Considerations for Handling Mobile Devices During an Investigation

There are special considerations for preserving and obtaining electronic evidence on mobile devices. Mobile devices can be threatened by remote wipes, remote control, battery failure, network connectivity issues, and loss of volatile memory. How is the data actually extracted?

Data extraction may be performed using manual and logical methods. Manual extraction involves manipulating the mobile device physically by using the buttons, keyboard, and touch screen to review the device's contents for digital evidence. Logical extraction uses a forensics workstation or device to connect to and extract the digital evidence from the mobile device with minimal manual manipulation of the device itself.

Logical extraction extracts files and data that are logically present on the file system. Physical extraction is quite different in that a bit-by-bit copy of any data present on the device is made, regardless of file system management or the type of operating system.
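The difference between logical and physical extraction, shown as an added example that is not part of the original page. `ToyDevice`, its file table, and the sample file contents are constructed for illustration and do not model any real mobile file system or forensic tool.

```python
import hashlib

BLOCK = 16  # bytes per block in this constructed toy device


class ToyDevice:
    """Constructed stand-in for device storage: raw blocks plus a file table."""

    def __init__(self, blocks=8):
        self.raw = bytearray(BLOCK * blocks)
        self.table = {}      # filename -> (block index, length)
        self.next_free = 0

    def write(self, name, data):
        assert len(data) <= BLOCK
        off = self.next_free * BLOCK
        self.raw[off:off + len(data)] = data
        self.table[name] = (self.next_free, len(data))
        self.next_free += 1

    def delete(self, name):
        # Only the table entry is dropped; the bytes stay in storage.
        del self.table[name]


def logical_extract(dev):
    """Return only the files the file system still lists."""
    return {n: bytes(dev.raw[b * BLOCK:b * BLOCK + ln])
            for n, (b, ln) in dev.table.items()}


def physical_extract(dev):
    """Bit-by-bit copy of the whole storage plus a SHA-256 for documentation."""
    image = bytes(dev.raw)
    return image, hashlib.sha256(image).hexdigest()


def build_sample():
    dev = ToyDevice()
    dev.write("contacts.db", b"alice:555-0100")
    dev.write("note.txt", b"meet at pier 9")
    dev.delete("note.txt")
    return dev


if __name__ == "__main__":
    dev = build_sample()
    image, digest = physical_extract(dev)
    print("logical:", sorted(logical_extract(dev)))
    print("deleted data in image:", b"meet at pier 9" in image)
    print("image sha256:", digest)
```

Recording the image hash at acquisition lets the examiner show later that the copy under analysis is unchanged.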

What techniques, software, and hardware might the examiner use to document findings of manual, logical, and physical extraction? The resource below, "Software-Forensic Toolkits," may provide insight. What software and hardware items within the device should be included in the extraction? The "Tangential Equipment" resource below provides an overview of some of the mobile devices to be checked.

Hardware and software items such as storage (internal and external), volatile memory, application software, system software, and SIM cards may all be part of your investigation. The resources below offer some scenarios that might be useful when gathering information from mobile devices.
