„Co-funded by the Prevention of and Fight against Crime Programme
of the European Union“
New certification programmes for law enforcement will facilitate the better collection of digital
evidences
Newly developed certification programmes for Lithuanian Law Enforcement agencies (LEA) –„Collection of
electronic objects” and „Windows artefacts” are designed for LEA officers, IT specialists and experts,
carrying out an investigation:


First certification programme „Collection of electronic objects” is designed for LEA operating
groups’ officers, criminal police officers carrying out an investigation, forensic specialists, involved
in examination and review of crime scenes and often facing with problems at collection of digital
evidences. The programme’s objective – to prepare competent investigation officer, who will be
able to act at crime scenes, review or seizing, while electronic objects are detected in place.
Second certification programme “Windows artefacts” is developed and designed for LEA officers
who perform a review of the most common operational system – Windows OS. The programme’s
objective – to prepare competent specialist, who will be able to perform review of Windows OS.
„While cybercrime is growing rapidly, and in most cases the offense or on the spot the electronic items are
found (computers, mobile phones, tablet, etc.), not all officials and experts, who taking place the scene, are
well familiar with prevailing architectures of computer technologies, know the most common forms of
external drives, are not always analysing on the spot existing networks and accesses to them or collecting
information from peripheral devices or computerised systems of common infrastructure, – as highlighted
Sergej Boldyrev, Head of Forensics Division at Vilnius County Police Headquarters. – Thus a part of potential
evidences are not collected, or contrary, often over-collection of equipment and devices is taking place, this
leads to excessive recording, logistic, storage and forensics that burden LEA work.”
Tackling to solve these problems a certification programme “Collection of electronic objects” was
developed.
Once electronic objects are collected, the detail analysis is performing, then the crime evidences or to
investigation relevant information are looked for.
Usually the greatest attention is drawn for analysis of Windows operational system (hereinafter – OS)
(Windows 7, XP, 8, 8.1, Vista), those in 2014 amounted 98.88 % of all used OSs (Source: Kaspersky report on
secure network: Windows use and challenges. KasperskyLab, 2014)
However, the Windows OS can investigate only professionals authorized to conduct IT investigations or
inspections or enrolled into Lithuanian police list of specialists on IT objects forensics. These specialists
were called only in 0.07% cases of all registered offenses in Vilnius County in 2014.
Thus, there remains a chance that some information in Windows OS based electronic items will be not
picked up or lost.
The above mentioned specialists must have higher education in IT, but namely the specialty - IT
professionals by criminals - it does not preparing by any Higher Education institution in Lithuania.
Therefore, one of the quickest ways is to train already employed officers and investigators on how to
investigate the Windows OS based electronic objects for searching the digital evidences and taking them.
1
„Co-funded by the Prevention of and Fight against Crime Programme
of the European Union“
While forensic experts and IT professionals who work in law enforcement, constantly improving
qualifications, however, there is a lack of systematic skills development on a larger scale. Namely a lack of
experts and specialists causes the queues in Lithuanian Forensics Centre and other forensics institutions to
carry out IT forensics.
New certification programme “Windows artefacts” will allow in much shorter period to train and prepare
competent experts and specialists, able to carry out Windows OS artefacts analysis. Numerous proceedings
illustrations help to learn how to properly perform Windows artefact analysis.
Developed certification programmes were presented to interested parties for validation, and pilot trainingsimulation under certification programme “Collection of electronic objects” was organised for LEA officers –
in advance prepared classroom was being simulated a search and collection of electronic object (simulation
of search, collection of items, recording, composing of photo tables etc.). This was followed by training
participants to discuss actions and problem situations encountered in the collection of electronic objects.
Developed certification programmes are going to be incorporated into single framework on LEA officers’
competence improvement. Active discussions about competence map development are going on and
where various training and certification programmes should find its place. Such LEA competence
framework will enable at least partly to standardise competences at national level.
A lot of discussions about standardisation and competence recognition are going on at EU level too:
E.C.T.E.G (European Cybercrime Training and Education Group) at EUROPOL seeks to establish the common
European framework on LEA competences, to standardise LEA training and disseminate training
programmes, developed in other EU countries, and share the best practices.
Mentioned certification programmes were based on Spanish certification programmes “Collection of
electronic objects” and “Analysis of Windows artefacts” via localisation and adaptation to the needs of
Lithuanian LEA and IT forensics carried out in Lithuania.
Development of both certification programmes were funded by the European Commission from ISEC
programme under the project “Lithuanian Cybercrime Centre of Excellence for Training, Research and
Education, L3CE, reference No HOME/2013/ISEC/AG/INT/4000005176). Programmes were localised and
adapted by Vilnius County Police Headquarters, Lithuanian Cybercrime Center of Excellence for Training,
Research and Education, Mykolas Romeris University and company Ekonomines konsultacijos ir tyrimai.
2