In the world of digital forensics, mobile phone investigations are growing exponentially. The number of mobile devices examined annually has increased nearly tenfold within the last decade. Courtrooms rely more and more on the information inside a cellular phone as vital evidence in cases of all types. Despite that, the discipline of cellular phone forensics is still in its relative infancy. Many digital investigators are new to the field and are looking for a “Phone Forensics for Dummies.” Unfortunately, that book isn’t available yet, so investigators must look elsewhere for guidance on how best to tackle cellular phone analysis. This short article should in no way serve as an academic guide; it can, however, be used as a starting point for building knowledge in the area.
First, it is important to know how we got to where we are today. In 2005, there were two billion mobile phones worldwide. Today there are over 5 billion, and this number is predicted to grow by nearly another billion by 2012. That approaches one phone for every person on the planet. These phones are no longer just a means to make and receive calls; they are where people keep all of the information in their lives. When a cellphone is obtained as part of a criminal investigation, an investigator is able to tell a substantial amount about the owner. Often the information found in a phone is more important than a fingerprint, because it provides much more than identification. Using forensic software, digital investigators can recover the call list, SMS messages, pictures, videos, and much more, all of which can serve as evidence either convicting or vindicating the suspect.
Lee Reiber, lead instructor and owner of a mobile forensics training firm, breaks the investigation into three parts: seizure, isolation, and documentation. The seizure component primarily involves the legal ramifications. “If you do not have the legal ability to examine the device or its contents, then you are likely to have all of the evidence suppressed regardless of how hard you have worked,” says Reiber. The isolation component is the most important “because the cellular phone’s data can be changed, altered, and deleted over the air (OTA). Not only is the carrier able to do this, but the user can employ applications to remotely ‘wipe’ the data from the device.” The documentation process involves photographing the device at the time of seizure. Reiber says the photos should show the time settings, the state of the device, and its characteristics.
Once the phone is delivered to the digital forensics investigator, the device must be examined with a professional tool. Investigating a phone manually is a last resort and should only be used if no tool on the market supports the device, because every manual interaction with a live handset risks changing the very data it is meant to capture. Modern mobile phones are like miniature computers and require sophisticated software packages for comprehensive analysis.
When examining a mobile phone, it must be protected from remote access and network signals. Because cellphone jammers are illegal in the United States and much of Europe, Reiber recommends “using a metallic mesh to wrap the device securely, then placing the phone into standby mode or airplane mode for transportation, photographing, and then placing the phone in a state to be examined.” Any change made to the device along the way, such as enabling airplane mode, alters its state and should itself be recorded in the documentation.
Steve Bunting, Senior Forensic Consultant at Forward Discovery, lays out the process flow as follows.
Achieve and sustain network isolation (Faraday bag, RF-shielded box, or RF-shielded room).
Thoroughly document the device, noting all information available. Use photography to support this documentation.
If a SIM card is present, remove, read, and image the SIM card.
Clone the SIM card.
With the cloned SIM card installed, conduct a logical extraction of the cell device with a tool. If analyzing a non-SIM device, start here.
Examine the data extracted by the logical examination.
If supported by both the model and the tool, do a physical extraction of the cell device.
View the parsed data from the physical extraction, which can vary greatly depending on the make/model of the cell phone and the tool being used.
Carve the raw image for a variety of file types or strings of data.
Report your findings.
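As an added illustration of the final extraction steps above (this is not code from the article, nor from any of the tools its sources use), the script below hashes a raw image so the report can tie every finding back to it, then carves JPEG and PNG objects out of it purely by header and footer signatures. The image it scans is constructed inline, and the signature table, the size cap, and the assumption that only unfragmented files are wanted are the example's own.

```python
"""Added example (not from the article or any vendor tool): hash a raw
image for the record, then carve JPEG and PNG files out of it by file
signature. The image is constructed inline so the script runs offline."""
import hashlib
import struct
import zlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Header/footer byte signatures. Assumption: signature-only carving with
# no filesystem metadata, so fragmented files are not recovered and an
# embedded thumbnail's own EOI marker can truncate a JPEG early.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


@dataclass
class Carved:
    kind: str
    offset: int
    length: int
    sha256: str


def sha256_hex(data: bytes) -> str:
    """The hash that goes in the report: for the whole image before any
    work starts, and for every carved object afterwards."""
    return hashlib.sha256(data).hexdigest()


def carve(image: bytes, max_size: int = 10_000_000) -> List[Carved]:
    """Find every header; for each, take the bytes up to the nearest
    footer within max_size. Headers with no footer are skipped."""
    found: List[Carved] = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head), start + max_size)
            if end < 0:
                pos = start + 1          # orphan header: keep scanning
                continue
            end += len(tail)
            found.append(Carved(kind, start, end - start,
                                sha256_hex(image[start:end])))
            pos = end
    return sorted(found, key=lambda c: c.offset)


# --- constructed test image (not a real device dump) -----------------------
def make_png() -> bytes:
    """A minimal valid 1x1 grayscale PNG, built from scratch."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit gray
    idat = zlib.compress(b"\x00\x80")                    # filter 0 + one pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


# SOI, one COM segment ("abc"), EOI: enough structure to carve, not a viewable photo
FAKE_JPEG = b"\xff\xd8\xff\xfe\x00\x05abc\xff\xd9"
PAD = b"\x00" * 64
# Two real objects plus an orphan JPEG header with no EOI at the very end
IMAGE = PAD + FAKE_JPEG + PAD + make_png() + PAD + b"\xff\xd8\xff" + b"\x00" * 16

if __name__ == "__main__":
    print("image sha256:", sha256_hex(IMAGE))
    for c in carve(IMAGE):
        print(f"{c.kind} @ {c.offset:#x} len={c.length} sha256={c.sha256}")
```

Run it against a real physical extraction by replacing `IMAGE` with the file's bytes; the orphan header at the end of the constructed image is there to show that a header without a matching footer is reported as nothing rather than as a file of arbitrary length.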
There are two things an investigator can do to gain credibility in the courtroom. One is cross-validation of the tools used. It is vitally important that investigators do not depend on just one tool when investigating a cellphone. Both Reiber and Bunting adamantly recommend using multiple tools for cross-validation purposes. “By cross-checking data between tools, one can validate one tool with the other,” says Bunting. Doing so adds significant credibility to the evidence.
The second way to add credibility is to make sure the investigator has a solid understanding of the evidence and the way it was gathered. Many of the investigation tools are easy to use and require only a couple of clicks to build a detailed report. Reiber warns against becoming a “point and click” investigator precisely because the tools are so simple to use. If an investigator takes the stand and is unable to speak intelligently about the technology used to gather the evidence, his credibility will be in question. Steve Bunting puts it this way: “The more knowledge one has of the tool’s function and the data and function present in any cell device, the more credibility you have as a witness.”
If you have zero experience and suddenly find yourself called upon to handle phone examinations for your organization, don’t panic. I speak with people in a similar situation on a weekly basis who are looking for direction. My advice is always the same: enroll in a training course, become certified, seek the counsel of veterans, participate in online digital forensics communities and forums, and talk to representatives of the software companies that make investigation tools. If you take these steps, you can go from novice to proficient in a short amount of time.
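To make the cross-validation concrete, here is an added example (it is not from the article, from Reiber or Bunting, or from any vendor's output format) that compares call-log records parsed by two hypothetical tools. The two outputs are constructed, with deliberately different timestamp and number formats, and the normalization rules are the example's own assumptions; the point it demonstrates is that two tools cannot be checked against each other until their records are brought to a common form.

```python
"""Added example (not from the article or any vendor): cross-validate
call-log records parsed by two different tools. Both tool outputs are
made up, and their formats are assumptions."""
import csv
import io
import re
from datetime import datetime
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, int]   # (direction, national number, epoch seconds)

# Hypothetical tool A: CSV, ISO-8601 timestamps with offset, E.164 numbers
TOOL_A_CSV = """direction,number,timestamp,duration_s
outgoing,+12085550100,2011-06-03T14:05:10+00:00,75
incoming,+12085550123,2011-06-03T15:30:00+00:00,0
missed,+12085550177,2011-06-03T16:00:45+00:00,0
"""

# Hypothetical tool B: one record per line, epoch seconds, US-formatted numbers
TOOL_B_TEXT = """\
OUT (208) 555-0100 1307109910 75
IN  (208) 555-0123 1307115000 0
OUT (208) 555-0199 1307120000 12
"""
DIRECTION_B = {"OUT": "outgoing", "IN": "incoming", "MISSED": "missed"}


def norm_number(raw: str) -> str:
    """Strip formatting and compare the national part only (assumption:
    NANP numbers, so the last 10 digits identify the line)."""
    return re.sub(r"\D", "", raw)[-10:]


def parse_tool_a(text: str) -> Set[Record]:
    out: Set[Record] = set()
    for row in csv.DictReader(io.StringIO(text)):
        # tz-aware datetime -> exact UTC epoch, independent of the examiner's clock
        ts = int(datetime.fromisoformat(row["timestamp"]).timestamp())
        out.add((row["direction"], norm_number(row["number"]), ts))
    return out


LINE_B = re.compile(r"(\w+)\s+(.+?)\s+(\d{9,10})\s+(\d+)$")


def parse_tool_b(text: str) -> Set[Record]:
    out: Set[Record] = set()
    for line in text.splitlines():
        m = LINE_B.match(line)
        if m:
            out.add((DIRECTION_B[m.group(1)], norm_number(m.group(2)), int(m.group(3))))
    return out


def cross_validate(a: Set[Record], b: Set[Record]) -> Dict[str, List[Record]]:
    """Agreement between the tools, plus what each reported alone. Anything
    in only_a or only_b has to be explained before the report goes out."""
    return {
        "agree": sorted(a & b),
        "only_a": sorted(a - b),
        "only_b": sorted(b - a),
    }


if __name__ == "__main__":
    result = cross_validate(parse_tool_a(TOOL_A_CSV), parse_tool_b(TOOL_B_TEXT))
    for bucket, records in result.items():
        print(bucket, len(records))
        for r in records:
            print("   ", r)
```

With the constructed inputs, two records agree, one missed call is reported only by tool A, and one outgoing call only by tool B; those two disagreements are exactly what an examiner must be able to account for on the stand.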