems, especially as far as the collection, preservation and exchange of evidence is concerned. Laws and practices of the different Member States treat differently electronic evidence, contributing to create a situation of legal and practical uncertainty.
b) Although some regulations exist, clarity on the collection, preservation and exchange of electronic evidence relevant in criminal investigations is missing. Differences through European Member States may be in some cases significant, especially as far as the admissibility of electronic evidence is concerned. These differences (due to the traditional competence attributed to MS in criminal matters but also to the distinctive constitutional traditions) are not necessary a weakness per se? in the European legal framework. However, a clear and more harmonized framework is desirable in order to facilitate efficient cooperation in criminal matters.
c) While there is still no legislative harmonisation, it comes out a slow but gradual interpretative evolution of the national criminal laws regarding the treatment of evidence, which allowed the competent actors (judges, prosecutors, lawyers, LEAs) to apply, to some extent, existing norms to cases on e-evidence. This interpretative evolution, leading to some degree of harmonisation (albeit at a different level) may be due to the ratification of the Council of Europe Convention on Cybercrime in 25 EU MS293 and to some harmonising effect of the different Framework Decisions and Directives.
d) There is an increase in legislative action in the MS as regards electronic evidence. In some more specific cases, amendments to existing norms of criminal law (substantial and procedural) were necessary to make them applicable to the new technological scenarios. In other cases, the amendments have been considerable, comprising the replacement of, for instance, entire articles/sections of the national criminal procedural law (or the introduction of new articles) also as a consequence of the implementation of a supranational legislation (e.g. Council of Europe Convention on cybercrime).
e) Although the specific knowledge and expertise of the main actors involved in the handling of e-evidence seems to increase and best practices are gradually developing, there is a lack of specific standards on the procedures and modalities to follow in the phase of gathering, preserving and especially exchanging electronic evidence.
f) With regard to the effect/impact of data protection and related legal framework, it is worth to noting that in most of the countries analysed, the national data protection provisions (implementing Directive 95/46/EC) have been modified as a consequence of the introduction of antiterrorism measures, entailing the application of new rules for collecting and retaining traffic data, log files and other (electronic) personal data..
Standard issue (WP4)
The activities carried out within the WP4 aimed at providing an overview of existing standard for treatment and exchange of electronic evidence also taking into consideration tools that are thoroughly tested and generally accepted in the computer forensics field in the EU Member States context.
In composing this overview we have considered the following sources: • relevant literature;
• existing guidelines and technical standards;
• practical and operational feedback by Law Enforcement Agencies and forensics specialists by means of questionnaires/interviews and workshops with expert group meetings both in the legal and technical fields.
Overview of existing standard for the handling of electronic evidence
Since the forensics science was born, processes for the handling of electronic evidence, have been described on the basis of different criteria and different levels of details. Within the digital investigation process models, the point of reference is represented by the technical standard ISO 27043 - Incident investigation principles and processes.
The overview of practices and procedures for gathering digital evidence, has been organized according to the Electronic Evidence life-cycle. Eight main different phases have been distinguished, regarding the handling of digital evidence, starting from the incident event:
• Case Preparation. This is the first step of the digital evidence management timeline and it comprises organizational, technical and investigative aspects and includes:
• Case Assessment. It consists in the identification of all available information and the evaluation of data to be searched.
• Human Resources Identification. It is about the evaluation of the human resources needed to carry out the investigation activity.
• Tools Checklist. It is the preparation of a tools checklist whereby all the authorized people check the available tools and their appropriateness regarding the investigation to be carried out.
• Media Destination. It concerns the preparation of media destination where data will be forensically copied to.
• Evidence Identification. This is the step consisting of examining/studying the crime scene in order to preserve, as much as possible, the original state of the digital/electronic devices that are going to be acquire.
• Evidence Classification: This is the step consisting of identifying the main features and the status of the device, taking notes about Case ID, Evidence ID, Seizure place/date/made by/ Evidence type, picture, status, etc.
• Evidence Handling. This is the step where it is defined which specific standard procedures are to be followed, based on the kind of device is being handled.
• Evidence Acquisition. This is one of the most critical phase within the digital evidence handle processes: the forensics specialist must take care of the potential digital evidence in order to guarantee its integrity during the judgment.
• Evidence Analysis. This is a process heavily affected by the kind of case under investigation, the type of evidence to be handled and the features related to each of the evidence to be examined (e.g. installed operating system, type of file system, etc.).
• Evidence Reporting. This is one of he most critical steps. After the completion of identification, acquisition and analysis activities digital evidence specialists have to complete their job producing a report with all the activities carried out and the outcome achieved. The report must contain all details to allow the specialists to testify before a Court only relying on that document.
