In the world of digital forensics, mobile phone investigations are growing exponentially. The number of mobile phones examined each year has grown nearly tenfold in the last decade. Courtrooms increasingly rely on the information stored in a mobile phone as vital evidence in cases of all types. Despite that, mobile phone forensics is still in its relative infancy. Many digital investigators are new to the field and are looking for a “Phone Forensics for Dummies.” Unfortunately, that book isn’t available yet, so investigators have to look elsewhere for guidance on how best to approach mobile phone analysis. This article is by no means an academic guide, but it can serve as a first step toward understanding the area.
First, it is important to understand how we got to where we are today. In 2005 there were two billion mobile devices worldwide. Today there are over five billion, and that number is expected to grow by nearly another billion by 2012. This means that nearly every person on Earth has a mobile phone. These phones are no longer just a way to make and receive calls; they are a repository of information about their owner’s life. When a mobile phone is seized as part of a criminal investigation, an investigator can learn a substantial amount about the owner. In many ways the data in a phone is more valuable than a fingerprint, because it provides far more than identification. Using forensic software, digital investigators can recover the call log, text messages, pictures, videos and much more, all of which can serve as evidence that either convicts or vindicates the suspect.
Lee Reiber, a lead instructor and owner of a mobile forensics firm, breaks the investigation into three parts: seizure, isolation and documentation. The seizure component primarily involves the legal ramifications. “If you do not have the legal ability to examine the device or its contents, then you are likely to have the evidence suppressed, regardless of how hard you have worked,” says Reiber. The isolation component is essential “because the cell phone’s data can be changed, altered and deleted over the air (OTA). Not only is the carrier able to do this, but the user can employ applications to remotely ‘wipe’ the data on the device.” The documentation process involves photographing the phone at the time of seizure. Reiber says the photos should show the time settings, the state of the device and its characteristics.
Once the phone is delivered to a digital forensics investigator, the device should be examined with a professional tool. Investigating a phone manually is a last resort, to be used only if no tool on the market supports the device. Modern cell phones are like miniature computers and require sophisticated software for comprehensive analysis.
When examining a cell phone, it is important to protect it from remote access and network signals. Because cell phone jammers are illegal in the United States and much of Europe, Reiber recommends “using a metallic mesh to wrap the device securely and then placing the cell phone into standby mode or airplane mode for transportation, photographing, and then placing the device in a state to be examined.” One practical caveat: a shielded phone that can no longer reach a tower will keep searching for signal and drain its battery quickly, so keep the device charged while it is isolated, or it may power off and lose volatile state before it can be examined.
Steve Bunting, Senior Forensic Consultant at Forward Discovery, lays out the process flow as follows.
Achieve and maintain network isolation (Faraday bag, RF-shielded box or RF-shielded room).
Thoroughly document the device, noting all available information. Use photography to support this documentation.
If a SIM card is in place, remove, read and image the SIM card.
Clone the SIM card.
With the cloned SIM card installed, perform a logical extraction of the cell device with a tool. If analyzing a non-SIM device, start here.
Examine the extracted data from the logical examination.
If supported by both the device model and the tool, perform a physical extraction of the cell device.
Examine the parsed data from the physical extraction, which will vary greatly depending on the make and model of the phone and the tool being used.
Carve the raw image for various file types or strings of data.
Report your findings.
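The carving step above is the one part of the flow that does not depend on a vendor tool parsing the phone’s file system for you: it works on the raw bytes of the physical extraction. The following is an added example, not code from the article or from either of the examiners quoted in it. It scans a raw image for JPEG and PNG header/footer signatures, records the offset, length and SHA-256 of each carved object (the figures a report needs), flags objects whose footer was never found (typically deleted or partially overwritten files), and pulls out printable ASCII and UTF-16LE strings, since text messages and contact names are often stored in UTF-16 and a plain ASCII strings pass would miss them. The sample image, signatures table and size limit are constructed for illustration; a real dump would come from the physical extraction.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed signature table (illustrative, not exhaustive): header bytes and footer bytes.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
# Upper bound on a single carved object, so a header with a missing footer
# does not swallow the rest of the image. Assumed value for this example.
MAX_CARVE = 10 * 1024 * 1024


@dataclass
class Carved:
    kind: str
    offset: int
    length: int
    sha256: str
    complete: bool  # False when no footer was found within MAX_CARVE bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve(image: bytes, max_len: int = MAX_CARVE) -> list[Carved]:
    """Header/footer carve of every signature in SIGNATURES over the whole image."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + max_len)
            if end < 0:
                # Footer missing: keep up to max_len bytes and mark it incomplete,
                # so the report does not present a partial file as a whole one.
                blob = image[start:start + max_len]
                complete = False
            else:
                blob = image[start:end + len(footer)]
                complete = True
            found.append(Carved(kind, start, len(blob), sha256_hex(blob), complete))
            # Advance past the header only: a JPEG embedded inside another JPEG
            # (EXIF thumbnail) is then carved as its own object as well.
            pos = start + len(header)
    found.sort(key=lambda c: c.offset)
    return found


def extract_strings(image: bytes, min_len: int = 6) -> list[tuple[int, str, str]]:
    """Return (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    out = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image):
        out.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, image):
        out.append((m.start(), "utf-16-le", m.group().decode("utf-16-le")))
    out.sort(key=lambda s: s[0])
    return out


# --- Constructed sample "physical extraction" for a stand-alone run ---------
FILLER = b"\x00" * 256
JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-DATA" * 4 + b"\xff\xd9"        # complete JPEG-like blob
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 20 + b"IEND\xaeB`\x82"     # complete PNG-like blob
TRUNC_JPEG = b"\xff\xd8\xff\xe1" + b"\x11" * 40                      # header, footer overwritten
ASCII_MSG = b"Meet at the pier at 10pm"
UTF16_MSG = "Ring me back".encode("utf-16-le")
SAMPLE_IMAGE = (FILLER + JPEG + FILLER + ASCII_MSG + FILLER + PNG
                + FILLER + UTF16_MSG + FILLER + TRUNC_JPEG + FILLER)

if __name__ == "__main__":
    print("image sha256:", sha256_hex(SAMPLE_IMAGE))   # hash of the acquisition itself
    for c in carve(SAMPLE_IMAGE):
        print(f"{c.kind} @0x{c.offset:x} len={c.length} complete={c.complete} sha256={c.sha256}")
    for off, enc, text in extract_strings(SAMPLE_IMAGE):
        print(f"string @0x{off:x} ({enc}): {text!r}")
```

Hashing the whole image before carving, and each carved object afterwards, is what lets a second tool’s output be compared byte for byte with this one later. Note the limitation of signature carving that the comments call out: fragmented files and nested objects (a thumbnail inside a JPEG) are not reassembled correctly by a simple header/footer scan, so a carved object should be opened and checked before it goes into a report.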
There are two things an investigator can do to gain credibility in the courtroom. The first is cross-validation of the tools used. It is vitally important that investigators do not rely on a single tool when examining a cell phone. Both Reiber and Bunting adamantly recommend using multiple tools for cross-validation. “By cross-checking data between tools, one can validate one tool using the other,” says Bunting. This process adds significant credibility to the evidence.
The second way to add credibility is to make sure the investigator has a solid understanding of the evidence and how it was gathered. Many of the investigation tools are easy to use and require only a couple of clicks to generate a detailed report. Reiber warns against becoming a “point and click” investigator precisely because the tools are so easy to operate. If an investigator takes the stand and is unable to speak intelligently about the technology used to gather the evidence, his credibility will be in question. Steve Bunting puts it this way: “The more knowledge one has of the tool’s function and the data and function located in any given cell device, the greater credibility you will have as a witness.”
If you have no experience and suddenly find yourself called upon to handle phone examinations for your organization, don’t panic. I talk to people in a similar situation on a weekly basis who are looking for direction. My advice is always the same: take a training course, become certified, seek the counsel of veterans, participate in online digital forensics communities and forums, and talk to representatives of the software companies that make investigation tools. By taking these steps, you can go from novice to expert in a short period of time.