You are on page 1of 10

Scientific Working Group on

Digital Evidence

Best Practices for Mobile Phone Examinations


Disclaimer:

As a condition to the use of this document and the information contained therein, the SWGDE
requests notification by e-mail before or contemporaneous to the introduction of this document,
or any portion thereof, as a marked exhibit offered for or moved into evidence in any judicial,
administrative, legislative or adjudicatory hearing or other proceeding (including discovery
proceedings) in the United States or any Foreign country. Such notification shall include: 1) The
formal name of the proceeding, including docket number or similar identifier; 2) the name and
location of the body conducting the hearing or proceeding; 3) subsequent to the use of this
document in a formal proceeding please notify SWGDE as to its use and outcome; 4) the name,
mailing address (if available) and contact information of the party offering or moving the
document into evidence. Notifications should be sent to forensics@swgde.us.

It is the user’s responsibility to ensure they have the most current version of this document. It is
recommended that previous versions be archived for future reference, as needed, in accordance
with that agency’s policies.

Redistribution Policy:

SWGDE grants permission for redistribution and use of all publicly posted documents created by
SWGDE, provided that the following conditions are met:

1. Redistributions of documents or parts of documents must retain the SWGDE cover page
containing the disclaimer.
2. Neither the name of SWGDE nor the names of contributors may be used to endorse or
promote products derived from its documents.
3. Any reference or quote from a SWGDE document must include the version number (or
create date) of the document and mention if the document is in a draft status.

Best Practices for Mobile Phone Examinations


Version 1.0 (May 21, 2009)
This document includes a cover page with the SWGDE disclaimer.
Page 1 of 10
Scientific Working Group on
Digital Evidence

Best Practices for Mobile Phone Examinations


1.0 Purpose
The purpose of this document is to describe the best practices for mobile phone examinations.

2.0 Scope
This document provides basic information on the logical and physical acquisition of mobile
phones. The intended audience is either examiners in a lab setting or first responders who
encounter mobile phones in the field.

This document is not to be used as a step-by-step guide for executing a proper forensic
investigation when dealing with mobile phones or construed as legal advice.

3.0 Limitations

Mobile phones present a unique challenge to law enforcement due to rapid changes in
technology. There are numerous models of mobile phones in use today. New families of mobile
phones are typically manufactured every three (3) to six (6) months. Many of these phones use
closed operating systems and proprietary interfaces making it difficult for the forensic extraction
of digital evidence.

Some limitations encountered are as follows:

Block Incoming and Outgoing Signals – Attempts should be made to block incoming and
outgoing signals of a mobile phone. Common methods include Radio Frequency (RF) blocking
container or jamming appliances. Blocking RF signals; will drain the battery, may be expensive,
are not always successful and may result in the alteration of mobile phone data.

Cables - Data Cables are often unique to a particular device. Frequently cables are specific to the
forensic tool to be used. Data cables often have a wide variety of connections (e.g. RJ-45, USB,
or RS-232). This results in a large number of cables being required for forensics analysis of
mobile phones.

COM Ports - Some tools may require the use of specific ports. Operating systems may not
release control of ports after use.

Condition of the Evidence – Commercially available tools may not provide solutions to deal
with physically damaged mobile phones.

Drivers - Conflicts may occur due to: existing operating system drivers; proprietary drivers;
driver version inconsistencies; and vendor specific drivers. Ability to find proper drivers may be

Best Practices for Mobile Phone Examinations


Version 1.0 (May 21, 2009)
This document includes a cover page with the SWGDE disclaimer.
Page 2 of 10
difficult. Drivers may be included with the tool or downloaded from a web site. Drivers may
compete for control for the same resource if more than one forensic product is loaded on the
analysis machine.

Dynamic Nature of the Data – Data on active (powered-on) mobile phones is constantly
changing. There are no conventional write-blocking methods for mobile phones.

Hash Values- Individual data objects (e.g., graphics, audio, video files) will most often maintain
consistency between the forensic workstation and the hash value reported by the mobile phone
application.1 Due to the volatility of mobile phone operating systems, overall case file hashes of
system files will typically not be consistent due to file system optimization.

Lack of Training – There is a lack of vendor neutral training.

Legal Issues - Unopened emails, unread text messages, and incoming phone calls of seized
devices may present non-consensual eavesdropping issues, especially if the examination is not
conducted in a timely manner.

Loss of Power – Many mobile phones may lose data or initiate additional security measures
once discharged or shut down.

Passwords – Authentication mechanisms can restrict access to a device and/or data. Traditional
password cracking methods can lead to permanent inaccessibility or destruction of data. There
are different methods to protect a device (i.e., Personal Identification Number (PIN), Phone
Unlock Key (PUK), and handset protection).

Remote Destruction of Data - There are methods to remotely destroy data on a mobile phone.

Industry Standards - Manufacturers and carriers lack standardized methods of storing data
(e.g., closed operating systems, proprietary data connections).