Digital Forensics Tools Catalogue
In composing the overview of existing standard for the handling of electronic evidence, a huge number of digital forensics tools have been gathered and it has been created a Digital Forensics Tools Catalogue, concerning tools for the Acquisitive and Analysis phases as described at different levels of details by the ISO/IEC standards, especially 27037, 27042 and 27043.
The Catalogue (https://wp4.evidenceprojects.eu) represents the overview of forensics tools for handling digital evidence, generally accepted in the EU member states and it has been consolidated and integrated on the basis of the answers gathered through a bespoke online questionnaire involving a group of forensics specialists.
The catalogue comprises the most significant digital forensics tools related to:
• Acquisition (464 tools)
• Analysis (1045 tools)
The total number of software tools collected so far is 1.509 (the total amount of tools doesn’t correspond to the algebraic sum, because a tool can belong to both the Acquisition and Analysis branch).
The Analysis branch collection has been organized using a specific categorization briefly represented by the following main classes:
• Computer Forensics. It comprises tools for the analysis of File System, Operating System and Applications.
• File Analysis. It includes tools for the analysis of a file (content view, metadata view, specific file format analysis).
• Mobile Forensics. It encompasses tools for the analysis of Mobile Devices (Smartphont/Tablet, SIM Card, Sat Nav, etc.).
• Network Forensics. It comprises tools for the analysis of Network Traffic (NetFlow, PCAP), Network log files. Proxy Server and WiFi network.
• Memory Forensics. It includes tools for the analysis of RAM Memory Dump or Hibernation files.
• Malware Forensics. It comprises tools for the analysis of Malwer specimen. Tools are categorized in respect to the analysis type (e.g. Automated, Behavioral, Code, Sandbox, etc.).
• Anti Forensics. It includes tools useful to defeat anti-forensics techniques. Two categories are considered: Password Cracking tools and Stego Analysis tools.
• Cross Analysis. It concerns tools to perform analysis in more than one areas. Three sub categories are present: File Carving, Keyword Search and Timeline.
• Forensics/E-Discovery Toolkit. It comprises comprehensive tools for in depth analysis of multiple artifacts (e.g. Operating System, Applications, Memory) and with a lot of specific features (e.g. File Carving, Timeline, Password Cracking, etc.).
• Forensics Utilities. It contains tools for different and specific purposes.
The whole Analysis structure is available via the following url: https://wp4.evidenceproject.eu/dft.catalogue/dftc.analysis.pdf
The Acquisition branch collection has been organized using a specific categorization briefly represented by the following main classes:
• Disk duplication. Hardware and software tools to acquire storage devices (e.g. Hard Disk, Pen Drive, Memory Card, etc.).
• Network. Tools to acquire network traffic both on cabled and wireless network.
• Mobile device. Tools for the acquisition of Mobile Devices (Smartphont/Tablet, SIM
Card, Sat Nav, etc.).
• Live acquisition. Tools to acquire data from a live computer (RAM capture, process activities, network connections, incident response/forensics tookit, opened files, etc.).
• Internet/Cloud. Tools to acquire data from remote services (e.g. Web Site/Page, Email Accounts, Social Network, Cloud Storage, etc.).
The whole Acquisition structure is available via the following url: https://wp4.evidenceproject.eu/dft.catalogue/dftc.acquisition.pdf
The meaning of each class is visible via the following url:
Each tool is represented by the following data:
• Tool Name. It represents the name of the tool assigned to it by its producer/reseller/developer.
• Tool Description. It contains a short description of the tools, taken from its official web site.
• License Type. It may assume values like Opensource, Freeware, Commercial, Multi (when it may have more than one single value).
• Category. It represents the hierarchical view of the different kind of forensics tools. Each tool may assume more than one single category: in this case the multiple occurrences of the same tool are separately considered and therefore are considered as two distinguished tools.
• Operating System. It may assume values like: Windows, Mac, Linux, Standalone, Online, Hardware, Multi. Its value represents the operating system on which the tool run.
• Developer. It is the author of the development of the tops and it may be a person, an organization or a community.
• Test Report. It is the official web address where a well known organization has tested the software and put the results of the operation on the web.
• Useful References. It contains a list of web resources related to the tools, such as documentation, manual, unofficial tests and others.
• Features. Each Category is connected to a single or multiple features, even though, in some cases, it may not have any features at all. Each Feature may assume a single or multiple values.
The Catalogue main page has been divided in two frames:
• the left frame or Search Frame, is dedicated to query preparation
• the right frame or Results Frame, shows the result of a query
Operating on the Search Frame the first step is selecting the Acquisition or Analysis branches, using the related radio button. As far as the user makes that choice the content of the search and results frames coherently change. More specifically the following information will be modified:
• the total number of available tools
• the hierarchical structure of the Category field
• the link related to Mind Map: it represent the mind map of the chosen branch - Acquisiton or Analysis
• the link related to Tag Clouds: it shows a tag cloud representation of the Categories, within the selected branch, based on the number of tool belonging to the related Category
The other fields useful for preparing a query are:
• the Name of the tool: when the focus is on this field the Enter key is enabled and pressing it will run the query
• the License Type: it contains values like Freeware, Opensource, Commercial
• the Operating System: it contains values like Windows, Mac OS, Linux
• the Category: it is one of the main search field: it selects the branch of a particular digital forensics tools family. When the user select a Category the Features panel will show the related Features with all the possible values.
