File #2535: "2018_Book_HandlingAndExchangingElectroni.pdf"

1|Contents|6
1|Part I Setting the Scene|8
2|1 Introduction: Opportunities and Challenges for Electronic Evidence|9
3|1.1 The Current Scenario|10
3|1.2 Digital Forensics|12
3|1.3 Legal Framework in Europe|14
3|1.4 The Volume|15
3|1.5 Final Reflections|17
3|References|18
2|2 Present and Future of the Exchange of Electronic Evidence in Europe|19
3|2.1 Introduction|19
3|2.2 The EU's Action on the Subject of Electronic Evidence: Modernising the Procedures|21
3|2.3 Operational Initiatives of European Institutions|25
3|2.4 European Project Action to Promote the Exchange of Electronic Evidence|28
4|2.4.1 European Project Initiatives|28
5|2.4.1.1 The Evidence Project|28
5|2.4.1.2 The e-Codex Project|30
5|2.4.1.3 The e-MLA Project (Interpol)|31
5|2.4.1.4 The Programme of the Council of Europe: Council of Europe Cybercrime Programme|31
5|2.4.1.5 The UNODC-United Nations Office for Drugs and Crime Project|32
3|2.5 Suggestions for the Creation of a Common European Framework for the Exchange of Electronic Evidence|32
3|2.6 Future Scenarios|35
3|References|38
1|Part II International Perspective|39
2|3 e-Evidence and Access to Data in the Cloud: Results of the Cloud Evidence Group of the Cybercrime Convention Committee|40
3|3.1 Background|40
3|3.2 Key Issues|41
4|3.2.1 Subscriber Versus Traffic Versus Content Data|41
4|3.2.2 Mutual Legal Assistance|41
4|3.2.3 Loss of (Knowledge) of Location|42
4|3.2.4 A Provider Offering a Service in the Territory of a State|42
4|3.2.5 Voluntary Disclosure by Private Sector Entities|42
4|3.2.6 Emergency Procedures|42
4|3.2.7 Data Protection and Other Safeguards|43
3|3.3 Recommendations|43
4|3.3.1 More Efficient Mutual Legal Assistance|43
4|3.3.2 Guidance Note on Article 18 on the Production of Subscriber Information|44
4|3.3.3 Domestic Regimes for the Disclosure of Subscriber Information|44
4|3.3.4 Practical Measures to Improve Cooperation with Providers|44
4|3.3.5 An Additional Protocol to the Budapest Convention on Cybercrime|45
3|3.4 Conclusions and Follow Up|45
2|4 The Evolution of Expressing and Exchanging Cyber-Investigation Information in a Standardized Form|47
3|4.1 Introduction|48
3|4.2 Motivation|48
3|4.3 Background|50
3|4.4 UCO Overview|51
3|4.5 CASE Overview|53
3|4.6 Provenance|55
3|4.7 Fully-Structured Data in CASE|58
3|4.8 Representing Actions in CASE|58
3|4.9 Action Lifecycle|59
3|4.10 Guiding Principles|60
3|4.11 Conclusions and Next Steps|61
3|References|61
2|5 "All Along the Watchtower": Matters Not Yet Solved Regarding Communication Interception Systems and Electronic Data Retained on Foreign Servers|63
3|5.1 Athens, October 2008|63
3|5.2 Once Upon a Time There Was the Problem of VoIP Calls and the Interception of Their Communications|64
3|5.3 The Interception of @.com Email Accounts|66
3|5.4 The Current State of Interceptions: Via Trojans—of VoIP Communications Systems (Including Today's Online Instant Messaging Systems) with Encryption Protocols and of @.com Email Accounts|69
3|5.5 USA vs. EU|71
3|References|75
1|Part III Institutional/Operational Perspective|76
