Hello, and welcome to this presentation about law enforcement educational challenges for mobile forensics. My name is Georgina Humphries, and I work for the Norwegian Police University College and the Nordic Computer Forensic Investigators team, and I’m currently working on a mobile forensics project namely FORMOBILE – an EU funded project. I would like to thank my colleagues Mr Rune Nordvik, Dr Harry Manifavas, Mr Phil Cobley and Dr. Matthew Sorell for their input into this research.
The main goals of this research are to understand the current status of mobile forensics education and training, and to identify to what extent the current offerings cover aspects and phases of the mobile investigation chain, from crime scene through to court and in particular for law enforcement.
The overall FORMOBILE project aim is to create an end to end mobile investigation chain striving to improve digital safety and security in the EU. We’ve focused on aspects such as tools, standards, and training. And the overall aim of the training work package is to identify, develop and deliver a novel curriculum for mobile forensics for law enforcement.
A brief summary of the paper and our findings show that course descriptors are often broad and lack details. Courses often focused on the phase of acquisition, and investigation chain phases, such as analysis, inquiry, reporting, and so on, may not be covered in as much depth.
And the lack of courses for law enforcement personnel, such as investigators and the judicial audience, and even management is apparent. And there are known challenges with the development and delivery of education and training, and digital and computer forensics, and these are similar for mobile forensics courses.
To give a background, there is a significant volume of literature in digital forensics, education and training with a particular focus on learning methods, challenges, and topics, and in particular areas such as cloud and mobile forensics, encryption, malware, and network communications, there is a requirement for improved education in the context of mobile forensics.
Training and education in digital mobile forensics is documented that it should involve theory and practice, and there is a requirement for realistic data sets, which are often unavailable in the mobile forensics domain. Gaps in digital and mobile forensics education also include legal and judicial communities, and there is a lack of internationally accepted standards in mobile forensics.
So what is the problem? Albeit there is a substantial volume of educational courses and training courses on offer in digital forensics, but what are the challenges for educators and trainers with the constant evolution of technology, security and techniques in mobile forensics, do such courses consider law enforcement requirements, and do they target the different personnel across an entire mobile forensic investigation chain?
And as I said before, this includes from the crime scene through to the court. So it includes people such as first responders, regular investigators, digital mobile forensic analysts and experts, legal experts, such as prosecution, and then overall, managers at a higher level too. In this research we’ve used various methods and these include a literature review.
So the collection and review of existing research in digital and mobile forensic education. It also includes the gathering of course information from online sources, course descriptors and specifications from across 30 countries, in fact. There were 300 we found, which were whittled down to 152, which focused on some element of mobile forensics. Unfortunately, some of the courses didn’t provide enough information for us to analyze. And therefore the number eventually was 94.
The information was collected following the Didactic Relationship Model by Himm and Hipp. And this considers things such as learning objectives, frameworks, content, evaluations, and so on. We then used thematic analysis to code and categorize and theme the information that we had.
In addition to this, we distributed a qualitative questionnaire of which we received 27 responses from educators and trainers. Of which 21 included mobile forensics and questions focused on the content of a course, including learning outcomes, topics,and so on, the educator or trainer’s experiences, things they felt were skills shortages or challenges in the mobile forensics domain, and in education and training of this area.
In addition to this, we conducted three interviews with trainers. These were trainers who had filled out the questionnaire and documented that they had more than one course offering in mobile forensics.
To gain greater insight into the course information, the structures and experiences, and in particular engagement with law enforcement, interviews were useful. However, we have to consider at this stage for both the questionnaires and the interview responses, that these are based upon interviewee experiences and their own perceptions, so there may be some bias.
Limitations that I’ve mentioned include the broad and limited course information and the fact that we have no access to the course materials. We were also limited to the online sources that we could find in terms of offerings for mobile forensics.
But these usually included university or commercial offerings, and the availability of in-house law enforcement training is not considered at this stage because they’re not documented online. Furthermore, we don’t know the update status of the courses. Generally a course may have a specification that lasts for a certain period and nor do we know the reaction to the courses themselves.
But why should we look at mobile forensics? It is not uncommon for an investigation to include at least one mobile device that requires some level and form of acquisition, examination, analysis, and so on, and mobiles are used to continuously share and store information and can house a plethora of information for an investigation and often used for criminal activities, to communicate, et cetera.
So what do our results show us? When we consider the 94 courses using the mobile forensic investigation chain on your screen now, we categorized them into the different chains using their descriptors. This chain includes a number of phases from the crime scene through to the court, and it also includes the context and decisions.
So the before and the after, so the context being things such as your pre-information and your preparation for a case, through to the court where a decision may be made and, based on the decision, what you should do with the devices and the data, for example, and the various stages in between, including acquiring the data from the devices, analyzing the data on the phones and writing about your findings and presenting in the court.
