In the world of digital forensics, mobile phone investigations are growing rapidly. The number of mobile devices examined each year has risen nearly tenfold over the last decade, and courtrooms increasingly rely on the information held on a mobile phone as key evidence in cases of every kind. Despite that, the practice of mobile phone forensics is still in its relative infancy. Many digital investigators are unfamiliar with the field and are looking for a "Phone Forensics for Dummies." Unfortunately, that book does not exist yet, so investigators have to look elsewhere for guidance on how best to approach mobile phone analysis. This article is by no means an academic guide, but it can serve as a starting point for building an understanding of the area.
First, it helps to know how we got to where we are today. In 2005 there were two billion mobile devices worldwide. Today there are over 5 billion, and that number is predicted to grow by nearly another billion by 2012. In other words, almost every person on the planet has a mobile phone. These phones are no longer just a way to make and receive calls; they are a place to store nearly all of the information in a person's life. When a mobile phone is obtained as part of a criminal investigation, an investigator can learn a tremendous amount about its owner. In many ways the data found on a phone is more valuable than a fingerprint, because it provides much more than identification. Using forensic software, digital investigators can recover the call list, text messages, pictures, videos and much more, all of which can serve as evidence either convicting or vindicating the suspect.
Lee Reiber, lead instructor and owner of Mobile Forensics, breaks the investigation into three parts: seizure, isolation and documentation. The seizure component primarily involves the legal ramifications. "If you do not have a legal right to examine the device or its contents then you are likely to have the evidence suppressed regardless of how hard you have worked," says Reiber. The isolation component is essential "because the mobile phone's data can be changed, altered and deleted over the air (OTA). Not only is the carrier able to do this, but the user can employ applications to remotely 'wipe' the data from the device." The documentation process involves photographing the phone at the time of seizure. Reiber says the photos should show the time settings, the state of the device and its characteristics.
Once the phone reaches a digital forensics investigator, the device should be examined using a professional tool. Investigating a phone manually is a last resort, to be used only when no available tool supports the device. Modern mobile phones are essentially miniature computers and need sophisticated software for comprehensive analysis.
When examining a mobile phone, it is essential to protect it from remote access and network signals. Since mobile phone jammers are illegal in the USA and most of Europe, Reiber recommends "using a metallic mesh to wrap the device securely, then placing the phone into standby mode or airplane mode for transportation, photographing, then placing the phone in a condition to be examined."
Steve Bunting, Senior Forensic Consultant at Forward Discovery, lays out the process flow as follows.
1. Achieve and maintain network isolation (Faraday bag, RF-shielded box, or RF-shielded room).
2. Thoroughly document the device, noting all available information. Use photography to support this documentation.
3. If a SIM card is present, remove, read and image the SIM card.
4. Clone the SIM card.
5. With the cloned SIM card installed, conduct a logical extraction of the mobile device with a tool. If analyzing a non-SIM device, start here.
6. Examine the data produced by the logical extraction.
7. If supported by both the model and the tool, perform a physical extraction of the mobile device.
8. View the parsed data from the physical extraction, which can vary greatly depending on the make/model of the phone and the tool being used.
9. Carve the raw image for various file types or strings of data.
10. Report your findings.
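The carving step above is the one that most often has to be done outside the vendor tool, so here is an added example (not code from the article or from any of the tools it mentions) of what it involves: hash the physical image before touching it, scan it for JPEG start and end markers, flag a JPEG whose end marker is missing rather than silently skipping it, and pull printable strings and phone-number-like patterns out of the same bytes. The raw image is constructed inline; the phone-number pattern and the 10 MB per-file limit are simplifying assumptions.

```python
"""Carve a raw physical image for JPEG files and strings of interest.

Added example for this article, not a tool from the original text. Works on a
raw dump held in memory; a real image would be read from the physical
extraction produced by the forensic tool.
"""
import hashlib
import re

JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image marker (followed by an APPn marker)
JPEG_EOI = b"\xff\xd9"       # End Of Image marker
PHONE_RE = re.compile(rb"\+?\d[\d\- ]{5,}\d")  # loose phone-number pattern (assumption)


def build_sample_image() -> bytes:
    """Constructed sample dump: filler, one complete JPEG, a text fragment,
    then a JPEG whose end marker was overwritten (a truncated file)."""
    header = JPEG_SOI + b"\xe0\x00\x10JFIF\x00"
    complete = header + b"\x00" * 40 + JPEG_EOI
    truncated = header + b"\x11" * 20            # no EOI follows
    return (b"\x00" * 64 + complete + b"\xff" * 32
            + b"Call +1-555-0100 at 17:05\x00" + b"\x00" * 16
            + truncated + b"\x00" * 8)


def image_hash(image: bytes) -> str:
    """Hash the whole image before carving so the report can show the
    evidence was not altered by the examination."""
    return hashlib.sha256(image).hexdigest()


def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return one entry per JPEG start marker: offset, size, whether an end
    marker was found, and a hash of the carved bytes."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1 or end + len(JPEG_EOI) - start > max_size:
            # No end marker within range: carve a bounded slice and flag it,
            # then keep scanning just past this start marker.
            data = image[start:start + max_size]
            found.append({"offset": start, "size": len(data), "complete": False,
                          "sha256": hashlib.sha256(data).hexdigest()})
            pos = start + len(JPEG_SOI)
        else:
            data = image[start:end + len(JPEG_EOI)]
            found.append({"offset": start, "size": len(data), "complete": True,
                          "sha256": hashlib.sha256(data).hexdigest()})
            pos = end + len(JPEG_EOI)
    return found


def carve_strings(image: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def find_phone_numbers(image: bytes) -> list:
    """Phone-number-looking strings; the pattern is a deliberate simplification."""
    return [m.group().decode("ascii") for m in PHONE_RE.finditer(image)]


if __name__ == "__main__":
    img = build_sample_image()
    print("image sha256:", image_hash(img))
    for entry in carve_jpegs(img):
        print("jpeg @ %d size %d complete=%s" % (entry["offset"], entry["size"], entry["complete"]))
    print("strings:", carve_strings(img))
    print("numbers:", find_phone_numbers(img))
```

Every carved object carries its offset and its own hash, which is what lets a second tool (or a second examiner) reproduce the same artifact from the same image. The truncated JPEG is reported rather than dropped: a partial picture recovered from unallocated space can still be evidence, but the report has to say that it is partial.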
There are two main things an investigator can do to gain credibility in the courtroom. One is cross-validation of the tools used. It is vitally important that investigators do not rely on only one tool when investigating a mobile phone. Both Reiber and Bunting adamantly recommend using multiple tools for cross-validation. "By cross-checking data between tools, one can validate one tool using the other," says Bunting. Doing so adds significant credibility to the evidence.
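Cross-checking two tools is harder than diffing two reports, because each tool names its columns, formats its timestamps and writes phone numbers differently. The following added example (not code from the article or from any vendor) takes two constructed SMS exports, normalizes number, time and direction into a common key, and sorts every record into matched, conflicting, or seen by only one tool. The column names, date formats and the NANP-style "last 10 digits" number comparison are assumptions made for the example.

```python
"""Cross-validate the SMS records parsed by two different forensic tools.

Added example for this article, not code from either tool vendor. The two CSV
exports are constructed here; column names, date formats and the NANP-style
number handling are assumptions about what such exports look like.
"""
import csv
import io
from datetime import datetime

# Constructed export from "tool A": second-precision timestamps, mixed number
# formats, and one message (id 3) that only this tool recovered from unallocated space.
TOOL_A_CSV = """id,number,timestamp,direction,body
1,+1 202 555 0100,2011-03-04 17:05:00,in,Meet at 6
2,12025550101,2011-03-04 17:06:30,out,ok
3,+1 202 555 0102,2011-03-04 18:00:00,in,deleted msg recovered
4,+1 202 555 0103,2011-03-04 19:10:00,out,See you
"""

# Constructed export from "tool B": day-first dates at minute precision, different
# column names, one body that disagrees with tool A and one record tool A lacks.
TOOL_B_CSV = """Number,Time,Type,Message
202-555-0100,04/03/2011 17:05,Incoming,Meet at 6
1-202-555-0101,04/03/2011 17:06,Outgoing,ok
202-555-0103,04/03/2011 19:10,Outgoing,See u
202-555-0104,04/03/2011 20:00,Incoming,hello
"""

DIRECTION = {"in": "in", "incoming": "in", "received": "in",
             "out": "out", "outgoing": "out", "sent": "out"}


def normalize_number(raw: str) -> str:
    """Keep digits only and compare on the last 10 (assumes NANP numbers), so
    '+1 202 555 0100' and '202-555-0100' refer to the same subscriber."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    return digits[-10:] if len(digits) >= 10 else digits


def normalize_time(raw: str, fmt: str) -> str:
    """Reduce both tools to minute precision, the coarser of the two exports."""
    return datetime.strptime(raw.strip(), fmt).strftime("%Y-%m-%dT%H:%M")


def load_records(text, number_col, time_col, time_fmt, dir_col, body_col) -> dict:
    """Map (number, minute, direction) -> sorted list of message bodies.
    A list is kept per key because two messages can share number and minute."""
    records = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (normalize_number(row[number_col]),
               normalize_time(row[time_col], time_fmt),
               DIRECTION[row[dir_col].strip().lower()])
        records.setdefault(key, []).append(row[body_col].strip())
    return {k: sorted(v) for k, v in records.items()}


def cross_validate(a: dict, b: dict) -> dict:
    """Classify every key as matched, conflicting, or present in one tool only.
    Anything outside 'matched' needs manual review before it goes in a report."""
    matched, conflicts = [], []
    for key in sorted(set(a) & set(b)):
        if a[key] == b[key]:
            matched.append(key)
        else:
            conflicts.append((key, a[key], b[key]))
    return {"matched": matched, "conflicts": conflicts,
            "only_in_a": sorted(set(a) - set(b)),
            "only_in_b": sorted(set(b) - set(a))}


def validate_sample() -> dict:
    a = load_records(TOOL_A_CSV, "number", "timestamp", "%Y-%m-%d %H:%M:%S", "direction", "body")
    b = load_records(TOOL_B_CSV, "Number", "Time", "%d/%m/%Y %H:%M", "Type", "Message")
    return cross_validate(a, b)


if __name__ == "__main__":
    result = validate_sample()
    for bucket, items in result.items():
        print(bucket, len(items))
        for item in items:
            print("   ", item)
```

The records both tools agree on are the ones an examiner can present with the most confidence; the "only in one tool" bucket is not automatically wrong (one tool may simply recover more deleted data than the other), but it is exactly the set the examiner has to be able to explain on the stand.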
The second way to add credibility is to make sure the investigator has a solid understanding of the evidence and how it was gathered. Many of the investigation tools are easy to operate and require only a few clicks to generate a comprehensive report. Reiber warns against becoming a "point and click" investigator now that the tools are so user friendly. If an investigator takes the stand and is unable to speak intelligently about the technology used to gather the evidence, his credibility will be called into question. Steve Bunting puts it this way: "The more knowledge one has of the tool's function and of the data and performance found in virtually any cell device, the more credibility one will have as a witness."
If you have no experience and suddenly find yourself called upon to manage phone examinations for your organization, don't panic. I speak to people in a similar situation on a weekly basis looking for direction. My advice is always the same: enroll in a training course, become certified, seek the counsel of veterans, participate in online digital forensics communities and forums, and speak to representatives of the software companies that make the investigation tools. By taking these steps, you can go from novice to expert in a short amount of time.