Protecting Evidentiary Data
In April 2007, the Scientific Working Group on Digital Evidence (SWGDE) released a document that listed a hierarchy of retrieval methods for the preservation and examination of cellular phone evidence. Essentially, this document suggested processing the evidence using a tiered approach, in the following order:
- forensic cellular/handheld device software
- consumer (open source and/or manufacturer’s) backup software
- menu navigation and photographic/video documentation
- menu navigation and transcription of information viewed
- transfer via e-mail or messaging of data to a downloadable device
Frequently a combination of these tiers will be necessary to obtain the most complete data preservation, and to validate the results of an examination.
Once a handheld device has been collected, turned off, packaged, and placed in evidence storage, caution must be used to prevent change to the evidence when the examination is conducted.
While a cellular phone is powered off, short message service (SMS) text messages and other data queue on the network for delivery when the phone is returned to service. When these queued messages and data are delivered, they can overwrite old and deleted messages and data on the handset. Service providers will also update system files and roaming settings when the phone reconnects to the network. If these system updates are transmitted to the phone during an examination, there is a possibility of corrupting the downloaded data as well as the device's file system. Any of these events can cause the loss of evidentiary data.
To prevent this contamination and loss of evidentiary data, it is recommended that RF signal isolation or Faraday shielding be used in the lab for handheld device examinations. There are numerous methods for isolating RF signals in a lab environment, including RF test enclosures (Ramsey Electronics), RF shielding fabrics and wallpaper (Axonics International Marketing), and signal-blocking tents and rooms (RA Mayes Company). RF jamming devices are available, but they may be illegal or have other unintended consequences when used, and are not recommended. When choosing a shielding product, it is important to select one that will enable examiners to use the tools necessary for the examination within the shielded area; for example, a camera must be usable inside the shielded area to document the evidence found during menu navigation. Whatever product is chosen, confirm that the device shows no service once it is inside the enclosure before the examination begins: a handset that still registers with the network is not isolated.
It is crucial to understand that a number of obstacles may be encountered while conducting examinations of handheld devices. The most rudimentary devices may have very limited storage capacity, which creates situations where evidence can easily be lost or overlooked. Some devices have space for only twenty stored call history entries, managed with a FIFO ("first in, first out") scheme: once the available storage has been filled, each new entry replaces the oldest one. In our example, the moment entry twenty-one arrives, the first entry is deleted and the twenty-first entry takes its place. If a phone that has been in storage for several days, weeks, or months is powered on in an unprotected state, it will connect to the service provider's network and begin adding the data that was queued while the device was powered off. The result is the loss of potentially valuable evidence, as older and deleted entries are overwritten.
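The following is an added illustration, not part of the original text, of the overwrite problem just described. It models a twenty-entry FIFO call history and compares powering the handset on inside RF isolation with powering it on unprotected while five records are queued on the network. All entry names are constructed for the example; `CAPACITY`, `make_call_history` and `power_on` are names chosen here, not vendor or tool APIs.

```python
from collections import deque

CAPACITY = 20  # the twenty-entry call history used as the example in the text


def make_call_history(entries, capacity=CAPACITY):
    """Return a FIFO call-history store holding at most `capacity` entries.

    A deque with maxlen silently discards the oldest entry whenever a new
    one is appended to a full store, which is exactly the FIFO behaviour
    described for low-end handsets.
    """
    return deque(entries, maxlen=capacity)


def power_on(history, queued_entries, rf_isolated):
    """Simulate powering the handset on.

    If the handset is RF-isolated it never registers with the network, so
    nothing queued is delivered and the stored history is untouched.
    Otherwise every queued entry is delivered and appended, and the FIFO
    drops the oldest stored entries to make room.

    Returns (history_after, lost_entries) as plain lists.
    """
    before = list(history)
    if rf_isolated:
        return before, []
    for entry in queued_entries:
        history.append(entry)
    after = list(history)
    lost = [entry for entry in before if entry not in after]
    return after, lost


# Constructed sample data: the state of the call log at seizure, and the
# records the carrier has been holding while the phone was switched off.
SEIZED_ENTRIES = [f"seized-call-{i:02d}" for i in range(1, CAPACITY + 1)]
QUEUED_ENTRIES = [f"queued-call-{i:02d}" for i in range(1, 6)]


def examine(rf_isolated):
    """Run one power-on scenario on a fresh copy of the seized call log."""
    history = make_call_history(SEIZED_ENTRIES)
    return power_on(history, QUEUED_ENTRIES, rf_isolated)


if __name__ == "__main__":
    for isolated in (True, False):
        after, lost = examine(isolated)
        label = "RF-isolated" if isolated else "unprotected"
        print(f"{label}: {len(after)} entries retained, {len(lost)} lost")
        for entry in lost:
            print(f"  lost: {entry}")
```

The unprotected run loses the five oldest seized records, which are precisely the entries most likely to matter if the device has been in storage for a long time; the isolated run retains all twenty, which is the state the examiner must document.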