We have tried to document where each different personnel or example of personnel within law enforcement may fit within this chain and while this chain identifies mobile forensic investigations, there is no need that this could not include digital investigations or be applied to online investigations, for a crime scene is not just a physical crime scene, but a digital one too.
As I said, each of the courses were considered and classified using this chain. What we found is that using early information from the courses such as descriptors, so these were categorized into mainly acquisition, followed by a little analysis.
So as you can see, of the 94 courses we examined, the information online told us that acquisition was the phase that was most covered by these courses, be it training and education, followed by analysis at 23 and analysis with acquisition at 13 and so on and so forth.
Additional thematic analysis of the more in-depth content about the courses, such as learning outcomes and other content that we could find, demonstrated that acquisition again, followed by analysis, were the most prevalent topics.
As you can see acquisition shows the total occurrence of 948 codes, and analysis 644, followed by forensic readiness, operating systems, automation, investigation, network, and so on, but topics such as the crime scene, documentation, decryption, encryption, visualization, and so on were further down our total occurrences.
Topics rarely coded included mobile network forensics, internet of things, and other small scale devices, encryption and decryption. The cloud, crime scene, visualization and so on. And these were relatively light or with little to no emphasis on mobile forensic investigations.
What we have to consider at this stage is that in educational courses, encryption, decryption and the crime scene are often included in separate distinct modules. And these were not included at this stage. This may also be apparent for other audiences and stakeholder groups within law enforcement.
Questionnaire and interview responses also revealed important topics and skill shortages. They were themed into four categories. These were forensic readiness, automation, analysis and investigation. All that we had just seen in our previous results. However, far below acquisition. As you can see, acquisition is not mentioned here.
But these things included a lack of basic knowledge and skills in forensics and investigation, a lack of higher skilled practitioners and their reliance on tools. But as you can see analysis and investigation are important topics, but where there are skill shortages, and often these are not covered by the courses that we saw based on their general descriptors, or learning outcomes.
However, when we look at the data from our questionnaire learning outcomes, we asked the interviewees to split into knowledge, skills, and competencies, and responses were then coded and learning outcomes were categorized and show some form of analysis of key focus. Meanwhile course descriptors, previously, show acquisition as the key focus.
So maybe interpreted that more education and training for tasks involving analysis are required from the various stakeholders. And to what effect these in courses actually include analysis. At this stage we cannot answer this because we do not have access to the content or materials from the courses. But what we can say is course descriptors focus on acquisition.
In addition, interviews revealed with the three participants several challenges for educators and trainers, and these were themed into the following. Keeping up to date – and this was about keeping up to date with the discipline, the constant advancements and challenges, the fast paced environment of mobile devices and mobile forensics and the need to continually update the material on a regular basis, basically on each run of a course.
It also created legislation, standards, principles, and procedures, and the lack of consistency in standards, and the fact that there is no one adopted standard across mobile forensics, and there are various jurisdictional challenges. So it makes it hard to teach due to the variances and leads to fragmentation. So standards are just generically covered in education and training courses.
It also included the awareness and education, so larger volumes of data and resources, little education for the wider criminal justice systems. So for example, prosecutors, judges, and so on. The fact that first responders require greater awareness and education about mobile devices and forensics, and the lack of focus on investigators, particularly in the area of analysis.
Furthermore, tools and automation were mentioned. The need for tools is apparent, but there must be a balance between automation and education. There is a need for the fundamental understandings to be able to utilize the tool and without the tools dampening the understanding of the practitioner. Essentially the practitioners may have to go to court as an expert witness. For example, if you’re an analyst, but you need to know the fundamentals of what happens and what is going on. Some understanding of how the tools work.
There was also mention of security encryption and advances in technologies. Mobile devices come straight out of the box with some form of security hardening. And there are future data access problems which may affect law enforcement, and features that work against law enforcement motivation, and these have to be considered, but how do we prepare and educate and train for these.
Overall, the courses may not cover the entire end to end mobile forensic investigation chain, and courses seemingly focused particularly on acquisition, with maybe a little bit of analysis, but several stakeholders in the law enforcement group, lack education and training offerings on the market. For example, those investigators, the general investigators, the prosecution, the judges, and the managers.
And there are several challenges that law enforcement face such as security, cloud forensics, the volumes of data and the lack of standardization, which are a similar burden to educators and trainers, but topics such as available data sets in mobile forensics, phases and techniques for analysis, cloud forensics, the standards, good practices, network communications, small scale devices, and other things such as sensors require further consideration in the mobile forensics education and training.
Future work of the FORMOBILE training package would include extension of this research to identify law enforcement requirements in mobile forensic domains, and particularly also the challenges in which they face and maybe the skills shortages, and a dedicated training team will utilize these results and extend this research to create a new curriculum for law enforcement, which will consider all the stakeholder groups. So from first responder, analysts, experts, investigators, and the judicial audience, and even the management.
I thank you for listening and I would like to take any questions you may have. Thank you.