In the world of digital forensics, mobile phone investigations are growing exponentially. The number of mobile phones investigated every year has grown nearly tenfold within the last decade. Courtrooms rely more and more on the information inside a mobile phone as vital evidence in all types of cases. Despite that, the practice of mobile phone forensics remains in its relative infancy. Many digital investigators are unfamiliar with the field and are looking for a “Phone Forensics for Dummies.” Unfortunately, that book isn’t available yet, so investigators have to look elsewhere for information on how best to tackle cell phone analysis. This post is in no way intended as an academic guide. However, it can serve as a first step toward understanding the area.
First, it’s essential to recognize how we reached where we are today. In 2005, there were two billion cell phones worldwide. Today there are over 5 billion, and that number is expected to grow by nearly another billion by 2012. This means that almost every individual on the planet carries a cell phone. These phones are not just a way to make and receive calls, but a place to store all of the information in one’s life. Whenever a cell phone is obtained in a criminal investigation, an investigator can tell a great deal about its owner. Often the data found on the phone is more valuable than a fingerprint, because it provides far more than identification. Using forensic software, digital investigators can see the call list, text messages, pictures, videos, and more, all of which can serve as evidence either convicting or vindicating the suspect.
Lee Reiber, a lead instructor and business owner in mobile phone forensics, breaks the investigation into three parts: seizure, isolation, and documentation. The seizure component primarily concerns the legal ramifications. “If you do not have a legal right to examine the device or its contents, then you will likely have your evidence suppressed no matter how hard you have worked,” says Reiber. The isolation component is the most essential “because the cellular phone’s data can be changed, altered, and deleted over the air (OTA). Not only is the carrier able to do this, but the user can employ applications to remotely ‘wipe’ the data from the device.” The documentation process involves photographing the phone at the time of seizure. Reiber says the photos should show the time settings, the state of the device, and its characteristics.
After the phone is delivered to the digital forensics investigator, the device should be examined using a professional tool. Investigating a phone manually is a last resort. Manual investigation should only be used if no tool on the market is able to support the device, and because every keypress and screen view the examiner makes changes the state of the handset, each manual step should itself be photographed or recorded. Modern cell phones are like miniature computers that require sophisticated applications for comprehensive analysis.
When examining a cell phone, it is very important to protect it from remote access and network signals. Since mobile phone jammers are illegal in the United States and most of Europe, Reiber recommends “using a metallic mesh to wrap the device securely, then placing the phone into standby mode or airplane mode for transportation, photographing, and then placing the device in a state to be examined.”
Steve Bunting, Senior Forensic Consultant at Forward Discovery, lays out the process flow as follows:
1. Achieve and maintain network isolation (Faraday bag, RF-shielded box, or RF-shielded room).
2. Thoroughly document the device, noting all available information. Use photography to support this documentation.
3. If a SIM card is present, remove, read, and image the SIM card.
4. Clone the SIM card.
5. With the cloned SIM card installed, perform a logical extraction of the cell device with a tool. If analyzing a non-SIM device, start here.
6. Examine the data extracted by the logical examination.
7. If supported by both the model and the tool, perform a physical extraction of the cell device.
8. View the parsed data from the physical extraction, which will vary greatly according to the make/model of the phone and the tool being used.
9. Carve the raw image for the various file types or strings of data.
10. Report your findings.
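Step 9, carving the raw image, is the one step in the flow above that does not depend on the tool understanding the phone’s file system: it scans the bytes from the physical extraction for known file signatures and printable text. The following Python is an added example written for this post, not Bunting’s or Reiber’s code and not the output of any commercial tool. It carves JPEG and PNG files by header/footer signature, pulls printable strings the way the `strings` utility does, and picks phone-number-looking tokens out of them. The “raw dump” it runs on is a constructed byte string built inside the block (filler, a minimal JPEG, an SMS-like text fragment, a minimal PNG, and an orphan JPEG header with no footer), not data from a real handset.

```python
import hashlib
import re
from dataclasses import dataclass

# Header/footer signatures for the file types this example carves.
# The magic values are real; the carver itself is a teaching example,
# not a substitute for a forensic tool's carving engine.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),               # SOI marker .. EOI marker
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),    # PNG signature .. IEND chunk + CRC
}


@dataclass(frozen=True)
class CarvedFile:
    kind: str
    offset: int   # byte offset in the raw image, for the report
    size: int
    sha256: str   # hash of the carved bytes, so a second tool's result can be compared


def carve(image: bytes, max_size: int = 16 * 1024 * 1024) -> list[CarvedFile]:
    """Header/footer carving over an unstructured byte image.

    A header with no footer within max_size bytes is treated as a fragment and
    skipped here; a production carver would still report it, since partial
    media is evidence too.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1   # fragment: step past this header and keep scanning
                continue
            end += len(footer)
            blob = image[start:end]
            found.append(CarvedFile(kind, start, len(blob), hashlib.sha256(blob).hexdigest()))
            pos = end
    return sorted(found, key=lambda f: f.offset)


def extract_strings(image: bytes, min_len: int = 6) -> list[tuple[int, str]]:
    """Equivalent of `strings`: runs of printable ASCII at least min_len long."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


# Loose pattern for dialled-number-looking tokens; tuned to the constructed sample.
PHONE_RE = re.compile(r"\+?\d[\d\-\s]{6,}\d")


def find_phone_numbers(image: bytes) -> list[str]:
    """Phone-number-looking tokens from the carved strings, in image order."""
    hits = []
    for _, text in extract_strings(image):
        hits.extend(PHONE_RE.findall(text))
    return hits


def build_sample_image() -> bytes:
    """Constructed sample dump (not a real phone image): filler, a minimal JPEG,
    an SMS-like text fragment, a minimal PNG, and an orphan JPEG header."""
    filler = b"\x00\xa5" * 64
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
    text = b"sms: meet at 10, call +1 555 0100 first\x00"
    png = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x00IEND\xaeB`\x82"
    orphan = b"\xff\xd8\xff"
    return filler + jpeg + filler + text + filler + png + filler + orphan + filler


def report(image: bytes) -> dict:
    """Everything the examiner would carry into the written report."""
    return {
        "carved": [(f.kind, f.offset, f.size, f.sha256) for f in carve(image)],
        "strings": extract_strings(image),
        "phone_numbers": find_phone_numbers(image),
    }


if __name__ == "__main__":
    for key, value in report(build_sample_image()).items():
        print(key, value)
```

Running it against a real physical extraction means replacing `build_sample_image()` with the bytes of the dump. Recording the offset and SHA-256 of each carved object is what lets you repeat the carve with a second tool and show in court that both found the same bytes at the same place.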
There are two things an investigator can do to gain credibility in the courtroom. The first is cross-validation of the tools used. It is vitally important that investigators do not rely on only one tool when investigating a cellular phone. Both Reiber and Bunting adamantly recommend using multiple tools for cross-validation purposes. “By crosschecking data between tools, one can validate one tool using the other,” says Bunting. Doing so adds significant credibility to the evidence.
The second way to add credibility is to ensure the investigator has a solid understanding of the evidence and how it was gathered. Many of the investigation tools are easy to use and require only a couple of clicks to produce a complete report. Reiber warns against becoming a “point and click” investigator now that the tools are so user friendly. If an investigator takes the stand and is unable to speak intelligently about the technology used to gather the evidence, his credibility will be in question. Steve Bunting puts it this way: “The more knowledge one has of a tool’s function and of the data and performance found in any given cell device, the more credibility you have as a witness.”
If you have zero experience and suddenly find yourself called upon to handle phone examinations for your organization, don’t panic. I talk to individuals in a similar situation on a weekly basis who are looking for direction. My advice is always the same: enroll in a training course, become certified, seek the counsel of veterans, participate in online digital forensics communities and forums, and consult with representatives of the software companies that make investigation tools. By taking these steps, you can go from novice to expert in a short period of time.
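Cross-validation in practice means exporting the same artifact (here a call log) from two tools, normalizing the fields each tool formats differently, and recording exactly which records agree and which appear in only one export. The Python below is an added example for this post, not Bunting’s or Reiber’s code and not any vendor’s export format. Both CSV exports, their column names, and the hypothetical “Tool A” and “Tool B” are constructed for the example; real products lay their reports out differently and the two parser functions would be adapted to them.

```python
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed call-log exports from two hypothetical tools ("Tool A", "Tool B").
# Column names, number formats and date formats are made up for the example.
TOOL_A_CSV = """type,number,timestamp,duration
outgoing,+1 555 0100,2011-03-04T10:15:00Z,42
incoming,555-0199,2011-03-04T11:02:30Z,0
missed,+1 555 0142,2011-03-04T12:00:00Z,0
"""

TOOL_B_CSV = """Direction,Phone,Time,Secs
Outgoing,15550100,04/03/2011 10:15:00,42
Incoming,5550199,04/03/2011 11:02:30,0
Incoming,5550177,04/03/2011 13:45:10,12
"""

CANONICAL_TS = "%Y-%m-%d %H:%M:%S"


@dataclass(frozen=True, order=True)
class CallRecord:
    """One call, normalized so records from different tools compare equal."""
    timestamp: str   # canonical string form of the call time
    direction: str   # lower-cased
    number: str      # digits only; spaces, dashes and '+' stripped
    duration: int    # seconds


def _digits(number: str) -> str:
    return re.sub(r"\D", "", number)


def parse_tool_a(text: str) -> set[CallRecord]:
    """Tool A (hypothetical): ISO-8601 timestamps, free-form numbers."""
    records = set()
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        records.add(CallRecord(ts.strftime(CANONICAL_TS), row["type"].lower(),
                               _digits(row["number"]), int(row["duration"])))
    return records


def parse_tool_b(text: str) -> set[CallRecord]:
    """Tool B (hypothetical): day/month/year timestamps, digit-only numbers."""
    records = set()
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["Time"], "%d/%m/%Y %H:%M:%S")
        records.add(CallRecord(ts.strftime(CANONICAL_TS), row["Direction"].lower(),
                               _digits(row["Phone"]), int(row["Secs"])))
    return records


def cross_validate(a: set[CallRecord], b: set[CallRecord]) -> dict:
    """Split the union of both exports into agreed records and one-tool-only records."""
    agreed = a & b
    union = a | b
    return {
        "agreed": sorted(agreed),
        "only_a": sorted(a - b),   # Tool B did not recover these, or parsed them differently
        "only_b": sorted(b - a),   # Tool A did not recover these, or parsed them differently
        "agreement": len(agreed) / len(union) if union else 1.0,
    }


if __name__ == "__main__":
    result = cross_validate(parse_tool_a(TOOL_A_CSV), parse_tool_b(TOOL_B_CSV))
    for key, value in result.items():
        print(key, value)
```

The records in `only_a` and `only_b` are the ones that need an explanation before the report is written: a record one tool parsed as “missed” and the other as “incoming” is a parsing difference to resolve, while a record only one tool recovered at all is the case where you validate the tools against each other, as Bunting describes, rather than trusting either alone.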