Worldwide of digital forensics, cellphone investigations are growing exponentially. The quantity of cell phones investigated annually has risen nearly tenfold over the past decade. Courtrooms are relying a growing number of about the information within a cellular phone as vital evidence in the event of all types. Despite that, the practice of mobile phone forensics remains in the relative infancy. Many digital investigators are a new comer to the area and are searching for a “Phone Forensics for Dummies.” Unfortunately, that book isn’t available yet, so investigators must look elsewhere for information on how to best tackle cellular phone analysis. This informative article should by no means act as an academic guide. However, it can be used like a first step to gain understanding in the community.
First, it’s important to recognize how we have got to where we have been today. In 2005, there were two billion mobile devices worldwide. Today, you will find over 5 billion and that number is expected to increase nearly another billion by 2012. Because of this nearly every people on this planet posesses a mobile phone. These phones are not just a method to make and receive calls, but instead a resource to save all information in one’s life. Each time a mobile phone is obtained within a criminal investigation, an investigator will be able to tell a significant amount about the owner. In lots of ways, the details found within a phone is more important when compared to a fingerprint in that it gives considerably more than identification. Using forensic software, digital investigators have the ability to begin to see the call list, text messages, pictures, videos, plus much more all to offer as evidence either convicting or vindicating the suspect.
Lee Reiber, lead instructor and owner of cell phone data recovery., breaks up the investigation into three parts-seizure, isolation, and documentation. The seizure component primarily necessitates the legal ramifications. “If there is no need a legal straight to examine these devices or its contents then you certainly will likely have all the evidence suppressed regardless how hard you might have worked,” says Reiber. The isolation component is an essential “because the cellular phone’s data might be changed, altered, and deleted over the air (OTA). Not just is the carrier capable of doing this, although the user can employ applications to remotely ‘wipe’ the information from your device.” The documentation process involves photographing the device during seizure. Reiber says the photos should show time settings, state of device, and characteristics.
Right after the phone is delivered to a digital forensics investigator, these devices ought to be examined by using a professional tool. Investigating phones manually is a last resort. Manual investigation should only be used if no tool on the market is able to secure the device. Modern cellular phones are exactly like miniature computers which need a sophisticated software packages for comprehensive analysis.
When examining a cell phone, it is very important protect it from remote access and network signals. As cellphone jammers are illegal in america and a lot of Europe, Reiber recommends “using a metallic mesh to wrap these devices securely and after that placing the device into standby mode or airplane mode for transportation, photographing, after which placing the cell phone in a condition to become examined.”
Steve Bunting, Senior Forensic Consultant at Forward Discovery, lays out the process flow as follows.
Achieve and maintain network isolation (Faraday bag, RF-shielded box, or RF-shielded room).
Thoroughly document the device, noting information available. Use photography to back up this documentation.
When a SIM card is within place, remove, read, and image the SIM card.
Clone the SIM card.
With all the cloned SIM card installed, conduct a logical extraction from the cell device using a tool. If analyzing a non-SIM device, start here.
Examine the extracted data through the logical examination.
If maintained by both model and also the tool, conduct a physical extraction in the cell device.
View parsed data from physical extraction, that can vary greatly dependant upon the make/style of the cellphone and the tool used.
Carve raw image for many different file types or strings of web data.
Report your findings.
There are two things an investigator can do to get credibility inside the courtroom. One is cross-validation of your tools used. It is actually vastly critical that investigators do not rely on just one tool when investigating a cellular phone. Both Reiber and Bunting adamantly recommend using multiple tools for cross-validation purposes. “By crosschecking data between tools, one might validate one tool while using other,” says Bunting. Doing this adds significant credibility on the evidence.
The 2nd strategy to add credibility is to make certain the investigator carries a solid knowledge of the evidence and exactly how it was gathered. A lot of the investigations tools are simple to use and require only a couple clicks to build an in depth report. Reiber warns against being a “point and click” investigator seeing that the equipment are extremely simple to use. If an investigator takes the stand and is not able to speak intelligently concerning the technology employed to gather the evidence, his credibility will be in question. Steve Bunting puts it this way, “The more knowledge one has in the tool’s function and the data 68dexmpky and function present in any cell device, the greater credibility one will have being a witness.”
If you have zero experience and suddenly realise you are called upon to take care of phone examinations for the organization, don’t panic. I consult with individuals over a weekly basis in a similar situation trying to find direction. My advice is usually the same; join a training course, become certified, seek the counsel of veterans, engage in online digital forensics communities and forums, and speak with representatives of software companies making investigation tools. Through taking these steps, it is possible to move from novice to expert within a short amount of time.