ecrime2018 Live Forensics PL...
Transcript of ecrime2018 Live Forensics PL...
This project was funded by the European Union’s Justice Programme (2014-2020).
Manel Medina – Prof. Universitat Politècnica de Barcelona (UPC)
LIVE FORensics
Content – Summary of the content of the presentation
Introduction – Summary of the project
Objectives – Objectives of the project
Main partners – European partners linked to the project
Current situation – Problems and needs
Educational activities – Training plans based on results
Good practices report – Development of the technical report of good practices
Conclusions – Analysis of the situation and future challenges
Introduction – Brief summary of the project: situation
1. The volume of data we generate is growing
2. Operators increasingly offer more services in "cloud" environments
3. New window of possibilities for cybercriminals
Challenge for the institutions responsible for prosecuting crime
Directive 2014/41/EU – European Investigation Order
Introduction – European Investigation Order
Tool that can be issued to intercept, collect information and transmit the results to the authorities of the relevant Member States that have requested the investigation.
Current situation – Problems and needs: questions whose answers are not yet resolved
Which government would be the addressee of a lawful request for data by a country attacked in a cloud context?
What governs jurisdiction to enforce for criminal justice purposes?
Location of data?
Nationality of owner of data?
Location of owner of data?
Laws of the territory where the data owner has subscribed to a service?
Territory of the criminal justice authority?
Objectives – Project objectives: LIVE_FOR is focused on four main objectives
1. Identify the status of implementation of Directive 2014/41/EU in the EU Member States and the obstacles that hinder faster adoption and take-off.
2. Identify the major differences among the legislations of the Member States that may influence the delay in implementing the EIO mechanism.
3. Find out and compare the methods used for seizure and preservation of digital evidence in cyberspace, with reference to the cloud service environment.
4. Identify the needs for education and training among the targeted group in criminal justice and cybercrime investigation, with reference to live forensics.
Main partners – European partners linked to the project
Universidad Autónoma de Madrid
Hochschule Albstadt-Sigmaringen University
Vrije Universiteit Brussel
Masaryk University
Universitat Politècnica de Catalunya
Jozef Stefan Institute of Ljubljana
Current situation – Online questionnaire: target of the questionnaire
In total 150 people from 20 countries participated in the online survey:
68 Public Prosecutors (45.3%)
44 Judges (29.3%)
13 Law Enforcement Agents (8.7%)
13 from other profiles (8.7%)
6 Investigative Judges (4.0%)
6 Representatives of the Ministry of Justice (4.0%)
Questionnaire results – Most relevant and interesting topics for participants
Cloud environment and cybercrime: 47%
Directive 2014/41/EU and EIO: 42%
Collecting cross-border and digital evidences: 42%
Legal aspects of digital evidences collection and sharing in EU: 36%
Basic cyber security techniques: 34%
Legal systems in EU in the area of cybercrime prosecution: 31%
Questionnaire results – Less relevant and interesting topics for participants
Basic digital forensics procedures and techniques: 29%
Live forensics: 24%
Advanced cyber security techniques: 23%
Advanced digital forensic procedures and techniques: 23%
Practical approach in carrying digital forensic: 23%
Specific network security techniques: 23%
Other: 2%
Questionnaire results
Most relevant and interesting topics for participants:
Cloud environment and cybercrime
Directive 2014/41/EU: legal and technical issues
Collecting cross-border digital evidences: legal and technical issues
Most needed knowledge, skills and competences for participants:
Cloud Computing – Cloud Services
Legal aspects of digital evidence exchange – Evidence Processing
Legal aspects of digital evidence exchange – Criminal Trial Law Procedure
General Cybercrime – Criminal Cybercrime Behavior
Cloud Forensics – Legal Process
Legal aspects of digital evidences exchange – Criminal Law Savvy
General Cybercrime Awareness – Cybercrime Risk Awareness
General Cybercrime Awareness – Computer Crime Pattern Recognition
General Cybercrime Awareness – Social Dynamics Recognition
Cloud Forensics – Cloud Network Forensics
Cloud Forensics – Cloud Storage Forensics
General Cybercrime Awareness – Ethical Issues
Cloud Computing – Virtualization
Cloud Computing – Cloud Management Technologies
Chart bands: >70%, 61-70%, 51-60%, 41-50%
Questionnaire results
Most relevant and interesting topics for participants:
Legal aspects of digital evidence collection and sharing in EU
Basic cyber security techniques
Basic digital forensics procedures and techniques
Most needed knowledge, skills and competences for participants:
Multicultural Communication – Foreign Languages
Data Protection – Cryptography
Digital Forensics – Computer Forensics Principles
Multicultural Communication – Intercultural Legal Communication
Investigation Techniques – Investigation Planning
Multicultural Communication – Cultural Competency
Investigation Techniques – Fake Accounts Handling
Investigation Techniques – Technical Information Acquisition
Most relevant and interesting topics for participants:
Live forensics
Advanced cyber security techniques
Advanced digital forensics procedures and techniques
Most needed knowledge, skills and competences for participants:
Live Data Forensics – Smartphone Live Data Analysis
Interception of telecommunications – Mobile Operating Systems
Digital Forensics – Reverse Engineering
Live Data Forensics – Memory Dump Analysis
Interception of telecommunications – Telecommunications infrastructure
Digital Forensics – Forensics Workstation
Live Data Forensics – Volatile Data Analysis
Interception of telecommunications – Signal Processing
Data protection – Data Protection Acts
Data protection – Data Leakage Protection
Chart bands (idem): 51-60%, 41-50%, 31-40%
Questionnaire results
Most relevant and interesting topics for participants:
Practical approach in carrying digital forensics
Specific network security techniques
Most needed knowledge, skills and competences for participants:
Digital Forensics – Forensic File Analysis
Network Security – Network Security Design
Network Security – Network Analysis
Network Security – Network Devices
Chart band: 31-40%
Workshop – September 13 - 20: structure
Based on the previous results, a series of workshops is taking place. The subdivision into two days enables course participants with previous experience or a specific area of interest to only briefly go over the already known theoretical materials on day one, and to focus on the second day, joining the practical demonstration of executing those technological measures.
