Mobile Phone Examination Final Report

Transcription

NOT PROTECTIVELY MARKED

Mobile Phone Examination
Final Report

Auditor / Contact Details / Date of Review: Faye ne – October 2015
Draft Report Issued: 28th October 2015
Final Report Issued: 11th November 2015

1 Executive Summary

Mobile phones are an important source of information in the detection and disruption of criminals. Mobile phone examinations are currently undertaken by examiners at District Investigation Hubs, previously Safer Neighbourhoods Crime, and by staff at the HQ Mobile Phone Unit (MPU).

The examination of mobile phones at District level was reviewed as a part of the audit, focussing on mapping the current processes in place for the submission and examination of mobile phones by those individuals who are qualified. A sample of 50 mobile phone examinations undertaken from April 2014 – April 2015 at York, Scarborough and Harrogate was reviewed. It is acknowledged that the period reviewed as a part of the audit was prior to the creation of the Investigation Hubs and was when staff and officers came under Safer Neighbourhoods Crime (SNC).

Whilst the main focus of the audit was the procedure for a mobile phone examination, the return to owner process was also considered and was found to be adequate. Sufficient notification is given to the owner that the item can be returned to them and whilst only a small number of the mobile phones within the sample were appropriate to be returned to their original owner, reasonable assurance can be given that this process is being handled appropriately.

Each key audit finding is summarised below:

Training

Training of staff at a District level was considered as a part of the review and whilst training has provided staff with the capability to undertake mobile phone examinations, issues have been raised with the way in which this training has been delivered. IA have been advised that staff at Districts have received training in using XRY from staff within the MPU and not a qualified trainer. Whilst having this level of training allows the examiner to provide reliable evidence in court, concern is raised over the assurances it can provide, particularly where District staff investigate a more serious level of crime. It is the opinion of IA that a thorough assessment of resourcing and training requirements at Districts would be necessary to address issues with the training process.

Review of Serious Crimes

Force policy states that District examiners should not undertake investigations of more serious crimes due to the level of interrogation they are able to provide. However examiners do investigate these crimes, which affects the level of scrutiny that can be provided as a full download cannot be performed by District examiners. It is not evident whether the Mobile Phone Unit are made aware of this, or whether any assessment is made of whether the examination was appropriate for Districts to complete. It would be suggested that the MPU undertake more regular dip sampling of District examinations, assessing the appropriateness of these examinations as well as other areas where examination procedure may not be being adequately followed and where necessary raise issues or concerns with the relevant DI.

Data Security

Where a successful download occurred a disk was present in the physical file. However 6/50 of the physical files containing the disk, FSD9 submission form, and Digital Media Examination form could not be located at Harrogate, Scarborough or York. As a result there is a risk that possibly sensitive data may have been lost or misappropriated and this raises wider issues around the overall security of extracted data. This was raised with staff at the time of the field work being completed.

Additional data security issues are also highlighted around the encryption of the extracted data. Initially IA were advised that whilst Districts have the capacity to encrypt data they do not use it. Given that storage of the data at Districts is in cabinets that are not always locked and could be accessed by members of staff outside of the Investigation Hub, encryption must be used to adequately safeguard extracted data.

District Processes

Of the sample of mobile phones that were reviewed, a number of issues were found in relation to file documentation that was held at the Districts. It was highlighted that 25/50 of the files examined did not have an FSD9 submission form providing evidence of the objectives of the investigation and of the Detective Inspector (DI) authorisation. Internal Audit were advised that these forms may be returned to the Officer in the Case (OIC) with the examination data, however this is not evidenced through the Niche record. As this information isn’t adequately evidenced it is difficult to provide assurances that DI authorisation has actually been received.

In 2/50 cases it was identified that a submission form was evident but DI authorisation had not been received. In these instances, according to procedure, the investigation should not have been performed. Particular good practice in this area was highlighted at Scarborough District, whereby when the submission form was received electronically an email was sent to the appropriate DI to receive authorisation. Both the form and the email were adequately evidenced through the physical file. It is recommended that evidence such as this from the mobile phone examination is added to the Niche occurrence, as this is the primary recording method used by the Force.

MPU Processes

Processes in place within the Mobile Phone Unit, particularly around how they manage their workload, were assessed by IA. Whilst it is good practice that examinations are categorised upon receipt in the MPU based on certain crime types and a key date in the case (e.g. bail date), further measures need to be put in place to improve the efficiency of the MPU. For example a scoring matrix which would determine the severity of the interrogation and the priority level for examination. A similar system is already in use within the Hi-Tech Crime Unit and has potential to be adapted for MPU purposes.

