The following transcript was generated by AI and may contain inaccuracies.
Shaji: Good morning, good afternoon, good evening, wherever you are. I’m Shaji Damodharan. I’m the technical support and training specialist at ADF, and I’m going to be talking to you today about satisfying the Landeck Ruling with ADF Pro.
The agenda for today: I’m going to be covering the Landeck Ruling — just give you a brief introduction about the Landeck case and the subsequent ruling. We’re going to look at the impact on prosecutions and how that ruling affects prosecutions, the effects it has on digital forensic investigations, how we can comply with the Landeck Ruling using ADF Pro, and there’ll be a short demonstration towards the end of the presentation. I’ll conclude with forthcoming enhancements in ADF Pro version 6.3.
Just some housekeeping: this webinar is being recorded. There will be a section in the webinar for you to submit your questions — it’s in the top corner of the screen where you can submit your questions using the question box with a question mark in it. I’ll get to those questions at the end of the session, and there will be a poll throughout the presentation at various points which you can take part in. So it is an interactive session, and we also have a survey with questions at the end as well.
The Landeck Ruling
So let’s start talking about the Landeck Ruling. Before we do, we’ve just got a poll — if you could kindly fill that in, that would be great. Thank you very much.
The Landeck case itself is a very interesting case. It centers on a German citizen who was stopped by Austrian customs officers in February 2021 in relation to a drug-related investigation. The individual was found in possession of a small amount of cannabis — 85 grams — which in Austria is a punishable offense, with a sentence of up to one year imprisonment, so a relatively minor offense.
During the course of that interaction with authorities, the individual’s mobile phone was seized and the authorities made several attempts to access the data on that device. Having been unsuccessful, the device was then transferred to headquarters and further attempts were made to access the data. The case eventually went through the judicial system, and at this point the individual concerned found out that police had tried to access personal data on his mobile phone. He felt that this was an unlawful invasion of his privacy.
He mounted an appeal, and in the course of that case he found that there was no authorization by the authorities to search that device and there was no record of the data and the subsequent attempts to access it. So the individual concerned made an appeal challenging the seizure of his mobile phone.
The case went to the Court of Justice of the European Union. They heard all the evidence and looked at the case, and they came to a number of conclusions. The first was that access to personal data on digital devices constitutes a serious invasion of one’s privacy and data protection — and both of these points are covered under Articles 7 and 8 of the EU Charter. That’s the right to a private life, and also the right to have your personal data protected. They also found that there was no independent oversight in terms of authorizing access to that data. In other words, the police were not in a position to self-authorize and then access that data, so there needed to be that independent oversight.
They also found that personal data can be accessed for criminal investigations, but there needs to be satisfaction of proportionality tests. And lastly, that law enforcement agencies must inform the data subject of the grounds for collecting their personal data.
Impact on Prosecutions
So let’s look at the impact on prosecutions.
Firstly, the impact is around law enforcement agencies having access to those devices — there needs to be prior independent authorization required before that personal data is accessed.
There are also privacy, data protection, and proportionality considerations that we need to bear in mind. The right to respect EU privacy and data protection requirements, as I said in the previous slide, is enshrined in EU law. We also need to consider proportionality and why we are going to access that information — what are we seeking to achieve in accessing that information?
There is also the impact on prosecutions in terms of the admissibility of evidence. If we access data on a particular device and it was unlawfully accessed, there’s the potential for that case to be thrown out when it goes through the court system and is challenged.
There’s also going to be the effect on procedural changes. In this instance, there are going to be more procedures to follow — new procedures in terms of obtaining those warrants, documenting the attempts to access that data, and also notifying the individuals — the data subjects — where appropriate.
On the right-hand side, there are a number of cases I’ve highlighted which focus on this point. The first case in the top right corner concerns Dutch Police who stopped an individual at Schiphol Airport and carried out a limited search of that individual’s smartphone. The individual concerned felt that this was an invasion of his privacy, appealed against it, and the courts found in favor of the police because they had done those limited searches on that person’s device in relation to a drugs investigation.
