Mobile devices, including smartphones, present a variety of unique challenges to investigators involved in forensic examinations of data from these devices. Part of the challenge arises from the fact that there are so many different makes and models of phones using a variety of underlying operating systems. Because of this, there is no one-size-fits-all forensic solution for mobile devices, and in many cases, numerous tools may need to be used to obtain the data needed for a particular investigation. Additionally, traditional digital forensics concepts may not apply due to the way flash memory functions.
Mobile devices are constantly changing while powered on, and there is no way to write-block a mobile device because it communicates through modem protocols such as AT commands. Because of these factors, the goal in forensics is to make as few changes as possible and to document the changes that are made to the device during the forensic process. [1]
Just powering on a smartphone generates changes to the data and traces that can be observed during a forensic examination of the device. This is true even if the user does not operate the device other than just powering it on. The device, once powered on, reaches out to the mobile network to authenticate on the system and may store last-location data related to mobile towers or GPS if it is enabled.
At some point, however, with few exceptions, the phone most likely must be turned on in order to work with it, unless the capability for data extraction through physical, JTAG, ISP (In System Programming), or chip-off methods exists. Therefore, we need to take steps to make as few changes to the device as possible and to control and document the changes we do make.
Another consideration is the current state of the device when you receive it. Is the device HOT or COLD? A HOT device would be one that was recently unlocked with the passcode by the user. A COLD device would be one that was freshly restarted and has yet to be unlocked. These concepts make a difference in handling and how the tools can access the data. For more information on HOT and COLD devices, refer to the Cellebrite webinar provided by Heather Mahalik and Shahar Tal on Android Encryption (https://www.cellebrite.com/en/resources/webinars/).
For more information on the worst mistakes to make on iOS devices, refer to the blog post by Elcomsoft: https://blog.elcomsoft.com/2020/01/the-worst-mistakes-in-ios-forensics/. It’s crazy to think that simply looking at the phone could hurt your chances of accessing it if doing so resets the biometric lock.
As stated earlier, smartphones are specifically designed to communicate with other devices, whether through the mobile network, a data connection, Bluetooth, or similar wireless technologies.
To prevent incoming calls, texts, and other data from affecting the integrity of data of potential evidentiary value on the smartphone, as well as to prevent overreaching legal authority, attempts should be made to block incoming and outgoing signals to the device.
Additionally, it is possible to remotely wipe a smartphone or other mobile device either by use of a variety of mobile applications or by having the carrier remotely wipe the device by reporting it stolen and requesting that it be wiped.
Common methods for isolating smartphones include Radio Frequency (RF) blocking containers and jamming appliances.* Be aware that blocking radio frequency signals will drain the battery as the smartphone repeatedly tries to connect to the mobile network. Faraday devices can be expensive, and their use may not prevent the alteration of mobile phone data if the device fails. [2] It is also difficult to operate touchscreen devices through Faraday materials, and not all Faraday technologies are see-through or flexible enough to allow manipulation of a smartphone. Additionally, Faraday technologies have a fairly high failure rate and cannot be completely relied on to block wireless signals. [3] If a Faraday failure occurs, document any known changes that were made to the phone, including incoming text messages, calls, or other communications.
*Be sure that it is legal for you to use signal jamming equipment. In the United States, most private and public organizations do not have legal authority to do so.
References:
[1] https://for585.com/byg0f ("Cellular Phone Evidence Data Extraction and Documentation", V.3, Cindy Murphy)
[2] https://for585.com/0q38a (SWGDE Best Practices for Mobile Phone Forensics)
[3] https://for585.com/t5ugz (Eric Katz’s dissertation on Faraday solutions, Purdue)