Prospective EESP use scenarios and solutions
Florence
25th September 2019
Mattia Epifani / CNR-IGSG
• Preparing the floor for the electronic exchange of electronic evidence in all the EU MS in the specific scenario of the European Investigation Order (EIO) and Mutual Legal Assistance (MLA) procedures
• Initiating the harmonization of the legal and technological frameworks and the stakeholder awareness on the treatment and the exchange of electronic evidence in the EIO and MLA procedures
• Implementing a ‘true to life’ example of successfully linking the EVIDENCE Project to e-CODEX Project’s results in support of an EIO case
EVIDENCE2e-CODEX Project
EVIDENCE2e-Codex project Florence, 25th September 2019
E2E project: how can the goal be accomplished?
What is missing from this scenario?
• The message, with the EP attached, will travel through the R.I. and over e-Codex
• The EP could be exchanged as a simple attachment
• It is essential to use a standard to represent the EP (data and metadata)
• UCO/CASE language
Standard representation for the EP
CASE is a community-developed standard to support:
• reporting of digital traces
• exchanging of digital traces
• tool validation
www.caseontology.org
Cyber-investigation Analysis Standard Expression
What does the Evidence Package contain?
People: Martin Rohde - Forensic Expert; Saga Norén - Police Officer; Magnus Krepper - Suspect; Maria Kulle - Judge
Role: e.g. Forensic Expert, Police Officer, Suspect, Judge
InvestigativeAction: Search and seizure; Forensic Acquisition; Forensic Extraction – Date/Time – Who, What, When – Input and Output
Instrument: Legal authorization – Search warrant / Forensic Tool – Plaso
Process / Lifecycle: Chain of Custody; Chain of Evidence
Trace: Mobile Device, Disk, File, Message, PhoneAccount, EmailAccount
Relationship
Sources of evidence
Device
• Computer
• Smartphone
• Media (USB)
• Server
• CCTV
• IoT
• Cloud Infrastructure
ISP/CSP
• Subscriber Information
• Traffic Data
• Content Data
Interception
• Voice traffic
• Network traffic
• State Trojan
• Country A requests a search and seizure of digital devices
• Country B performs the search and seizure of a smartphone
SCENARIO A: Transfer of the source of evidence
SCENARIO B: Transfer of acquired data (forensic image/extraction)
SCENARIO C: Transfer of processed/extracted data
  • Ex. Call Logs, SMS, WhatsApp, Images, etc.
Devices
EIO – Timeline in the Evidence Exchange Context
• Search and Seizure
• Case preparation (Select methods and tools)
• Forensic Acquisition (Imaging)
• Forensic Extraction (Data processing)
• Tools comparison
Actions
• Application useful to generate UCO / CASE language objects
• It can be used by
  • LE / JA to describe non-technical actions
  • FL to describe technical actions
• For example, a «Search and Seizure» action
  • Authorization (JA)
  • Performer (LE)
  • Location
  • Result
Tool: UCO / CASE Generator
Search and Seizure
Manufacturer: Samsung
Model: SM-G900F
IMEI: 356765064657669
Serial Number: FDG764192
Storage capacity: 64 GB
Clock setting: 2018-05-31 6:00
Mobile account: +393319420019
Item number: ITEM_00001

Carrier: Telecom Italia
SimType: SIM
SIMForm: Micro SIM
ICCID: 89390100001847875453
IMSI: 222014603559590
Phone Number: 393319420019
PIN: 7571
PUK: 86245177
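The slides describe the UCO / CASE Generator producing a «Search and Seizure» action with its authorization, performer, location and result, and then list the seized handset and SIM. The script below is an added example (not the project's generator) that builds such a package as JSON-LD from those slide values and checks it before exchange: it mints node identifiers, links the action to the officer, the warrant and the two resulting traces by reference, and verifies that every reference resolves to a node in the graph. The namespace IRIs follow published UCO 0.x / CASE releases, but the facet and property names, the `kb:` namespace and the PLACEHOLDER values are assumptions of this example and must be checked against the ontology version the receiving party expects.

```python
"""Build a CASE/UCO-style JSON-LD evidence package for a Search and Seizure action."""
import json
import uuid

# Namespace prefixes. The IRIs follow the UCO 0.x / CASE releases; the facet and
# property names used below are an assumption of this example and must be checked
# against the ontology version the receiving party expects.
CONTEXT = {
    "kb": "http://example.org/kb/",  # placeholder knowledge-base namespace
    "uco-core": "https://unifiedcyberontology.org/ontology/uco/core#",
    "uco-action": "https://unifiedcyberontology.org/ontology/uco/action#",
    "uco-identity": "https://unifiedcyberontology.org/ontology/uco/identity#",
    "uco-observable": "https://unifiedcyberontology.org/ontology/uco/observable#",
    "case-investigation": "https://ontology.caseontology.org/case/investigation#",
}

# Values taken from the slide (seized handset and its SIM).
HANDSET = {"manufacturer": "Samsung", "model": "SM-G900F", "imei": "356765064657669",
           "serial": "FDG764192", "storage_gb": 64, "clock": "2018-05-31T06:00:00",
           "phone_number": "+393319420019", "item_number": "ITEM_00001"}
SIM = {"carrier": "Telecom Italia", "form": "Micro SIM", "iccid": "89390100001847875453",
       "imsi": "222014603559590", "phone_number": "393319420019"}


def new_id(kind):
    """Mint a node IRI in the kb: namespace (random UUID, as CASE examples do)."""
    return f"kb:{kind}-{uuid.uuid4()}"


def ref(node):
    """JSON-LD reference to an existing node by @id."""
    return {"@id": node["@id"]}


def person(name, role):
    return {"@id": new_id("person"), "@type": "uco-identity:Person",
            "uco-core:name": name, "uco-core:tag": role}


def mobile_device(p):
    """Seized handset: a MobileDevice carrying a DeviceFacet and a MobileDeviceFacet."""
    return {
        "@id": new_id("mobile-device"), "@type": "uco-observable:MobileDevice",
        "uco-core:name": p["item_number"],
        "uco-core:hasFacet": [
            {"@type": "uco-observable:DeviceFacet", "uco-observable:manufacturer": p["manufacturer"],
             "uco-observable:model": p["model"], "uco-observable:serialNumber": p["serial"]},
            {"@type": "uco-observable:MobileDeviceFacet", "uco-observable:IMEI": p["imei"],
             "uco-observable:storageCapacityInBytes": p["storage_gb"] * 1024 ** 3,
             "uco-observable:clockSetting": p["clock"], "uco-observable:phoneNumber": p["phone_number"]},
        ],
    }


def sim_card(s):
    return {
        "@id": new_id("sim-card"), "@type": "uco-observable:SIMCard",
        "uco-core:hasFacet": [{"@type": "uco-observable:SIMCardFacet", "uco-observable:carrier": s["carrier"],
                               "uco-observable:SIMForm": s["form"], "uco-observable:ICCID": s["iccid"],
                               "uco-observable:IMSI": s["imsi"], "uco-observable:phoneNumber": s["phone_number"]}],
    }


def build_package():
    """Assemble the graph: who acted, under which authorization, and what resulted."""
    officer = person("Saga Norén", "Police Officer")  # performer (LE)
    judge = person("Maria Kulle", "Judge")            # authorizer (JA)
    warrant = {"@id": new_id("warrant"), "@type": "uco-core:UcoObject",
               "uco-core:name": "Search warrant", "uco-core:createdBy": ref(judge)}
    handset, sim = mobile_device(HANDSET), sim_card(SIM)
    action = {
        "@id": new_id("search-and-seizure"), "@type": "case-investigation:InvestigativeAction",
        "uco-core:name": "Search and Seizure",
        "uco-action:startTime": "PLACEHOLDER-DATETIME",  # not given on the slide
        "uco-action:performer": ref(officer),
        "uco-action:instrument": ref(warrant),
        "uco-action:location": "PLACEHOLDER-LOCATION",   # not given on the slide
        "uco-action:result": [ref(handset), ref(sim)],
    }
    return {"@context": CONTEXT, "@graph": [officer, judge, warrant, handset, sim, action]}


def _walk(node):
    """Yield every dict nested anywhere under node."""
    if isinstance(node, dict):
        yield node
        for v in node.values():
            yield from _walk(v)
    elif isinstance(node, list):
        for v in node:
            yield from _walk(v)


def dangling_references(pkg):
    """Referenced @ids that no node in the graph defines; must be empty before exchange."""
    defined = {n["@id"] for n in pkg["@graph"]}
    referenced = {n["@id"] for n in _walk(pkg["@graph"]) if set(n) == {"@id"}}
    return sorted(referenced - defined)


def objects_of_type(pkg, rdf_type):
    return [n for n in pkg["@graph"] if n.get("@type") == rdf_type]


def to_jsonld(pkg):
    return json.dumps(pkg, indent=2, ensure_ascii=False)


if __name__ == "__main__":
    package = build_package()
    assert not dangling_references(package)
    print(to_jsonld(package))
```

The reference check is the part worth keeping in a real generator: a package whose action points at a result or performer that is missing from the graph is exactly the kind of silent defect that breaks the chain of evidence on the receiving side, and it is cheap to catch before the message leaves.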
• Digital forensics Tools Catalogue
• About 1500 tools mapped
• Acquisition and Analysis tools
• Tools categorized based on
  • Features (Computer/Mobile/Network)
  • License type (Free/Commercial/Only LE)
  • Platform (Windows/Linux/MacOS)
Tool: Digital Forensics Tools Catalogue
https://www.dftoolscatalogue.eu/
Forensic Acquisition
Data processing and extraction
SMS Messages
NOT deleted SMS Messages
CELLEBRITE UFED PA
NOT deleted SMS Messages
MAGNET AXIOM
Exporting data from different tools
Comparing reports
• Intermediate software layer developed to convert the output of a forensic tool into the UCO/CASE standard
• As a PoC it supports
  • XML report generated by Cellebrite UFED
  • XML report generated by Magnet Axiom (WIP)
  • XML from the Logicube Falcon hardware duplicator
Tool: UCO / CASE Converter
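The converter slide and the earlier "Exporting data from different tools" / "Comparing reports" slides describe the same pipeline: each tool's XML report is mapped into UCO/CASE objects, and once the records share one representation the outputs of two tools (the non-deleted SMS messages in the slides) can be compared. The script below is an added example, not the project's converter, and the two XML layouts in it are constructed for the example; they are not the real Cellebrite UFED or Magnet AXIOM report formats. It normalises phone numbers and timestamps so that records from both tools compare equal, emits CASE-style Message nodes (property names assumed, as in the generator example), and reports which messages both tools found and which only one of them did.

```python
"""Convert two tools' SMS reports into one canonical form and compare them."""
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample reports for this example. They are NOT the real Cellebrite
# UFED or Magnet AXIOM XML layouts; they stand in for two tools that export the
# same records with different element names, number formats and timestamps.
REPORT_A = """<report tool="ToolA">
  <sms id="1" from="+393319420019" to="+393331112233" time="2018-05-30 14:02:11" deleted="false">Ci vediamo alle 8</sms>
  <sms id="2" from="+393331112233" to="+393319420019" time="2018-05-30 14:05:40" deleted="false">Ok</sms>
  <sms id="3" from="+393319420019" to="+393331112233" time="2018-05-29 09:10:00" deleted="true">Chiamami</sms>
</report>"""

REPORT_B = """<messages tool="ToolB">
  <message><sender>393319420019</sender><recipient>393331112233</recipient>
    <timestamp>2018-05-30T14:02:11</timestamp><status>Intact</status><body>Ci vediamo alle 8</body></message>
  <message><sender>393331112233</sender><recipient>393319420019</recipient>
    <timestamp>2018-05-30T14:05:40</timestamp><status>Intact</status><body>Ok</body></message>
  <message><sender>393331112233</sender><recipient>393319420019</recipient>
    <timestamp>2018-05-31T07:30:05</timestamp><status>Intact</status><body>Dove sei?</body></message>
</messages>"""


def norm_number(raw):
    """Keep digits only, so '+39331...' and '39331...' compare equal."""
    return "".join(ch for ch in raw if ch.isdigit())


def norm_time(raw):
    """Accept the two timestamp layouts used by the sample tools; emit ISO 8601."""
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(raw, fmt).strftime("%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {raw!r}")


def record(tool, sender, recipient, when, body, deleted):
    """Tool-independent (canonical) SMS record."""
    return {"tool": tool, "from": norm_number(sender), "to": norm_number(recipient),
            "time": norm_time(when), "body": body.strip(), "deleted": deleted}


def parse_report_a(xml_text):
    # Vendor reports are untrusted input; a production converter should parse
    # them with defusedxml rather than the stdlib parser.
    root = ET.fromstring(xml_text)
    return [record(root.get("tool"), e.get("from"), e.get("to"), e.get("time"),
                   e.text or "", e.get("deleted") == "true") for e in root.findall("sms")]


def parse_report_b(xml_text):
    root = ET.fromstring(xml_text)
    return [record(root.get("tool"), e.findtext("sender"), e.findtext("recipient"),
                   e.findtext("timestamp"), e.findtext("body") or "",
                   e.findtext("status") != "Intact") for e in root.findall("message")]


def to_case_message(rec):
    """Canonical record -> CASE/UCO-style Message node (property names are assumed)."""
    return {"@type": "uco-observable:Message",
            "uco-core:tag": "deleted" if rec["deleted"] else "intact",
            "uco-core:hasFacet": [{"@type": "uco-observable:MessageFacet",
                                   "uco-observable:from": rec["from"], "uco-observable:to": rec["to"],
                                   "uco-observable:sentTime": rec["time"],
                                   "uco-observable:messageText": rec["body"]}]}


def message_key(rec):
    """Identity of a message for comparison: endpoints, time and text."""
    return (rec["from"], rec["to"], rec["time"], rec["body"])


def compare(recs_a, recs_b, include_deleted=False):
    """Return (found by both, only in A, only in B) as sorted lists of message keys."""
    ka = {message_key(r) for r in recs_a if include_deleted or not r["deleted"]}
    kb = {message_key(r) for r in recs_b if include_deleted or not r["deleted"]}
    return sorted(ka & kb), sorted(ka - kb), sorted(kb - ka)


if __name__ == "__main__":
    a, b = parse_report_a(REPORT_A), parse_report_b(REPORT_B)
    both, only_a, only_b = compare(a, b)
    print(f"non-deleted: {len(both)} in both, {len(only_a)} only ToolA, {len(only_b)} only ToolB")
    for rec in a:
        print(to_case_message(rec))
```

Two design points carry over to a real converter. The comparison key must be built from normalised fields, otherwise a leading "+" or a different timestamp layout makes identical messages look like a discrepancy between tools; and deleted/recovered records should be kept apart from intact ones, since the slides compare tools on non-deleted messages precisely because recovery of deleted data is where tool outputs legitimately differ.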
• Support the development of UCO / CASE language in forensic tools
• Develop tools to map/convert the output produced by different tools into UCO / CASE
• Work with software developers and cloud providers to facilitate the native adoption of UCO / CASE language
The future…
Conversion and parsing tools
Obtaining Cloud Provider data
https://www.facebook.com/records/login/
Obtaining Cloud Provider data
Analyzing Cloud Provider data
Obtaining Cloud Provider data
https://legalrequests.twitter.com/
Analyzing Cloud Provider data
Analyzing Cloud Provider data…
Conversion and parsing of Cloud Provider data
Thanks for your attention
Questions?
Mattia Epifani / CNR-IGSG