In the world of digital forensics, mobile phone investigations are growing exponentially. The number of mobile phones examined each year has increased nearly tenfold in the last decade. Courtrooms rely more and more on the information inside a mobile phone as vital evidence in events of all types. Despite that, the discipline of mobile phone forensics is still in its relative infancy. Many digital investigators are new to the field and are searching for a "Phone Forensics for Dummies." Unfortunately, that book isn't available yet, so investigators must look elsewhere for information on how best to tackle mobile phone analysis. This article should in no way serve as an academic guide; however, it can be used as a first step toward gaining an understanding of the field.
First, it is important to understand how we got to where we are today. In 2005, there were two billion mobile devices worldwide. Today there are over 5 billion, and this number is expected to grow by nearly another billion by 2012. This means that nearly every person on Earth has a mobile phone. These phones are not only a means of making and receiving calls, but a place to store information about one's life. When a mobile phone is obtained in a criminal investigation, an investigator can learn a significant amount about its owner. In many ways, the data found in the phone is more important than a fingerprint, in that it provides far more than identification. Using forensic software, digital investigators can see the call list, text messages, pictures, videos, and much more, all of which can serve as evidence either convicting or vindicating the suspect.
Lee Reiber, lead instructor and owner of Mobile Forensics, Inc., breaks the investigation into three parts: seizure, isolation, and documentation. The seizure component primarily concerns the legal ramifications. "If you do not have a legal right to examine the device or its contents, then you are likely to have the evidence suppressed regardless of how hard you have worked," says Reiber. The isolation component is vital "because the cellular phone's data can be changed, altered, and deleted over the air (OTA). Not only is the carrier capable of doing this, but the user can employ applications to remotely 'wipe' the data on the device." The documentation process involves photographing the phone at the time of seizure. Reiber says the photos should show time settings, the state of the device, and its characteristics.
Once the phone reaches a digital forensics investigator, the device should be examined with a professional tool. Investigating a phone manually is a last resort, to be used only if no tool on the market supports the device. Modern mobile devices are like miniature computers and require sophisticated software for comprehensive analysis.
When examining a mobile phone, it must be protected from remote access and network signals. Because mobile phone jammers are illegal in the United States and much of Europe, Reiber recommends "using a metallic mesh to wrap the device securely, then placing the phone into standby mode or airplane mode for transportation and photographing, and then placing the phone in a state to be examined."
Steve Bunting, Senior Forensic Consultant at Forward Discovery, lays out the process flow as follows.
1. Achieve and maintain network isolation (Faraday bag, RF-shielded box, or RF-shielded room).
2. Thoroughly document the device, noting all available information. Use photography to support this documentation.
3. If a SIM card is in place, remove, read, and image the SIM card.
4. Clone the SIM card.
5. With the cloned SIM card installed, perform a logical extraction of the device using a tool. If analyzing a non-SIM device, start here.
6. Examine the data extracted by the logical examination.
7. If supported by both the model and the tool, perform a physical extraction of the device.
8. View the parsed data from the physical extraction, which can vary greatly depending on the make/model of the phone and the tool being used.
9. Carve the raw image for various file types or strings of data.
10. Report your findings.
There are two things an investigator can do to establish credibility in the courtroom. One is cross-validation of the tools used. It is vastly important that investigators do not depend on a single tool when investigating a mobile phone. Both Reiber and Bunting adamantly recommend using multiple tools for cross-validation purposes. "By cross-checking data between tools, one can validate one tool with the other," says Bunting. This process adds significant credibility to the evidence.
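As an added illustration of the carving step in Bunting's process flow and of the cross-validation point just made (example code written for this article, not a tool from the article or from either interviewee), the following Python carves JPEG objects and printable strings out of a raw image by header and footer, hashes each carved object, and reports which hashes two tools disagree on. The raw image, its embedded objects and the phone number in it are constructed for the example; a real physical extraction is far larger and messier.

```python
import hashlib
import re

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def build_sample_image() -> bytes:
    """Constructed stand-in for a physical dump (NOT a real device image):
    filler bytes, two embedded JPEG-like blobs and one readable text fragment."""
    jpeg1 = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x80" * 40 + JPEG_EOI
    jpeg2 = JPEG_SOI + b"\xe1\x00\x16Exif\x00\x00" + b"\x80" * 60 + JPEG_EOI
    return (b"\x00" * 64 + jpeg1 + b"\xff" * 32
            + b"Call 555-0100 tonight\x00" + b"\x00" * 16 + jpeg2 + b"\x00" * 8)


def carve_jpegs(image: bytes):
    """Header/footer carving: every SOI..EOI span becomes (offset, blob, sha256).
    Hashing each carved object at carve time gives the documentation step a
    value that a second tool's output can later be checked against."""
    found, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break  # truncated object at the end of the image: nothing complete to carve
        blob = image[start:end + len(JPEG_EOI)]
        found.append((start, blob, hashlib.sha256(blob).hexdigest()))
        pos = end + len(JPEG_EOI)
    return found


def carve_strings(image: bytes, min_len: int = 8):
    """Printable-ASCII runs of at least min_len bytes, with their offsets."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, image)]


def cross_validate(hashes_tool_a, hashes_tool_b):
    """Compare the object hashes reported by two tools; anything present in only
    one set is what the examiner must explain before relying on it."""
    a, b = set(hashes_tool_a), set(hashes_tool_b)
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    img = build_sample_image()
    for off, blob, digest in carve_jpegs(img):
        print(f"JPEG at offset {off}: {len(blob)} bytes sha256={digest[:16]}...")
    print(carve_strings(img))
```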
Another way to add credibility is to make sure the investigator has a solid understanding of the evidence and how it was gathered. Most investigation tools are easy to operate and require only a couple of clicks to produce a complete report. Reiber warns against becoming a "point and click" investigator precisely because the tools are so easy to use. If an investigator takes the stand and is unable to speak intelligently about the technology used to gather the evidence, his credibility will be called into question. Steve Bunting puts it like this: "The more knowledge one has of the tool's function and of the data and functions found in any given cell device, the more credibility you will have as a witness."
If you have no experience and suddenly find yourself called upon to handle phone examinations for your organization, don't panic. I talk to people on a weekly basis who are in a similar situation and looking for direction. My advice is always the same: join a training course, become certified, seek the counsel of veterans, participate in online digital forensics communities and forums, and speak with representatives of the software companies that make investigation tools. By taking these steps, you can go from novice to expert in a short period of time.