Worldwide of digital forensics, mobile phone investigations are growing exponentially. The quantity of mobile phones investigated annually has increased nearly tenfold over the past decade. Courtrooms are relying a lot more on the information inside a cellular phone as vital evidence in cases of all. Despite that, practicing cellphone forensics is still within its relative infancy. Many digital investigators are a new comer to the sector and therefore are trying to find a “Phone Forensics for Dummies.” Unfortunately, that book isn’t available yet, so investigators need to look elsewhere for information about how to best tackle cell phone analysis. This post should by no means serve as an academic guide. However, it can be used as being a starting point to gain understanding in the region.
First, it’s vital that you recognize how we have got to where we have been today. In 2005, there are two billion mobile devices worldwide. Today, there are actually over 5 billion and that number is anticipated to cultivate nearly another billion by 2012. This means that virtually every person on this planet posesses a cell phone. These phones are not just a means to make and receive calls, but alternatively a resource to store information in one’s life. Whenever a mobile phone is obtained included in a criminal investigation, an investigator has the capacity to tell a substantial amount regarding the owner. Often, the info found in the phone is much more important when compared to a fingerprint because it offers considerably more than identification. Using forensic software, digital investigators have the ability to see the call list, texts, pictures, videos, plus much more all to serve as evidence either convicting or vindicating the suspect.
Lee Reiber, lead instructor and owner of mobile forensics tools atlanta., breaks in the investigation into three parts-seizure, isolation, and documentation. The seizure component primarily requires the legal ramifications. “If there is no need a legitimate directly to examine the product or its contents you then may very well have evidence suppressed irrespective of how hard you might have worked,” says Reiber. The isolation component is a vital “because the cellular phone’s data can be changed, altered, and deleted across the air (OTA). Not just is definitely the carrier able to perform this, however the user can employ applications to remotely ‘wipe’ the information from your device.” The documentation process involves photographing the cell phone in the course of seizure. Reiber says the photos should show time settings, state of device, and characteristics.
Once the phone is taken up digital forensics investigator, the unit should be examined having a professional tool. Investigating phones manually is actually a last resort. Manual investigation should basically be used if no tool available on the market is able to keep the device. Modern mobile devices are exactly like miniature computers which require a sophisticated software applications for comprehensive analysis.
When examining a cell phone, it is important to protect it from remote access and network signals. As mobile phone jammers are illegal in the usa and most of Europe, Reiber recommends “using a metallic mesh to wrap the product securely then placing the telephone into standby mode or airplane mode for transportation, photographing, and then placing the telephone in a condition to get examined.”
Steve Bunting, Senior Forensic Consultant at Forward Discovery, lays out your process flow as follows.
Achieve and keep network isolation (Faraday bag, RF-shielded box, or RF-shielded room).
Thoroughly document the device, noting all information available. Use photography to assist this documentation.
If a SIM card is at place, remove, read, and image the SIM card.
Clone the SIM card.
With all the cloned SIM card installed, perform a logical extraction from the cell device by using a tool. If analyzing a non-SIM device, start here.
Examine the extracted data from your logical examination.
If backed by the two model as well as the tool, perform a physical extraction from the cell device.
View parsed data from physical extraction, that will vary greatly dependant upon the make/kind of the cell phone and also the tool used.
Carve raw image for a number of file types or strings of data.
Report your findings.
There are 2 things an investigator is capable of doing to acquire credibility in the courtroom. The first is cross-validation of the tools used. It really is vastly important that investigators do not depend on only one tool when investigating a mobile phone. Both Reiber and Bunting adamantly recommend using multiple tools for cross-validation purposes. “By crosschecking data between tools, one could validate one tool while using other,” says Bunting. The process adds significant credibility towards the evidence.
Another way to add credibility is to make sure the investigator includes a solid comprehension of evidence and how it was actually gathered. Many of the investigations tools are easy to use and require only a couple clicks to build a detailed report. Reiber warns against transforming into a “point and click” investigator seeing that the equipment are really user friendly. If the investigator takes the stand and is unable to speak intelligently regarding the technology used to gather the evidence, his credibility are usually in question. Steve Bunting puts it similar to this, “The more knowledge one has in the tool’s function as well as the data 68dexmpky and performance seen in any given cell device, the greater number of credibility you will have being a witness.”
If you have zero experience and suddenly end up called upon to manage phone examinations to your organization, don’t panic. I consult with individuals with a weekly basis in the similar situation looking for direction. My advice is obviously the identical; enroll in a training course, become certified, seek the counsel of veterans, take part in online digital forensics communities and forums, and talk to representatives of software companies making investigation tools. By using these steps, you can go from novice to expert within a short length of time.