2|6 Electronic Evidence: Challenges and Opportunities for Law Enforcement|77
3|6.1 Introduction|78
3|6.2 Methodology|79
4|6.2.1 Questionnaire|79
4|6.2.2 Expert Group Meeting|81
4|6.2.3 Semi-structured Telephone Interviews|82
4|6.2.4 Other Sources of Information|82
3|6.3 Status Quo on the Handling of Digital Evidence by LEAs|83
4|6.3.1 Status Quo Throughout the Lifecycle of Digital Evidence|84
5|6.3.1.1 Investigative Measures for the Collection and Acquisition of Digital Evidence|84
5|6.3.1.2 The Preservation of Digital Evidence|86
5|6.3.1.3 The Forensic Analysis of Digital Evidence|86
5|6.3.1.4 The Presentation of Digital Evidence Before Court|88
5|6.3.1.5 The Transfer of Digital Evidence|89
4|6.3.2 Status Quo on the Collaboration Between Agencies Responsible for Implementation|89
4|6.3.3 Status Quo on the Use of Channels for International Cooperation|91
3|6.4 Challenges Hampering Law Enforcement Investigations and Forensic Analyses Involving Digital Evidence|91
4|6.4.1 Different Legal Systems: A Challenge to International Law Enforcement Cooperation?|92
4|6.4.2 Encryption and Anonymisation Tools: Hampering Investigations and Digital Forensics|93
5|6.4.2.1 The Encryption Debate: Moving to Europe|94
5|6.4.2.2 Online Anonymous Ecosystems: A Catalyst for Serious Crime|95
5|6.4.2.3 Continuing the Debate...|96
4|6.4.3 Legal Lacunae: Hampering International Law Enforcement Cooperation|97
5|6.4.3.1 Data Retention: European Case Law|97
5|6.4.3.2 Remote Access to Data in the Cloud|99
3|6.5 Recommendations to Strengthen Law Enforcement Action in the Field of Digital Evidence|100
4|6.5.1 The Professionalisation of Digital Forensics|101
5|6.5.1.1 Independent Certification of Digital Forensics Professionals|101
5|6.5.1.2 Method Validation|102
5|6.5.1.3 Accreditation of Digital Forensics Labs|104
4|6.5.2 Enhancing Collaboration Between LEAs and Other Actors in the Digital Evidence Domain|105
5|6.5.2.1 Collaboration with the Public and Policymakers: Increasing Transparency and Accountability|105
5|6.5.2.2 Evidence Sourced from Other Actors: Enhancing Trust|107
5|6.5.2.3 Collaboration with the Judiciary: Strengthening Communication|111
4|6.5.3 The Modernisation of International Cooperation|114
5|6.5.3.1 International Cooperation Within the EU: From Mutual Assistance to Mutual Recognition|115
5|6.5.3.2 Joint International Actions as MLA Avoidance Tactic|116
5|6.5.3.3 Expediting MLA Procedures|118
3|6.6 Conclusions|121
3|References|123
2|7 International Digital Forensic Investigation at the ICC|126
3|7.1 Introduction|126
3|7.2 Overview of Digital Evidence Lifecycle in the ICC Investigation|127
4|7.2.1 ICC Organizational Structure and Legal Basis|127
5|7.2.1.1 ICC Structure and Roles of Each Organ|127
5|7.2.1.2 Legal Basis|128
4|7.2.2 Digital Evidence Lifecycle in the ICC|128
5|7.2.2.1 Preservation and Collection|128
5|7.2.2.2 Analysis|130
5|7.2.2.3 Disclosure|130
5|7.2.2.4 Presentation in Proceedings|130
3|7.3 Challenges|131
4|7.3.1 Challenges in Investigations Based on Cooperation|131
5|7.3.1.1 Jurisdiction on the Data in Cloud|132
5|7.3.1.2 Delay and Data Loss|133
5|7.3.1.3 Reliability|133
