On the planet of digital forensics, cellular phone investigations are growing exponentially. The amount of cellular phones investigated every year has increased nearly tenfold within the last decade. Courtrooms are relying more and more around the information inside a cellphone as vital evidence in cases of all types. Despite that, the technique of cellular phone forensics remains within its relative infancy. Many digital investigators are a new comer to the sector and therefore are looking for a “Phone Forensics for Dummies.” Unfortunately, that book isn’t available yet, so investigators ought to look elsewhere for information on how to best tackle cellular phone analysis. This article should in no way function as an academic guide. However, you can use it as a starting point to achieve understanding in the community.
First, it’s essential to know the way we got to where our company is today. In 2005, there are two billion mobile devices worldwide. Today, there are actually over 5 billion and that number is anticipated to increase nearly another billion by 2012. Because of this nearly every person on Earth posesses a mobile phone. These phones are not just a means to make and receive calls, but alternatively a resource to hold all information in one’s life. When a cell phone is obtained included in a criminal investigation, an investigator will be able to tell a substantial amount concerning the owner. Often, the information found in a phone is much more important when compared to a fingerprint in that it offers much more than identification. Using forensic software, digital investigators are able to view the call list, text messages, pictures, videos, and much more all to serve as evidence either convicting or vindicating the suspect.
Lee Reiber, lead instructor and owner of mobile device forensics tools atlanta., breaks within the investigation into three parts-seizure, isolation, and documentation. The seizure component primarily requires the legal ramifications. “If there is no need a legal straight to examine the unit or its contents you then may very well supply evidence suppressed regardless how hard you might have worked,” says Reiber. The isolation component is an essential “because the cellular phone’s data may be changed, altered, and deleted across the air (OTA). Not just is the carrier capable of doing this, but the user can employ applications to remotely ‘wipe’ the data in the device.” The documentation process involves photographing the cell phone during the time of seizure. Reiber says the photos should show time settings, state of device, and characteristics.
After the phone is taken to a digital forensics investigator, the device ought to be examined having a professional tool. Investigating phones manually is a final option. Manual investigation should just be used if no tool in the marketplace is able to retain the device. Modern mobile phones are just like miniature computers which require a sophisticated software programs for comprehensive analysis.
When examining a mobile phone, it is essential to protect it from remote access and network signals. As cellular phone jammers are illegal in the states and the majority of of Europe, Reiber recommends “using a metallic mesh to wrap the unit securely after which placing the telephone into standby mode or airplane mode for transportation, photographing, then placing the device in a state to get examined.”
Steve Bunting, Senior Forensic Consultant at Forward Discovery, lays out your process flow as follows.
Achieve and maintain network isolation (Faraday bag, RF-shielded box, and RF-shielded room).
Thoroughly document the device, noting information available. Use photography to assist this documentation.
In case a SIM card is in place, remove, read, and image the SIM card.
Clone the SIM card.
Together with the cloned SIM card installed, do a logical extraction in the cell device using a tool. If analyzing a non-SIM device, start here.
Examine the extracted data from the logical examination.
If backed up by the two model and also the tool, do a physical extraction of the cell device.
View parsed data from physical extraction, which will vary greatly based on the make/kind of the cellphone as well as the tool being used.
Carve raw image for a number of file types or strings of web data.
Report your findings.
The two main things an investigator are capable of doing to gain credibility within the courtroom. One is cross-validation from the tools used. It is actually vastly important that investigators usually do not depend on merely one tool when investigating a cellphone. Both Reiber and Bunting adamantly recommend using multiple tools for cross-validation purposes. “By crosschecking data between tools, one might validate one tool while using other,” says Bunting. The process adds significant credibility on the evidence.
The next way to add credibility is to ensure the investigator features a solid comprehension of the evidence and just how it was actually gathered. A lot of the investigations tools are user friendly and require a couple clicks to generate a comprehensive report. Reiber warns against being a “point and click” investigator seeing that the various tools are incredibly easy to use. If the investigator takes the stand and is unable to speak intelligently concerning the technology utilized to gather the evidence, his credibility are usually in question. Steve Bunting puts it similar to this, “The more knowledge one has of the tool’s function and also the data 68dexmpky and function found in any cell device, the greater number of credibility you will have as being a witness.”
If you have zero experience and suddenly realise you are called upon to deal with phone examinations to your organization, don’t panic. I consult with individuals on the weekly basis inside a similar situation trying to find direction. My advice is obviously the identical; enroll in a training course, become certified, seek the counsel of veterans, participate in online digital forensics communities and forums, and talk to representatives of software companies making investigation tools. If you take these steps, you can change from novice to expert in a short length of time.