Mobile Device Forensic: Ultimate Guide for Collection

Smartphones have become part of our lives, which also increases their involvement in crime. This creates a growing demand for forensic examination of mobile phones and other digital devices.

The involvement of mobile devices in crime has been recognized for longer than just the last few years. However, the forensic investigation of mobile devices is a relatively new field, dating from the late 1990s and early 2000s.

The field also covers any digital device that has both internal memory and communication capability, including GPS devices and tablet PCs.

What is forensic mobile data collection?

Forensic mobile data collection is the set of procedures and guidelines that accompany the seizure of a target's mobile device and its peripherals, in order to recover digital evidence or information from that device.

Mobile device forensics, more broadly, is the branch of digital forensics concerned with the recovery of digital evidence or information from a mobile phone.

List of forensic data collected from a mobile

  • Phonebook or contact records.
  • SMS content, application-based messaging, and multimedia content.
  • Missed, incoming, and outgoing call history.
  • Pictures, recordings, and audio/video files.
  • Passwords, swipe codes, and user account details.
  • To-do lists, notes, timetable and calendar entries, ringtones.
  • Documents, spreadsheets, and other user-created data.
  • Internet browsing history, cookies, search history, and analytics information.
  • Historical geolocation information, cell tower location data, and Wi-Fi association data.
  • Data from the various installed applications.
  • System files, usage logs, and saved error messages.
  • Deleted data from most of the categories listed above.

Source: Mobile Digital Forensic


How does a mobile device become part of a crime?

  • As a target or victim: A crime in which the computing device itself is the target of the offense, for example physical damage or theft.
  • As a weapon: Fraud or online-transaction crime in which the mobile device is used as the instrument.
  • As a witness: A mobile phone may act as a witness through the data and entries it stores, for example saved data on illegal activities such as online fraud.


Mobile Seizure Warrants

Before a mobile device is seized, determine whether a warrant is required:

  • If no search warrant has been issued, seizure of the phone depends on the consent of the owner, although this varies from case to case.
  • If a warrant has been issued, check whether the mobile device is included in it.
  • In the case of a corporate office, first establish which individuals and employees have access to the digital device in question.

Resolving each of these issues is key to an effective seizure of the evidence at the scene. Failure to answer these essential questions could lead to the exclusion of evidence recovered during the search of the crime scene.

Parts of a Mobile Device Forensic Warrant

A mobile device warrant should include the following.

Before a mobile device is seized or searched, the property and the place to be searched must be defined. When drafting a legal document to search a physical place, the officer must specify:

  • The physical place,
  • Its address, and
  • What is being searched for.

All of this information comes from the prior investigation and from the probable place where the device can be found.
This procedure fixes the person and place to be searched and saves time by avoiding unnecessary searches and seizures.

Part 2: Items to Seize

If investigators have information about the device to be searched, it can be stated in the warrant, including:

a. The color of the mobile device,
b. The cell phone manufacturer,
c. The model name,
d. The serial number (not the device's phone number),
e. The type of cover used on the device, even if it is not unique,
f. Other descriptions of the phone, such as cameras (front, back, or both), the position of the audio jack, etc.,
g. A description of any unique details such as scratches, a broken screen, etc.

Procedure for Seizing Mobile Device Evidence

  1. Securing the Scene
    • Data Volatility at the Scene: Use of jammers
    • Questions to be Asked
    • Device and Data Security
    • Backups
  2. Exploring the Scene for Evidence
    • Photographing the Mobile forensic evidence
    • Other items at the crime scene
  3. The Collection, Processing, and Packaging of Mobile Device Evidence
    • Prior to Collection
    • Bagging Sensitive Evidence
      • Types of Bagging Equipment
      • Properly Bagging Mobile Device Evidence
  4. Documentation of Evidence: Tags and Labels
  5. Transporting Mobile Device Evidence

A. Securing the Scene

The safety of the people at a crime scene is paramount, no matter where the crime scene is located.

Ensure that the location where digital evidence is collected is free of risk and free from distractions.

The officer-in-charge must conduct a guided inquiry with the relevant parties about the digital evidence or mobile devices, and any other details that might assist the case.

A.1. Data Volatility at the Scene: Use of Jammers

Digital data, especially on a mobile phone, is extremely volatile.

On most modern mobile phones, the user can wipe the phone's data with a few taps, or remotely by sending a signal to the device.

Cellular transmissions occur via radio signals, and data transmissions can originate and terminate at the device via the cellular signal or a Wi-Fi network.

Blocking all signal communication to the device ensures that:

  • The device cannot be remotely wiped,
  • No wipe can be triggered on the device to protect the data it holds, and
  • The device cannot receive any additional transmissions, such as calls, texts, and other data, from the cellular network.

So the very first step is to isolate the scene by restricting access to any network communication.

A.2. Questions to be asked

Questions asked by the forensic examiner (officer-in-charge) may include, but are not limited to:

  1. Is any security authentication used: passcodes, patterns, or biometrics?
  2. What is the daily usage pattern: light user or heavy user?
  3. Which applications does the person use daily?
  4. How often does the person use text messaging?
  5. Who does the person speak to most often?
  6. How many other mobile devices does the person have?
  7. Who else has access to the device?

A.3. Device and Data Security

Mobile device security can be a real obstacle during the collection of electronically stored data.

There are two major issues in the analysis of the electronic data:

  1. User authentication security keys: passcodes, patterns, and biometrics.
  2. Data security: encryption, which makes it difficult to extract data.

It is the duty of the officer in charge (whenever possible) to obtain the security keys from the owner. If possible, any authentication and encryption should be unlocked by the device owner at the time the phone is seized.

After unlocking the device and removing any encryption, he or she should make the setting permanent so that the device can be successfully examined at a later stage.

A.4. Backups

Sometimes the mobile phones themselves are not physically available, but their backups are. In that case, useful information can be extracted from the backups of the mobile device.

A smart device, such as an Android, Windows, or iOS device, can back up its data to a computer, a cloud storage platform, or any other storage device.

A key point, however, is that many backups are encrypted. This adds another level of difficulty when analyzing the information they contain.
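As an added example (not from the original article), the following Python triage reads the Manifest.plist that iTunes/Finder writes at the root of a local iOS backup folder and reports whether the backup is encrypted and which device it came from, so an examiner knows up front which backups will need the backup password. It relies only on the IsEncrypted, BackupKeyBag and Lockdown keys of that file; the sample manifests are constructed with placeholder device values.

```python
import plistlib
from datetime import datetime
from pathlib import Path

# Added example, not part of the original article. Triage of a local iOS
# backup: Manifest.plist records whether the backup is encrypted (and then
# carries the wrapped class keys in BackupKeyBag) plus basic device identity
# under the Lockdown dictionary.

def parse_manifest(manifest_bytes: bytes) -> dict:
    """Extract the triage-relevant fields from the raw bytes of a Manifest.plist."""
    m = plistlib.loads(manifest_bytes)
    lockdown = m.get("Lockdown", {})
    return {
        "encrypted": bool(m.get("IsEncrypted", False)),
        "has_keybag": "BackupKeyBag" in m,   # present only in encrypted backups
        "backup_date": m.get("Date"),
        "device_name": lockdown.get("DeviceName"),
        "ios_version": lockdown.get("ProductVersion"),
        "serial": lockdown.get("SerialNumber"),
        "udid": lockdown.get("UniqueDeviceID"),
    }

def triage_backup_dir(backup_dir: str) -> dict:
    """Read Manifest.plist from a backup directory, reporting if it is missing."""
    path = Path(backup_dir) / "Manifest.plist"
    if not path.is_file():
        return {"error": f"no Manifest.plist in {backup_dir}"}
    return parse_manifest(path.read_bytes())

# Constructed sample manifests (placeholder device values, not a real device).
_LOCKDOWN = {"DeviceName": "Exhibit-01 iPhone", "ProductVersion": "16.5",
             "SerialNumber": "SERIAL-PLACEHOLDER", "UniqueDeviceID": "UDID-PLACEHOLDER"}
ENCRYPTED_MANIFEST = plistlib.dumps({
    "IsEncrypted": True, "Version": "10.0",
    "Date": datetime(2023, 6, 1, 12, 0, 0),
    "BackupKeyBag": b"\x00" * 16,          # placeholder; a real keybag is larger
    "Lockdown": _LOCKDOWN,
})
PLAIN_MANIFEST = plistlib.dumps({
    "IsEncrypted": False, "Version": "10.0",
    "Date": datetime(2023, 6, 1, 12, 0, 0),
    "Lockdown": _LOCKDOWN,
})

if __name__ == "__main__":
    for label, blob in (("encrypted", ENCRYPTED_MANIFEST), ("plain", PLAIN_MANIFEST)):
        print(label, parse_manifest(blob))
```

Point triage_backup_dir at each backup folder found on a seized computer to sort the encrypted backups from the ones that can be read immediately.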

B. Exploring the Scene for Evidence

After gathering information from the occupants or the people at the scene, the agent should search the area systematically.

The search can follow a pattern: working from the outside toward the center of the location, using a back-and-forth search, or dividing the location into several smaller portions (the zone search method).

Photographs and Sketching: Prior to the search, photographs of the area from all angles should be taken for documentation. In addition, a sketch should be constructed at the crime scene, highlighting the dimensions and locations of various evidence.

B.1. Photographing the Mobile forensic evidence

Photographing the device is forensically important for many reasons. Without photographs, questions could arise about the validity of the mobile device evidence.

  • When a mobile device is located, it should be photographed at the scene as it was found. This includes its condition, its keyboard and screen, and any noticeable scratches or other anomalies.
  • Before close-up photographs are taken, the mobile device and its artifacts should be assigned an evidence number and evidence tag.
  • If the device is on, close-up photographs should capture information such as the time and date shown on the screen. The screen saver or wallpaper may also provide information of interest.
  • After one side of the device has been properly photographed, the device should be turned over to capture details of the opposite side as well.

B.2. Other items at the Crime Scene

Many items related to a mobile device can be found at a scene. These electronic storage devices and accessories are essential to the overall success of the investigation.

Other items commonly found at a crime scene along with mobile phones:

  • Removable USB drives and SD cards: Any USB devices at the crime scene should be collected for mobile forensic examination. Mobile phones have limited onboard storage, so removable media such as USB drives and SD cards are used to expand it, and useful information may be saved on them.
  • Chargers and USB cables: Obtaining the device's power cable and USB cables can lower the cost of purchasing them for the examination.
  • SIM cards: SIM cards are small chips that connect the phone to its network operator. Their portability makes the search more difficult. SIM card portability was one of the features that set GSM (Global System for Mobile Communications) devices apart from CDMA (Code Division Multiple Access) phones. Old SIM cards belonging to other mobile devices may also be located and collected during the search.
  • Older mobile devices: During a search for a particular device, older devices are often neglected. But older mobile devices can contain critical data relevant to the case being investigated.
  • Personal computers: Computers may hold backups of and information about a mobile device. Forensic analysis of the computer can also yield passcodes for the device and synced data such as media, documents, settings, spreadsheets, etc.

C. The Collection, Processing, and Packaging of Mobile Device Evidence

C.1. Prior to Collection

After the device is found, the next step is to collect it. But before the digital evidence is packaged, the following questions should be answered.

Questions to ask prior to collection:

  • Are there any biological concerns (biohazards) related to the device?
  • Will the device need to be analyzed at the scene?
  • Is device authentication enabled?
  • Are there any power issues with the mobile device?

SIM cards: The location of each card should be recorded along with its integrated circuit card identifier (ICCID), type (standard, micro, or nano, as shown next), color, condition, and telecom operator.

Memory cards: The location of the card at the scene should be documented along with its size (512 MB, 32 GB, and so on), type, color, condition, and brand, as shown next. Any numbering on the exterior must be documented.

Dealing with power issues (the device state): After you locate a mobile device, it is critical to determine whether the device is powered on or off and whether or not it is password protected.
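The ICCID recorded for each SIM card above is 19 or 20 digits long, begins with the telecom industry identifier 89 (ITU-T E.118), and ends with a Luhn check digit. As an added example (not from the original article), the following Python check validates a transcribed ICCID before it is written on the evidence tag, so a mistyped or transposed digit is caught while the card is still in hand; the sample ICCIDs are constructed values, not real cards.

```python
import re

# Added example, not part of the original article. Validates an ICCID
# transcribed from a SIM card: 19-20 digits, "89" prefix, Luhn check digit.

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def normalize_iccid(raw: str) -> str:
    """Strip the spaces and hyphens often printed between digit groups on the card."""
    return re.sub(r"[\s-]", "", raw)

def check_iccid(raw: str) -> dict:
    """Validate a transcribed ICCID and list the reasons it fails, if any."""
    iccid = normalize_iccid(raw)
    problems = []
    if not iccid.isdigit():
        problems.append("contains non-digit characters")
    elif len(iccid) not in (19, 20):
        problems.append(f"length {len(iccid)} is not 19 or 20 digits")
    if iccid.isdigit() and not iccid.startswith("89"):
        problems.append("does not start with the telecom identifier 89")
    if iccid.isdigit() and len(iccid) in (19, 20) and not luhn_valid(iccid):
        problems.append("Luhn check digit mismatch (likely transcription error)")
    return {"iccid": iccid, "valid": not problems, "problems": problems}

# Constructed sample values (not real cards): the first passes the check,
# the second has one mistyped digit, the third has two adjacent digits swapped.
GOOD_ICCID = "8901 2612 0012 3456 783"
TYPO_ICCID = "8901 2612 0012 3956 783"   # 4 -> 9
SWAP_ICCID = "8901 2612 0012 3456 873"   # 7 and 8 transposed

if __name__ == "__main__":
    for raw in (GOOD_ICCID, TYPO_ICCID, SWAP_ICCID):
        print(raw, "->", check_iccid(raw))
```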

C.2. Bagging Sensitive Evidence

Electronic devices are packed into special evidence bags. These bags serve two chief functions: signal blocking and anti-static protection, shielding the mobile device from electrostatic discharge (ESD).

Each mobile phone and its peripherals, such as memory cards, SD cards, SIM cards, etc., should be placed in separate anti-static bags.

Paper bags or cardboard are preferred over plastic bags, because sealed plastic containers can trap humidity and condensation, which can damage electronic evidence.

Note: Collectors should wear gloves while handling mobile artifacts, and should avoid touching the gold contacts of artifacts such as memory cards and SIM cards.

C.2.1. Types of Bagging Equipment
  • Anti-static bags: These bags are usually used for shipping computer parts and protect static-sensitive components from electrostatic discharge (ESD).
  • ESD bags with rods: These offer both anti-static and ESD protection. They have rod beds that let an electrostatic discharge travel safely to ground, much like the lightning rods used on tall buildings. These bags typically have a mirrored or metallic look due to their aluminum film coating.
  • Signal isolation bags: Also called Faraday bags, these are a handy accessory that shields the device from cellular signals, although their ability to fully isolate a networked device from signals has been questioned by several studies.

C.3. Properly Bagging Mobile Device Evidence

After documentation and photographs of findings, all evidentiary devices or artifacts should be protected using one of the following methods:

  • Exterior switches: Some mobile devices have exterior toggle switches that turn the sound on and off or up and down. Cover these switches with evidence tape to preserve their position at the time of seizure.
  • Fingerprints: The device may carry fingerprints. In that case, the device is first treated for latent fingerprints, and the position of the switches is then documented and photographed.
  • USB port: Exterior ports should be covered with evidence tape.
  • Headphone port: Headphone jacks should be covered with evidence tape.
  • Camera lens: Taping the camera lens with evidence tape prevents the device from capturing any photos or video after seizure.
  • Battery compartment: Nowadays many devices have built-in, non-removable batteries, but some devices still give access to the battery as well as the SIM card and memory card slots. In all cases, all slots and the battery compartment should be taped.

D. Documentation of Evidence: Tags and Labels

The information listed on each evidence bag and box includes, but is not limited to:

  • Date and time of collection of the mobile forensic evidence.
  • Item number: A unique value assigned to the seized property.
  • Quantity: The number of items of a single item type (for example, micro USB cables, chargers, and so on).
  • Location of collection.
  • Property description: This should include serial numbers, the state of the device (on/off and locked/unlocked), markings, and so on.
  • Processing: Whether the mobile device is to be acquired live or not, and where (at the scene or at the lab).
  • Owner name (if known).
  • Collector's information (their initials).
  • Transport destination (laboratory or storage).
  • Special comments (immediate processing, phone on and charging, biohazard, and so on).

E. Transporting Mobile Device Evidence

The transportation of mobile device evidence is as vital as proper seizure, bagging, and tagging of the artifacts. The key points to remember while transporting mobile device evidence are as follows:

  • Avoid placing evidence in an area that has recently been used to transport caustic fluids or other wet materials.
  • Mobile device evidence can be susceptible to shock and vibration, so make certain the evidence is secured prior to transport.
  • Mobile device evidence can be harmed by electrostatic discharge and by the magnetic fields produced by speakers, radios, and large electronics mounted with magnets.
  • Electronic evidence should not be transported or stored in close proximity to such devices.
  • Extreme hot and cold temperatures can damage mobile device evidence, and prolonged exposure to them must be avoided.
  • Electronic evidence must not be placed in a patrol vehicle where the radio transmission system is installed, because this can be disastrous for electronic evidence: the police radio transmitter and receiver in a patrol car can create an electromagnetic field that might destroy useful information on the mobile device.
