Method 1: Always Off Rule for Cell Phones [1]

This method works well if there will be a time delay in examination of the phone that could potentially result in battery discharge and data loss:

•  Seize the phone and turn it off for evidence preservation

•  The battery may be removed to prevent the phone from accidentally being turned on

•  Only turn the phone on when a trusted tool directs you to do so

The benefits of turning off the phone during collection include:

•  Preserving call logs and last cell tower location information (LOCI)

•  Preventing overwriting deleted data

•  Preventing data destruction signals from reaching the mobile phone

•  Preventing improper mobile phone handling (for example, placing calls, sending messages, taking photos, or deleting files)

The risks of turning off the mobile phone include possibly engaging protection mechanisms, such as encryption, passwords, PIN codes, and more [2]. Turning off the phone also results in loss of data from RAM. However, it is unlikely you will capture that data due to constraints that will be discussed later in this course. Use caution when turning off a device that was HOT (that is, recently unlocked with a passcode), as this may be your only chance to get the most thorough dump of data from that phone.

References:

[1] Det. Cynthia Murphy, Collection of Cell Phones as Evidence: Suggested Practices (Madison, WI: Madison Police Department, 2011).

[2] https://for585.com/0q38a (SWGDE Best Practices for Mobile Phone Forensics)