• the Developer/Reseller Electronic Evidence Exchange
The regular international procedures for mutual assistance in criminal matters are time- consuming and unpredictable, but they represent, at the moment, the only way for carrying out the evidence exchange process. Nevertheless the situation may hamper the handling of serious cross-border and organized crime especially for investigative cases where time is crucial. Furthermore, when it comes to Electronic Evidence Exchange, a group of questions are to be born in mind:
• What information should be exchanged?
• When may the exchange take place?
• How the information could be exchanged, even taking into consideration security issues?
• When the electronic evidence size is huge, how could it be dealt with?
• Which kind of stakeholders are involved?
Additionally, there is no standard concerning the Electronic Evidence Exchange (comparison with Acquisition and Analysis) and the scenario is rather diversified, so it might possible to manage the exchange differently on the basis of the kind of evidence.
Therefore a standard proposal for the electronic evidence exchange has been composed. It consists of:
• a set of data and metadata for describing all actions (i.e. tasks), actors (e.g.: subjects, victims, authorities, examiners, etc.), tools (i.e. digital tools for carrying out different forensics processes), digital and physical objects involved in the investigative case (e.g.: hard disk, smartphone, memory dump, etc.) and objects relationships (e.g. Contains, Extracted From, et.)
• formal languages for representing in a standard way all the elements above cited
• a platform for implementing the exchange process in terms of functionalities along with a recommendation for an integration with existing platforms already in place and run by an European/International public body.
In the field of information exchange regarding malware activities, many standard languages have been proposed and exploited, even taking into consideration that the use of common standards is important for the exchange of any kind of information.
CybOX (Cyber Observable eXpression) is one of the most important languages that have been recently proposed. It has been devised along with other related languages, by Mitre (US):
• CAPEC7 (Common Attack Pattern Enumeration and Classification)
• MAEC8 (Malware Attribute Enumeration and Characterization)
• STIX9 (Structured Threat Information eXpression)
• TAXII10 (Threat Automated eXchange of Indicator Information)
The combination of the languages/formalisms, DFXML, CybOX, DFAX and the Unified Cyber Ontology (UCO), represents the most suitable standards to representing data and metadata related to an evidence exchange for a variety of reasons:
• they have been developed in the cyber security environment but they include lots of essential elements to representing digital forensics information
• they allow describing technical, procedural and judicial information as well
• they have been developed with the extensibility in mind so they are adaptable to the fast-pace development of technology and they allow introducing new elements to include forensics
• information not envisaged yet;
• they leverage the UCO ontology that permits the description of Actions, Actors and their relationships
• they are open source
• they already contain a composed structure for representing a wide range of forensics information
• they would allow analytical activities, such as data collection, surveys, research activities, etc.;
• they would foster mutual learning, identifying and exchange of best practices, development of working methods which may be transferable to other participating countries;
• they would develop· capacity building for professionals;
• they would facilitate cooperation between competent authorities and agencies, legal practitioners and/or service providers (including multi-disciplinary networks at international, national, regional or local levels);
• they would help in dissemination and awareness raising activities. DFAX Language
DFAX is a standard language for representing the processes involving in handling digital evidence with the aim to foster the interoperability among forensics tools and the exchanging of forensics information. It incorporates its own structure to represent the more procedural aspects of the digital forensics domain, including those for chain of custody, case management, forensic processing.
DFAX uses CybOX (Cyber Observable eXpression) language, for representing digital actions and objects along with their context. It has been developed with extensibility in mind: new object types can be added to CybOX without altering the core schema. DFAX (Digital Forensic Analysis eXpression) leverages CybOX for representing the purely technical information.
Another independent part, used by DFAX, is the UCO Unified Cyber Ontology that provides an abstract layer and express constructs that are common across the cyber domain (e.g. Action Lifecycle) and represents the actors/stakeholders, or Identity, involved in a case, such as: Attorney, Investigator, Examiner, Subject, Victim.
Each Identity is described through an XML schema.