5|7.3.1.4 Non-cooperation|133
4|7.3.2 Technical Challenges|134
5|7.3.2.1 Device Diversity|134
5|7.3.2.2 Anti-forensics and Data Protection|134
5|7.3.2.3 Language Diversity|135
5|7.3.2.4 Open Source Data: Volume and Processing|135
4|7.3.3 Legal Challenges: Evidentiary Value of Digital Evidence|136
3|7.4 What is Required to Tackle the Challenges|136
4|7.4.1 Building a Knowledge Base|137
4|7.4.2 Digital Evidence Container Standard Setup|137
4|7.4.3 Provision of Trainings and Raising Awareness|138
4|7.4.4 Technology Sharing and Joint Development|138
3|7.5 Conclusion|139
3|References|139
2|8 The Online Environment as a Challenge for Privacy and the Suppression of Crime|141
3|8.1 Data is the New Oil|141
3|8.2 Challenges for Law Enforcement|142
4|8.2.1 An Unfortunate Example: Ransomware|142
4|8.2.2 Not Only Big Brother is Watching You: Spyware|143
4|8.2.3 The Infamous Encryption Debate|144
3|8.3 Data Protection in the Fight Against Cybercrime|145
4|8.3.1 New Europol Regulation, More Personal Data Protection|145
4|8.3.2 Supervision|146
3|8.4 Conclusion|147
3|References|148
2|9 Electronic Evidence in Criminal Trials: The Use of PowerPoint Presentations by Prosecutors and Attorneys in the Courtroom|149
3|9.1 Introduction|149
3|9.2 Training Courses on Electronic Evidence in Criminal Trials|150
3|9.3 The Use of PowerPoint Presentations by Prosecutors and Attorneys in the Courtroom|150
3|9.4 Conclusion|159
3|References|159
1|Part IV Evidence Project Perspective|160
2|10 The Conceptual Representation of the "Electronic Evidence" Domain|161
3|10.1 Introduction|162
3|10.2 A Snapshot of Electronic Evidence and Its Exchange|163
3|10.3 Electronic Evidence Across Disciplines|163
3|10.4 Electronic Evidence Legal and Technical Scenario|167
3|10.5 Methodology|170
3|10.6 Defining Digital and Electronic Evidence|171
3|10.7 From the "Electronic Evidence" Domain Analysis to the Class Categorization|173
3|10.8 The Categorization Classes|175
3|10.9 Conclusion|184
3|References|185
2|11 The European Legal Framework on Electronic Evidence: Complex and in Need of Reform|187
3|11.1 Introduction|187
3|11.2 International and European Legislation and Practices|190
4|11.2.1 European Union Legal Instruments|191
4|11.2.2 Council of Europe Legal Instruments|195
5|11.2.2.1 Investigative Powers|198
5|11.2.2.2 Jurisdiction|199
5|11.2.2.3 International Cooperation|199
5|11.2.2.4 Mutual Assistance|200
5|11.2.2.5 Gaps in the Investigative Framework|201
4|11.2.3 Guidelines and Best Practices|203
4|11.2.4 Actors|205
3|11.3 National Legislation and Practices|209
4|11.3.1 Differences and Similarities Between Member States|210
5|11.3.1.1 Applicable Law|211
5|11.3.1.2 New Technologies and Investigative Measures|213
5|11.3.1.3 Lawful Interception|214
5|11.3.1.4 Preservation and Use|214
5|11.3.1.5 Admissibility and Probative Value|215
5|11.3.1.6 Cross-Border Scenarios|217
4|11.3.2 Challenges and Shortcomings|221
4|11.3.3 Criteria for Uniform Regulation|224
5|11.3.3.1 Should the Prevailing Rules on Collection, Preservation and Use of Electronic Evidence in Europe be Harmonised?|225
