What guidelines does NIST provide for handling mobile device evidence? | BOT24

What guidelines does NIST provide for handling mobile device evidence?


If you are interested in mobile forensics The NIST document (http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf) covers guidelines you should meticulously review. The guidelines are in reference to Cell Network Characteristics, Mobile Phone Characteristics, Identity Module Characteristics, Forensic tools, tools that deal specifically with (U)SIM, Handset Tools, Integrated Toolkits, Tool capabilities and what to look for in tools, Planning how personnel fulfill these roles when responding and participating in an investigation, talks about chain of custody due to devices being easily manipulated so you must take due care, Procedural Models are explored, Preservation involving the search, recognition, documentation, and collection of electronic based evidence, Ensuring that the proper authorizations (e.g., a search warrant or consent from the owner) are in place is paramount for beginning an investigation, Evidence must be accurately accounted for and identified,  Isolating the phone from other devices used for data synchronization is important to keep new data from contaminating existing data and other ways of collecting evidence,  Packaging, Transporting, and Storing Evidence such as once the device is ready to be seized, the forensic specialist should seal the device in a static proof bag and tag it. The doc also discusses Acquisition the process of imaging or otherwise obtaining information from a digital device and its peripheral equipment and media, devices need to be identified by the make, model, and service provider, the device  being acquired largely dictates the choice of forensic tools, knowledge about types of volatile and non-volatile memory over which several general categories of data can reside: storage for the operating system code, including the kernel, device drivers, and system libraries, unobstructed device a device that does not require a password or other authentication techniques to be satisfied to gain access to the device and perform an acquisition, recovery of data and talking to the person who initiated investigation once its on lab, also the document goes into how to handle GSM phones and CDMA phones.

The following should be further emphasized:

Preservation and Documentation
When you take possession of the evidence it is essential not to disturb the crime scene. One can not simply remove the mobile phone from the crime scene therefore due care has to be taken to preserve other forms of evidence like finger prints and DNA traces as well. Inclusive with all evidence is the necessary documentation which must comprise of should include at least some pictures with the  phone not being modified and  information on the time and location. Also take note if  the mobile device was switched on or off.
Acquisition
Here is were you obtain data from the mobile device which could been done in several ways. The best case scenario would be to copy data forensically from the device inclusive the SIM card. In certain situations technical issues may not allow for a digital accusation of the device whereby only screen shot photos of the device can be taken.
Examination and Analyses
Here is where the acquired data is analyzed in reference to a potential violation or possible crime. Examination of the mobile device can either be performed manually or with software applications which all differ but you should use a few of them for validation purposes and to make sure you do not miss a critical piece of evidence.
Reporting
Reporting evidence is one of the most significant steps in the process. Remember when acquiring evidence and presenting it in a court of law a large amount of time could have gone by therefore the investigator needs to be able to present his evidence in a conclusive manner and provide informative information on the process and tools he/she utilized and I cannot emphasize enough how important proper documentation is. This is why the forensic process must be extremely efficient when one goes to court otherwise, how one collects and the methodology used to acquire the evidence can be questioned and discarded.


Reference: http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf
Share on Google Plus

About Bradley Susser

    Blogger Comment
    Facebook Comment

0 comments :

Post a Comment