In the world of digital forensics, cell phone investigations are growing rapidly. The number of mobile devices examined each year has grown nearly tenfold over the past decade, and courts increasingly rely on the information stored in a cell phone as vital evidence in cases of all kinds. Despite that, the practice of cell phone forensics is still in its relative infancy. Many digital investigators are new to the area and are looking for a "Cell Phone Forensics for Dummies." Unfortunately, that book isn't available yet, so investigators need to look elsewhere for guidance on how best to approach cell phone analysis. This article is by no means an academic guide, but it can serve as a first step toward gaining an understanding of the field.
First, it is important to understand how we got to where we are today. In 2005, there were two billion cell phones worldwide. Today there are over 5 billion, and that number is expected to grow by nearly another billion by 2012. This means nearly every person on the planet carries a cell phone. These phones are not only a way to make and receive calls, but a place to store the details of one's life. When a cell phone is obtained in a criminal investigation, an investigator can learn a great deal about its owner. In many ways, the information found in a phone is more important than a fingerprint, because it provides far more than identification. Using forensic software, digital investigators can view the call list, text messages, pictures, videos, and much more, all of which can serve as evidence either convicting or vindicating the suspect.
Lee Reiber, lead instructor and owner of a cell phone forensics company, breaks the investigation into three parts: seizure, isolation, and documentation. The seizure component primarily involves the legal ramifications. "If you do not have a legal right to examine the device or its contents, then you may very well have your evidence suppressed no matter how hard you have worked," says Reiber. The isolation component is the most important "because the cell phone's data can be changed, altered, and deleted over the air (OTA). Not only is the carrier capable of doing this, but the user can employ applications to remotely 'wipe' the data from the device." The documentation process involves photographing the device at the time of seizure. Reiber says the photos should show time settings, the state of the device, and its characteristics.
Once the phone is delivered to a digital forensics investigator, the device should be examined with a professional tool. Manual investigation of a phone should be a last resort, used only if no tool on the market supports the device. Modern cell phones are like miniature computers and require sophisticated software for comprehensive analysis.
When examining a cell phone, it is important to protect it from remote access and network signals. Since cell phone jammers are illegal in the US and most of Europe, Reiber recommends "using a metallic mesh to wrap the device securely and then placing the device into standby mode or airplane mode for transportation, photographing, and then placing the phone in a state to be examined." Any change made to the handset's settings during seizure, such as enabling airplane mode, is itself an action taken on the evidence and should be recorded as part of the documentation.
Steve Bunting, Senior Forensic Consultant at Forward Discovery, lays out the process flow as follows.
1. Achieve and sustain network isolation (Faraday bag, RF-shielded box, and/or RF-shielded room).
2. Thoroughly document the device, noting all available information. Use photography to support this documentation.
3. If a SIM card is present, remove, read, and image the SIM card.
4. Clone the SIM card.
5. With the cloned SIM card installed, perform a logical extraction of the cell device with a tool. If analyzing a non-SIM device, start here.
6. Examine the data extracted by the logical extraction.
7. If supported by both the model and the tool, perform a physical extraction of the cell device.
8. Review the parsed data from the physical extraction, which will vary greatly depending on the make/model of the phone and the tool used.
9. Carve the raw image for various file types or data strings.
10. Report your findings.
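Step 9 above, carving a raw image for file types and strings, is the step most often done by hand when a commercial tool does not parse a given model. The following Python is an added example written for this article, not code from Bunting, Reiber, or any forensic product. It carves JPEG and PNG objects from a raw image by header/footer signature, records a SHA-256 for each carved object so it can be documented and cross-checked later, and pulls printable strings the way the Unix `strings` utility does. The "image" is constructed inline for illustration and is not a real phone dump; the signature table is a hypothetical minimal set (real carvers carry hundreds), and header/footer carving only recovers contiguous, unfragmented files.

```python
import hashlib
import re
from dataclasses import dataclass

# Header/footer signatures used for carving. Hypothetical minimal set for the
# example; real carvers carry many more. Footer-based carving recovers only
# files stored contiguously and can produce false positives on random data.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


@dataclass
class CarvedFile:
    kind: str
    offset: int
    data: bytes
    sha256: str  # recorded so the carved object can be documented and cross-validated


def carve(image: bytes, signatures=SIGNATURES, max_size=16 * 1024 * 1024):
    """Return files found by header/footer matching, ordered by offset."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            # Only look for the footer within max_size bytes of the header.
            window_end = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), window_end)
            if end < 0:
                pos = start + 1  # header with no footer: fragmented or false hit
                continue
            end += len(footer)
            data = image[start:end]
            found.append(CarvedFile(kind, start, data,
                                    hashlib.sha256(data).hexdigest()))
            pos = end
    return sorted(found, key=lambda f: f.offset)


def extract_strings(image: bytes, min_len: int = 8):
    """Printable ASCII runs of at least min_len characters (like `strings`)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(image)]


def build_sample_image() -> bytes:
    """Constructed stand-in for a physical dump; not a real phone image."""
    filler = b"\x00" * 256 + b"\xab" * 256
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    sms = b"SMS: Meet at 21:00 tonight\x00"
    return filler + jpeg + filler + sms + png + filler


if __name__ == "__main__":
    img = build_sample_image()
    for f in carve(img):
        print(f"{f.kind} @ {f.offset:#x} {len(f.data)} bytes sha256={f.sha256}")
    for s in extract_strings(img):
        print("string:", s)
```

Run it against a real dump by replacing `build_sample_image()` with the bytes of the physical extraction; keep the hash list with the carved files so a second tool's output can be compared against it.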
There are two things an investigator can do to gain credibility in the courtroom. The first is cross-validation of the tools used. It is vitally important that investigators do not rely on just one tool when investigating a cell phone. Both Reiber and Bunting adamantly recommend using multiple tools for cross-validation purposes. "By cross-checking data between tools, one can validate one tool with the other," says Bunting. This process adds significant credibility to the evidence.
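Cross-checking two tools' output is only meaningful after both exports are normalized to the same representation; otherwise differences in time zone handling and number formatting show up as false discrepancies. The following Python is an added example for this article, not code from any forensic product or from Reiber or Bunting. It parses two constructed call-log exports (labelled "Tool A" and "Tool B", both invented here, with Tool A reporting local time plus a UTC offset and Tool B reporting UTC), normalizes them to a canonical record, and partitions the records into those both tools agree on and those only one tool reported. The number normalization assumes North American numbering and is a simplification.

```python
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed exports for illustration; not the output of any real product.
# "Tool A" reports local time with a UTC offset, "Tool B" reports UTC.
# Tool B also recovered one extra (deleted) record and missed the "Missed" call.
TOOL_A_CSV = """\
Type,Number,Date/Time,Duration
Outgoing,(555) 010-0001,2011-03-04 14:05:00 -0500,120
Incoming,555-010-0002,2011-03-04 15:30:00 -0500,45
Missed,+1 555 010 0003,2011-03-05 09:00:00 -0500,0
"""

TOOL_B_CSV = """\
direction,msisdn,timestamp_utc,seconds
out,15550100001,2011-03-04T19:05:00Z,120
in,15550100002,2011-03-04T20:30:00Z,45
in,15550100004,2011-03-05T16:00:00Z,30
"""


@dataclass(frozen=True)
class CallRecord:
    direction: str   # "in", "out" or "missed"
    number: str      # digits only, national significant number
    epoch: int       # seconds since the Unix epoch, UTC
    duration: int    # seconds


def normalize_number(raw: str) -> str:
    """Keep digits only and drop a leading US country code (NANP assumption)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def parse_tool_a(text: str):
    mapping = {"Outgoing": "out", "Incoming": "in", "Missed": "missed"}
    records = set()
    for row in csv.DictReader(io.StringIO(text)):
        # The "%z" directive parses the "-0500" offset, giving an aware datetime.
        ts = datetime.strptime(row["Date/Time"], "%Y-%m-%d %H:%M:%S %z")
        records.add(CallRecord(mapping[row["Type"]],
                               normalize_number(row["Number"]),
                               int(ts.timestamp()), int(row["Duration"])))
    return records


def parse_tool_b(text: str):
    records = set()
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp_utc"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)  # trailing "Z" means UTC
        records.add(CallRecord(row["direction"],
                               normalize_number(row["msisdn"]),
                               int(ts.timestamp()), int(row["seconds"])))
    return records


def cross_validate(a, b):
    """Partition two tools' call logs into agreed and tool-specific records."""
    def key(r):
        return (r.epoch, r.number)
    return {
        "matched": sorted(a & b, key=key),
        "only_a": sorted(a - b, key=key),
        "only_b": sorted(b - a, key=key),
    }


if __name__ == "__main__":
    result = cross_validate(parse_tool_a(TOOL_A_CSV), parse_tool_b(TOOL_B_CSV))
    for bucket, recs in result.items():
        print(bucket)
        for r in recs:
            print("  ", datetime.fromtimestamp(r.epoch, timezone.utc), r)
```

Records in `only_a` or `only_b` are the ones to resolve by hand, for example by locating the record in the raw image; a record that one tool reports and the other silently drops is exactly the kind of discrepancy that needs an explanation before the report is written.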
The second way to add credibility is to make sure the investigator has a solid understanding of the evidence and how it was gathered. Most investigation tools are user friendly and require only a couple of clicks to generate a detailed report. Reiber warns against becoming a "point and click" investigator simply because the tools are so easy to use. If the investigator takes the stand and is unable to speak intelligently about the technology used to gather the evidence, his credibility will be in question. Steve Bunting puts it this way: "The more knowledge one has of the tool's function and the data and function present in any given cell device, the more credibility one will have as a witness."
If you have no experience and suddenly find yourself called upon to handle phone examinations for your organization, don't panic. I speak with individuals on a weekly basis in a similar situation looking for direction. My advice is always the same: enroll in a training course, become certified, seek the counsel of veterans, participate in online digital forensics communities and forums, and speak with representatives of the software companies that make investigation tools. By taking these steps, you can move from novice to expert in a short period of time.