5|11.3.3.2 Should the Prevailing Rules on the Transfer and Exchange of Electronic Evidence in Europe be Harmonised?|228
3|11.4 Conclusion|230
3|References|232
2|12 Digital Forensic Tools Catalogue, a Reference Point for the Forensic Community|233
3|12.1 Introduction|233
3|12.2 The Need for a Digital Forensic Tools Catalogue|236
3|12.3 Digital Forensic Tools Catalogue|237
3|12.4 Tools Data|242
3|12.5 Catalogue Browsing|243
4|12.5.1 Tools Retrieval: Example 1|244
4|12.5.2 Tools Retrieval: Example 2|244
3|12.6 Catalogue: Update and Maintenance|248
4|12.6.1 Digital Forensics Experts Group Network|249
4|12.6.2 Catalogue Web Editor|250
3|12.7 Prospective Future|251
3|References|252
2|13 Privacy Protection in Exchanging Electronic Evidence in Europe|253
3|13.1 Introduction|253
4|13.1.1 Criminal Investigation and Fundamental Rights to Privacy|253
4|13.1.2 Electronic Evidence and Data Protection|255
3|13.2 Methodology|257
4|13.2.1 General Objectives|257
4|13.2.2 The Methodological Outset|258
4|13.2.3 The Technological Outset and Its Privacy Impact|259
4|13.2.4 Addressing the Privacy Impact|260
3|13.3 European Legal Framework and International Law|261
4|13.3.1 Competences of the European Union|261
4|13.3.2 European Fundamental Rights to Privacy and Data Protection|261
4|13.3.3 European Secondary Data Protection Law|262
5|13.3.3.1 Directive 95/46/EC|262
5|13.3.3.2 Directive 2002/58/EC|264
5|13.3.3.3 Directive 2006/24/EC|265
5|13.3.3.4 2008/977/JHA|265
5|13.3.3.5 2008/978/JHA|266
4|13.3.4 EU and CoE Conventions|267
5|13.3.4.1 Convention on Mutual Legal Assistance in the European Union|267
5|13.3.4.2 European Convention on Mutual Assistance in Criminal Matters (CoE)|271
5|13.3.4.3 Cybercrime Convention (CoE)|271
4|13.3.5 CoE Recommendation 87 (15)|272
4|13.3.6 Europol Rules on the Collaboration Between Member States LEAs and Their Data Protection Rules|275
4|13.3.7 Eurojust Rules on Data Protection|278
4|13.3.8 Data Protection Reform Package|280
4|13.3.9 The ePrivacy Reform Package|282
3|13.4 Summary and Recommendation|283
3|References|284
2|14 Some Societal Factors Impacting on the Potentialities of Electronic Evidence|287
3|14.1 Electronic Evidence as Innovation|287
3|14.2 The "Social Arena" of Electronic Evidence and Types of Actors Involved|289
4|14.2.1 A Map Describing the "Social Arena" of Electronic Evidence|289
4|14.2.2 The Roles of the Different Types of Actors: A Complex Picture|290
3|14.3 Obstacles and Facilitating Factors for the Introduction of Electronic Evidence in Courts|294
4|14.3.1 Study of "Structural" Factors|294
4|14.3.2 The Construction of a Map of the Obstacles and Facilitating Factors|294
4|14.3.3 Obstacles|295
4|14.3.4 Facilitating Factors|298
4|14.3.5 Obstacles (Rated as Very Important)|300
4|14.3.6 Facilitating Factors (Rated as Very Important)|302
4|14.3.7 Some Remarks About Obstacles and Facilitating Factors|302
3|14.4 The Social Fabric of Electronic Evidence: From Interpretation to Decision-Making|304
3|References|306
2|15 Standard for the Electronic Evidence Exchange|309
3|15.1 Introduction|309
4|15.1.1 Existing Formal Language|312
4|15.1.2 The Digital Forensics XML|312
4|15.1.3 CybOX Language|315
