Difference between pages "Cell Phone Forensics" and "Incident Response"

From ForensicsWiki

= Cell Phone Forensics =

== Guidelines ==

# If on, switch it off. If off, leave off.
#* Note: only under exceptional circumstances should the handset be left switched on, and in any case every precaution should be taken to prevent the handset connecting with the Communication Service Provider. Consider using one of the many [[wireless preservation]] or [[RF isolation]] techniques. Note that the slightest signal leakage will let an overwriting text message through even if a phone call cannot get through.
#* Instead of switching off, it may be better to remove the battery. Phones run a different part of their program when they are turned off, and you may wish to avoid having that part of the program run.
#* Note that removing the battery or powering off a mobile phone may cause the handset to demand an unlock code when it is powered on again.
# Collect and preserve other surrounding and related devices. Be especially careful to collect the power charger. The phone's battery will only last a certain amount of time; when it dies, much of the data on the device may go too!
# Plug the phone in, preferably in the evidence room, as soon as possible.
# Retain [[search warrant]] (if necessary - [[LE]]).
# Return the device to a forensic lab if able.
# Use [[forensically sound]] tools for processing. However, also remember that ACPO Principle 2 says: in exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

== Notes ==

To expand on what to collect:

* [[ESN]],
* [[IMEI]],
* [[Carrier]],
* Manufacturer,
* Model Number,
* Color, and
* Other information related to the [[Cell Phone]] and [[SIM Card]]...

Process:

# Photograph the [[Cell Phone]] screen during power up.
# Research the [[Cell Phone]] for technical specifications.
# Research the [[Cell Phone]] for forensic information.
# Based on the phone type ([[GSM]], [[CDMA]], [[iDEN]], or [[Pay As You Go]]), determine the acquisition tools.

GSM:
# Phone and SIM Card
# SIM Card

CDMA:
# Phone

iDEN:
# Three major tools exist for iDEN Phones:
#* iDEN Companion Pro
#* iDEN Media Downloader
#* iDEN Phonebook Manager

Pay As You Go:
# Phone

== Links ==

*[http://www.SmartPhoneForensics.com SmartPhoneForensics.com (Mobile Device Forensics Training and Investigative Support)]
*[http://www.Phone-Forensics.com Phone-Forensics.com (Advanced Forum for Practitioners)]
*[http://www.Mobile-Forensics.com Mobile-Forensics.com (Research Knowledge Base for Mobile Device Forensics)]
*[http://trewmte.blogspot.com trewmte.blogspot.com (Mobile Telephone Evidence Practitioner Site)]
*[http://www.Mobile-Examiner.com Mobile-Examiner.com (Forum for Practitioners)]

*[http://www.MobileForensicsCentral.com MobileForensicsCentral.com (Information regarding Cell Phone Forensic Applications)]
*[http://www.GSMArena.com GSMArena.com (Technical information regarding GSM Cell Phones)]
*[http://www.PhoneScoop.com PhoneScoop.com (Technical information regarding all Cell Phones)]

*[http://www.forensicfocus.com forensicfocus.com (Practitioners Forum)]
*[http://www.MobileForensics.com MobileForensics.com (Good article on Cell Phones)]
*[http://www.paraben-training.com/training.html Paraben-Forensics.com (Paraben's Handheld Forensic Training Classes)]

= Incident Response =

Revision as of 11:00, 27 February 2007

Incident Response is a set of procedures for an investigator to examine a computer security incident. This process involves figuring out what happened and preserving information related to those events. Because of the fluid nature of computer investigations, incident response is more of an art than a science.

== Tools ==

=== Individual Tools ===

[[SysInternals]]

=== All in One Toolkits ===

Starting in 2000, [[First Responder's Evidence Disk|FRED]]

== Papers ==

[http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders]

== Books ==

There are several books available that discuss incident response. For [[Windows]], ''[http://www.windows-ir.com/ Windows Forensics and Incident Recovery]'' by Harlan Carvey is an excellent introduction to possible scenarios and how to respond to them.
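As an added example (not ForensicsWiki content, nor any tool the pages name), here is how the Cell Phone Forensics guidelines above can be turned into a seizure intake record: it captures the identifiers the Notes section says to collect (ESN, IMEI, carrier, manufacturer, model number, colour), checks the IMEI against its Luhn check digit, maps the phone type to the acquisition targets and iDEN tools listed under Process, flags departures from the handling guidelines (handset left on without RF isolation, charger not collected), and keeps a hash-chained custody log so later edits to the record are detectable. The field names, the log layout and the sample handset values are this example's own choices; the ESN check is a format check only (8 hex or 11 decimal digits for a 32-bit ESN), and the IMEI value is a constructed test value.

```python
"""Seizure intake record for a handset, built around the Cell Phone Forensics
guidelines. Added example; field names, log layout and sample values are
this example's own, not wiki content."""
from __future__ import annotations

import hashlib
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Acquisition targets (and, for iDEN, the three tools) as listed under Process.
ACQUISITION = {
    "GSM": {"targets": ["Phone and SIM Card", "SIM Card"], "tools": []},
    "CDMA": {"targets": ["Phone"], "tools": []},
    "iDEN": {"targets": [], "tools": ["iDEN Companion Pro", "iDEN Media Downloader",
                                      "iDEN Phonebook Manager"]},
    "Pay As You Go": {"targets": ["Phone"], "tools": []},
}


def imei_check_digit(body: str) -> int:
    """Luhn check digit over the first 14 IMEI digits: every second digit from
    the left is doubled (digit-summed if > 9), the total brought to a multiple of 10."""
    total = 0
    for i, ch in enumerate(body):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def validate_imei(imei: str) -> bool:
    """True for a 15-digit IMEI whose last digit matches the Luhn check digit."""
    return bool(re.fullmatch(r"\d{15}", imei)) and imei_check_digit(imei[:14]) == int(imei[14])


def validate_esn(esn: str) -> bool:
    """Format check only: a 32-bit ESN is written as 8 hex or 11 decimal digits."""
    return bool(re.fullmatch(r"[0-9A-Fa-f]{8}|\d{11}", esn))


@dataclass
class HandsetIntake:
    case_id: str
    phone_type: str                  # GSM, CDMA, iDEN or Pay As You Go
    carrier: str
    manufacturer: str
    model_number: str
    color: str
    imei: str = ""
    esn: str = ""
    left_powered_on: bool = False    # guideline 1: normally switched off
    rf_isolated: bool = False        # guideline 1 note: wireless preservation
    charger_collected: bool = False  # guideline 2
    custody_log: list[dict] = field(default_factory=list)


def acquisition_plan(phone_type: str) -> dict:
    """Targets and tools for the phone type; unknown types get an empty plan."""
    return ACQUISITION.get(phone_type, {"targets": [], "tools": []})


def intake_issues(rec: HandsetIntake) -> list[str]:
    """Guideline departures and identifier problems to resolve before the handset moves on."""
    issues = []
    if rec.phone_type not in ACQUISITION:
        issues.append(f"unknown phone type {rec.phone_type!r}; acquisition tools undetermined")
    if rec.imei and not validate_imei(rec.imei):
        issues.append("IMEI fails check digit; re-read it from the handset")
    if rec.esn and not validate_esn(rec.esn):
        issues.append("ESN is not 8 hex or 11 decimal digits")
    if rec.phone_type == "GSM" and not rec.imei:
        issues.append("GSM handset recorded without IMEI")
    if rec.left_powered_on and not rec.rf_isolated:
        issues.append("handset left on without RF isolation; incoming traffic may overwrite data")
    if not rec.charger_collected:
        issues.append("charger not collected; battery loss may lose data")
    return issues


def _entry_hash(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def log_custody_event(rec: HandsetIntake, actor: str, action: str, when: str | None = None) -> dict:
    """Append a custody entry chained to the previous entry's hash."""
    prev = rec.custody_log[-1]["hash"] if rec.custody_log else "0" * 64
    entry = {"when": when or datetime.now(timezone.utc).isoformat(),
             "actor": actor, "action": action, "prev": prev}
    entry["hash"] = _entry_hash(entry)
    rec.custody_log.append(entry)
    return entry


def verify_custody_log(rec: HandsetIntake) -> bool:
    """Recompute the chain; an edited, removed or reordered entry breaks it."""
    prev = "0" * 64
    for entry in rec.custody_log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev or _entry_hash(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def sample_intake() -> HandsetIntake:
    """Constructed sample: invented case, carrier and model; IMEI is a test value."""
    rec = HandsetIntake(case_id="CASE-0001", phone_type="GSM", carrier="ExampleCell",
                        manufacturer="ExampleCo", model_number="X1", color="black",
                        imei="490154203237518", rf_isolated=True, charger_collected=True)
    log_custody_event(rec, "officer A", "seized; switched off; bagged with charger",
                      when="2007-02-27T11:00:00+00:00")
    log_custody_event(rec, "examiner B", "received in evidence room; placed on charge",
                      when="2007-02-27T12:30:00+00:00")
    return rec


if __name__ == "__main__":
    rec = sample_intake()
    print("issues:", intake_issues(rec))
    print("plan:", acquisition_plan(rec.phone_type))
    print("custody log intact:", verify_custody_log(rec))
```

The custody log is deliberately append-only: each entry commits to the hash of the one before it, so `verify_custody_log` fails the moment any earlier entry is altered, which is the property an examiner wants when the record accompanies the handset from seizure to the lab.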