Data Quality

Usage for the period 2012-2015 from the SNC spreadsheet provided to IA also highlighted that the number of examinations at a local District level is on the increase from approximately 154 examinations in 2012 to 1210 examinations in 2014. This is to be expected as mobile phones become commonplace. However IA would raise a minor issue with the quality of the data provided by the SNC spreadsheet. A number of blanks are present in terms of crime type, examiner, authorising officer and which district undertook the investigation. A reminder should be issued to DIs about the need to appropriately complete this spreadsheet, thus providing the MPU with more detail of the examinations that are taking place.

Data held through the SNC spreadsheet was also matched against the record of the examination held on Niche, however these sources do not always match. Of the sample in terms of crime type 6/50 did not match, for date of seizure 5/50 and the date the phone was examined 14/50 did not match against the Niche record. More regular review against the Niche record would be deemed necessary to ensure that it accurately reflects examination detail and ensuring continuity of evidence, especially where documentation held at Districts may be insufficient.

Summary Opinion

Overall whilst it is beneficial to have examiners at districts, only limited assurance can be provided that procedure is being followed appropriately at a District level, particularly in relation to evidencing key examination documents and authorisation. Concern has also been raised regarding the overall security of examination data especially where this data relates to a more serious crime. It is therefore considered that further review by the MPU may be necessary to remedy control issues and ensure best practice.

Effectiveness of Risk Management Approach
Commentary: The current approach at present highlights a number of areas where Force policy and procedure are not being adequately followed at a District level. As a result it is difficult to provide assurance that examinations, particularly of more serious crimes, are being undertaken appropriately. The review also highlighted a number of weaknesses in MPU processes, as such recommendations have been made to address this.

Efficiency of Risk Management Approach
Commentary: Whilst the current approach allows for the expedient examination of mobile phones, it is considered that sufficient review of examinations across Districts is not occurring. As a result more serious crimes are being investigated contrary to Force policy and without thorough consideration of subsequent data security.

Assurance Level: 3 Limited Assurance
Overall Risk: 3:13

2 Scope and Approach of the Audit

The audit will include Internal Audit mapping the current processes in place for the submission and examination of mobile phones to those individuals who are qualified in the Safer Neighbourhood units and the specialist HQ Mobile Phone Unit. In doing so the activity of the examination and submission will be reviewed and the following risks will be considered:

- Criminals may not be brought to justice due to evidence not being expediently investigated;
- Evidence and high risk material gained through examination could be lost or misappropriated;
- Processes and training currently in place to deal with mobile phone examinations may not be credible or provide sufficient integrity/competence to successfully prosecute an individual and be effective;
- Material gained through examination pertaining to a crime, but not related to the original request, may not be investigated;
- And mobile phones subject to examinations may not be returned to the owner (when appropriate).

Each recommendation is accompanied by an assessment of the likelihood and impact of the risk identified, to North Yorkshire Police (NYP) as a whole.

3 Report Distribution

Columns: Name/Role, Draft, Final, Final with Response

Richard Cockerill, Digital Forensics Manager
Detective Inspector Adrian Gathercole
Detective Inspector Jim Glass
Superintendent Alistair Dey
Chief Superintendent Simon Mason
Risk and Assurance Unit
Michael Porter, Police & Crime Commissioner’s Chief Finance Officer
Jane Palmer, Chief Constable’s Chief Finance Officer

4 Observations

4.1 Training

Risk Exposure: Training may not provide sufficient value to successfully prosecute an individual and be effective.
Root causes: Not all examiners have received training from a qualified XRY trainer. Training updates are not
gnificant 3:13

Current usage data highlights that from March 2012 – April 2015 10 examiners of the 46 known users logged on the SNC spreadsheet accounted for 65% of all examinations undertaken through the period. A gap is therefore highlighted between training provided and the degree to which training is used. It is the opinion of IA that review of resourcing and training needs could be considered to address training issues around how training has been delivered to District examiners.

IA have also been advised by the Training School at NYP that it is acceptable to receive training by an individual who is unqualified (if the head of training school is present) and this is acceptable for use in court. However it is considered that if the practice of District examiners undertaking review of more serious crimes is to continue then full and appropriate XRY training should be provided. At present concerns are raised over the benefit of extracted data provided by Districts for more serious crime as a full download is not performed. There is a risk that an individual may not be successfully prosecuted as a result and this raises issues around the value that District examinations can provide.

Consideration should be given to a review of training practices with the possibility of providing full XRY training to 20 individuals who regularly undertake mobile phone examinations. The training needs of these individuals can be more proactively monitored and managed, particularly for when a person moves to a role that doesn’t require this training or leaves the organisation. Where this is the case training can be more readily provided to new examiners as needed.

