Cb4abc Bfac8250

Best practices for collecting mobile devices in a civil case vs criminal case

The collection of mobile devices in civil cases vs criminal may differ for several reasons. The primary difference is after a mobile device has been imaged or the data extracted, it is returned to a state of usage.  In criminal cases once the device is imaged, it is kept powered off and held as evidence.

As such, a recommended process for mobile device collections in civil matter may have different procedures and areas to consider and best practices are covered below.

Areas of Consideration and Discussion:

  • Collection
  • Acquisition/Imaging
  • Analysis
  • Reporting

 

l.      Collection:

In order to use a mobile device collection successfully in a scenario where the device will not be held into custody, steps to should be taken to preserve and validate the data collection whether the collection is a logical or physical mobile device extraction.

a.     Prior to moving the mobile device, ensure that it has been properly documented and/or photographed.

b.     Create a historical record of personnel access, condition and location of the mobile device.  Only if necessary or requested, document the transfer of the evidence from location-to-location or person-to-person in a chain-of-custody form approved by the Law Firm or Attorney.

c.     Mobile devices, such as smartphones, tablets, smart watches, etc. have to be treated as live collections – meaning the devices are not only constantly changing, but once the device is collected and then returned to an active state, the device will no longer be an identical copy of the collection. Therefore, these collections are termed as “Snapshots” of the actual device.

d.     Use a power source while imaging the mobile device to prevent a power off during the collection process.

e.     Prior to imaging, place the mobile device into Airplane/Flight Mode to eliminate all incoming and outgoing transmissions. This is considered a proper isolation method and even if the device is going to be used after the collection is completed, isolating the device during the collection is recommended.

f.      If necessary, locate the “auto-lock” or “screen timeout”, set to “never” or the maximium time allowed to prevent the device from locking during imaging .

g.     Document or notify the device custodian or owner of any changes that are made to the original configuration of the mobile device in order for them to choose to reset them after the imaging process.

II.        Acquisition/Imaging is the process of extracting a forensic copy and/or snapshot-image and/or logical data files and application based information from the internal and external storage media inside the mobile device, whenever possible avoiding the alteration of the original evidence.  Prior to performing the acquisition process, obtain the necessary court order or consent to search from a person with consent authority.

a.     Consent to Search: A signed consent to search form obtained from the owner or custodian is needed to Acquire/Image the device.

b.     During the Acquisition/Imaging steps, personnel shall:                                          

Ensure the destination storage media is forensically clean or digitally sterile of any previously stored data, by conducting a forensics process called “wiping” on the storage media.

Format the wiped storage location/media using the Windows extended File Allocation Table (exFAT).                                     

Create a folder on the forensically clean storage media with a unique name relative to the matter; example:  201725_device/model_forensicimagename_32GB_Item1.  Some information which can be included are:

1.     Device Owner Name and/or Case Number

2.     Device Name/Model (evidence and/or serial number, if possible)

3.     Extracted Data Name/Type

4.     Data Storage size

5.     Evidence Item Number

c.     Launch the mobile forensics tool/software authorized for use to acquire or image mobile device evidence and complete the imaging process.

d.     During the initial acquisition/imaging process, the tool/software will allow for the inclusion of a unique signature or “digital fingerprint” of the extracted data and/or image file.  This unique signature is called a hash signature or value.  At minimum, the investigator/examiner shall obtain an MD5 hash value for the evidence.

e.     Once completed, verify the acquisition/image is readable and accessible by forensics software.

III.          Analysis

a.     Utilize appropriate software/tool in accordance with training and/or certification.

IV.          Reporting

a.     Reporting can be verbal and/or written and/or in a format requested by the Law Firm or Attorney.

Leave a Reply

Your email address will not be published. Required fields are marked *