Good forensic practices apply to the collection and preservation of evidence. Following good forensic practices ensures that evidence will be accepted in a court as being authentic and accurate. Modification of evidence, either intentionally or accidentally, can affect the case. So, understanding the best practices is critical for forensic examiners.
With advanced smartphone features such as Find My iPhone and remote wipes, securing a mobile phone in a way that it cannot be remotely wiped is of great importance. Also, when the phone is powered on and has service, it constantly receives new data. To secure the evidence, use the right equipment and techniques to isolate the phone from all networks. With isolation, the phone is prevented from receiving any new data that would cause active data to be deleted. Depending on the case, sometimes traditional forensic measures, such as fingerprints or DNA testing, may also need to be applied to establish a connection between a mobile device and its owner. If the device is not handled in a secure manner, physical evidence may be unintentionally tampered with and may be rendered useless. It is also important to collect any peripherals, associated media, cables, power adapters, and other accessories that are present at the scene. At the scene of investigation, if the device is found to be connected to a personal computer, pulling it directly would stop the data transfer. Instead, it is recommended to capture the memory of the personal computer before pulling the device, as this contains significant details in many cases.
As evidence is collected, it must be preserved in a state that is acceptable in court. Working directly on the original copies of evidence might alter it. So, as soon as you recover a raw disk image or files, create a read-only master copy and duplicate it. In order for evidence to be admissible, there must be a method to verify that the evidence presented is exactly the same as the original collected. This can be accomplished by creating a forensic hash value of the image. A forensic hash is used to ensure the integrity of an acquisition by calculating a cryptographically strong and non-reversible value of the image/data. After duplicating the raw disk image or files, compute and verify the hash values for the original and the copy to ensure that the integrity of the evidence is maintained. Any changes in hash values should be documented and explainable. All further processing or examination should be performed on copies of the evidence. Any use of the device might alter the information stored on the handset. So, only perform the tasks that are absolutely necessary.
Whenever possible, a record of all visible data should be created. It is recommended to photograph the mobile device along with any of the other media found, such as cables, peripherals, and so on. This will be helpful in case questions arise later on about the environment. Do not touch or lay hands on the mobile device when photographing it. Ensure that you document all the methods and tools that are used to collect and extract the evidence. Detail your notes so that another examiner can reproduce them. Your work must be reproducible; if not, a judge may rule it inadmissible. It's important to document the entire recovery process, including all the changes made during the acquisition and examination. For example, if the forensic tool used for the data extraction sliced up the disk image to store it, this must be documented. All changes to the mobile device, including power cycling and syncing, should be documented in your case notes.
Reporting is the process of preparing a detailed summary of all the steps taken and conclusions reached as part of the examination. Reporting should include details about all the important actions performed by the examiner, results of the acquisition, and any inferences drawn from the results. Most of the forensic tools come with built-in reporting features which will autogenerate the reports while providing scope for customization at the same time. In general, the report may contain the following details:
- Details of the reporting agency
- Case identifier
- Forensic investigator
- Identity of the submitter
- Date of evidence receipt
- Details of the device seized for examination including serial number, make, and model
- Details of the equipment and tools used in the examination
- Description of steps taken during examination
- Chain of custody documentation
- Details of findings or issues identified
- Evidence recovered during the examination, ranging from chat messages, browser history, and call logs to deleted messages, and so on
- Any images captured during the examination
- Examination and analysis information
- Report conclusion