Recommendation 1
Assessment should be undertaken of the current resourcing requirements of the District Investigation Hubs, reviewing where training updates may be required and where the training of new examiners may be necessary.

4.2 Serious Crime

Risk Exposure: Criminals may not be brought to justice as evidence for more serious crimes is not obtained from a mobile phone examination
Root causes: More serious crimes are being investigated without the MPU having an awareness of this
tRating 3:13

Review of the usage of District examinations showed that 26% of examinations undertaken from 2012-2015 were serious crime types, for example sexual offences and murder cases. Examiners at Districts should only investigate lesser crimes such as burglary, whereas the MPU should examine mobile phones for those crimes which are more serious and where a more comprehensive interrogation of the phone is required. Where these crimes are being interrogated by District examiners there is a risk that these phones will not be subject to the same level of scrutiny as they would if they were investigated by the MPU, reducing the value that mobile phone investigations can provide.

At the time of the audit IA were advised that when MPU resources are not available (e.g. on a weekend) a District examiner may undertake the investigation. However the MPU do not undertake sufficient review of where these more serious crimes have been examined by Districts. Whilst it is not always practicable for the MPU to authorise these investigations, it is necessary that they have more of an awareness of what examinations are taking place. It would be recommended that procedure be updated so that in exceptional circumstances Districts can undertake interrogations of more serious crimes. A system of regular dip sampling by the MPU is also recommended to ensure that review of serious crimes is appropriate and that the overall examination process is being appropriately followed.

Further to this it has been highlighted that the FSD9 submission form is not always evidenced, this is a particular issue for more serious crimes. The form should provide a rationale behind why the examination was considered necessary and also that DI authorisation was actually granted. It is the opinion of IA that where a more serious crime was examined some justification of why this was deemed appropriate should be provided. This can then be subject to further dip sampling undertaken by the MPU.

Recommendation 2
The Mobile Phone Unit should undertake regular dip sampling of District level examinations, focussing on the types of crime reviewed and the appropriateness of the District undertaking them.

Recommendation 3

Policy should include exceptional circumstances whereby the Districts can review more serious crimes when the MPU is not available.

4.3 Data Security

Risk Exposure: Data from the mobile phone download may be lost or
Root causes: Data pertaining to more serious crimes is not
Data is not securely held within the District Investigation
ial Negligible Reputation Significant

cern is raised where data is not encrypted, given that more serious crimes are being investigated there is an increased risk that sensitive data may be lost or misappropriated. IA have been advised that District examiners have the capacity to encrypt data but do not utilise this. Given that the MPU and external firms used by NYP for mobile phone examinations encrypt data, it would be considered appropriate for District examiners to undertake this also in order to mitigate the risks associated with the security of extracted data.

Through the course of the review it was highlighted that a number of physical files containing the disk, FSD9 submission form and Digital Media Examination form could not be located and a number of these related to more serious crimes, raising wider issues around the security of extracted data. The data within the Investigation Hubs is held in cabinets that are not always locked and could be accessed by staff who aren’t based within the Hubs. Encryption of the extracted data would therefore mitigate the risks associated with this.

Further to this the delivery of the extracted data is passed through internal mail, however notification of delivery does not occur therefore data security could be compromised. It was highlighted that Districts often prompt the OIC to attend the Investigation Hub and collect the data directly, which is better practice for ensuring appropriate data security.

Recommendation 4
District procedure should include the necessity to encrypt all extracted data.

Recommendation 5
Issue a reminder to District examiners of the need to ensure the security of extracted data. Including where extracted data has been sent via internal mail, receiving confirmation from the OIC that the data has been received.

4.4 Scoring Matrix

Risk Exposure: A mobile phone may not be investigated by the key date in the case.
Root causes: The MPU does not have a formal scoring matrix in place. The MPU works with a back log
5:8

Through discussions within the MPU, it has been identified that a formal system of prioritising investigations is not being used. Whilst a system of categorising investigations by crime type upon their arrival to the unit is already in use, further action can be taken to prioritise mobile phone examinations and therefore reduce any back log that may be in place.

A scoring matrix can take into account key factors such as crime type, key date and material to be examined, to provide a score as a basis for prioritising a particular examination over another. It is considered that this is a more efficient method of handling the workload of the MPU. The MPU already utilises a system for high priority work and undertakes regular review of outstanding work; the scoring matrix would better embed this into MPU procedures.

