Results: CEPOL and ENFSI Forensic IT Working Group joint meeting, common results
Prof. Dr. Zeno Geradts, Senior forensic scientist, Chairman ENFSI Forensic IT Working Group
Tallinn, 2014
Netherlands Forensic Institute
Yesterday: common results CEPOL and ENFSI
What are, in your professional opinion, the three most important problems in the relation between police investigators and IT experts on national and international level, from first response up to court conviction of criminals?
From police investigators' point of view:
1. Gap between both parties
2. Lack of understanding on international issues
3. Training is wasted because people move to commercial companies
4. Training at universities is not linked to the real world
From IT experts' point of view:
1.
From police investigators' point of view, problems and proposed solutions:
1. Gap between both parties: educate and collaborate
   1. Reviewing results of forensic examinations
   2. Communicating with the examiner
   3. Understanding what is possible
2. Lack of understanding on international issues: harmonize laws
3. Training is wasted because people move to commercial companies: more incentives to stay
4. Training at universities is not linked to the real world: more communication and exchange to make it fit
Further points raised: keeping pace with technology, open source investigation, staff shortages
Solutions
Problem 1: Gap between both parties. Investigators need to have a reasonable knowledge of the skills of the IT experts in order to enhance the cooperation between both entities and help them deliver results. The knowledge of older investigators needs to be improved. Younger investigators are not as great an issue; the new generation knows IT better.
Problem 1 (continued): Investigators must know their limitations (chip-off etc.) but must not be afraid to conduct basic digital investigations (viewing the contents of a live mobile device). Communication between technical people and investigators needs to improve, i.e., meet in the middle. Reports for police can be too technical, and requests from investigators are often not detailed enough to direct the IT expert.
From experts
1. Volume of evidence, either in capacity or in number of artifacts. This poses a problem for the field investigator: knowing which evidence to collect in the field, and the priority of each item, in order to obtain the information needed for the investigation. The solution in the field should be training for the investigators (finding the time for it is also an issue) so that they know which evidence is of interest for the case, as well as introducing triage tools in the field. In the labs, the solution could be better efficiency in the filtering and analysis tools, to process all data automatically.
From experts (2)
2. Complexity of the systems to be analyzed. Some embedded systems or non-standard file systems take a lot of time to analyze. It is increasingly common to find encrypted devices which are impossible to analyze. A change in the laws could force some private companies to provide or decrypt information under certain circumstances and with a search warrant.
3. Complex investigations with hundreds of evidence items to analyze. The expert in the lab does not know what to look for because the investigator has not told him.
Experts (3)
A couple of solutions have been proposed. The first is to hold a meeting with all investigators and forensic experts to prioritize the evidence items to be processed and to establish what to look for in each one. The second solution is to incorporate a forensic expert into the investigators' team from the very beginning, so that he/she will know in the end what to search for and can coordinate the rest of the experts in the lab.
Solution 3: Retention and professionalization of staff across Europe should be promoted. Salary scales should be introduced in which investigators are rewarded for their expertise.
Caseload management survey
- Some labs stop intake above a certain number of cases (> 6 months; ICGRN / NFI) (effective)
- One lab with a backlog of > 4 years (no intake control)
- Terrorism related cases are always accepted and given the highest priority (most labs)
- Time depends very much on new developments and complexity
1/21/201021-10-08 ENFSI FIT-WG
Caseload management survey (2)
- If cases are in for > 10 months, try to do overtime or ask whether they still have to be done
- Intake of cases: strict selection of the parts that can be done
- Speed up cases with automation / lean six sigma
Management of expectation
Old situation:
- No restrictions on the annual number of research applications
- No standard delivery
- Lack of communication and prioritization
Consequence:
- Work backlogs
- Long delivery times
- Inefficiency
- Dissatisfied customers
- Frustrated NFI employees
Management of expectation: by working with a Service Level Agreement (SLA)
An SLA is a written agreement between a supplier and a purchaser of certain services and/or products. An SLA contains:
- a description of the services to be provided;
- the rights and duties of both the supplier and the buyer in respect of the agreed quality level (service level) of the services and/or products to be delivered;
- performance requirements for the service, such as availability and delivery, and the constraints.
