Implementing Best Practices in Mobile Device Seizure - Part 1 Incident Response
In this lesson, you will:
· Implement best practices in mobile device seizure
· Define incident and incident response
· Comply with legal expectations
Lesson Introduction
This lesson introduces best practices for properly seizing a mobile device. You will learn the seizure process and its associated legal aspects, and how to start a chain of custody. We will also discuss internal storage and external storage such as MicroSD cards, cloud storage, and backups.
Mobile devices hold an abundance of personal information. They have become so integrated into our lives that we can hardly set them down. A mobile device contains the most personal details about its owner, and in the event of a crime that device becomes a potential "witness" to the crime.
If you are a first responder in law enforcement, you will likely be the person collecting mobile devices at a crime scene. You may also be a litigator with a client who needs data extracted from their phone, or an IT specialist working with in-house counsel during the eDiscovery process. The process of collecting a mobile device as evidence is the same regardless of your position. Incident response and device seizure are arguably the most important phases of any investigation: if the evidence is not collected properly, the examiner risks destroying evidence on the device or having the results of the examination thrown out in court.
Topic A: Incident Response
Incident response, also known as incident handling, can be defined in many ways and varies with the job you perform. In general, incident response is a systematic approach to collecting evidence from the time an incident is detected until it is resolved. The key is having an actionable plan for dealing with an incident. This section is a brief introduction that defines incidents and incident response and outlines the general steps used in incident handling.
Incident
An incident can be defined as any violation of a policy, standard, or law. In the private sector, corporations define internally what constitutes an incident in their acceptable use policy. In the public arena, or if the incident involves possible criminal actions, the incident may be defined by civil or criminal law. An example of an incident is the unauthorized or prohibited use of any electronic device, including computer systems, mobile devices, and cell phones. It is important to understand the range of devices involved: Internet connectivity now extends to video game systems, automotive systems, and even televisions, all of which attract criminals. Many of the federal laws governing computer incidents are found in Title 18 of the United States Code; for example, 18 USC 1030, "Fraud and Related Activity in Connection with Computers," defines the federal offenses involving computer crime.
Incident Response
Different levels of incidents require different responses based on their nature and severity. For example, viewing adult pornographic images on a corporate-owned device probably violates a corporate policy, but may not violate a criminal statute. Intentionally accessing a computer system without authorization and removing company intellectual property to start your own company violates a federal statute. Each incident would require a different level of response.
Once a violation has occurred, an incident response should be conducted to deal with it systematically. An incident response is a systematic approach to collecting evidence from the time of detection to the resolution of the incident. Corporations and government agencies typically develop an incident response plan that outlines the roles and responsibilities of each individual involved and the actions to be taken for the various levels of incidents that may occur.
After an incident occurs, it is the responsibility of the IT professional, forensic expert, or first responder to initiate the forensic process and properly collect evidence, preserving it and preventing data destruction.
In the 1990s the U.S. Department of Energy led an initiative to establish a standard process for incident response. The resulting six-step process has been adopted industry-wide and can guide your organization as it develops its own incident response procedures. For the process to succeed, each step must be followed and clearly defined in your organization's incident response plan.
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
Some of these steps may not apply to your situation. For example, law enforcement (LE) may not use steps 4 and 5 (Eradication and Recovery) when collecting evidence after a crime has been committed. Remember that these are guidelines to help you build your own policies and procedures based on your environment.
We will continue this lesson in the next article with Topic B: Implement Best Practices in Device Seizure
Student at University of Juba, School of Computer Science and Information Technology, Department: IT
1 year ago: Thank you very much