Furthermore the benefit of a scoring matrix is that a low scoring examination could be referred as appropriate for District examiners to undertake. This would reduce the risk of a back log occurring and that deadlines for a more serious examination may be missed. This would also be a more effective system as the MPU can place more focus on more serious examinations, increasing the value of the service they provide to officers.

A system similar to this is already in place within the Hi-Tech Crime Unit, therefore it may be the case to adapt the scoring matrix they have within the department for the purposes of the MPU.

Recommendation 6
For the initial scoring of MPU examinations to be undertaken, to ascertain their priority level and ensure the log of outstanding examinations is regularly monitored and reviewed as continued good practice.

4.5 FSD9 Submission Form

Risk Exposure: DI authorisation is not received for an investigation.
Root causes: The FSD9 Submission Forms are not always evidenced by
ating 5:8

In 25/50 examination files an FSD9 submission form was not evidenced, as a result limited assurance can be provided that the examination was undertaken in compliance with Force procedure. The form should evidence that DI authorisation has been received, that the phone has appropriate grounds to be examined and what the interrogation of the mobile phone is going to achieve.

IA were advised that it may be the case that the form is returned to the OIC to be evidenced as a part of the case file. However it is still important for each District to have a copy for their own records, as the OIC does not always evidence this form through Niche.

Given that Niche is the primary method for recording criminal investigations, it would be beneficial to the quality of the case file to scan associated mobile phone information onto the Niche occurrence. It would be more efficient to record examination in this way, as the OIC, the examiner and the MPU can access the information if needed. This also reduces the need to maintain paper documentation at Districts, reducing the risk of data security issues.

Current procedure only specifies the requirement to evidence the disk of the extraction and the notes; consideration should be given to specific requirements for providing evidence of an examination performed at a District level.

Recommendation 7
Current procedure should be updated to include the requirement for the FSD9 submission form and Digital Media Examination to be scanned on to the Niche record of an occurrence.

4.6 Data Quality

Risk Exposure: Information pertaining to the investigation on the Niche record is not accurate.
Root causes: The SNC spreadsheet is not always completed fully with examination
ng 5:8

The review mapped data from the SNC spreadsheet of District investigations across to the Niche occurrence. It has been highlighted that in 28% of cases examined the date the mobile phone was examined did not match on the two records. IA also found discrepancies in crime type and the date the mobile phone was seized and whilst crime type discrepancies can be explained through changes through the course of the investigation, discrepancies in date seized or date examined raise issues around how continuity of evidence is maintained.

The Niche record should keep an accurate record of the mobile phone and disc's location, ensuring that continuity of evidence is maintained. It is recommended that the OIC and the examiner must keep examination information such as the submission form and returns form on the Niche record, as at present this does not occur.

The SNC spreadsheet is also not always completed, with a number of gaps including the examiner who performed the examination, the authorising officer, and the date the phone examination took place.

If the SNC spreadsheet is to continue to be used to log District examinations then the MPU should review the SNC spreadsheet and map information towards Niche to review the accuracy of the information recorded. As a part of dip sampling that has been recommended the MPU should consider mapping information from the SNC spreadsheet across to Niche to ensure accuracy of records is maintained. It would also be necessary to remind DIs of the need to complete this spreadsheet appropriately, liaising with the examiner to ensure that the information submitted is correct.

Recommendation 8
Detective Inspectors should be appropriately reminded of the need to complete the SNC spreadsheet for mobile phone examinations, liaising with OIC and District examiner where further detail may be needed.

5 Recommendations

Columns: #, Recommendation, Category of Rec., Management Action, Action Manager & Completion Date, Satisfactory Response (IA View)

#1
Recommendation: Assessment should be undertaken of the current resourcing requirements of the District Investigation Hubs, reviewing where training updates may be required and where the training of new examiners may be necessary.
Category of Rec.: Significant
Management Action: The Forensic Science Regulator has recently announced the scope of the requirements for regulation of Digital Forensics. This will include area based mobile phone examinations. The requirements fall under the International Standards Organisations standard 17025. Introduction of 17025 is being managed by Richard Cockerill and Mark Bates. A paper is currently being prepared for the Command Team and will include the requirements to employ a Quality Manager who will ensure that policies are up to date and will audit adherence to them. Compliance will be reviewed by the UK Accreditation Service UKAS. Training will be included within the requirements. This is expected to be in place by July 2016 with mandatory formal accreditation by October 2017
Action Manager & Completion Date: Richard Cockerill, Digital Forensics Manager, July 2016

#2
Recommendation: The Mobile Phone Unit should undertake regular dip sampling of District level examinations, focussing on the types of crime reviewed and the appropriateness of the District undertaking them.
Category of Rec.: Significant
Management Action: ISO17025 will require a review of procedures and formal internal auditing of compliance
Action Manager & Completion Date: Richard Cockerill, Digital Forensics Manager, July 2016