4|15.1.4 DFAX Language|316
5|15.1.4.1 Element Case|318
5|15.1.4.2 Authorization|320
5|15.1.4.3 Subjects|320
5|15.1.4.4 Forensic Action|320
5|15.1.4.5 Provenance Records|321
4|15.1.5 Forensic Case|321
3|15.2 Problems to Be Addressed in Exchange Languages|325
3|15.3 An Initiative to Promote the Adoption of the DFAX Standard|329
3|15.4 Conclusions|331
3|References|332
2|16 Connecting the Dots: A Tale of Giants and Dwarfs, or How to Manage, Disseminate, Network and Present Your Research|334
3|16.1 Introduction|334
3|16.2 Status Quo|336
3|16.3 The Way Forward|337
3|16.4 There Is No Persuasion Without Inspiration|339
3|16.5 The Best Ambassadors of a Project Are the People, Not the Tools|340
3|16.6 Keep It Simple, Focused and Realistic|341
3|16.7 In Any Case, Stay Flexible|343
3|16.8 The Story Is More Important than the Words|343
3|16.9 Using the Narrative|343
3|16.10 The Competition Is Your Best Friend|344
3|16.11 Empathy Is Key|344
3|16.12 The EVIDENCE Story|345
3|16.13 Conclusions|346
3|References|346
2|17 Systems for Electronic Evidence Handling and Exchange|348
3|17.1 Introduction|348
3|17.2 State of Practice on Systems for Electronic Evidence|349
3|17.3 Analysis of Technical Objectives|349
4|17.3.1 Goals Analysis|352
5|17.3.1.1 Top Level Goals|352
5|17.3.1.2 Efficient Data Exchange|354
5|17.3.1.3 Trusted Data Exchange|355
3|17.4 Proof of Concept Application|356
4|17.4.1 Application Scope and Scenario|357
4|17.4.2 Architecture|357
4|17.4.3 Implementation|360
5|17.4.3.1 Platform and Data Model|360
5|17.4.3.2 Application Functionality|361
5|17.4.3.3 DFAX Extension Library|362
5|17.4.3.4 Forensic Investigation Document Packaging|363
4|17.4.4 Secure and Trusted Exchange of Electronic Evidence|365
5|17.4.4.1 Integration with a Secure Exchange System|365
5|17.4.4.2 Alternative Exchange Approaches|367
3|17.5 Conclusions and Future Work|369
3|References|371
2|18 The Way Forward: A Roadmap for the European Union|372
3|18.1 Introduction|372
3|18.2 Status Quo|374
4|18.2.1 Law and Policy|374
4|18.2.2 Data Protection|377
4|18.2.3 Actors|377
4|18.2.4 Law Enforcement|378
4|18.2.5 Technical Standards|380
3|18.3 Strategic Goals|381
4|18.3.1 Enhancing Legislation|381
4|18.3.2 Enhancing Law Enforcement and Professionalising Digital Forensics|382
4|18.3.3 Enhancing Technical Standards|382
4|18.3.4 Enhancing Trust|383
4|18.3.5 Further Research|383
3|18.4 Roadmap|384
4|18.4.1 Short-Term Solutions|387
5|18.4.1.1 Objective: Enhanced Law Enforcement|388
5|18.4.1.2 Objective: Further Research|389
4|18.4.2 Medium-Term Solutions|390
5|18.4.2.1 Objective: Enhanced Legal Provisions|391
5|18.4.2.2 Objective: Enhanced Exchange|392
5|18.4.2.3 Objective: Enhanced Trust|393
5|18.4.2.4 Objective: Enhanced Technical Standards|394
4|18.4.3 Long-Term Solutions|398
5|18.4.3.1 Objective: Enhanced Legal Framework|399
5|18.4.3.2 Objective: Enhanced Policies|405
5|18.4.3.3 Objective: Enhanced Law Enforcement|405
5|18.4.3.4 Objective: Professionalisation in the Field of Digital Forensics|406
3|18.5 Conclusion|408
3|18.6 The EVIDENCE Road Map and the Future of Electronic Evidence in Europe|412
3|Reference|417