Day 1 – online seminar: the first day will be an online seminar focused on theoretical knowledge.
Day 2 – day of attendance: the second day will be focused on practical exercises.
Workshop – Content of day 1 (Sept 13): theoretical background
10:00 – 10:30 Welcome and introduction. Vaclav Stupka, Masaryk University, Brno
10:30 – 11:00 European Investigation Order: updated information about the implementation process in Europe. Eurojust (to be confirmed)
11:00 – 11:30 Best practices on applying the EIO for gathering e-evidence from the cloud. Lewin Rexin, Hochschule Albstadt-Sigmaringen, Balingen
11:30 – 12:00 New European activities in the area of Electronic Evidence. Barbora Jekielek Henzl, Czech Ministry of Justice, Prague
12:00 – 12:30 Break
12:30 – 13:00 Digital Evidence – basics and relevant properties. Marian Svetlik, Masaryk University, Brno
13:00 – 13:30 Best practices in the application of the EIO. Manel Medina, Universitat Politècnica de Catalunya, Barcelona
13:30 – 14:00 Cybernetics Training Polygon KYPO – Introduction & demonstration in the area of cybersecurity and cybercrime. Masaryk University, Brno
14:00 – 14:15 Discussion & Conclusions
Great thanks for your support.
Workshop – Content of day 2 (Sept 20): day of attendance
09:00 – 10:15 LIVE_FOR Project partner, Czech Cybercrime and Cybersecurity Centre of Excellence (C4e), Masaryk University
09:15 – 10:15 Updated European Initiatives in the area of Electronic Evidence. Czech Ministry of Justice
10:15 – 11:15 Using Electronic Evidence in International Cooperation. EC3
11:15 – 12:15 European Investigation Order from a local point of view. Czech Prosecution Office
13:15 – 14:15 Best practices – Digital Forensics Principles and Legal Guides. Universitat Politècnica de Catalunya
14:15 – 15:15 KYPO – Cybernetics Training Polygon – Introduction & Digital Evidence Practical Scenario. C4e, Masaryk University
Good practices report – Development of the report of good practices based on the questionnaire results
Good practices report – Development of the report of good practices: technical part
Best practices that are expected to be followed in cases where the EIO directive is applied.
The first chapters define the technical part. They aim to provide the knowledge needed to carry out a forensic analysis in both traditional computing and cloud environments.
Definition of basic general concepts: the functioning of the Internet, the typical topologies of communication networks, how the information exchange process is carried out, and the definition and use of metadata.
The characteristics of the cloud environment, an analysis of the risks and advantages associated with it, and typical practical cases that can be used as a reference are also defined.
Good practices report – Development of the report of good practices: legal part
The legal part aims to provide a reliable method and a series of best practices on gathering e-evidence abroad by using the EIO.
This part of the document can be used as a guide to properly complete each of the steps needed in the EIO.
Good practices report – Who is the target
Prosecutors, judges, police, universities, other institutions
Conclusion – One last word about the project
With the growing importance of the EIO and IT-forensics, the demand for well-trained operators who are able to work in their daily business with complicated technological investigation measures increases.
LIVE_FOR addresses this need by providing a training curriculum that communicates the fundamental background knowledge in legal and forensic subjects, but also focuses on the practical use of both the EIO and IT-forensics.
The curriculum aims to be practice and hands-on oriented; therefore examples, self-assessment questions and demo applications are an important part of the planned trainings.
What, why, where, when, who, how
Any questions?