The ON/OFF method works well if the phone can be examined in a timely manner. The ON/OFF rule is explained here.
If the phone is ON, do NOT turn it off. If the phone is OFF, leave it OFF. Place ON cell phones in a Faraday bag, arson can, or four to five layers of aluminum foil, or place the phone in Airplane mode (if equipped) to prevent the phone from communicating wirelessly, which could potentially destroy evidence. Maintain power to the battery so that the phone doesn’t die, which could cause the loss of some or all data, depending on the phone model. Gather any associated cables, accessories, or documentation for the device.
Remember that turning off a password-protected cell phone could render the data on the phone inaccessible. Also, turning on a phone to go through it looking for numbers, contacts, text messages, pictures, or anything else may destroy valuable evidence.[1]
Exigency may dictate that the mobile phone remains on for immediate processing. If the mobile phone must be left on, isolate it from its network while maintaining power.[2]
• Radio Frequency (RF) shielding: Mobile phones communicate with cell towers. Allowing this communication changes data on the phone.
• Many mobile phones can be placed in Airplane mode, limiting access to cell towers (911 calls still available). This requires user input on the handset.
• Disable Wi-Fi, Bluetooth, RFID, and IrDA communications if practical.
Before beginning examination of a mobile device, to avoid legal penalty or exclusion of evidence, ensure that you have proper legal authority to perform the forensic examination.
Legal authority varies by jurisdiction and can be significantly different depending on where you live and what sort of examination you are performing.
In the U.S., case law regarding mobile devices is in a state of flux. If you have any questions about whether what you are doing is legally acceptable, consult legal counsel. Search of cell phones incident to arrest has been determined to be unlawful in most circumstances by the U.S. Supreme Court (Riley v. California).[3]
Be particularly conscious of the fact that a mobile device is a “window” to access other user accounts where the data exists not on the device itself, but in the cloud or in an account on the internet. Legal authority to perform a search of data contained within the mobile device does NOT normally extend to data stored on the internet but accessed by the device.
References:
[1] Det. Cynthia Murphy, Collection of Cell Phones as Evidence: Suggested Practices (Madison, WI: Madison Police Department, 2011).
[2] https://for585.com/0q38a (SWGDE Guide to Mobile Phone Forensics)
[3] https://for585.com/mez8q (Riley v. California)