Subscriber Identity Module (SIM) Cards – Lack of or removal of a SIM may prevent the
examiner from accessing data stored on the internal memory of a handset. Inserting a SIM from
another phone may cause the loss of mobile phone data.

Unallocated Data / Deleted Data – Many mobile phone forensic tools may only provide the
logical acquisition2 of data. Deleted data may only be recoverable from a physical acquisition3.

1
Refer to NIST Publication: “Hashing Techniques for Mobile Device Forensics”.
2
Implies a bit-by-bit copy of logical storage objects (e.g., directories and files) that reside on a logical store (e.g., a file system partition).
3
Physical acquisition implies a bit-by-bit copy of an entire physical store (e.g., a memory chip)

Best Practices for Mobile Phone Examinations


Version 1.0 (May 21, 2009)
This document includes a cover page with the SWGDE disclaimer.
Page 3 of 10
4.0 Evidence Collection

A) Seizing Evidence
General guidelines concerning the seizing of evidence are provided as follows:

• Consult with the investigating officer to determine the necessary equipment to take to the
scene.
• Review the legal authority to seize the evidence, ensuring any restrictions are noted. If
necessary during the execution of the seizure, obtain additional authority for evidence
outside the scope of the search.
• All suspects, witnesses, and by-standers should be removed from the proximity of the
mobile phone to prevent modifications to the data.
• Solicit information from mobile phone user to determine the phone number, pass codes,
or PINs.
• Turn off phone immediately, remove battery if practical, and do not turn it back on.

o The benefits of turning off the phone include:


 Preserving call logs and last cell tower location information (LOCI);
 Preventing overwriting deleted data;
 Preventing data destruction signals from reaching the mobile phone;
and,
 Preventing improper mobile phone handling (i.e., placing calls, sending
messages, taking photos, or deleting files)

o The risks of turning off the mobile phone include possibly locking the phone by
password or PIN. Exigency may dictate that the mobile phone remains on for
immediate processing. If the mobile phone must be left on, isolate it from its
network while maintaining power.
 Radio Frequency (RF) shielding – Mobile phones communicate with cell
towers. Allowing this communication will change data on the phone.
 Many mobile phones can be placed in “Airplane” mode preventing
access to cell towers. This requires user input on the handset.
 Disable Wi-Fi, Bluetooth, and IrDA communications if practical

• The seizing officer should be able to recognize different types of mobile phone evidence.
• The scene should be searched systematically and thoroughly for evidence. Document the
scene according to agency policy. Collect associated chargers, cables, peripherals, and
manuals.

Best Practices for Mobile Phone Examinations


Version 1.0 (May 21, 2009)
This document includes a cover page with the SWGDE disclaimer.
Page 4 of 10
B) Handling Evidence

• Evidence should be handled according to agency policy while maintaining a chain of


custody.

• Network isolation of the mobile phone should be maintained.

• Additional forensic analysis – Occasionally, there may be a need to conduct traditional


forensic processes on a mobile phone (DNA, latent prints, etc). These are case
dependant and should be discussed with the investigator about the need for such
evidence as well as the order in which they should be performed. Contact appropriate
crime lab personnel for guidance on processing order to avoid the destruction of
forensic evidence.

• Biological contaminants and physical destruction provide unique challenges to the


recovery of data. Universal precautions should be utilized to protect the health and
safety of the examiner. For more information on how to process contaminated mobile
phones, refer to Workflow Mobile Phone Forensic Examinations by Nederlands
Forensisch Instituut.

5.0 Processing in Lab

A) Equipment Preparation
“Equipment” in this section refers to the non-evidentiary hardware and software the examiner
utilizes to conduct data extraction and analysis of the evidence.

• Equipment should be validated on a regular basis to ensure proper performance is


maintained.
• Current information (e.g. user’s manual) describing the manufacturer’s
software/hardware and other relevant documentation should be recently reviewed and
accessible.
• The most recent stable version of the application should be downloaded, installed,
and validated prior to its use.
• The validation process is documented in: “SWGDE Recommended Guidelines for
Validation Testing.”
• The following site: http://www.cftt.nist.gov/ provides NIST validation reports
illustrating the capabilities and limitations of specific mobile phones tools.

B) Data Acquisition
Levels of analysis - More forensically sound levels should be exhausted before attempting a
lower level of analysis. The levels are as follows:

Best Practices for Mobile Phone Examinations


Version 1.0 (May 21, 2009)
This document includes a cover page with the SWGDE disclaimer.
Page 5 of 10
1) MicroRead – A process that involves the use of a high-power microscope to provide a
physical view of the electronic circuitry of memory. This would typically be used
when acquiring data from physically damaged memory chips.

2) Chip-Off – A process that involves the removal of a memory chip to conduct analysis.

3) Hex dump – A process that provides a physical acquisition of a mobile phone’s file
system. This may provide access to deleted data that has not been overwritten.

4) Logical – A process that provides access to the user accessible files. This process will
not provide access to deleted data.