Forensics basic case
In order to better explain how DFAX formalism represents metadata involved in an investigative case, it is worth examining a basic example, published on the GitHub software development platform related to DFAX: a minor solicitation and digital photos exchange case. The involved information are:
• the Subject: the adult John Doe
• the Victim: the minor Jan Doe
• the Judge: Dreyfuss
• the Examiner: the investigator Bob Grave
§ Seize suspect's cell phone
§ Receive evidence via courier
§ Make forensic image of suspect's cell phone
§ Make forensic image of SD card from suspect's cell phone
§ Find communications and multimedia exchanged between subject and victim
• Purpose: to find all kind of communication, along with the related multimedia files, between Subject and his Victim
The XML representation in DFAX formalism is available via the following url: https://wp4.evidenceproject.eu/dfax/dfax.basic.example.forensic.action.xml
Evidence Exchange platform
Although the main important part of the proposal of a standard for the evidence exchange process consists of a set of metadata for representing technical, procedural, judicial and other forensics information, and formal languages for their representation, it is important to emphasize the main features that a platform should have in order to implement the electronic evidence exchange process.
The security of the information is one of these crucial features: an efficient level of security guarantees the protection of all assets involved in the exchange process information flow in order to spread trust to all potential stakeholders/users.
The security of the information can be accomplished only through putting into effect an appropriate set of controls that include policies, procedures, processes, organizational structures, hardware and software functions. Furthermore it is essential that these controls are implemented and continuously and carefully monitored, reviewed, updated and improved. Policies for the information security should include, but are not limited to, the following:
• the access control
• physical and environment security
• malware protection
• cryptographic control
• communication security
• personal data and privacy protection
A possible solution would be to propose an Electronic Evidence Exchange/Sharing Platform managed by an European/International public body, where the users can be competent authorities (e.g. judicial, police, etc.) but private subjects as well (i.e. Internet Service Providers). Relying on this platform would make it possible to carry out an electronic evidence exchange using specific metadata along with the data related to the source of evidence. These metadata, expressed in an open standard language would identify the digital evidence in a unique manner, devising a way to represent the widest range of forensic information and forensic processing results in order to share structured information between independent tools and organizations.
This cloud platform could have a centralized or distributed architecture and, in order to mitigate the risk related to data privacy issue, it should be organized in such a way that no database/archive will be built or kept inside the environment: data and metadata related to an electronic evidence should remain on the platform no longer than the download by the requesting authority is completed.
In order to promote the CybOX/DFAX standard formalism for representing data and meta- data involved in the Electronic Evidence Exchange process it has been chosen the Plaso tool, a very well known tool in the forensics community, and two repositories on GitHub, of the CNR- ITTIG organization account, have been created:
In the first one it has been created a fork of Plaso with DFAX extension that allows to directly create a DFAX/CybOX xml, as output, starting from a proto buffer as input of psort tool. This solution hasn't been considered the best one because the output produces a lot of noise. On the basis of an academic case it has been proposed an alternative solution: starting from the l2tcsv output produced by the psort tool, it is necessary to select a specify set of rows that are significant for the investigation and it's not always possible to extract/isolate them through the available filters provided by psort. An attempt is being made to develop a tool, having in mind the forensics analyst needs, to some extent an analyst centred application, at the aim to let an analyst to make the minimum effort to produce his/her analysis in DFAX/CybOX language (for the sake of the success of the formalism itself), therefore it will be developed an external tool (plaso2dfax) able to take in input the l2tcsv produced by psort and turn it in DFAX/CybOX.
Of course this means that, in the future, each forensics tool (e.g. X-Ways, Autopsy, etc.) will have its own tool/plugin to export its output into DFAX/CybOX, but this is a very good starting point. The tool has been shown, as a demo live, during the workshop within the Digital Forensics Research Work held in Lausanne in March 2016.
Technical issues (WP5)
From the Technical point of view the main focus was on the report of the analysis of the systems and protocols that are in place in various important stakeholder organizations (for
example Eurojust, Interpol, Europol and others) and the report on the Proof of Concept application design.
The Technical Issues Work package didn't propose a system that competes with or replaces existing and established systems and tools that forensic, law and law enforcement professionals are using but it will rather identify the gaps in the workflows and issues that professionals are facing when using these systems. It will also propose tools and protocols for bridging any gaps. For this reason the status quo analysis focused on the exchange, chain of custody and preservation aspects of digital evidence in existing systems.
State of Practice on existing systems and projects on Electronic Evidence
At Eurojust different systems are in place:
• s-TESTA and TESTA-NG: Member States have the possibility of using a Secure Network Connection (SNC) for exchange of documents including information regarding cases under investigation that can potentially become evidence. The existing SNC that is deployed and made available by the Commission is the s-TESTA system, which is soon to be replaced by TESTA-NG network connection (Eurojust preference).
• EPOC: it was developed in the context of a series of projects, the latest of which was the three-year EC funded EPOC IV project (April 2009 to March 2012). The aim of the project and system was to create a data format for exchanging structured data (of judicial cases) between different case management systems used at the national level and allow them to be connected using the EPOC system and software tools
Moreover Eurojust in collaboration with Europol have developed and are supporting the Universal Message Format (UMF) protocol for structured messaging.
