Policy only goes so far. Also understand how you’re going to obtain the data. Just as with a civilian’s device, it’s not appropriate to “thumb through” text messages, images, or other data. That would be like thumbing through all the pictures, files and personal effects within an officer’s home.
“Digital first responder” training is imperative for everyone in the agency, including any officer or commander responsible for conducting internal investigations. This training helps the investigator understand how to preserve digital evidence.
For instance, it would not be enough to put an iPhone in Airplane Mode. The investigator also needs to turn off its wi-fi. Doing one but not the other would still allow the device to send and receive data from wi-fi access points, changing data on the device.
Investigators should also be sure to collect data and power cables for all relevant devices. While Android phones use micro USB and therefore have interchangeable power cords, other makes and models do not; Apple iOS devices, for instance, do not have consistent power cabling. If you don’t collect the right cables, you may face having to purchase one.
Keep cables with the devices they’re meant to go with, separate from other devices and cables. Label everything: device make and model, whose it is, case control number. If for some reason you could not collect the cable, note that too.
Internal investigations may start in the field rather than in the office. In this event, a small “first responder” kit (which should be standard issue in all field vehicles) should be maintained. The kit should include a Faraday bag or box to help you isolate the device as you transport it from the scene to the office or forensic lab.
If the device is locked, obtain its password. This may be part of consent to search -- be sure to maintain consent forms for BYOD scenarios -- or the employee may be compelled to provide the password. Keep in mind that the officer may be unwilling or unable (if physically injured) to provide the password. In this event, know whether your agency’s or government’s IT staff maintains device passwords, and whether they can be reset over the network.
Finally, once you have the device and all necessary legal authority, examine or assign the examination like you would any other evidence device. Know who in your agency or region can perform mobile forensic examinations, and how to contact the on-call specialist.
If you are the one doing the examination, it is wise to undergo training on how to use the forensic tool, including obtaining any necessary certifications. It may also be wise to perform any search in the presence of the officer’s union representative or attorney, or request independent examination by a district attorney’s or attorney general’s investigative staff.
Communicate with employees
Employees should understand that nothing on their personal mobile device is truly “private.” It could become discoverable for any reason at all. Employees should be taught to assume their mobile devices may be searched at any time, and that the old saying “better to ask forgiveness than permission” may not be true of mobile device usage.
Clearly communicate what policies exist and why, along with any changes that are made as soon as they are made. Make sure employees also understand the SOP that goes along with those policies and what their rights are. Know how to answer any questions they might ask, which means working with the city attorney to address them.
Annual in-house training, complete with scenarios and/or role-play, can help in this regard. Regular briefings on offenses, right and wrong responses, implications and consequences of each, and what officers are required to report should all be built into this type of training.
Just like social media posts, mobile device content can affect your credibility as a witness in court, and your usage habits can affect the public’s perception of your professionalism. Strong policies, procedures, and training can help both officers and agencies protect themselves and one another from damaging mobile device misuse.
For more information: