In the world of digital forensics, cellphone investigations are growing exponentially. The number of cell phones investigated each and every year has risen nearly tenfold during the last decade. Courtrooms are relying a growing number of around the information in the mobile phone as vital evidence in the event of all types. Despite that, the practice of mobile phone forensics continues to be within its relative infancy. Many digital investigators are new to the area and therefore are trying to find a “Phone Forensics for Dummies.” Unfortunately, that book isn’t available yet, so investigators ought to look elsewhere for information about how to best tackle cell phone analysis. This post should by no means function as an academic guide. However, it can be used like a first step to achieve understanding in the area.
First, it’s important to know how we got to where our company is today. In 2005, there are two billion cell phones worldwide. Today, there are actually over 5 billion and that number is expected to grow nearly another billion by 2012. This means that nearly every human being on Earth has a cell phone. These phones are not just a way to make and receive calls, but alternatively a resource to store all information in one’s life. Whenever a mobile phone is obtained within a criminal investigation, an investigator has the capacity to tell an important amount in regards to the owner. In many ways, the info found within a phone is more important than the usual fingerprint because it offers considerably more than identification. Using forensic software, digital investigators can begin to see the call list, sms messages, pictures, videos, and even more all to offer as evidence either convicting or vindicating the suspect.
Lee Reiber, lead instructor and owner of mobile forensics tools atlanta., breaks the investigation into three parts-seizure, isolation, and documentation. The seizure component primarily necessitates the legal ramifications. “If there is no need a legitimate right to examine the product or its contents you then will probably have got all the evidence suppressed regardless of how hard you possess worked,” says Reiber. The isolation component is an essential “because the cellular phone’s data may be changed, altered, and deleted within the air (OTA). Not only is definitely the carrier able to do this, but the user can employ applications to remotely ‘wipe’ the data in the device.” The documentation process involves photographing the telephone in the course of seizure. Reiber says the photos should show time settings, state of device, and characteristics.
Right after the phone is taken up digital forensics investigator, the device needs to be examined having a professional tool. Investigating phones manually is a last resort. Manual investigation should only be used if no tool out there is able to support the device. Modern mobile devices are similar to miniature computers which need a sophisticated software programs for comprehensive analysis.
When examining a mobile phone, it is essential to protect it from remote access and network signals. As cellular phone jammers are illegal in america and most of Europe, Reiber recommends “using a metallic mesh to wrap the unit securely and then placing the phone into standby mode or airplane mode for transportation, photographing, then placing the cell phone in a state to get examined.”
Steve Bunting, Senior Forensic Consultant at Forward Discovery, lays the process flow the following.
Achieve and sustain network isolation (Faraday bag, RF-shielded box, and/or RF-shielded room).
Thoroughly document these devices, noting all information available. Use photography to support this documentation.
In case a SIM card is place, remove, read, and image the SIM card.
Clone the SIM card.
With the cloned SIM card installed, conduct a logical extraction of your cell device with a tool. If analyzing a non-SIM device, start here.
Examine the extracted data in the logical examination.
If backed by both the model and also the tool, execute a physical extraction from the cell device.
View parsed data from physical extraction, which will vary greatly based on the make/kind of the mobile phone as well as the tool used.
Carve raw image for many different file types or strings of information.
Report your findings.
The two main things an investigator can do to acquire credibility inside the courtroom. The first is cross-validation in the tools used. It really is vastly crucial that investigators usually do not count on merely one tool when investigating a cellphone. Both Reiber and Bunting adamantly recommend using multiple tools for cross-validation purposes. “By crosschecking data between tools, one might validate one tool using the other,” says Bunting. Doing this adds significant credibility towards the evidence.
The second way to add credibility is to make sure the investigator has a solid idea of the evidence and just how it was actually gathered. Most of the investigations tools are user friendly and require only a couple clicks to produce a comprehensive report. Reiber warns against transforming into a “point and click” investigator now that the various tools are really easy to use. If an investigator takes the stand and is unable to speak intelligently in regards to the technology utilized to gather evidence, his credibility will be in question. Steve Bunting puts it like this, “The more knowledge one has in the tool’s function and the data 68dexmpky and function seen in any cell device, the better credibility you will have like a witness.”
When you have zero experience and suddenly realise you are called upon to take care of phone examinations for your personal organization, don’t panic. I speak with individuals on the weekly basis in a similar situation searching for direction. My advice is definitely a similar; enroll in a training course, become certified, seek the counsel of veterans, engage in online digital forensics communities and forums, and speak with representatives of software companies making investigation tools. If you take these steps, it is possible to go from novice to expert within a short timeframe.