At INTERPOL it has been developed the I-24/7 global police communications system to connect law enforcement officers in all member countries, enabling authorized users to share crucial police data with one another and to access INTERPOL databases and services 24 hours a day.
The I-24/7 provides the secure network layer based on VPN tunnels over leased lines or the Internet using IPsec and can be used with any transport protocol. Currently it interconnects National Central Bureaus (NCBs) in Europe and it will be extended to support NCBs all over the world. While I-24/7 is installed at NCBs, many member countries have chosen to extend access to other national law enforcement entities at strategic locations, such as border crossings, airports, and customs and immigration posts.
EUROPOL - SIENA system
SIENA stands for Secure Information Exchange Network Application and it is Europol’s messaging system similar to an E-mail system. Europol is using SIENA to communicate with and transmit data to member states. SIENA operates on top of Europol private, dedicated network. A live information exchange system attached to SIENA is also within the same legal framework though technically independent. Europol is also using an SFTP based system that
is more appropriate for transferring large files; it is also an independent system but is part of their messaging and evidence exchange platform. SIENA logs the interactions between its users and follows the data protection principals and security safeguards that Europol is enforcing throughout its systems. SIENA does not have a central repository for data apart from the logs repository. SIENA heavily relies on the standard Universal Message Format (UMF), that it is an extensible XML dialect. It contains tags for representing identities, relationships, and activities as illustrated in Figure 5. It is the language used inside the SIENA system for representation and transmission of structured data as well as other international such as I-Link from Interpol and national databases used by law enforcement agencies.
Netherlands Forensic Institute (NFI) - HANSKEN system
The HANSKEN system has been developed by the NFI and offers a new model to digital forensics investigation by providing it as a service: the Digital Forensics as a Service model (DFaaS). The aim of this model is to separate the investigation actions from the administration of systems (storage, network, software, security, etc.) that traditionally forensic officers are tasked with. Instead the HANSKEN environment takes care of administrative issues and provides forensic analysis services to investigators. HANSKEN also provides ways of sharing storage systems and computational resources across departments or organisations and provides the functionality for exchanging data and analysis outcomes between detectives of different departments.
Proof of Concept Application
The Proof of Concept (PoC) application is a workflow management based on DFAX package management. The PoC doesn't include a service being able to implement the Evidence Exchanging, but it helps to produce standard packages, represented in DFAX language, that can be imported or exported by all organizations equipped with the application. There is no doubt that this application would speed up the current Exchanging process and moreover foster forensics tools interoperability and forensics tools verification.
Therefore the PoC will also focus on the digital evidence exchange, persistence and chain of custody. The aim will be not to replace or attempt to compete with existing systems, but try to fill the gaps of functional and data format heterogeneity of existing systems by using standard, semantically rich protocols such as the DFAX language. The PoC application will use this protocols and standard languages to help users produce, manage, export and import structured documents for the description of the evidence exchange and handling actions. It will also provide means for the exchange of such documents. The PoC application is designed to be applied both to a distributed or centralised environment.
The PoC consists of two components:
• web-based application that allows the importing, creating, editing and packaging of documents in the DFAX language that contain data and metadata of the actions performed as part of the digital forensic investigation;
• an extension of the CybOX library to support DFAX elements that can be integrated with forensic tools for exporting their output into the DFAX language.
The methodology was to incrementally develop the prototype of the application and library while receiving feedback from experts in the field and further requirements regarding the functionality and user interface. In addition first attempts for integrating the library with existing forensic tools were made.
The results were the following:
• First prototype of the application was prepared and demonstrated at the DFRWS EU 2016 workshop in Lausanne.
• DFAX library prototype (extension of CybOX Library) was produced and integrated with the Hansken system of the Netherlands Forensic Institute (NFI). The result of this integration was demonstrated and discussed at the DFRWS workshop cited above.
• Input from the DFRWS and meetings with experts that followed helped refining the architecture, guiding the further developments of the PoC application.
• Status quo updates and research on alternatives on the packaging and exchange systems of investigative data.
The implementation of the PoC (application and library), was designed to fill the gap of capturing the investigation actions performed during the lifecycle of a judicial case. The PoC facilitates this process by providing a structure that guides the forensic investigators and a representation language that enables serialization of the investigation metadata, which means also packaging, sharing, reproducibility of results and in general facilitating exchange of digital evidence. Additionally using a structure representation language that has been approved by the forensics community would facilitate the integration of this technology with digital evidence exchange mechanisms and systems in place.
