Implementing Best Practices in Mobile Device Seizure - Part 2

Continuing Lesson 2, we dive into the best practices of device seizure.

Topic B: Implement Best Practices in Device Seizure

As a forensic investigator/examiner, you may be called upon to perform device seizure as part of the Collection stage of the forensics process. When seizing a device, the first priority is to minimize changes to the device in order to protect the data. The best practices you are about to learn in this lesson are designed specifically to meet this objective.

Device Seizure

The actions taken at this stage will determine your ability to extract data from the device. This is the one area where you may not be able to recover from a mistake. The most important step you can take to protect data on the mobile device is to remove the device from the network. If the device remains on the network, any incoming calls, texts, or other data could overwrite the existing data, or worse, a remote wipe could be initiated, resulting in total loss of all data on the device. You can remove the device from the network by placing it into airplane mode and ensuring WiFi and Bluetooth are both disabled, or by removing the device's SIM card if it has one.

It is best to keep power to the device; avoid turning it off unless absolutely necessary, for example when you are not able to activate airplane mode. Keeping the device powered prevents the possible destruction of volatile data that occurs when the device is powered down.

There are situations where you would need to remove the battery from the mobile device or power the device down, such as when the device has been submerged in liquid or has incurred physical damage. As the examiner seizing the device, it will be your decision how best to proceed in those situations. In most cases, simply placing the device into airplane mode and ensuring WiFi and Bluetooth are disabled will be sufficient to prevent the destruction of data on the mobile device.

The next step in the device seizure process is to ensure you can access the device data. If the device is unlocked, it is critical that it remains unlocked (unless you know the device passcode). To prevent the device from locking, disable the auto-lock feature in the device settings. Once you have disabled auto-lock, ensure the device remains powered on and take care not to lock it. At this point in the process, if you have the capability, acquire a logical image of the device as quickly as possible.

Options to remove the device from the network:

- Enable airplane mode
- Remove the SIM card (not all CDMA phones have SIM cards)
- Use a Faraday bag
- Turn off the device or remove the battery (not all devices allow the removal of the battery)

Faraday Technology

There are many mobile devices on the market without airplane mode capabilities; these are typically older cell phones. If you are not able to access the airplane mode feature of a mobile device, or it does not have the capability, Faraday technology is an option to isolate the device from the service provider network. Michael Faraday was a scientist who invented the Faraday cage while conducting experiments on static electricity. Faraday's ice pail experiment demonstrated that an electric charge stays on the outside of a charged conductor, and that the exterior charge has no influence on items enclosed within the conductor. This discovery showed that electricity does not pass through a metal mesh; it simply travels around it. A Faraday bag or cage is lined with metal mesh and prevents radio frequency signals from reaching the mobile device inside the bag or cage.

When a mobile device loses its connection with the network, it will increase its transmit power to maximum in an attempt to re-establish connectivity. The device's battery life shortens due to the increased power consumption. Because maintaining power to the device is important, it is advisable to enclose a portable supplemental power source inside the Faraday container with the mobile device. Also, after some period, failure to connect to the network may cause certain mobile devices to reset or clear network data that would otherwise be useful if recovered.

Faraday bags are available for purchase from many vendors. If you do not have a Faraday bag, you can wrap the device in tin foil to create a simple Faraday cage.

Documenting Physical Device Details

Once the mobile device is placed in airplane mode and you are in a safe location, it is important to document information about the device; this starts your chain of custody. Examiners will need to take notes about the condition of the device, including a picture of it. A picture shows the original state of the device when seized. If a claim is later made that the device was damaged while in your custody, the picture and your contemporaneous notes can prove otherwise. Examiners will need to document the following notes about the device upon seizure:

[Image: physical device details to document upon seizure]

Documenting Power-on Device Details

Many of the devices you encounter will be discovered powered on, in which case you can document additional information that is typically available on the home screen. However, as you handle the device, keep in mind that it is critical to minimize changes to it. Limit key presses and only perform the actions necessary to remove the device from the network (if not already done) and to document the information.

[Image: Documenting Power-on Device Details]

If you make any changes, such as disabling the auto-lock feature, document your actions in your notes.

Device Ownership

In some situations, you may need to establish ownership of the mobile device in order to determine who has the authority to consent or to release the device. When establishing ownership of the device, the following are questions you may want to ask:

- Who pays the phone bill?
- How long have you had the device?
- Do you share the device? If so, whom do you share it with?
- Do you sync the device with a computer?
- Does the device have a PIN code or password? What is it?

Chain of Custody Document

As a mobile device examiner, you may need to create a chain of custody for the evidence provided to you if one is not already established. A chain of custody may also need to be created for evidence that is produced by your examination. If you are in a lab setting, you will likely receive evidence that has already been collected by a first responder. As evidence passes from one person to the next, a chain of custody must accompany it. When an examiner creates an image of a phone, best evidence is created, and as such you may have to create a chain of custody for the image file. In both situations, you as the examiner must be able to verify that while the evidence was in your possession, positive control was maintained over it and clearly documented on the chain of custody form.

[Image: chain of custody form]

Components of a Chain of Custody

As shown above, examiners will need to identify the evidence item and record information about the device. Document the make, model, serial number, and service provider. It is also important to document the SIM card and device identifiers, such as the IMEI, ICCID and ESN. In the notes section, examiners can document the condition of the device and the state in which it was received. Examples of what to include in the notes section are the device power status (on or off) and a photograph of the device.

A typical chain of custody will have the following information:

- Date/time of device transfer
- Location and purpose of device transfer
- Chronological listing of person(s) releasing and receiving the device
- If shipped, a tracking number to account for the device in transit
- Any note that may help explain the transfer and any changes in the condition

[Image: Chain of Custody Example]

Imaging Forms

When creating a forensic image of a device, document details about the image file. Include the following items in the record:

- Case number, Evidence number, Imaged by, Image name, Image type, Image hash
- Make, model and any identifying information such as the IMEI
- If images of evidence are stored on a local server, provide the image drive path

Documenting details about the image will assist examiners who may perform analysis months or even years later. Proper documentation and storage help keep evidence organized and prevent cross-contamination of evidence.
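Recording the imaging form fields above together with the chain of custody entries from the previous section, as an added example that is not part of the original article: the field names follow the two lists, while the SHA-256 choice, the drive path, the examiner names and the sample image bytes are assumptions, and custody_gaps flags any transfer whose releasing person is not the last documented holder.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a logical image file so the example runs offline.
SAMPLE_IMAGE = b"constructed-logical-image-bytes-0001" * 64

def image_hash(data: bytes) -> str:
    """SHA-256 of the image bytes (assumed algorithm), recorded at imaging time."""
    return hashlib.sha256(data).hexdigest()

def imaging_record(case_no, evidence_no, imaged_by, image_name, image_type,
                   data, make, model, imei, drive_path):
    """Imaging form entry (the article's fields) plus an empty transfer list
    that becomes the chain of custody for the image file."""
    return {
        "case_number": case_no, "evidence_number": evidence_no,
        "imaged_by": imaged_by, "image_name": image_name,
        "image_type": image_type, "image_hash": image_hash(data),
        "make": make, "model": model, "imei": imei, "image_drive_path": drive_path,
        "transfers": [],
    }

def record_transfer(record, released_by, received_by, location, purpose,
                    when=None, tracking=None, note=None):
    """Append one transfer: date/time, location, purpose, releasing and
    receiving person, tracking number if shipped, and an optional note."""
    entry = {
        "datetime": (when or datetime.now(timezone.utc)).isoformat(),
        "location": location, "purpose": purpose,
        "released_by": released_by, "received_by": received_by,
    }
    if tracking: entry["tracking_number"] = tracking
    if note: entry["note"] = note
    record["transfers"].append(entry)
    return entry

def verify_image(record, data: bytes) -> bool:
    """A later examiner's check: does the image still match the recorded hash?"""
    return image_hash(data) == record["image_hash"]

def custody_gaps(record):
    """Transfers whose releaser is not the last documented holder; any result
    means positive control cannot be shown from the form alone."""
    gaps, holder = [], record["imaged_by"]
    for t in record["transfers"]:
        if t["released_by"] != holder:
            gaps.append(t)
        holder = t["received_by"]
    return gaps
```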

[Image: Imaging Form Example]