5) Manual – A process that involves manually using the keypad and handset display to
document data present in the mobile phone’s internal memory.

• The following disciplines exist that examiners may encounter:


o GSM Phones
o Non-GSM Phones
o Subscriber Identity Module (SIM) Cards
o Smart Phones

• Examiners may need to seek additional training to be competent in multiple


mobile phone tools addressing the above-mentioned disciplines.

• Document the physical condition of the mobile phone to be examined.

• The examiner should take precautions to isolate the mobile phone from its
network. The examiner should be aware of the limitations of each of the following
techniques.
o Power off the phone.
o Airplane mode
o RF shielding – Faraday bag, arson can, etc.
o Radio Isolation Card (RIC) – SIM card that isolates the device from cell tower
connectivity. RIC’s do not contain a “cipher key” thus preventing access with
a network.

• The examiner should ensure power is maintained to the mobile phone during the
entire examination.

• Physical acquisition shall be performed before a logical acquisition if possible.

• The examiner may need to use one or more acquisition methods based on the
following order of forensic preference.
1) Cable
2) Photograph/Video data on phone
3) IrDA

Best Practices for Mobile Phone Examinations


Version 1.0 (May 21, 2009)
This document includes a cover page with the SWGDE disclaimer.
Page 6 of 10
4) Bluetooth

• Care should be taken to prevent cross-contamination of evidence between


different cases.

• For all phones that require a SIM, the examiner shall process the SIM twice;
installed and uninstalled from the handset.
o If the mobile phone is inactive (powered off)
 Remove the SIM and acquire its data with a validated tool first. (Note:
Powering on a mobile phone with anything other than the active SIM for
the phone, or a RIC, may result in the loss of data)
o If the mobile phone is active (powered on)
 Data should be acquired from the mobile phone using a validated tool
before removing the SIM. (Note: This may alter the status flags of unread
text messages present on the SIM)

• The examiner should ensure that the data extracted is an accurate depiction of
what is on the suspect device.

C) Examination and Analysis


Examination of data acquired from a mobile phone affords visibility of evidence to
determine the presence or absence of specific data. Analysis of data acquired from a
mobile phone provides significance and probative value to the case.

Various tools at multiple levels of analysis may be required to provide a holistic view of
the data contained within the memory of the mobile phone, SIM, or associated media
(e.g., Compact Flash, MMC, SD Card, MicroSD, etc.).

Hex-dump, Chip-off and MicroRead examinations may require the use of traditional
computer forensic tools to accomplish data carving or data correlation/analysis to display
and save the data in a logical view.

D) Documentation
Documentation should meet the requirements of the examiner’s agency and applicable
policies.

Evidence handling documentation should include but is not limited to:


• Copy of legal authority
• Chain of custody
• Detailed description of the evidence (may include photos)
• Photographs or documentation of any visible damage
• Information regarding the packaging and condition of the evidence upon
receipt by the examiner

Best Practices for Mobile Phone Examinations


Version 1.0 (May 21, 2009)
This document includes a cover page with the SWGDE disclaimer.
Page 7 of 10
Examination documentation should:
• Be case specific
• Contain sufficient detail to allow another examiner, competent in the same
area of expertise, to identify what has been done and to access the findings
independently.
• Include communication notes regarding the case.
• Be preserved according to the examiner’s agency policy.

E) Archive

• Mobile phone acquisitions are unique insofar that the tools may capture data using
proprietary formats.

• The acquisition case files should be archived and maintained consistent with
departmental policy and applicable laws.

6.0 Report
Reports should:

• Seek to address case specific requests from the investigator.


• Provide the reader with all the relevant information in a clear and concise manner.

7.0 Review

• The examiner’s agency should have a written policy establishing the protocols for
review. Types of reviews may include:
o Peer
o Administrative
o Technical

• The examiner’s agency should have a written policy to determine the course of action if
an examiner and reviewer fail to reach agreement.

• Review should include case specific information procedures followed during the forensic
examination process.

• Review processes should be periodically updated.

8.0 Reference Sites and Publications


The below listed resources provide information that may prove helpful to the examiner:

1. NIST Guideline on Cell Phone Forensics


2. www.search.org

Best Practices for Mobile Phone Examinations


Version 1.0 (May 21, 2009)
This document includes a cover page with the SWGDE disclaimer.
Page 8 of 10
3. www.nw3c.org
4. www.mobileforensicscentral.com
5. www.phone-forensics.com
6. ACPO Guidelines
7. www.forensics.nl/
8. www.phonescoop.com
9. www.ssddfj.org

Best Practices for Mobile Phone Examinations


Version 1.0 (May 21, 2009)
This document includes a cover page with the SWGDE disclaimer.
Page 9 of 10
Scientific Working Group on
Digital Evidence

History: SWGDE
Rev # Issue Date Section History
Original draft
1.0 5/21/09 All

Best Practices for Mobile Phone Examinations


Version 1.0 (May 21, 2009)
This document includes a cover page with the SWGDE disclaimer.
Page 10 of 10