Philipp, you presented a paper at DFRWS about robustness and resilience in digital forensics laboratories. Could you briefly outline your research for our readers?
The main focus of our research is on identifying the key elements of resilience and robustness in digital forensics frameworks. In this paper, we aimed to identify the elements that allow an organization with digital forensic capabilities to adapt to change in a controlled and managed way; one of the main questions was how organisations can sustain their digital forensics capabilities and stay agile within controlled boundaries when dealing with new technological advances, new modi operandi, staff turnover, etc., while at the same time minimizing the risk of non-conformity, i.e. ensuring that the basic principles of police work are maintained while adapting to a changing environment. We argue for a focus on robustness and resilience in creating and maintaining the resources required to effectively and efficiently prevent, protect, disrupt and investigate cybercrime in the face of complex and changing requirements. We interpret resilience not just as an approach to addressing unexpected events but also as a practice that aims at actively monitoring relevant factors and managing any deviations from norms or a stable state. Therefore, monitoring, situational awareness and forward-looking analysis play a vital role in organisational resilience, as well as related concepts such as knowledge management and quality management.
The paper we presented is a first step in developing an integrated digital forensics framework based on resilience and robustness; it describes and analyses the main elements identified through a structured questionnaire that we sent out to various different law enforcement agencies within the EU. Our approach offers a more holistic view on digital investigations and examinations and, as such, presents an expansion to existing digital forensics investigation frameworks discussed in the literature.
There has been a lot of discussion during the conference about the international nature of cybercrime and how it can make investigations difficult. What would you say are the most important challenges in this area, and what can we as digital forensics investigators do to address them?
When it comes to combating cybercrime, cross-border cooperation among law enforcement but also with the private sector is absolutely essential. I think this is met by a number of challenges such as inadequate legislation and legal tools as well as a lack of standardization and harmonization. This often results in very slow exchange and communication processes. Law enforcement also faces significant problems in relation to attribution, i.e. the ability to identify who is behind an online nickname or an IP address linked to criminality or where a server hosting criminal content is based.
Apart from the legal and technical challenges, I also see a need to create new and further strengthen existing trust relationships between the various actors, particularly when it comes to the exchange of information. However, it is important to note that with cross-border cooperation and the exchange of information comes the need to have the necessary digital forensics capabilities. I also believe there is a need for improved coordination of standardized digital forensics training within the EU.
EC3 addresses these challenges in several different ways and in close cooperation with other partners. But this needs the input and support of experts like you in order to identify the best way forward, for instance when it comes to identifying shortcomings, developing standards or creating and validating new tools. Events like the EU DFRWS provide a great opportunity for the digital forensics community to present new ideas, exchange best practices and network with others, including organizations such as EC3.
The criminal abuse of legitimate services that are set up to provide privacy and anonymity has been another hot topic at this year's conference. In your opinion, is it possible to strike a balance between online privacy for citizens and law enforcement agencies still being able to combat criminal activity on such services? If so, how do you think this might be achieved?
I strongly believe that it is possible to strike a balance between the need to protect the privacy of citizens, provide a secure online environment for industry and create a safe cyberspace for everyone to enjoy, including children and elderly people, and the need for law enforcement to prevent and investigate criminal activity online, including the criminal abuse of encryption and anonymity services.
However, in order to find this balance, all stakeholders, including the public, need to engage in an open and transparent dialogue and agree on a doable approach that meets everyone’s requirements. This should include discussions on the rules by which cyberspace should be governed and if and why they should be different from the rules that govern other domains.
Within the EU, clarity on what law enforcement can do to protect citizens and businesses is at the heart of our democratic society. Investigating online crimes obviously includes the use of special powers and techniques that may impact on the privacy of suspects. In order to have the trust of the community and the legitimacy to operate, there has to be clarity for the general public on what special powers law enforcement can use and under what circumstances, what these powers entail, what the conditions are that apply to their use and on the controls that are in place to ensure these powers are used appropriately and proportionately. If this clarity is absent, there is work to do.
