Pearson suggests removing the phone's battery and leaving the phone off without turning the phone on for any reason, including looking at the electronic phone book. He also emphasizes the importance of putting procedures in place for first responders to collect evidence in a pristine manner.

Guidelines establish policies and procedures
Even if they are not examining their own cell phones, law enforcement agencies should be familiar with the "Guidelines on Cell Phone Forensics: Recommendations of the National Institute of Standards and Technology" (NIST) by Wayne Jansen and Rick Ayers. (www.csrc.nist.gov). A finalized version of the guidelines was recently published in June.
The intent of the guide is to help organizations establish policies and procedures for dealing with cell phones, and to prepare forensic specialists to contend with new circumstances involving cell phones. An executive summary points out that the guide is not all-inclusive, nor does it prescribe specifically how to handle mobile devices during investigations or incidents.
Guidelines on preserving, collecting, packaging, transporting and storing evidence will be especially helpful when setting policies and procedures for first responders.
NIST references the Mobile Phone Forensic Tools Sub-Group of the Interpol European Working Party on IT Crime, which identified how the United Kingdom's Association of Chief Police Officers (ACPO) Principles of Evidence apply to seizing mobile phones, and offers these guidelines:
- Isolate the phone from other devices used for data synchronization;
- Pull the plug from the back of the computer if the device is found in a cradle or connected via a cable;
- Seize the phone, cradles and cables;
- Do not remove media cards, SIMs or other hardware residing in the phone; and
- Seize product manuals as well.
The guidelines indicate "isolating the phone from the radio network is important to keep new traffic, such as SMS messages, from overwriting existing data, if the phone is turned on when found.
"Besides the risk of overwriting potential evidence, the question may arise whether data received on the phone after seizure is within the scope of the original authority granted."
Cell phones should be packaged, transported and stored in evidence bags. NIST guidelines recommend using static-proof bags and hard containers to prevent keys from being pressed and radio frequency isolation bags for phones left on.
SEARCH, The National Consortium for Justice Information and Statistics, a non-profit membership organization created by and for the states, offers a description of basic hardware and software specifications required to retrieve information from cell phones.
"Creating a Cell Phone Investigation Toolkit: Basic Hardware and Software Specifications" can be found at www.search.org/files/pdf/CellphoneInvestToolkit-0806.pdf. As part of the publication, SEARCH lists specific products and suggestions to prevent a phone from receiving a signal.

Challenges of cell phone forensics
Even when cell phones are in pristine condition when they arrive in the laboratory, digital evidence recovery typically is not an easy task.
"Cell phones are not my favorite," politely describes Cpl. Rodney Van Horn of the Charleston (South Carolina) Police Department's Digital Evidence Unit. But, he says, "If an investigation requires examining cell phones, they must be done."
Kessler sums up the problem by saying there is little consistency with hardware and software interfaces. New cell phone models, with different operating systems and cabling requirements, are constantly evolving and forensic software has difficulty keeping pace.
"I don't like receiving an item for examination and not knowing whether or not the program can produce results with it," Van Horn says.
Not all cell phones can be examined with software.
Cell phone forensics is similar to computer forensics because examiners aim to preserve data in its original format.
But Bill Teel, president and founder of Teel Technologies, a cell phone forensics solution provider, says it's not as easy to do this with cell phones as it is with computers. Examiners cannot wholly image a phone and all its data, he explains.