CWA 17865:2022
Requirements and Guidelines for a complete end-to-end mobile forensic investigation chain
This CEN Workshop Agreement (CWA) focuses on the Personnel, Tools, Processes and Legal and Ethical framework specific to mobile forensics and includes the following topics:
a) competencies;
b) device seizure;
c) data preservation;
d) data acquisition;
e) data examination and analysis;
f) documentation of all investigation steps;
g) reporting;
h) evaluation and sharing of information with other LEAs; and
i) legal and ethical considerations.
In addition to the process-related issues, the document covers requirements for a new curriculum for training of LEA officers, security practitioners and criminal prosecution experts to ensure that the evidence from mobile devices is court-approved across national borders.
It is recognised that national laws and good practices applied at LEAs vary not only between different European countries but also within these countries. This CWA offers a collection of building blocks covering different aspects of mobile forensics allowing for adjustments based on national laws and regulations as well as internal rules and codes of conduct. It allows LEAs from different countries to accommodate their available technical solutions, at the same time offering a standardised collection of procedures and requirements.
It should be explicitly stated that it is not possible to cover all the possible related topics for mobile forensics. Detailed subject matters and specialisms such as Cloud Forensics, Cell Site Analysis, Interception of Communications are excluded. Similarly, the rules and regulations about chain of custody in general, plus guidance for transmission of evidence across national boundaries are excluded from this standards document.
Standards Content (Sample)
SLOVENIAN STANDARD
SIST CWA 17865:2022
01-May-2022
Requirements and Guidelines for a complete end-to-end mobile forensic investigation chain
This Slovenian standard is identical to: CWA 17865:2022
ICS:
07.140 Forensic science
SIST CWA 17865:2022 en,fr,de
2003-01. Slovenski inštitut za standardizacijo (Slovenian Institute for Standardization). Reproduction of this standard in whole or in part is not permitted.
CEN WORKSHOP AGREEMENT
CWA 17865
March 2022
ICS 07.140
English version
Requirements and Guidelines for a complete end-to-end mobile forensic investigation chain
This CEN Workshop Agreement has been drafted and approved by a Workshop of representatives of interested parties, the constitution of which is indicated in the foreword of this Workshop Agreement.
The formal process followed by the Workshop in the development of this Workshop Agreement has been endorsed by the National Members of CEN but neither the National Members of CEN nor the CEN-CENELEC Management Centre can be held accountable for the technical content of this CEN Workshop Agreement or possible conflicts with standards or legislation.
This CEN Workshop Agreement can in no way be held as being an official standard developed by CEN and its Members.
This CEN Workshop Agreement is publicly available as a reference document from the CEN Members National Standard Bodies.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2022 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No.: CWA 17865:2022 E
Contents
European foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Personnel
5.1 Competence
5.2 Impartiality
5.3 Procedural
6 Tools
6.1 Background information
6.2 Overarching Principles related to the selection and use of Mobile Forensic Tools
6.3 Tool Fundamentals
6.4 Methodology
6.5 Tool Selection
6.6 Features
6.6.1 Accessing Data
6.6.2 Decoding Data
6.6.3 Data Integrity
6.6.4 User Knowledge
6.7 Tool Interoperability
6.8 Forensic Tool Log
6.9 Secure Evidential Storage
6.10 Validation and Verification of Tools
6.11 Tool Release Notes
6.12 Risk Register
6.13 Recommendation for an EU Forensic Testing Body
7 Processes
7.1 Background information
7.2 General requirements
7.2.1 Impartiality
7.2.2 Confidentiality
7.2.3 Auditability
7.2.4 Repeatability
7.2.5 Reproducibility
7.2.6 Justifiability
7.2.7 Chain of custody
7.3 Preliminaries
7.4 First response
7.5 Recording
7.6 Labelling
7.7 Packaging
7.8 Item transport and storage
7.9 Lab Work
7.9.1 Initial inspection phase / device identification
7.9.2 Instruction and authorisation
7.9.3 Tool Selection
7.9.4 Acquisition
7.9.5 Decoding / Decryption
7.10 Analysis
7.10.1 Analytical models
7.10.2 Live analysis
7.10.3 Selection of analysis methods
7.11 Verification and Validation
7.11.1 Verification of methods
7.11.2 Validation of methods
7.11.3 Peer Reviews
7.12 Reporting of results
7.12.1 Written reports
7.12.2 Oral reports at court
7.13 Exchange of data and archiving
8 Legal and Ethical Framework
8.1 General Overview
8.2 Governance of the evidentiary proceedings
8.3 Pre-Trial Criminal Proceedings Considerations
8.3.1 Appropriate logging and protocoling
8.3.2 Criteria to be met when accessing messages, cloud and sensitive documents
8.3.3 Importance of the different roles in the criminal procedure – suspect, witness, victim
8.3.4 Scrutinizing tools and review tools and documenting what tools were used
8.3.5 Clear audit trails
8.3.6 Using accessible language to all parties involved in the criminal procedure
8.3.7 Fair trial implications
8.3.8 Judicial overview of the process
8.4 Trial Phase Criminal Proceedings Considerations
8.5 Prevention of mobile forensics dual-use, misuse, and abuse
Annex A (informative) A Good Practice Guide for Mobile Forensic Tool Selection
A.1 Permissibility
...