Law Enforcement issue (WP6)
As regards to the Law Enforcement Issues, the main objectives achieved have been to provide an overview and a status quo assessment of the collection, preservation and exchange of electronic evidence from the standpoint of law enforcement and to propose guidelines that could be integrated into a Common European Framework governing this field. The assessment of the status quo governing the collection, preservation and exchange of electronic evidence shall be conducted in light of relevant requirements, notably:
a) The efficiency of police investigations conducted within national jurisdictions as well as thorough regional or international collaboration;
b) The existence of adequate safeguards aiming at the protection of relevant fundamental human rights, such as the right to privacy and data protection principles;
c) The respect for ethical standards of conduct.
The various systems have therefore been assessed on their ability to strike a proper balance between the above interests. The analysis of the systems within the European Union and other pertinent systems worldwide aimed at exploring the challenges encountered and the shortcomings of the existing mechanisms. Through that analysis, best practices and potential
guidelines pertaining to the collection and handling of electronic evidence by law enforcement agencies have been identified.
Based on the analysis of the EVIDENCE questionnaire and the discussions held during the Expert Group Meeting on Electronic Evidence, a number of challenges were identified .
Based on further research and the semi-structured telephone interviews, it was determined that:
1. Different legal systems do pose challenges, but these are not necessarily insurmountable or incompatible to allow for the exchange of electronic evidence. Furthermore, a gradual assimilation can be identified within the evidence processes of different legal systems, but practitioners have warned that the judicial process in their countries may not be fully prepared to carry the consequences this may bring forth.
2. Encryption and anonymization tools hamper criminal investigations and digital forensic analyses. While an online ecosystem of anonymity can be a catalyst for freedom of expression and innovation, it also provides fruitful ground for criminal activities. While experts on cryptography point to the dangers of undermining or weakening encryption, there has been less discussion on how law enforcement will have to adapt its policing capabilities and adopt of more intrusive investigation techniques, including the safeguards such techniques would require.
3. Legal lacunae hamper international law enforcement cooperation. For example the invalidation of the EU Data Retention Directive as well as a lack of international consensus regarding trans-border access to data has led to quite some uncertainty for law enforcement investigating crimes in the online environment.
Based primarily on the “Identification of best practices and guidelines to be integrated into a comprehensive European Framework,” one can identify the following main topics for which recommendations were developed:
• Professionalization of digital forensics
• Regulation certification of the profession (training)
• Validation of digital forensics tools
• Accreditation of digital forensics labs
• Building bridges between different actors
• Collaboration with the public and policymakers
• Increasing transparency and accountability, e.g. keeping of statistics and documented case examples
• Evidence sources from other actors: Enhancing trust, e.g. facilitating collaboration with the private sector, participative policing & crowdsourcing, open sources
• Collaboration with the judiciary: strengthening communication, e.g. preventing the overconsumption of digital forensic analysis, training on technical topics within the judiciary
• Modernization of international cooperation
• Short term: Joint International Actions, e.g. Coordinated Operations & Joint Investigation Teams
• Mid-term: Digitization of MLA, e.g. EVIDENCE project, INTERPOL’s e-MLA, etc.
• Long term: Updating International Law, e.g. New treaty, Protocol to existing treaty,
Clearing house body, etc.
Market size (WP7)
From the Market size point of view it emerges a comprehensive framework, characterized by the presence and action of numerous actors, with specific orientations and strategies about the introduction and use of electronic evidence.
The most relevant result presents a map of the main obstacles and facilitating factors for the collection, preservation and exchange of electronic evidence in courts, mainly referring, as said before, to electronic evidence in criminal procedures. The obstacles and facilitating factors are distributed into a number of conventional areas for convenience sake. Here, we are mainly interested in all obstacles and facilitating factors of an organizational, cultural or regulatory (i.e. linked to governance) nature which risk jeopardizing the implementation of any decision at the legal or technical level. Legal, institutional, and strictly technical issues are, therefore, largely taken for granted (because they are addressed in detail in other work packages of the EVIDENCE project) and here discussed in general terms.
To identify the obstacles and facilitating factors, an approach typical of the sociology of knowledge has been adopted, aimed at enhancing, during research on a particular subject, the knowledge already produced by other scientific research actors. This approach involves, first, the production of an "ideal map", or a map based on an initial collection of information on the obstacles and facilitating factors in the use of electronic evidence in courts, as can be found in scientific literature and existing documentation. Below is a basic outline of the structure of the "ideal map", which was not essentially changed in the validation phase.