#3
Recommendation: Policy should include exceptional circumstances whereby the Districts can review more serious crimes when the MPU is not available.
Category of Rec.: Significant
Management Action: Guidance has recently been issued extending the circumstances in which districts can review mobile phones. This will be published in the updated procedure referred to above.
Action Manager & Completion Date: Richard Cockerill, Digital Forensics Manager, July 2016

#4
Recommendation: District procedure should include the necessity to encrypt all extracted data.
Category of Rec.: Significant
Management Action: Richard Cockerill will ensure that area kiosk equipment is configured in such a way that all output is encrypted. This will be included in the above procedures.
Action Manager & Completion Date: Richard Cockerill, Digital Forensics Manager, January 2016

#5
Recommendation: Issue a reminder to District examiners of the need to ensure the security of extracted data. Including where extracted data has been sent via internal mail, receiving confirmation from the OIC that the data has been received.
Category of Rec.: Significant
Management Action: Richard Cockerill is to further remind staff of the need to ensure security of extracted data. The requirement is to be included in the procedure.
Action Manager & Completion Date: Richard Cockerill, Digital Forensics Manager, December 2015

#6
Recommendation: For the initial scoring of MPU examinations to be undertaken, to ascertain their priority level and ensure the log of outstanding examinations is regularly monitored and reviewed as continued good practice.
Category of Rec.: Merits Attention
Management Action: The volume of mobile phone submissions makes compliance with the HTCU matrix untenable under current resourcing arrangements. All submissions which relate to Indecent Images of Children are required to be submitted to HQ and these will now be subject to HTCU processes. Those cases identified as urgent, such as Major Crime Enquiries, will continue to be prioritised on a case by case basis. Volume crime will continue to be managed by investigation hub supervisors in line with their competing demands.
Action Manager & Completion Date: Richard Cockerill, Digital Forensics Manager, July 2016

#7
Recommendation: Current procedure should be updated to include the requirement for the FSD9 submission form and Digital Media Examination to be scanned on to the Niche record of an occurrence.
Category of Rec.: Merits Attention
Management Action: Richard Cockerill will circulate this requirement and include it within updated procedures under 17025.
Action Manager & Completion Date: Richard Cockerill, Digital Forensics Manager, July 2016

#8
Recommendation: Detective Inspectors should be appropriately reminded of the need to complete the SNC spreadsheet for mobile phone examinations, liaising with OIC and District examiner where further detail may be needed.
Category of Rec.: Merits Attention
Management Action: The updated procedures and Niche requirements will negate the need for the spreadsheet to be maintained in the medium to long term.
Action Manager & Completion Date: Richard Cockerill, Digital Forensics Manager, July 2016

6: Appendix: Assurance Level

Internal Audit assesses the effectiveness of internal control, within the scope of what is audited. This measure is therefore a relative one.

Category and Description

1: Reasonable assurance can be provided that the main risks considered are being effectively managed; action may still enhance the management of risk in a small number of areas. In addition Internal Audit has identified that the approach taken to address risk as representing good practice in this area.
2: Reasonable assurance can be provided that the main risks considered are being effectively managed. Limited management action may be required to address a small number of significant issues.
3: Limited assurance can be provided that the main risks considered are all being effectively managed. Significant management action is required to address some important weaknesses.
4: Inadequate assurance can be provided that the risks identified are being effectively managed. Significant weaknesses have been identified in the risk management action, these are likely to involve major and prolonged intervention by management. These weaknesses are such that the objectives in this area are unlikely to be met.

Classification of Recommendations

Fundamental: Action is needed to address risks that could impact on the organisation’s ability to achieve its objectives. Action will typically be organisation-wide and be necessary at the highest level. Other fundamental recommendations will be made in regard to potentially serious breaches of statutory obligations.
Significant: Action is needed to address risks that impact primarily on one major business area or to address lower risks on an organisation-wide basis.
Merits Attention: Action is advised to enhance control, remedy minor breaches of current controls or to improve efficiency.

7 Appendix: Overall Assessment Criteria

Risks in this report have been assessed using the following criteria. It is the same criteria as that used by North Yorkshire Police to assess risk for the Risk Register.

Probability Nil Impact Categories Financial ( )- Default- mpliance
Nil 20% Highly Improbably (HI) Negligible 0 100k
Increased financial impact less than 100000
Negligible adverse publicity. Minimal impact upon public perception
Negligible impact upon ability to deliver service and meet Force targets
Negligible prospect of legal challenge
20% - 40% Unlikely (
