Mobile Device Collection/Imaging Protocol

Following is a protocol for Mobile Device collection/imaging that may be used in legal demands when there is an evidentiary interest in Mobile Device data. This information will be updated and a check-sheet for download will be added in future versions.

It is important to note that in most cases a Full File-System (FFS) forensic image of the device is necessary. For instance, FFS forensic acquisitions are necessary in the following types of cases:

  • Traffic crash/distracted driving
  • Intellectual property theft
  • Any case involving app-specific data, including communication (i.e., chat) applications, many of which are encrypted.
  • Any case where there is a question about custodian interactions such as deletion, uploads, downloads, installations, locations, etc.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mobile Device Imaging Protocol

(Discuss any deviations from this protocol with SJDC prior to imaging the device)

Check each [ ] item number as it is completed and take notes in each section.

[ ] 1. Name/Title/Location of Person Forensically Imaging the device: 

[ ] 2. Custodian/Law Firm Waiver/Consent form signature (if applicable).

Custodian Name:

[ ] 3. Note the date/time of the device custody transfer and the name of the person who turned it over, and start a Chain-of-Custody form:

Date/Time Device received:

[ ] 4. Inspect/photograph the phone from all angles and note any anomalies.

Anomalies:

[ ] 5. Without powering the device, determine and note (to the extent possible before power on) the exact model number of the device.

Exact Model Number (e.g., A1234, SM-5678, etc.):

[ ] 6. VERY IMPORTANT – Check with the custodian and/or any IT admins regarding any Mobile Device Management (MDM) profiles and/or Parental Controls installed/used on the device. Take notes (including any specific comments made) on the presence of MDM/Parental Controls and any related settings. Some MDMs/profiles may not be removable without administrator assistance, and some MDMs/profiles may reset the device and/or delete data if adjusted/removed.

MDM/Parental Controls:

IT Admin/Parent Comments (if applicable):

[ ] 7. If the device is powered off, prior to powering on, conduct a test of a “Faraday” (signal blocking) bag/box/room using a mobile device application (e.g., https://mosequipment.com/pages/mission-darkness-faraday-bag-testing-app). The report should be attached to this note (“Add Media” button above).

Date/time Faraday Bag Tested:

Faraday report saved location:

[ ] 8. Remove the SIM card (if MDM is not present), place the device in the previously tested/verified Faraday bag/box/room, and seal it, thereby preventing any wireless or mobile network connection (make a note of this). The Faraday test should be conducted immediately prior to use in each case. The Faraday bag will need to allow device interaction and must contain data/charging cables and (if gloves are being used) a stylus. Remove/inspect/photograph any externally connected media, including but not limited to SIM cards and/or MicroSD cards, and note any identifying numbers or marks.

Date/Time Device Placed in Faraday Bag:

[ ] 9. Connect a charging cable, and charge the phone as necessary (to 100% battery). Note the time of this step.

Date/Time Phone connected to charging cable:

[ ] 10. If the phone powers on when the charging cable is connected, immediately place it into Airplane mode and disable Bluetooth (two separate and necessary steps). If the phone does not power on, it should be allowed to fully charge, after which it will be powered on (still in the Faraday bag), placed into Airplane mode, and Bluetooth disabled. Note the time the device powers on and any interactions with the device.

Date/Time Device Powered On:

[ ] 11. After the phone has been placed into Airplane mode and Bluetooth has been disabled, remove it from the Faraday bag and note the time.

[ ] 12. If the device is on/active when received, immediately remove the SIM card, place it into Airplane mode, and disable Bluetooth (two separate and necessary steps). Note the time of this and any apps/data being displayed.

[ ] 13. Collect volatile data. Trip/collect volatile device log data (e.g., bug/crash/unified logs/reports, sysdiagnose, etc.). These logs should be created in every case.

iOS Trip Sysdiagnose instructions

Sysdiagnose logging may be disabled by MDM – if so, determine whether it is feasible to disable the MDM without modifying/wiping the device data.

Since tripping an iOS sysdiagnose using the volume/power buttons (held for about 1.25 seconds) can be tricky, the method below is suggested.

The following path trips a sysdiagnose on iOS without the volume/power button method, which can create screenshots and/or trip it more than once.

From Settings go to Accessibility > Touch > AssistiveTouch, enable AssistiveTouch, and under Double-Tap select Analytics. A small “button” will appear on the screen (usually on the right side). To trip a sysdiagnose, double tap the new button once (in later iOS versions a note will appear at the top of the screen showing “Gathering Analytics”). This creates a new sysdiagnose log on the device that will be available (in approximately 8-10 minutes) when the device is imaged with a full-file-system acquisition. Prior to imaging the device, verify that the sysdiagnose log is present by navigating to Settings > Privacy & Security > Analytics & Improvements > Analytics Data (the new log will show “sysdiagnose” and the current date/time in the new folder name; filter by typing “sys” in the search box).

Android Debug Data instructions

Unlock developer options
NOTE: The following steps may differ depending on your device model, Android version, and vendor customizations.
On the Android device, go to Settings.
Select About phone (on some devices, you may see About device or About).
Tap Software information.
Tap the Build number panel 7 times.
Developer options are now unlocked.

Create a bug report
On the Android device, go to Settings.
Select Developer options.
NOTE: If you do not see Developer options, repeat the steps in the Unlock developer options section of this article.
Ensure the Developer options slider is On.
Tap Take bug report, (on some devices, you may see Bug report).
NOTE: If you are unable to select Take bug report, you may need to scroll down and enable the USB debugging setting first.
If prompted, select Full report ▸ Report.
The bug report may take several minutes to complete. 

Using ADB (connected to a computer)
from https://developer.android.com/studio/debug/bug-report

To get a bug report directly from your device, do the following:
On a PC with ADB (preferred), connect to the device and run adb bugreport [path to directory].

Alternatively, enable Developer Options and, in Developer options, tap Take bug report.
Select the type of bug report you want and tap Report.
After a moment, you get a notification that the bug report is ready.
To share the bug report, tap the notification and follow instructions.
The bug report will be stored on the device and available with a full-filesystem acquisition.

Note the time and any device interactions while collecting this volatile log data.

Date/Time of sysdiagnose/bugreport log execution:

[ ] 14. Use specific, updated versions of mobile forensic hardware/software (Cellebrite, Verakey, Oxygen, XRY, Elcomsoft, Belkasoft, etc.) to accomplish the following:

Make a physical and/or full file-system (FFS) forensic image of the device, followed by a logical acquisition (encrypted if possible); copy device-specific information such as make/model/serial number, name of device, etc.; and copy keychain/keystore data. As a last resort (Apple devices only), an encrypted iTunes backup may be used to capture an encrypted backup.
Take notes on all aspects of the forensic imaging including any limitations that prevent the acquisition of a physical or FFS acquisition.

Imaging notes/limitations (e.g., unsupported FFS, inaccessible/locked, time-restricted, etc): 

[ ] 15. Take photographs/notes of the device user interface, including (but not limited to): date/time, time zone, make/model/serial number/IMEI(s)/ICCID/phone number, carrier, operating system with exact version/build, storage availability/allocation (by app/service/file type), security/permission settings, various account information, device/account/user/data sync information, cloud sync/storage information (accounts, settings, storage capacity, etc.), subscriptions, payment information, apps & app settings, connected/synced devices (smart watch, tablets, computers, automobiles, additional phones, IoT devices, etc.), digital wellbeing/screen time data, and the first few messages/entries (or specific relevant messages/data from relevant times) in various apps such as communications, social media, and pictures/videos (for validation purposes). Take notes as appropriate to the goals of the case.
General Case Notes:

[ ] 16. Copy and verify the copied data, including opening the various copied extractions in Mobile Forensic software packages to ensure the images are usable and not corrupted. Note all forensic image information and separately copy and store any logs created during the imaging process.
Forensic Information (attach image log/.ufd file to this note – “Add Media” above):
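As an added example (not part of the SJDC protocol or any vendor tool) covering both step 13 (collecting the Android bug report over ADB) and step 16 (verifying that copied extractions are intact), the POSIX shell script below pulls the bug report into a case directory, records a UTC timestamp and SHA-256 for each file in a manifest, and later re-hashes every listed file to detect a missing or altered copy. It assumes adb is on PATH and the device is already authorised for USB debugging; CASE_DIR and the manifest file name are constructed for this example.

```shell
#!/bin/sh
# Added example, not the protocol's own tooling: ADB bug report collection
# plus a hash manifest for later verification of copied extractions.
# Assumptions: adb on PATH, device authorised for USB debugging,
# CASE_DIR is a constructed path for this example.

CASE_DIR="${CASE_DIR:-./case_evidence}"

# Portable SHA-256: sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Append one manifest line: UTC timestamp, SHA-256, file path.
# The timestamp doubles as the "date/time of log execution" note.
record_item() {
    _file="$1"
    _manifest="$2"
    _ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s  %s  %s\n' "$_ts" "$(sha256_of "$_file")" "$_file" >> "$_manifest"
}

# Step 13: adb bugreport writes bugreport-*.zip into the given directory
# (Android 7 and later); each resulting zip is hashed into the manifest.
collect_bugreport() {
    _dir="$1"
    mkdir -p "$_dir"
    adb bugreport "$_dir" || return 1
    for _f in "$_dir"/bugreport*.zip; do
        [ -f "$_f" ] && record_item "$_f" "$_dir/manifest.txt"
    done
}

# Step 16: re-hash every file named in the manifest and compare.
# Returns 0 only if every file exists and matches its recorded hash.
verify_manifest() {
    _manifest="$1"
    _rc=0
    while read -r _ts _hash _path; do
        [ -z "$_path" ] && continue
        if [ ! -f "$_path" ]; then
            echo "MISSING  $_path"; _rc=1; continue
        fi
        _now=$(sha256_of "$_path")
        if [ "$_now" = "$_hash" ]; then
            echo "OK       $_path"
        else
            echo "MISMATCH $_path (manifest $_hash, now $_now)"; _rc=1
        fi
    done < "$_manifest"
    return $_rc
}

# Usage (not run automatically when the file is sourced):
#   collect_bugreport "$CASE_DIR/android-volatile"
#   verify_manifest   "$CASE_DIR/android-volatile/manifest.txt"
```

The same record_item/verify_manifest pair can be applied to the FFS image, logical extraction and .ufd/log files from step 14: record each file once after acquisition, copy the manifest alongside the evidence, and run verify_manifest against every copy before relying on it.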

[ ] 17. Separately image any externally mounted media (e.g., SIM cards, MicroSD cards) and take detailed notes regarding this process.

Sim Card Notes:

MicroSD Notes:

[ ] 18. Power off the device and return it and/or place it into evidence storage. Take notes about the evidence transfer, including the Chain-of-Custody (COC) form.

Time Device Returned:

Take notes about:
1) Any issues encountered – Issues:
2) Any device/imaging anomalies – Device/Imaging Anomalies:
3) Any statements made by the custodian(s) regarding the device(s) – e.g., dis/continued use, not using at the time of a crash, un/installs, backups made, etc. – Custodian Statements:
