In the world of digital forensics, cell phone investigations are growing exponentially. The number of mobile phones examined annually has grown nearly tenfold during the last decade, and courtrooms rely more and more on the information in a mobile phone as vital evidence in cases of all kinds. Despite that, the practice of cell phone forensics is still in its relative infancy. Many digital investigators are new to the field and are searching for a “Phone Forensics for Dummies.” Unfortunately, that book isn’t available yet, so investigators must look elsewhere for information about how best to tackle cell phone analysis. This short article should in no way serve as an academic guide. However, it can be used as a starting point for gaining understanding in the area.
First, it’s important to understand how we got to where we are today. In 2005, there were two billion cell phones worldwide. Today there are over 5 billion, and that number is expected to grow by nearly another billion by 2012, which means nearly every person on Earth carries a mobile phone. These phones are not just a way to make and receive calls but a place where people store the information of their lives. When a cell phone is obtained as part of a criminal investigation, an investigator can tell a significant amount about the owner. In several ways, the data found in a phone is more important than a fingerprint in that it provides considerably more than identification. Using forensic software, digital investigators can view the call list, texts, pictures, videos, and much more, all of which can serve as evidence either convicting or vindicating the suspect.
Lee Reiber, lead instructor and owner of a cell phone forensics company, breaks the investigation into three parts: seizure, isolation, and documentation. The seizure component primarily involves the legal ramifications. “If you do not have a legal right to examine the device or its contents, then you may very well have the evidence suppressed regardless of how hard you have worked,” says Reiber. The isolation component is the most important “because the cell phone’s data can be changed, altered, and deleted over the air (OTA). Not only is the carrier capable of doing this, but the user can employ applications to remotely ‘wipe’ the data on the device.” The documentation process involves photographing the phone during seizure. Reiber says the photos should show time settings, the state of the device, and its characteristics.
After the phone is taken to a digital forensics investigator, the device should be examined with a professional tool. Investigating a phone manually is a last resort and should be used only if no tool on the market supports the device. Modern mobile devices are like miniature computers and need sophisticated applications for comprehensive analysis.
When examining a mobile phone, it is essential to protect it from remote access and network signals. Because cell phone jammers are illegal in the United States and most of Europe, Reiber recommends “using a metallic mesh to wrap the device securely, then placing the cell phone into standby mode or airplane mode for transportation, photographing, and then placing the device in a state to be examined.” Two practical cautions apply: switching a phone into standby or airplane mode means interacting with it, which changes its state, so that interaction belongs in the documentation; and a shielded phone keeps searching for a network and drains its battery faster, so a device that must stay powered on needs to be kept charged.
Steve Bunting, Senior Forensic Consultant at Forward Discovery, lays out the process flow as follows.
Achieve and sustain network isolation (Faraday bag, RF-shielded box, or RF-shielded room).
Thoroughly document the device, noting all available information. Use photography to support this documentation.
If a SIM card is in place, remove, read, and image the SIM card.
Clone the SIM card.
With the cloned SIM card installed, perform a logical extraction of the cell device using a tool. If analyzing a non-SIM device, start here.
Examine the data extracted by the logical examination.
If supported by the model and the tool, perform a physical extraction of the cell device.
View the parsed data from the physical extraction, which can vary greatly depending on the make/model of the cell phone and the tool used.
Carve the raw image for different file types or strings of data.
Report your findings.
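The carving step above is the one part of this flow an investigator may end up doing by hand when a tool’s parser does not understand a particular handset. The following script is an added example, not code from the article or from any vendor tool: it scans a raw physical image for JPEG pictures and SQLite databases by their file signatures, pulls printable strings, and hashes each carved object so it can be listed in the report. The image it scans is constructed inline (filler bytes, one JPEG containing an embedded thumbnail, one small SQLite file, and a text fragment) so it runs offline; the signatures and header offsets are those of the real formats.

```python
"""Carve JPEGs, SQLite databases and printable strings from a raw image.

Added example for the carving step; not the article's or any tool's code.
The sample image is constructed below so the script runs offline.
"""
import hashlib
import re
import struct

JPEG_SOI = b"\xff\xd8\xff"          # start-of-image marker (FFD8 followed by a marker byte)
JPEG_EOI = b"\xff\xd9"              # end-of-image marker
SQLITE_MAGIC = b"SQLite format 3\x00"


def carve_jpegs(image):
    """Return (offset, bytes) for each JPEG found by signature.

    Phone pictures usually carry an EXIF thumbnail, itself a complete
    SOI...EOI stream. Stopping at the first EOI would truncate the outer
    picture, so a nesting counter tracks SOI/EOI pairs. Inside JPEG scan
    data every 0xFF is stuffed (FF00) or an RSTn marker, so FFD8/FFD9
    cannot occur there by accident."""
    found, pos = [], image.find(JPEG_SOI)
    while pos != -1:
        depth, cur, end = 0, pos, None
        while True:
            nxt_soi = image.find(JPEG_SOI, cur)
            nxt_eoi = image.find(JPEG_EOI, cur)
            if nxt_eoi == -1:
                break                       # no terminator: file is truncated
            if nxt_soi != -1 and nxt_soi < nxt_eoi:
                depth, cur = depth + 1, nxt_soi + len(JPEG_SOI)
            else:
                depth, cur = depth - 1, nxt_eoi + len(JPEG_EOI)
                if depth == 0:
                    end = cur
                    break
        if end is None:
            break
        found.append((pos, image[pos:end]))
        pos = image.find(JPEG_SOI, end)
    return found


def carve_sqlite(image):
    """Return (offset, bytes) for each SQLite database located by its header.

    Length = page size (offset 16, big-endian, 1 means 65536) * page count
    (offset 28). The in-header page count is only trustworthy when the
    file was written by a reasonably modern SQLite; a zero count is skipped."""
    found, pos = [], image.find(SQLITE_MAGIC)
    while pos != -1:
        hdr = image[pos:pos + 100]
        if len(hdr) < 100:
            break
        page_size = struct.unpack(">H", hdr[16:18])[0]
        page_size = 65536 if page_size == 1 else page_size
        page_count = struct.unpack(">I", hdr[28:32])[0]
        if page_size < 512 or page_count == 0:
            pos = image.find(SQLITE_MAGIC, pos + 1)
            continue
        length = page_size * page_count
        found.append((pos, image[pos:pos + length]))
        pos = image.find(SQLITE_MAGIC, pos + length)
    return found


def carve_strings(image, min_len=8):
    """Return (offset, text) for runs of printable ASCII of at least min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def carve_report(image):
    """Carve everything and hash each object for the examination report."""
    items = [("jpeg", o, b) for o, b in carve_jpegs(image)]
    items += [("sqlite", o, b) for o, b in carve_sqlite(image)]
    return [{"type": kind, "offset": off, "length": len(blob),
             "sha256": hashlib.sha256(blob).hexdigest()} for kind, off, blob in items]


def build_sample_image():
    """Constructed test image (not real evidence): filler + JPEG + SQLite + text."""
    filler = bytes(i % 32 for i in range(512))          # non-printable, no markers
    thumb = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + bytes(20) + JPEG_EOI
    outer = JPEG_SOI + b"\xe1\x00\x2aExif\x00\x00" + thumb + b"\xda" + b"\x00\x11\x22" * 10 + JPEG_EOI
    hdr = SQLITE_MAGIC + b"\x02\x00" + bytes(10) + b"\x00\x00\x00\x02" + bytes(68)   # 512-byte pages, 2 pages
    db = (hdr + b"CREATE TABLE sms(address TEXT, body TEXT)").ljust(1024, b"\x00")
    return filler + outer + filler + db + b"meet at pier 9 tonight" + filler


if __name__ == "__main__":
    img = build_sample_image()
    for entry in carve_report(img):
        print(entry)
    for off, text in carve_strings(img):
        print(f"string @ {off}: {text!r}")
```

Run it as-is to see the carved objects; point `carve_report` at the bytes of a physical dump to use it on real data. Hashing at carve time matters because the report will be challenged on exactly that point: the examiner must be able to tie every recovered object back to an offset in the original image.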
There are two things an investigator can do to gain credibility in the courtroom. The first is cross-validation of the tools used. It is vitally important that investigators not rely on a single tool when investigating a cell phone. Both Reiber and Bunting adamantly recommend using multiple tools for cross-validation purposes. “By cross-checking data between tools, one can validate one tool using the other,” says Bunting. Doing so adds significant credibility to the evidence.
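In practice, two tools rarely produce byte-identical reports even when they agree on the evidence: one exports E.164 phone numbers and ISO timestamps, the other national-format numbers and epoch seconds. The script below is an added example, not the article’s or any vendor’s code, showing how a cross-validation actually gets done: each tool’s SMS export is normalised to a common key (direction, number, UTC epoch, body) before the two sets are compared, so only genuine disagreements are reported. The two exports are constructed here; their field names are assumptions, and the number normalisation keeps the last ten digits, which is a North American assumption noted in the code.

```python
"""Cross-validate SMS records parsed by two different tools.

Added example, not code from the article or any tool. Both exports are
constructed samples in the differing shapes real tools produce.
"""
import csv
import io
import json
import re
from datetime import datetime

# Constructed sample: "tool A" emits JSON with E.164 numbers and ISO-8601 local time.
TOOL_A_JSON = """[
 {"direction": "in",  "number": "+12125550100", "time": "2011-03-04T09:15:00-05:00", "body": "meet at pier 9 tonight"},
 {"direction": "out", "number": "+12125550100", "time": "2011-03-04T09:16:30-05:00", "body": "ok"},
 {"direction": "in",  "number": "+12125550155", "time": "2011-03-05T20:00:00-05:00", "body": "recovered from unallocated"}
]"""

# Constructed sample: "tool B" emits CSV with national-format numbers and epoch seconds.
TOOL_B_CSV = """type,address,date,body
inbox,(212) 555-0100,1299248100,"meet at pier 9 tonight"
sent,(212) 555-0100,1299248190,"ok "
inbox,(212) 555-0199,1299373200,"call me"
"""

# Each tool names directions differently; map them onto one vocabulary.
DIRECTION = {"in": "in", "inbox": "in", "received": "in",
             "out": "out", "sent": "out", "outbox": "out"}


def normalise_number(raw):
    """Keep digits only, then the last ten (assumption: North American numbering)."""
    return re.sub(r"\D", "", raw)[-10:]


def to_epoch(value):
    """Accept epoch seconds, epoch milliseconds or ISO-8601 with offset; return UTC seconds.
    A naive ISO timestamp would need the handset's timezone supplied; not handled here."""
    value = value.strip()
    if re.fullmatch(r"\d+", value):
        n = int(value)
        return n // 1000 if n > 10**11 else n
    return int(datetime.fromisoformat(value).timestamp())


def record_key(direction, number, when, body):
    return (DIRECTION[direction.lower()], normalise_number(number),
            to_epoch(when), " ".join(body.split()))


def load_tool_a(text):
    return {record_key(r["direction"], r["number"], r["time"], r["body"])
            for r in json.loads(text)}


def load_tool_b(text):
    return {record_key(r["type"], r["address"], r["date"], r["body"])
            for r in csv.DictReader(io.StringIO(text))}


def cross_validate(a, b):
    """Records both tools agree on, plus what each tool reports alone."""
    return {"agreed": sorted(a & b),
            "only_tool_a": sorted(a - b),
            "only_tool_b": sorted(b - a)}


if __name__ == "__main__":
    result = cross_validate(load_tool_a(TOOL_A_JSON), load_tool_b(TOOL_B_CSV))
    for section, rows in result.items():
        print(section)
        for row in rows:
            print("   ", row)
```

Records that land in `only_tool_a` or `only_tool_b` are not noise to be discarded: each one is either a parsing defect in one tool or a record (for instance one recovered from unallocated space) that only one tool reaches, and the examiner should be able to explain which on the stand.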
The second way to add credibility is to make certain the investigator has a solid understanding of the evidence and how it was gathered. Many of the investigation tools are simple to operate and require only a couple of clicks to produce a complete report. Reiber warns against becoming a “point and click” investigator precisely because the tools are so easy to use. If an investigator takes the stand and is unable to speak intelligently about the technology used to gather the evidence, his credibility will be in question. Steve Bunting puts it this way: “The more knowledge one has of the tool’s function and the data and function found in any cell device, the more credibility you will have as a witness.”
If you have zero experience and suddenly find yourself called upon to handle phone examinations for your organization, don’t panic. I speak with individuals on a weekly basis who are in a similar situation and looking for direction. My advice is always the same: enroll in a training course, become certified, seek the counsel of veterans, engage in online digital forensics communities and forums, and talk to representatives of the software companies that make investigation tools. By taking these steps, you can go from novice to expert in a short period of time.