Your research showed that there is a high staff turnover of LE digital forensics examiners, with 50% leaving within the first five years. Did you collect any data that showed the reasons behind this trend?
We did not explicitly ask for the reasons behind the relatively high staff turnover. However, the answers to some of the other questions together with some of the comments we received would suggest that this is linked to the challenges faced by law enforcement such as high workload, limited resources for training and education as well as financial motivations.
The skills and expertise of digital forensic examiners in law enforcement are sought after by the private sector. This is particularly true for companies that have a need to build up in-house digital forensics capabilities or offer such services commercially.
Financial aspects are an important factor in countries with a bigger pay gap. Fortunately, there are many digital forensics examiners and investigators who prefer working for law enforcement as this offers them typically better job security/stability and the possibility to go after the ‘bad guys’.
One of your questions dealt with the use of "court approved" forensics software. How would you define "court approved" in the context of digital forensics software tools, and what do you think needs to be done to improve the approval process?
We used the term ‘court approved’ rather loosely to refer to software tools that are routinely used in court cases and have ideally gone through an approval process. The point was more on the use of tools that allow for an easier validation of the process used to generate evidential data and are therefore more likely to withstand any legal challenge in relation to weight and/or admissibility.
I believe one of the challenges in relation to the approval process of digital forensics software is one of time. One approach could be for the digital forensics community to get even more involved in this process, e.g. by sharing new tools, techniques and methodologies, providing expert feedback to tool makers, and helping develop and promote existing standards and industry practices.
Existing initiatives such as UCD’s FREETOOL Project or the Computer Forensic Tool Testing (CFTT) project are examples of already existing successful initiatives in this area. EC3 is actually actively involved in the FREETOOL project and also promotes and supports the development of standards. Moreover, we are a member of and host the meetings of the European Cybercrime Training and Education Group (ECTEG).
How do you think the world of digital forensics will change over the next few years?
As highlighted in our 2014 Internet Organised Crime Threat Assessment Report, we believe that the Internet of Things will be a major challenge for law enforcement together with Big Data. Being able to examine an ever increasing number and variety of smart devices that may hold potential electronic evidence will require law enforcement to constantly update their digital forensics capabilities.
Big Data at a very basic level refers to the need to be able to process large amounts of data from different sources. Given the ever increasing amount of digital data available, it will become more challenging to find the proverbial needle in the haystack and to do so in a way that the extracted data is admissible as evidence in court. This will require better tool support to store, analyze and visualize data; similarly digital forensics specialists will need to acquire better data analytics skills.
Data together with entire infrastructures will continue to move to the Cloud, which is already creating technical and legal challenges for digital forensic investigators.
The increased use of encryption will render some of the existing digital forensics approaches less effective. The evolution of virtual currencies will also make it harder for law enforcement to “follow the money”.
All these developments will make attribution and obtaining evidence required for a conviction harder, especially when considering the fact that more crime is moving to Darknets.
I also believe that we will see a continuing trend of specialization in the area of digital forensics and perhaps a more service-based approach, like ‘Tackling Cybercrime as a Service’, where not every agency has to develop capabilities in all technical areas.
EC3 will continue to play a very active role not just in coordinating and supporting successful multi-national and international operations to combat cybercrime but also in contributing to the development of preventive measures and standardized training for law enforcement in the area of digital forensics.
Finally, what do you do in your spare time?
I enjoy spending time with my family and doing sports such as skiing and cycling. But I also like to focus on ‘cyber-related’ issues, which would include reading up on relevant articles and reports.
Philipp Amann is a senior strategic analyst at Europol's EC3 centre, with over a decade of experience in information security management and cybercrime. He has previously held positions in information management and has been a senior manager at the Organisation for the Prohibition of Chemical Weapons and the International Criminal Court.
Forensic Focus interviewed Philipp at DFRWS, the annual Digital Forensics Research Workshop, which took place in Dublin from the 23rd-26th of March. The next workshops will be held in Philadelphia in August 2015, and Switzerland in March 2016. You can find out more and register here.