The middle case relates to the UK — while not directly impacted by the Landeck Ruling, it highlights the importance of seizing and acquiring data on mobile phones. This was a case concerning the Home Office where there was a blanket policy in place to capture the data from devices of individuals who had illegally crossed the Channel and arrived in the UK. Several of these individuals took the case through the appeal courts and it was found that it was a serious invasion of privacy in relation to accessing all of the data on their phones.
Finally, there’s the case at the bottom, which relates to a Slovak businessman who was a suspect in the killing of a journalist. This individual’s mobile phones were seized by Slovak authorities who sought assistance from Europol. All of the data on these devices was downloaded, and whilst no information was found in relation to the actual killing of the journalist, the individual concerned took the case through the appeal courts. It was subsequently found in his favor — it was deemed a serious invasion of his privacy and right to a private life, and he was awarded several thousands of euros in damages.
Effects on Digital Investigations
Let’s look at the effects of this on digital investigations. Before we do that, I believe we have another poll.
So what does this actually mean for digital investigations? When we are talking about digital devices and the data on these digital devices, the searches themselves can be seen as quite intrusive — very intrusive, in fact. There’s a lot of personal and sensitive data on these devices. If I think about my own personal phone, I’ve got health data, data relating to family and life events that I store in my calendar. So there’s a lot of information there, and a lot of it is personal and sensitive.
That leads on to the point about the risk of collateral intrusion and how do we mitigate against that.
There is now a new default position with this Landeck Ruling — and I appreciate it is EU-centric — but there is this new default position of applying for prior authorization from an independent body, whether that’s through a court or an independent authority. We need to also bear in mind applying the principle of proportionality tests: what are we looking for in the data, and why do we need access to this data?
It means that we need to take further steps before we even access that data — applying for the warrants and completing that paperwork.
When we’re talking about proportionality, what we’re doing is focusing on and acquiring relevant data that is proportionate to the offense that we are investigating. We need to be mindful of doing that targeted data collection — not having that mindset where we are gathering everything, but being very focused and targeted in our collection of data. That leads on to the point about it not being a fishing expedition — we’re not just gathering everything just in case.
What all of this means is that we’re going to have tailored digital forensic strategies, and that’s going to vary case by case and offense by offense.
We know that in digital investigations, documentation and justification are critical — they’re absolutely vital. We’ve already talked about the proportionality aspects of it and the need to obtain prior authorization before we’ve even accessed the data.
All of this just seeks to ensure that we comply with those processes — because we know that when we go through the judicial process and present that evidence at court, one of the things that is scrutinized is whether we have followed those procedures and processes. All of this is going to mean that we revise and amend our digital forensic standard operating procedures.
The risk of not doing these things and being non-compliant is that the evidence we put before the courts is going to be challenged or even excluded. There’s the potential for cases to be thrown out. So all of these considerations are things we must bear in mind when doing our digital investigations.
Evidence from Victims and Witnesses
We’ve looked at that from a prosecution point of view, but what about evidence from victims and witnesses? There are going to be concerns from individuals who are victims or witnesses to a crime about reporting crimes — because they’re worried about their personal and private data being accessed on devices that they may have captured evidence on.
And again, this leads onto the point about mitigating the risks. How do we minimize those risks of collateral intrusion and privacy?
If we take into account and mitigate those risks, what we can do is build confidence and ensure that we’re engaging with members of the public who will be a lot more forthcoming in providing evidence of crimes. That leads on to having a much greater likelihood of successful outcomes — firstly in terms of safeguarding victims, but also in prosecuting offenders and bringing them through the judicial process and before the courts.
How ADF Pro Can Help
So how can ADF Pro help? We just have another poll here.
Before we talk about how we can comply with the ruling using ADF Pro — for anybody who’s not familiar with ADF Pro, I think it would be useful to give a brief introduction about the tool itself.