A list of the 16 obstacles and 17 facilitating factors rated as very important have been prepared:
OBSTACLES (rated as very important)
B. Issues relating to competences and professions
- OPERATORS LACKING EXPERIENCE
- LACK OF TRAINING COURSES
- LACK OF SPECIFIC COMPETENCES IN THE LOCAL POLICE
- DIFFICULTIES IN PRESENTING EVIDENCE AT COURT IN A WAY THAT IS COMPREHENSIBLE
- FEW EXPERTS
- VAGUENESS OF DIGITAL FORENSIC PROFESSION
E. Cultural and personal opposition
- DIFFICULTIES IN FOLLOWING TECHNOLOGICAL CHANGES IN THE FIELD OF ELECTRONIC EVIDENCE
- FAILURE TO TAKE INTO ACCOUNT THE SPECIFICITY OF ELECTRONIC EVIDENCE G. Lack of governance
- LACK OF SPECIALIZED JUDICIAL SERVICES
- ASSIGNMENT OF CASES TO JUDGES WHO ARE NOT EXPERTS IN THE FIELD
- DIFFICULTIES IN THE RELATION BETWEEN LAW ENFORCEMENT AGENCIES AND INTERNATIONAL SERVER PROVIDERS
- DIFFICULTIES RELATED TO THE NON-BINDING NATURE OF INTERNATIONAL COOPERATION IN THIS AREA
- DIFFICULTIES DUE TO LACK OF JURISDICTION H. Difficulties of a functional nature
- LACK OF PROCEDURES OR GUIDELINES FOR OBTAINING, PRESERVING AND PRESENTING ELECTRONIC EVIDENCE
- OVERWHELMING QUANTITY OF DATA REQUIRING ANALYSIS
FACILITATING FACTORS (rated as very important)
A. Creating a favourable technological and professional environment
- COURT INFRASTRUCTURE
- EXISTENCE OF SPECIALIZED SERVICE ORGANIZATIONS
- EXISTENCE OF SPECIFIC RESEARCH AND TRAINING ORGANIZATIONS
- OPPORTUNITIES FOR THE TRAINING OF EXPERTS AND TECHNICIANS
- CONSOLIDATION OF DIGITAL FORENSICS IN THE ACADEMIC SYLLABUS
B. Activities aimed at promoting the introduction and management of electronic evidence - STANDARDIZATION OF PROCEDURES
- PRODUCTION AND DISSEMINATION OF GUIDELINES
- CREATION OF PARTNERSHIPS
- EXISTENCE OF OPPORTUNITIES FOR MEETINGS AND EXCHANGES - EXISTENCE OF PROFESSIONAL NETWORKS
- PROACTIVE ROLE OF PROFESSIONAL ASSOCIATIONS
C. Support policies
- STANDARDIZATION OF ELECTRONIC DOCUMENT CERTIFICATION - ENHANCEMENT AND COORDINATION OF EXPERTISE
- TRANSNATIONAL EXCHANGE OF INFORMATION AND EXPERTISE - INVOLVEMENT OF INTERNET GOVERNANCE BODIES
- COORDINATION OF LAW ENFORCEMENT AGENCIES
- DISSEMINATION AND MAINSTREAMING PRACTICES
An overview of facilitating factors rated as very important tends to confirm what was said about the obstacles: the importance of both the "operational" and "cognitive" aspects of the problem of electronic evidence. The "operational" practices assessed as very important (and therefore to be supported in future) include those relating to the provision of infrastructure, operational cross-border coordination, and determination of procedural standards. While the "cognitive" practices include those relating to training, the provision of services, and the dissemination of experiences.
The identification of obstacles and enablers can provide important information on what may be the actual societal conditions of a technological and institutional transformation that involves the use of electronic evidence in courts in a way that is as broad, controlled, efficient and respectful of the rights of citizens as possible.
The map was based on a qualitative and exploratory approach, thus it is not applicable to individual national contexts, nor allows immediate extrapolations from the European context. However, the quality and typology of the respondents that contributed in the validation procedure means that it can certainly be a useful tool for legislators, policy makers, and other actors in the field of justice, who are interested to better understand the social dynamics involved in an innovation such as the electronic evidence, and facilitate governance at national and European level.
This map addresses a complex and dynamic situation. In this sense, the map should be seen as intrinsically partial and provisional. It can be usefully complemented in future, even outside the EVIDENCE project, by applying it to specific countries and by extending verification to a broader European context than could be considered here.
Road map (WP9)
The Final goal of the Project consisted in the drafting of the EVIDENCE Road Map including all the findings and the recommendations of the different Work packages. From the Roadmap point of view the following work was done:
Actions needed to realise the Common European Framework have been identified in two stages. In the first stage WP9 leader provided a partially filled template to all WP leaders. All WP leaders were requested to complete the template as regards:
• Challenges: what are the challenges identified by the WP;
• Description of the challenge: detailed description per challenge;
• Proposed solution: what are the solutions to the challenge as identified in the deliverables or as discussed during meetings, workshops, etc.;
• Actors involved: by whom should the solution be addressed, does it require European or national level action, which institution or body is best able to address the challenge;
• Priority: does the challenge require immediate action or can it be delayed. As the Roadmap will consist of stages, the priority of an action will determine in which stage the action will be addressed; • Allocated time: does the challenge need to be addressed on the short, medium or long term. As the Roadmap will consist of stages, the allocated time of an action will determine in which stage the action will be addressed;
• Feasibility: is the solution likely to solve the challenge. Feasibility will determine whether or not an action will eventually be addressed in the Roadmap and if yes in which stage the action will be addressed;
• Desirability: is the proposed solution the most desirable one or are there any other options and what are the constraints. Desirability will determine the best possible solution to address the challenge.
