Cell Phone Forensics
Revision as of 22:04, 29 October 2007 by Rmislan
- If on, switch it off. If off, leave off.
- Note: only under exceptional circumstances should the handset be left switched on, and in any case every precaution should be taken to prevent the handset from connecting with the Communication Service Provider. Consider using one of the many wireless preservation or RF isolation techniques. Note that the slightest signal leakage will allow an overwriting text message through even if a phone call can't get through.
- Instead of switching off, it may be better to remove the battery. Phones run a different part of their program when they are turned off. You may wish to avoid having this part of the program run.
- Note that removing the battery or powering off a mobile phone may cause the handset to ask for an unlock code when the device is powered on again.
- Collect and preserve other surrounding and related devices. Be especially careful to collect the power charger. The phone's battery will only last a certain amount of time. When it dies, much of the data on the device may go too!
- Plug the phone in, preferably in the evidence room, as soon as possible.
- Retain search warrant (if necessary - LE).
- Return device to forensic lab if able.
- Use forensically sound tools for processing. However, also remember that ACPO Principle 2 says: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Expand on what to collect:
- Model Number,
- Color, and
- Other information related to Cell Phone and SIM Card...
- Photograph the Cell Phone screen during power up.
- Research the Cell Phone for technical specifications.
- Research the Cell Phone for forensic information.
- Based on the phone type (GSM, CDMA, iDEN, or Pay As You Go), determine the acquisition tools.
- Phone and SIM Card
- SIM Card
- Three major tools exist for iDEN Phones:
- iDEN Companion Pro
- iDEN Media Downloader
- iDEN Phonebook Manager
Pay As You Go:
Articles and Reference Materials
- E-Evidence.Info Articles, Papers, Presentations, etc.
- Forensic Analysis of Mobile Phones
- Forensics and the GSM Mobile Telephone System
- Law Enforcement, Forensics and Mobile Communications
- Mobile Phone Forensics & PDA Forensics Links
- Netherlands Forensic Institute: Mobile Phone Forensics Examination - Basic Workflow and Preservation
- U.S. National Institute of Standards and Technology Documents
- Creating a Cell Phone Investigation Toolkit: Basic Hardware and Software Specifications
- E-Evidence.Info Mobile Forensic Tools
- ForensicFocus.com (Practitioners Forum)
- Hex-Dump.com (Advanced Forum for Hex Dump and Memory Analysis)
- Mobile-Examiner.com (Forum for Practitioners)
- Mobile-Forensics.com (Research Forum for Mobile Device Forensics)
- Mobile Forensics Training Forum (Mobile Device Investigative Support and Training)
- SmartPhoneForensics.com (Mobile Device Forensics Training and Investigative Support)
- Phone-Forensics.com (Advanced Forum for Practitioners)
- TREW Mobile Telephone Evidence (Mobile Telephone Evidence Practitioner Site)
- GSMArena.com (Technical information regarding GSM Cell Phones)
- MobileForensicsCentral.com (Information regarding Cell Phone Forensic Applications)
- PhoneScoop.com (Technical information regarding all Cell Phones)
- Small Scale Digital Device Forensics Information