ADF Pro is our flagship tool. It enables you to triage computers, digital media, and mobile devices. We can run it in a number of different modes — if you’ve got your forensic machine, you can have it installed on your desktop and run it in live and boot mode as well. Using Collection Key, we’ve got some additional capabilities around RAM extraction and drive imaging as well, and it’s all done in a forensically sound manner.
In terms of mobile devices, we can do that advanced logical acquisition, which is strong on iOS and Android devices, and we’ve also got a fantastic capability around screen capture. We can also optically character recognize the text that we’ve captured in our screen captures.
How are we going to satisfy the Landeck Ruling with ADF Pro? Within the tool, we’ve got search profiles — and I’ll talk more about this in the slides that follow. We’ve also got captures that we can utilize.
With our search profiles and captures, what we can do is perform that targeted data collection. What that means is that we will be complying with the Landeck Ruling. Our search profiles and captures also give users greater control and flexibility.
Search Profiles
Let’s look in a bit more detail at search profiles and the particular captures that we use.
As I said in that previous slide, the key is going to be our search profiles. Our search profiles are essentially a combination of artifact and file captures — and I’ll talk more about this in the next few slides. What our search profiles allow us to do is modify them in order to meet our investigational requirements. They can be customized and tailored by users, and they can also be shared and imported.
Looking at the composition of a search profile — as I said, it consists of artifact captures and file captures.
Artifact captures are going to encompass a number of different captures. It will include details about applications, communications platforms, device data, information about the device itself. We know that mobile devices contain geolocation data, so we’ll have that data there as well, and we’ll have some web browsing history as well.
When we talk about artifact captures, we are recovering those specific records and information. You can see in the screenshot on the left-hand side a number of different artifact captures — looking at the one around USB history, we’ve got 15 records there that relate to the Microsoft Windows operating system that we have captured details for.
These artifact captures cannot be edited or created by users, so they’re provided by default in the tool itself.
We’ve also got file captures, and with file captures we can do that tailoring and customization — so we can look at specific files and file properties. We can look at keywords and generate keyword lists, import hashes and hash values to search against, and we can also compare files using visual similarities.
In terms of file captures, we’ve got the ability to recover files that match certain criteria. As I said in the previous slide, we can specify the particular file properties — so if you’re interested in looking for a particular file type, such as an image, and you are only interested in acquiring JPEG images, then we can specify that.
You can include keywords, so if you have a keyword list we can import that using the keyword import function. You can also generate your own keyword list as well. In relation to keywords, we’ve also got a regular expression keyword builder within the tool that you can utilize, and we can also match against hash values. All of this is supplied with the program and it can be tailored by the user.
What this means is that with our captures, we can do that targeted data collection. It’s going to be much more laser-focused and very specific in what we are looking for. On the right-hand side, you can see a capture within a search profile — we’ve got a number of different captures within there where we are looking for specific things. It means that we’ve got that level of granularity in terms of our searching and search capability.
And what does that mean in the grand scheme of things? It means that we’re going to be legally compliant when we are doing those scans of devices — we’re only looking for the information that’s relevant to our investigation. That follows on naturally that we are balancing those privacy concerns against the investigational need.
So when we put it all together, we’ve got our search profile — it’s going to consist of some artifact captures that are supplied as default with the tool, but also some file captures that we can tailor and customize.
So what do the results look like? Here we’ve got a screenshot of the results of running a tailored and targeted data collection. In the top right corner, you can see we’ve got 215 records out of a possible 6,437 — so we’ve really refined that data collection and we’re focusing only on the data that matters to our investigation.
Live Demonstration
I’m going to run a demonstration now. Oh, we’ve just got a poll up on screen — just wait for that to finish.
So I’m in ADF Pro now. This is our home screen, and what I’m going to do is go into the scan setup and key management, and we’ll have a look at the search profile that I’ve created. So I’m going into Manage Search Profiles and I’ve created this canine search profile — let’s have a look at that.
Within our canine search profile, we’ve got a number of different captures in the capture group section on the left-hand side. If I look within the child exploitation section, we’ve got the keywords in file names that are specific to child exploitation — there’s a keyword list built into the tool that we’re going to utilize in our capture.
