ecrime2018 Live Forensics PL...

This project was funded by the European Union’s Justice Programme (2014-2020). Manel Medina – Prof. Universitat Politècnica de Barcelona (UPC) LIVE FORensics


Page 1: ecrime2018 Live Forensics PL MMlive-for.eu/wp-content/uploads/2018/09/ecrime2018_Live_Forensics_… · General Cybercrime Awareness – Cybercrime Risk Awareness General Cybercrime



Content

Summary of the content of the presentation

Introduction: Summary of the project

Objectives: Objectives of the project

Main partners: European partners linked to the project

Current situation: Problems and needs


Educational activities: Training plans based on results

Good practices report: Development of the technical report of good practices

Conclusions: Analysis of the situation and future challenges



Introduction

Brief summary of the project: situation

1. The volume of data we generate is growing

2. Operators increasingly offer more services in "cloud" environments

3. New window of possibilities for cybercriminals

Challenge for the institutions responsible for prosecuting crime

Directive 2014/41/EU

European Investigation Order


Introduction

European Investigation Order

A tool that can be issued to intercept, collect information and transmit the results to the authorities of the relevant Member States that have requested the investigation.


Current situation

Problems and needs: questions whose answers are not yet resolved

Which government would be the addressee of a lawful request for data by a country attacked in a cloud context?

What governs jurisdiction to enforce for criminal justice purposes?

Location of data?

Nationality of owner of data?

Location of owner of data?

Laws of the territory where the data owner has subscribed to a service?

Territory of the criminal justice authority?


Objectives

Project objectives: LIVE_FOR is focused on four main objectives

1. Identify the status of implementation of Directive 2014/41/EU in the EU Member States and the obstacles that hinder faster adoption and take-off.

2. Identify the major differences among the legislations of the Member States that may contribute to delays in implementing the EIO mechanism.

3. Find out and compare the methods used for seizure and preservation of digital evidence in cyberspace, with regard to the cloud service environment.

4. Identify the needs for education and training among the target group in criminal justice and cybercrime investigation, with regard to live forensics.


Main partners

European partners linked to the project

Universidad Autónoma de Madrid

Hochschule Albstadt-Sigmaringen University

Vrije Universiteit Brussel

Masaryk University

Universitat Politècnica de Catalunya

Jozef Stefan Institute of Ljubljana


Online questionnaire

Target of the questionnaire

In total, 150 people from 20 countries participated in the online survey:

68 Public Prosecutors (45,3%)

44 Judges (29,3%)

13 Law Enforcement Agents (8,7%)

13 from other profiles (8,7%)

6 Investigative Judges (4,0%)

6 Representatives of the Ministry of Justice (4,0%)


Questionnaire results

Most relevant and interesting topics for participants

Cloud environment and cybercrime: 47%

Directive 2014/41/EU and EIO: 42%

Collecting cross-border and digital evidences: 42%

Legal aspects of digital evidences collection and sharing in EU: 36%

Basic cyber security techniques: 34%

Legal systems in EU in the area of cybercrime prosecution: 31%


Questionnaire results

Less relevant and interesting topics for participants

Basic digital forensics procedures and techniques: 29%

Live forensics: 24%

Advanced cyber security techniques: 23%

Advanced digital forensic procedures and techniques: 23%

Practical approach in carrying digital forensic: 23%

Specific network security techniques: 23%

Other: 2%


Questionnaire results

Most relevant and interesting topics for participants:

Cloud environment and cybercrime

Directive 2014/41/EU: legal and technical issues

Collecting cross-border digital evidences: legal and technical issues

Most needed knowledge, skills and competences for participants:

Cloud Computing – Cloud Services

Legal aspects of digital evidence exchange – Evidence Processing

Legal aspects of digital evidence exchange – Criminal Trial Law Procedure

General Cybercrime – Criminal Cybercrime Behavior

Cloud Forensics – Legal Process

Legal aspects of digital evidence exchange – Criminal Law Savvy

General Cybercrime Awareness – Cybercrime Risk Awareness

General Cybercrime Awareness – Computer Crime Pattern Recognition

General Cybercrime Awareness – Social Dynamics Recognition

Cloud Forensics – Cloud Network Forensics

Cloud Forensics – Cloud Storage Forensics

General Cybercrime Awareness – Ethical Issues

Cloud Computing – Virtualization

Cloud Computing – Cloud Management Technologies

Percentage bands shown on the slide: >70%, 61 - 70%, 51 - 60%, 41 - 50%


Questionnaire results

Most relevant and interesting topics for participants:

Legal aspects of digital evidence collection and sharing in EU

Basic cyber security techniques

Basic digital forensics procedures and techniques

Most needed knowledge, skills and competences for participants:

Multicultural Communication – Foreign Languages

Data Protection – Cryptography

Digital Forensics – Computer Forensics Principles

Multicultural Communication – Intercultural Legal Communication

Investigation Techniques – Investigation Planning

Multicultural Communication – Cultural Competency

Investigation Techniques – Fake Accounts Handling

Investigation Techniques – Technical Information Acquisition

Most relevant and interesting topics for participants:

