

Principle 1:
No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court. Only in a Phone-Shield Faraday Bag is this possible without resorting to turning the mobile phone off.
Principle 2:
In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions. Done in a Phone-Shield Faraday Bag, no network interference will occur and no time and date settings will be lost.
Principle 3:
An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4:
The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
Seizure / Preservation of Evidence
Principle 1 has the following implications for personnel involved in the seizure of mobile phones.
Isolate device from network - this may be achieved by one of the following techniques:
• Turn device off at the point of seizure
Authentication codes (e.g. SIM PIN and/or handset security codes) may be required to regain access to the device and data. This may delay examination. In circumstances where delay is unacceptable, such as where life is at risk, specialist advice should be sought. In the case of some overseas service providers PUKs may never be available. If the device is left on, changes MAY occur to content which would be undesirable (scheduled scripts etc.).
• Place device in shielded container/bag
Battery life will be reduced due to the power increase as the handset tries to connect to the network. Therefore, immediate delivery to the examination unit is required. For devices that have volatile memory, consideration should be given to charging the device at appropriate intervals to ensure that data is not lost.
Examination
Principle 1 has the following implications for personnel involved in the examination of mobile phones.
Isolate device from network - this may be achieved by one of the following techniques:
• Use a jamming device - NOT RECOMMENDED
Such devices are illegal in many countries. Use of such a device may also interfere with network coverage outside of the examination area.
• Use a shielded room - RECOMMENDED
For a fixed room, cost is relatively high and examinations are tied to a specific location (i.e. reduced mobility). “Faraday tents” are a cheaper and portable solution but are likely to be less secure than a fixed room (and cables cannot be fed into the tent as they will act as antennae). Battery life will be reduced due to the power increase as the handset tries to connect to the network - the device should be fully charged prior to examination. The Phone-Shield Faraday Bag by Disklabs will resolve this issue: it is tested, re-usable and not expensive.
• Use a shielded container/box
This may allow examinations to be conducted safely at different geographic locations.
Battery life will be reduced due to power increase, as handset tries to connect to network.
As such, the device should be fully charged prior to examination or a portable power source attached to the device within the enclosure. Cables into the box must be fully shielded to prevent intrusion by network signals.
• Use an “access card” type SIM that will mimic the identity of the original SIM card and will not allow network access
This does allow examinations to be conducted safely at different geographic locations.
Such cards need to be configured with the exact subscriber/card identity to “fool” the handset into thinking that the original SIM is present. Although the user data is preserved, there is a possibility that other data on the handset may be lost or changed as a result of such a card being inserted.
• Request that service provider disable the subscriber account
This would require intervention by the service provider, who may not be willing to co-operate. Such an approach has not been thoroughly tested and the effects on the handset and SIM are not fully understood at the time of writing. Therefore, this is not a recommended approach at this time. Moreover, if the subscriber account is disabled, any voicemail held on the system for that account may be lost.
Use software which is designed for forensic use wherever possible
Most tools acquire data via requests to the operating system, therefore 2-way data transfer is inevitable. The device may not be supported by a forensic tool, only by a handset manager type product. If using non-forensic tools:
• they should be tested in a safe environment with the same make/model of device prior to use on the actual exhibit so that their operation / effects are understood.
• they should be used as late as possible in the examination process.
Use a secure reliable connection interface which minimises data change on the device
Check that the cable is secure, generally reliable and has the least impact on the handset. Infra-red is less secure, less reliable and will normally require interaction on the exhibit to activate. Bluetooth is currently the least secure of the choices of interface and data will typically be written to the handset during the activation / authentication process. When using Bluetooth be aware that there is a risk of infection of the examining computer equipment by a software virus which may compromise current and subsequent examinations. Cable is the preferred interface, followed by infra-red, then Bluetooth, then WiFi. WiFi interfaces may be available in the near future and will require evaluation at that time to assess their suitability.
Examiners should accept that the process of reading some data types will affect their state
For example, retrieving un-read SMS messages via the handset may result in their status changing to “Read”. This may be unavoidable but should be logged. Subsequent examinations may therefore produce different results.
Plan the examination process to avoid the loss of data which is very important to the case
Sequence of examination (i.e. handset vs. SIM) will depend upon a number of factors and the decision may lead to data loss. The decision on sequence will depend to some extent upon case specifics (e.g. importance of dates and times), as well as the examination environment and tools available. Removing the SIM typically requires battery removal which MAY lead to loss of time and date information.
Allowing the battery to become completely discharged may also result in the loss of date and time information. Therefore, provision should be made for early (and maybe repeated) charging to minimise this risk. Turning the handset on with the original SIM card present may lead to changes of data on the SIM card (e.g. Location Area Information).
In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Seizure / Preservation of Evidence
Principle 2 has the following implications for personnel involved in the seizure of mobile phones.
Ensure that seizing personnel are trained to deal with mobile devices and are equipped with appropriate packaging materials. Seizing personnel should be aware that mobile devices may have the ability to wipe data and hence any manual interaction with the device should be minimised. Although this is not currently common, it is likely that destructive tools/scripts will appear in the same way as they have with PCs.
Examination
Principle 2 has the following implications for personnel involved in the examination of mobile phones:
Ensure that examiners have received relevant and current training in the tools and procedures that they will use. Before undertaking real case work, an examiner should have prior and recent experience of examining a device of similar functionality with the tool(s)/process to be used. This is particularly relevant if using non-forensic tools which may synchronise the device and PC and possibly cause changes to the evidence stored on the device. The sequence of examination should also take into account the consequences if any forensic tools that introduce agents are used. These violate Principle 1, and the examiner must assess the impact they may have on the integrity of any evidential data and record the decision to use such software. Inserting a different SIM into a handset will, in most cases, result in the deletion or hiding of user data (e.g. call registers). As such, this practice should be avoided. If the handset is on, the authentication codes may be active (e.g. PIN lock on SIM and/or handset security codes) and hence a handset-first examination may be preferable (otherwise the entire examination is delayed).
All examinations should include some degree of manual examination (i.e. navigating through the menu structure of the phone and capturing the contents of the screen display)
The device may not be supported by tools hence manual examination may be the only option for data acquisition. Even if the device is supported by tools, manual examination should be conducted to verify results and ensure completeness of download. Examiners should familiarise themselves with the operation of a device prior to examination (e.g. download of user manual, practice with same make/model). Specifically, the examiner should identify buttons which may result in changes to user data (e.g. the green “Send” button) and which button(s) will cancel an operation and return to the main menu (e.g. the red “End” button).
Exercise care when dealing with access PINs/passwords to avoid permanent damage to the device
The first step for SIM cards should be to check the number of remaining attempts for PIN & PUK using a forensic tool. It may be appropriate to “try” the PIN based on service provider defaults etc. in order to avoid the delay in receiving the PUK from the service provider. Three attempts can be made to enter the correct PIN. However, one PIN attempt should always be left in case the PIN is provided by owner or some other means. The PUK should NEVER be guessed as ten incorrect entries will result in the contents of the SIM card being forever irretrievable.
An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Seizure / Preservation of Evidence
Principle 3 has the following implications for personnel involved in the seizure of mobile phones.
Make appropriate use of photography and/or video to record the status of the exhibit.
Consideration should be given to photographing the scene at which the device was seized.
The status of the exhibit at the point of seizure should be recorded. Any on-screen information should be noted and/or photographed.
Examination
Principle 3 has the following implications for personnel involved in the examination of mobile phones.
Ensure that a log of actions taken with the exhibit is maintained
Any changes to the data which occur during the examination should be noted (e.g. accidental changes during manual examination, arrival of incoming messages etc.). Consideration should be given to recording results of the examination (e.g. photography or video) for inclusion within final reports. This is particularly relevant for manual examinations. Even for automated downloads, photographs can be used to indicate the condition of the exhibit and to provide a record of certain key information (e.g. numbers of contacts in the phonebook, numbers of SMS messages etc.), such that the results of forensic tools can be validated. The details of tools and products used (including version numbers) should be recorded.
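An added example, not part of the guidance: one way to keep the Principle 3 log so that an independent third party can check that no entry was altered, dropped or reordered is to chain each entry to the hash of the one before it. The exhibit reference, examiner name and tool version below are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added example, not part of the guidance: a hash-chained examination log.
# Every entry commits to the hash of the entry before it, so an independent
# third party can confirm the recorded sequence of actions is intact.

GENESIS = "0" * 64  # chain anchor for the first entry


def _entry_hash(prev_hash: str, entry: dict) -> str:
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class ExaminationLog:
    def __init__(self, exhibit_ref: str, examiner: str, tools: dict):
        self.entries = []
        # The first entry records exhibit, examiner and tool versions.
        self.append("examination_started", exhibit_ref=exhibit_ref,
                    examiner=examiner, tools=tools)

    def append(self, action: str, **details) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries),
                 "time": datetime.now(timezone.utc).isoformat(),
                 "action": action, "details": details, "prev": prev}
        entry["hash"] = _entry_hash(prev, entry)  # hash covers all other fields
        self.entries.append(entry)
        return entry


def verify_log(entries: list) -> bool:
    """Recompute the chain; any edit, deletion or reordering breaks it."""
    prev = GENESIS
    for seq, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != seq or e["prev"] != prev or _entry_hash(prev, body) != e["hash"]:
            return False
        prev = e["hash"]
    return True


def build_sample_log() -> ExaminationLog:
    # Constructed sample values; exhibit reference and tool name are placeholders.
    log = ExaminationLog("EXHIBIT-REF-PLACEHOLDER", "examiner-placeholder",
                         {"sim-reader-tool-placeholder": "version-placeholder"})
    log.append("exhibit_photographed", note="screen shows 3 unread SMS")
    log.append("incoming_message_observed", note="SMS arrived during examination")
    log.append("manual_read_sms", effect="unread SMS now marked Read")
    return log
```

Each entry carries its own timestamp and the hash of its predecessor, so the log can be handed over as a JSON file and re-verified with verify_log without access to the examiner's system.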
The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
Seizure / Preservation of Evidence
Principle 4 has the following implications for personnel involved in the seizure of mobile phones.
The investigating officer should ensure that personnel involved in seizing mobile devices are appropriately trained.
Examination
Establish effective communication between the examiner(s) and the investigating officer. Only the investigating officer can fully understand the importance or relevance of specific data held on the device. In some situations, the most suitable examination process may result in the loss of specific data (e.g. date and time from battery removal). The examiner cannot fully appreciate the importance or relevance of such information without guidance from the investigating officer. Clear and open dialogue between the examiner and investigating officer is required to ensure that data which is critical to the case is not lost.
The examiner should recommend an examination strategy which is appropriate to the nature of the case and explain the implications of this to the investigating officer
At the basic level, standard forensic tools should retrieve active handset and SIM data (i.e. what can be viewed via the handset by the user). In addition, deleted SMS messages can be retrieved from the SIM. At an intermediate level, the use of flash dump techniques may be able to recover deleted and other useful handset data, but requires specialist hardware and expertise. At the most advanced level, physical removal of memory chips is possible, but requires very specialist hardware and expertise. Such techniques may be able to recover deleted handset data (possibly over and above that from flash dumps).
Other considerations
The following issues should also be considered when dealing with mobile phone exhibits.
The examination should take into consideration any requirements to preserve other forensic evidence (DNA, fingerprints, firearms, narcotics)
The sequence of examination is critical (e.g. fingerprint retrieval techniques may result in the handset being unusable). Examining a handset, without taking appropriate precautions, might destroy vital fingerprint or DNA evidence.
Seizing personnel should aim to take any other material and equipment related to the device
Cables, chargers, packaging, removable media cards, manuals, phone bills etc. may assist the enquiry and minimise the delays in any examination. Packaging materials and associated paperwork may be a good source of PIN / PUK details. Consideration should be given to seizing PC equipment that may have been used to synchronise or otherwise connect to the handset. Finally, be aware that some handsets may have automatic housekeeping functions which clear data after a number of days. For example, some Symbian phones start clearing call/event logs after 30 days, or after any other user-defined period.