No matter how long you have been working in mobile device digital forensics, you know that smartphones are often the most crucial piece of evidence in criminal investigations. Some think mobile device forensics starts once the phone is handed off to the digital forensic examiner to extract and analyze the data, but that is far from the case. The mobile device forensics process starts as soon as a mobile device, such as a phone or tablet, is identified on scene, seized from a suspect, or handed over by a victim.
Proper seizure, handling, and documentation practices are essential to securing and maintaining data integrity. Here are a few mobile device forensics dos and don’ts that can help you and your agency ensure you are following best practices.
Three Dos of Mobile Device Forensics
DO obtain proper legal authority before accessing and collecting data from a seized device so you can present the digital evidence in court.
DO document everything you can about the device: where it was found, its condition, and who took control of the evidence. Keeping a record of this information from the start will help you show the chain of custody.
DO keep the device powered on and isolate it from cellular and Wi-Fi networks by placing it in a Faraday solution to mitigate risks and increase your chances of extracting critical evidence.
Three Don’ts of Mobile Device Forensics
DON’T alter the device state unless it is necessary to preserve the digital evidence. If you take any steps to do so, document them.
DON’T engage biometric readers. Triggering these could count as an unlock attempt or alter evidence within the device.
DON’T end your search when you find a mobile device. A wide array of additional devices could be part of the same ecosystem and may contain actionable intelligence.
These dos and don’ts just begin to scratch the surface of best practices for mobile device digital forensics.