In the second stage all solutions were translated into action and categorised by legal, political, technical, ethical and social, LEA action and professionalisation in the field of digital forensics and further research.
In the second stage all solutions were translated into action and categorised by legal, political,technical, ethical and social, LEA action and professionalisation in the field of digital forensics and further research.
These categorized actions resulted in a report which will be taken forward in the Roadmap in order to realise the missing Common European Framework.
When we started working on the activities of the EVIDENCE Project the domain, the knowledge on this domain and the awareness about it was very limited and few persons were able to speak about it in a comprehensive way. Even actors directly involved in the treatment of electronic evidence by default (public prosecutors, LEAs and judges) demonstrated real important gaps and challenges in their knowledge and training.
The status quo at the beginning of the EVIDENCE project was “I know electronic evidence exists, I know I cannot make it without but I don’t know how to deal with it and treat and handle it without compromising it... ”.
So, starting from this scenario during these two and a half years of activity the EVIDENCE project’s approach was to be aware of the different challenges and gaps and try to build upon these the final solutions.
The EVIDENCE project acted always interdisciplinary rather than mono-disciplinary and to keep the eyes into the real “Texture” of electronic evidence domain facing the reality and the real dynamics of the context. We built up our proposal and Road Map hand to hand with the stakeholders and their work and practices with the aim not to reinvent the wheel but rely on what is working and starting from this to propose original and shared solutions paving the future of electronic evidence in Europe.
We were able to build up a wise and well balanced EVIDENCE Network including the following actors:
• Communities involved into the Electronic evidence handling and exchanging: DFRWS, DFAX/CybOX communities, NIST, INTERPARES
• EU Institutions: EUROJUST, EUROPOL, COE Cybercrime Convention, OLAF-Digital Forensics Unit and DPO
• International Institutions: INTERPOL, ICC
• Digital Forensics Software companies: Cellbrite, Oxygen Forensics, Magnet Forensics
• ISP: Facebook, Yahoo, Microsoft, Google, Apple and Samsung.
• Public Prosecutors, Judges and LEAs of EU MS
• EU Projects: LASIE Project, e-Crime, GIFT, MAPPING, SIIP, e-Codex
• Other actors:
• Netherlands Forensic Institute (NFI)
• University of Lausanne, Ecole des Sciences Criminelles
• National Criminal Investigation Service (NCIS)
• Norway, European Cybercrime Training and Education Group (ECTEG)
• IISFA-International Information Systems Forensics Association
• interPARES Community
• DFRWS-Digital Forensics Research Workshop group
The Impact of the EVIDENCE project is big. The added value realized by the results of the Project to its context is evidenced by the many positive reactions and feedback received from the electronic evidence community. From when we started in 2014 we have been able in two and a half years to generate awareness, stimulated the debate, opening/setting up a dialogue and creating specific a network and community also merging into the EVIDENCE one the various communities and stakeholders belonging to different disciplines and domains. Furthermore, although not foreseen by the DoW and by the Specific type of action financed by the EC, we were able to realize the following concrete results and tools:
• The Electronic evidence categorisation tool
• The Electronic evidence Map of actors
• The EVIDENCE Catalogue of digital forensics tools and the EVIDENCE Proof of Concept • The EVIDENCE proposal for a standard language and approach for the exchanging
• Developing tools for fostering the use of this standard
• The EVIDENCE Road Map
During the EVIDENCE final Conference we received a lot of positive feedback for the work done from various stakeholders who were at the Conference, in the same room (and this is already a result itself) discussing on the achievements and on the Road Map, sharing their views and exchanging opinions. We can assert that the EVIDENCE work can be sustainable as there is room for implementing the results in the near future and as the community is strongly looking to us waiting to see the future implementation and use of all achieved results.
List of Websites:
official project website
Digital Forensics Tools Catalogue
Grant agreement ID: 608185
1 March 2014
31 October 2016
€ 2 303 649
€ 1 924 589
CONSIGLIO NAZIONALE DELLE RICERCHE
Deliverables not available
Publications not available
Grant agreement ID: 608185
1 March 2014
31 October 2016
€ 2 303 649
€ 1 924 589
CONSIGLIO NAZIONALE DELLE RICERCHE
Grant agreement ID: 608185
1 March 2014
31 October 2016
€ 2 303 649
€ 1 924 589
CONSIGLIO NAZIONALE DELLE RICERCHE