Isolating Devices to Preserve Evidence

co-authored by Ian Whiffin, Senior Digital Intelligence Expert, Cellebrite

In the chain of evidence, every step is critical: from finding a device or online account that holds digital data, to presenting that evidence in court in a way that makes the case for the prosecution. One early step that is not only critical but painfully easy to botch is isolating a device from network access, whether cellular, Wi-Fi or Bluetooth. By cutting the device off from its connectivity "lifeline," frontline officers and investigators can prevent existing digital evidence from changing, or from disappearing altogether.

Failing to isolate a device from wireless or cellular access can cause real problems for investigators. For example, older or "burner" phones with limited storage may delete older data to make room for newly received messages. The consequences are far worse for a device that still has online access: the device owner, or someone acting for them, can issue a remote wipe command that erases the phone's data.

Whatever the scale of the loss, losing evidence at the very start of an investigation is not acceptable. That is why officers who find or are handed devices need to know how to isolate a device quickly and safely so that its data remains intact. There are several options for isolating a smartphone, the device officers and investigators will encounter most often. The options are listed below in order of our preference.

1) Faraday bag or box

This is our first choice because it works regardless of the device's manufacturer, operating system or security settings, and regardless of how familiar the seizing officer is with that particular model. It is also likely the easiest and fastest of the options: the frontline officer simply places the device in a Faraday bag or box, and the job is done, without having to work out which tactic applies to which device.

A Faraday box is preferred because it may come equipped with a filtered charging port. This matters because a shielded phone that is still powered on will keep searching for a network, which drains its battery faster than normal. With a charging port, the device can be kept on and charging without any chance of it connecting to a cellular or Wi-Fi network, even for a few seconds. That said, a Faraday bag is still a valuable tool.

Faraday solutions are not the cheapest option, and not every officer will have one on hand. But a patrol supervisor could keep a few bags or boxes available for frontline officers as needed, and they should certainly be taken to planned operations such as warrant executions whenever there is any suggestion that phones may be seized.

There is also a cheap-and-easy fallback if no Faraday boxes or bags are available: aluminum foil. By wrapping the phone carefully in several layers of foil, with no gaps or tears, the frontline officer can isolate the device. Because foil is an untested shield and a small gap can let a signal through, the device should be handed to forensic examiners as soon as possible when this makeshift method is used.

2) Airplane mode

If an officer does not have a Faraday box or bag, switching the phone into airplane mode is the next-best option. Airplane mode turns off the phone's radios so that communication is cut off: the phone cannot receive messages or calls, will not report its location and, more importantly, will not receive a wipe command. One caveat: on many current devices Bluetooth is not disabled by airplane mode, and on some versions of iOS and Android, Wi-Fi can also remain on or be turned back on while airplane mode is active. The officer should therefore check that both the Wi-Fi and Bluetooth indicators show as off after enabling airplane mode.

The benefit of using airplane mode rather than something more drastic, such as powering the phone off entirely, is that examiners retain the opportunity to perform an After First Unlock (AFU) extraction. In the AFU state the phone has been unlocked at least once since it was powered on, so the keys protecting much of the user data are still held in memory. That opportunity is lost if the device is turned off, because the reboot returns it to the Before First Unlock (BFU) state, its most secure state, in which most user data stays encrypted until the passcode is entered.

The challenge with airplane mode is that frontline officers need to know how to reach and use that setting across the wide variety of devices and operating systems they encounter. Some devices also require a passcode before the settings can be reached at all, meaning that airplane mode may simply not be available unless the officer legally obtains the passcode from a witness or victim.

3) Removing the SIM card

Removing a phone's SIM card disables its cellular connection, but the Wi-Fi radio remains active if the officer cannot get into the phone's settings to turn Wi-Fi off. If the officer carrying that device then stops at or drives past a location with an open Wi-Fi network, such as a cafe, the phone may connect automatically, and a remote wipe requested by the owner would go through. Note also that a growing number of phones use an embedded SIM (eSIM) that cannot be removed, and some models have no physical SIM slot at all, so this option does not exist for every device.

Another drawback to removing the SIM card: some devices lock themselves automatically when the SIM is removed and return to a state similar to a device that has just been rebooted. Unfortunately, that means investigators lose the opportunity to perform an AFU extraction, the same result as turning the device off.

And as with airplane mode, frontline officers need to know where the SIM tray sits on many different models, and on most of them they need a tool such as a SIM ejector or a straightened paper clip to pop the tray out.

4) Turning off the device

If none of the above methods is available to a frontline officer, turning the device off may be the only way to isolate it. But as noted above, powering off a phone almost certainly means there is no chance of an AFU extraction. In addition, shutting down triggers operations that alter the device's data: databases flush their pending writes, which can remove deleted records that were still recoverable from journal or write-ahead log files, and the oldest system log entries can be rotated out as the shutdown and the next boot are logged.

Is isolation always necessary?

If a frontline officer is faced with only poor choices for isolating a device, it pays to consider how likely it is that the phone will be tampered with, for instance by its owner triggering a remote wipe. If the phone belongs to a victim or a deceased person, the likelihood of a wipe is probably low, and the officer can simply bring the device back to the station or forensic lab in whatever state it is in, on or off.

Likewise, if the owner is in custody and has no access to the hardware needed to trigger a wipe, the urgency of isolating the device is reduced. The exception, of course, is when there is any chance that an associate of the suspect can trigger the wipe on their behalf.

Why “do not disturb” isn’t the same as airplane mode

Frontline officers should not confuse the "do not disturb" setting with airplane mode. "Do not disturb" merely silences notifications for messages and calls; the radios stay on and the phone remains fully connected. It has no forensic value, does nothing to isolate the device, and should not be used for that purpose.

Whichever isolation method you choose, don’t forget to document

Officers making decisions about isolating devices should carefully document which option they chose and why, even if they decided to leave the device as it was, or used the aluminum foil fallback. The documentation should also record any isolation attempts that did not succeed, such as trying and failing to place the phone into airplane mode. That way, if forensic examiners later find traces of such an attempt on the device, they will know it came from an officer and not from another user of the phone.

Forensic's monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high profile cases from child exploitation to Osama Bin Laden’s digital media. Check every month for more digital intelligence as Mahalik takes on managing and sharing data, testing and validation, highly encrypted phones and more.
