Worldwide of digital forensics, cell phone investigations are growing exponentially. The volume of mobile phones investigated each year has grown nearly tenfold within the last decade. Courtrooms are relying a growing number of about the information in a cellular phone as vital evidence in the event of all. Despite that, the technique of cellphone forensics continues to be in their relative infancy. Many digital investigators are unfamiliar with the field and are in search of a “Phone Forensics for Dummies.” Unfortunately, that book isn’t available yet, so investigators have to look elsewhere for information about how to best tackle cellphone analysis. This post should in no way act as an academic guide. However, it can be used being a initial step to acquire understanding in the region.
First, it’s vital that you recognize how we have got to where our company is today. In 2005, there was two billion cell phones worldwide. Today, you can find over 5 billion which number is anticipated to develop nearly another billion by 2012. This means that virtually every people on Earth carries a cellular phone. These phones are not only a method to make and receive calls, but alternatively a resource to save information in one’s life. When a cellphone is obtained as part of a criminal investigation, an investigator will be able to tell an important amount about the owner. In many ways, the info found inside a phone is a lot more important compared to a fingerprint for the reason that it offers a lot more than identification. Using forensic software, digital investigators have the ability to begin to see the call list, text messages, pictures, videos, and even more all to provide as evidence either convicting or vindicating the suspect.
Lee Reiber, lead instructor and owner of mobile forensics tools., breaks in the investigation into three parts-seizure, isolation, and documentation. The seizure component primarily necessitates the legal ramifications. “If you do not have a legal ability to examine the unit or its contents then you certainly will likely supply the evidence suppressed regardless of how hard you might have worked,” says Reiber. The isolation component is the most essential “because the cellular phone’s data can be changed, altered, and deleted on the air (OTA). Not simply may be the carrier able to perform this, but the user can employ applications to remotely ‘wipe’ your data in the device.” The documentation process involves photographing the cell phone during the time of seizure. Reiber says the photos should show time settings, state of device, and characteristics.
Once the phone is taken up a digital forensics investigator, the unit ought to be examined using a professional tool. Investigating phones manually is a last option. Manual investigation should only be used if no tool on the market is able to support the device. Modern mobile devices are just like miniature computers which need a sophisticated software applications for comprehensive analysis.
When examining a mobile phone, it is important to protect it from remote access and network signals. As cell phone jammers are illegal in the usa and many of Europe, Reiber recommends “using a metallic mesh to wrap the unit securely and then placing the telephone into standby mode or airplane mode for transportation, photographing, and after that placing the device in a condition to be examined.”
Steve Bunting, Senior Forensic Consultant at Forward Discovery, lays out your process flow as follows.
Achieve and keep network isolation (Faraday bag, RF-shielded box, or RF-shielded room).
Thoroughly document the device, noting information available. Use photography to assist this documentation.
When a SIM card is at place, remove, read, and image the SIM card.
Clone the SIM card.
Together with the cloned SIM card installed, perform a logical extraction in the cell device by using a tool. If analyzing a non-SIM device, start here.
Examine the extracted data from your logical examination.
If backed by the two model along with the tool, conduct a physical extraction in the cell device.
View parsed data from physical extraction, which will vary greatly according to the make/kind of the cellphone as well as the tool being used.
Carve raw image for a variety of file types or strings of web data.
Report your findings.
There are 2 things an investigator are capable of doing to achieve credibility inside the courtroom. One is cross-validation from the tools used. It can be vastly crucial that investigators tend not to depend upon just one tool when investigating a cell phone. Both Reiber and Bunting adamantly recommend using multiple tools for cross-validation purposes. “By crosschecking data between tools, one might validate one tool utilizing the other,” says Bunting. Doing this adds significant credibility to the evidence.
The next strategy to add credibility is to make sure the investigator features a solid idea of evidence and how it was actually gathered. Lots of the investigations tools are easy to use and require a couple clicks to build a detailed report. Reiber warns against transforming into a “point and click” investigator given that the equipment are so simple to operate. If an investigator takes the stand and is not able to speak intelligently concerning the technology used to gather the evidence, his credibility are usually in question. Steve Bunting puts it this way, “The more knowledge one has in the tool’s function along with the data 68dexmpky and function found in any cell device, the better credibility you will have as a witness.”
In case you have zero experience and suddenly discover youself to be called upon to handle phone examinations to your organization, don’t panic. I talk to individuals on a weekly basis in a similar situation trying to find direction. My advice is obviously the same; register for a training course, become certified, seek the counsel of veterans, participate in online digital forensics communities and forums, and talk to representatives of software companies making investigation tools. By taking these steps, it is possible to move from novice to expert inside a short amount of time.