Within the device data section, I’ve also got some information about the operating system information and USB history checked. In the canine-specific capture group — which is a group I’ve created — I’ve got some hashes that are specific to my case that I would like to search against. Within the canine hashes, you can see there are 413 hash values that I’ve imported into this specific capture group.
Within the canine keywords capture group — again, a capture I’ve created — consisting of keywords that are going to be specific to my case. And you can see there are a number of different keywords that I’m bringing into the case that I’m going to be searching against.
So what does that look like? I’m just going to go into the Scan Review — Scan Results section.
Here we’ve got a scan of a device — it’s a comprehensive scan, so it’s quite detailed. You can see the number of different artifacts that are being captured. It’s a very thorough search, running all artifact captures and collecting a lot of data. We can see on the right-hand side in the statistics column that it took 4 minutes and 40 seconds and we collected 12,366 files.
If we have a look at another scan result above — where we’ve run a search profile specific to that case. So the specific canine search profile I showed you earlier: we’ve got some keywords, hash matches, and other artifacts that we’re searching for. If we look within the statistics section, we can see that is a considerably quicker scan duration time — 34 seconds — and we’ve captured 353 files. So we are now looking specifically at files that are relevant to our investigation.
We can delve into that a bit more. If we click into the view section and look at those specific results — going to the picture section, we can see all of our results where matches that have been tagged have been pushed right to the top. If we click on the first one, we can see we’ve got a keyword hit against that particular file. If we click on another file, we’ll see a match against the hash — we’ve got a matching hash value there.
So we can see that we are looking at data that’s specific to our case.
That was just a quick demonstration of search profiles and captures and how they can be utilized in order to comply with the Landeck Ruling.
Forthcoming Enhancements — ADF Pro Version 6.3
Now let’s look at some of the enhancements we’re going to see in the forthcoming release of ADF Pro version 6.3.
In 6.3, we’re going to have the ability to do a targeted data collection where we do the extraction and the acquisition, utilize our captures, and then delete that acquisition and focus only on the targeted data we’ve collected.
We’re also going to have the ability to sanitize our preview where we’ve got matches against hashes — a really useful capability within the tool that we are going to have in version 6.3. This is just showing you the output: we’ve run a scan and we can see we’ve got matches against hashes, and this material will be sanitized.
So again, we’re thinking about the wellbeing and welfare of the investigators that are using our tool and ensuring that they’ve got that capability there to sanitize the results. And again, this is just another view demonstrating the sanitized preview where you’ve got hash matches.
Conclusion
To conclude — what are the key takeaways?
The key takeaways are that we can maximize using those search profiles and captures within ADF Pro and build that tailored and flexible framework. We’re going for that targeted data collection — being very specific and laser-focused in what we are gathering and what we are looking at. That follows on naturally that we’re going to be complying with and mitigating against those concerns around collateral intrusion and privacy. And ultimately, we’re going to be complying with the Landeck Ruling.
That concludes this presentation. Thank you so much for your time today. I’ve just left my details on the screen — if you would like to request a free trial, you can scan that QR code. We will be presenting at the Digital Investigations Conference in Zurich next week, so if you are out there and have time, please do come see us as we’ll be running a workshop around this particular scenario.
Thank you for your time today. Let me just have a look at the questions and see what we have.
Q&A
So that’s a really good question there from Chandra about the Landeck Ruling: does it apply only to EU citizens regardless of where they are physically, or to anyone in the EU at the time of the investigation? In this specific instance, it relates to the individual while they were in the EU. From my understanding of the case, it applies to anyone in the EU at the time of the investigation.
Another great question: independent authority must be acquired before accessing data — is it still legal to have possession of the device while waiting to find that authority? Again, great question from Chandra. That would depend on the laws local to your country around criminal investigations, so I’m not entirely sure on that one.
If we don’t have any further questions, I would just like to thank you all again for your time today. It’s been a pleasure speaking to you all — please do come and see us. Thank you.