Live forensics

Advanced cyber security techniques

Advanced digital forensics procedures and techniques

Most needed knowledge, skills and competences for participants:

Live Data Forensics – Smartphone Live Data Analysis

Interception of telecommunications – Mobile Operating Systems

Digital Forensics – Reverse Engineering

Live Data Forensics – Memory Dump Analysis

Interception of telecommunications – Telecommunications infrastructure

Digital Forensics – Forensics Workstation

Live Data Forensics – Volatile Data Analysis

Interception of telecommunications – Signal Processing

Data protection – Data Protection Acts

Data protection – Data Leakage Protection

Percentage bands shown on the slide: 51 - 60%, 41 - 50%, 31 - 40%, Idem


Questionnaire results

Most relevant and interesting topics for participants:

Practical approach in carrying digital forensics

Specific network security techniques

Most needed knowledge, skills and competences for participants:

Digital Forensics – Forensic File Analysation

Network Security – Network Security Design

Network Security – Network Analysis

Network Security – Network Devices

Percentage band shown on the slide: 31 - 40%


Workshop – September 13 - 20

Structure

Based on the previous results, a series of workshops is taking place. The subdivision into two days enables course participants with previous experience or a specific area of interest to go only briefly over the already known theoretical materials on day one, and to focus on the second day, joining the practical demonstration of executing those technological measures.

Day 1 – online seminar: the first day will be an online seminar focused on theoretical knowledge

Day 2 – day of attendance: the second day will be focused on practical exercises


Workshop

Content of day 1 (Sept 13) - theoretical background

10:00 – 10:30 Welcome and introduction. Vaclav Stupka, Masaryk University, Brno

10:30 – 11:00 European Investigation Order, updated information about the implementation process in Europe. Eurojust (will be confirmed)

11:00 – 11:30 Best practices on applying EIO for gathering e-evidence from the cloud. Lewin Rexin, Hochschule Albstadt-Sigmaringen, Balingen

11:30 – 12:00 New European activities in the area of Electronic Evidence. Barbora Jekielek Henzl, Czech Ministry of Justice, Prague

12:00 – 12:30 Break

12:30 – 13:00 Digital Evidence – basics and relevant properties. Marian Svetlik, Masaryk University, Brno

13:00 – 13:30 Best practices in the application of the EIO. Manel Medina, Universitat Politècnica de Catalunya, Barcelona

13:30 – 14:00 Cybernetics Training Polygon KYPO – Introduction & demonstration in an area of cybersecurity and cybercrime. Masaryk University, Brno

14:00 – 14:15 Discussion & Conclusions. Great thanks for your support.


Workshop

Content of day 2 (Sept 20) - day of attendance

09:00 – 10:15 LIVE_FOR Project partner, Czech Cybercrime and Cybersecurity Centre of Excellence (C4e), Masaryk University

09:15 – 10:15 Updated European Initiatives in area of the Electronic Evidence, Czech Ministry of Justice

10:15 – 11:15 Using Electronic Evidence in International Cooperation. EC3

11:15 – 12:15 European Investigation Order from local point of view. Czech Prosecution Office

13:15 – 14:15 Best practices - Digital Forensics Principles and Legal Guides. Universitat Politècnica de Catalunya

14:15 – 15:15 KYPO – Cybernetics Training Polygon – Introduction & Digital Evidence Practical Scenario. C4e, Masaryk University


Good practices report

Development of the report of good practices based on the questionnaire results


Good practices report

Development of the report of good practices: technical part

Best practices that are expected to be followed in cases where the EIO directive is applied.

The first chapters make up the technical part. It aims to provide the knowledge needed to carry out a forensic analysis in both traditional computing and cloud environments.

Definition of basic general concepts: how the Internet functions, the typical topologies of communication networks, how the information exchange process is carried out, and the definition and use of metadata.

The characteristics of the cloud environment, an analysis of the risks and advantages associated with it, and typical practical cases that can be used as a reference are also defined.


Good practices report

Development of the report of good practices: legal part

The legal part aims to provide a reliable method and a series of best practices for gathering e-evidence abroad by using the EIO.

This part of the document can be used as a guide to properly complete each of the steps needed in the EIO.


Good practices report

Who is the target

Prosecutors, judges, police, universities, other institutions


Conclusion

One last word about the project

With the growing importance of EIO and IT forensics, the demand increases for well-trained operators who are able to work with complicated technological investigation measures in their daily business.

LIVE_FOR addresses this need by providing a training curriculum that communicates the fundamental background knowledge in legal and forensic subjects, but also focuses on the practical use of both EIO and IT forensics.

The curriculum aims to be practice-oriented and hands-on; therefore examples, self-assessment questions and demo applications are an important part of the planned trainings.


WHAT WHY WHERE WHEN WHO HOW

Any questions?


Thank you for your attention