Management of expectations
The performance requirements for the services to be supplied are formulated on the basis of key performance indicators (KPIs): each performance requirement is translated into one or more testable performance indicators. Subsequently, a standard is established for each performance indicator, which may not be exceeded. The restrictions that apply to the recipients of the services are formulated as requirements that customers must adhere to. These requirements are likewise translated into performance indicators to which standards are linked.
Management of expectations
With the help of an SLA, client and provider arrive at a shared picture of the products and services to be delivered. Essential to an SLA is that (implicitly or explicitly) it is agreed that certain services are not delivered. Both parties have an interest in this, since extra performance usually also costs extra money.
Source: Wikipedia
Service level agreement
An SLA is not made only once: every organization is exposed to change over time, which will have an impact on the agreements reached. The SLA should therefore be evaluated on a regular basis and, if necessary, adjusted.
Source: Wikipedia
Forensic Service Level Agreement
Given the annual budget of the Ministry of Security and Justice: an agreement between three parties, the Public Prosecutor (OM), the Police and the NFI, in which the capacity of the NFI is tailored to the expected annual requirements of the core customers.
Agreements in the field of:
- Case Study (K1)
- Research & Development (R & D) (K2)
- Education for policemen and magistrates (judges and prosecutors) (K3)
Capacity
Making the Service Level Agreement
It is crucial to have stakeholder involvement:
- Steering group Police, OM and NFI (SPON): representatives of OM, ECFO police and NFI; tactical perspective
- Customers Platform: customer delegation at the strategic level; strategic perspective
Establishment of the SLA (flow diagram)
Inputs: products and capacity (magistrates and police); NFI budget (Department of Security and Justice)
Input session SPON and customer input sessions (customers platform) -> SPON and NFI capacity -> draft SLA -> SPON and customers -> final SLA
Development of the SLA at NFI
Involvement of stakeholders has increased; the quality of the discussion has improved.
- 2008: first SLA
- 2009: 'negotiated' SLA
- 2010: customer-oriented product
- 2011: capacity shift based on input from chain partners
- 2012: R & D component of the SLA; input sessions on product content
- 2013: long-term perspective, flexibility added as a goal, online customer portal MijnNFI available
- 2014: cuts, translated into the SLA based on input from chain partners
Tools to maintain the SLA
- ICT system to calculate the production capacity of the NFI (capacity model)
- Case Information System (Promis)
- MijnNFI: online customer portal with PDC and monitoring function
- The ability to take action (SPON) regarding the influx of cases
Capacity at product group level, intake per product visible
Regulation of cases
"Where possible, the NFI provides a flexibility of +10% per month, with the note that the customer is responsible for balancing this in the period thereafter. The total per product delivered on an annual basis remains unchanged and is specified in the SLA 2014." (From: SLA OM-Politie-NFI 2014)
If the demand for a particular product or product group is structurally higher than the capacity, the work in progress and hence the delivery times increase. In close consultation with the SPON, three types of intake measures are possible:
- SLA regulation, with or without prioritization by the National Officer for Forensic Research (inflow up to the agreed SLA capacity)
- Intake restriction with prioritization by the National Officer for Forensic Research (intake temporarily lower than the agreed SLA capacity)
- Intake stop (temporarily no intake is possible, until the work in progress has normalized)
Notification regarding an intake measure on the product detail page
Part 3: Further support for requesters with MijnNFI
MijnNFI homepage (logged in)
Customer activity cycle
- Guidelines
- Forensic question wizard
- Information system on traces
- Choose product
- Make request
- Read reports
- Send electronic request
- Status of request
Challenges
- Critical systems: shut down? copy? ignore?
- Virtualization of storage, networks, servers: where is the data located? whose jurisdiction? who is the owner?
- Shielding: one-time-use phone / email account; encryption / keys get stolen; closed networks / secure cloud computing
Challenges
- Exponentially increasing amounts of data
- Keeping up to date in methods and technology
- Challenge to keep employees
- Technology is used more broadly and by more people
- Expertise is not enough, validation is needed
- Standard work in efficient operations
- Required: closer co-operation, internationally and public-private
Discussion