Following is a Mobile Device collection/imaging protocol that may be used in legal demands when there is an evidentiary interest in Mobile Device data. This information will be updated frequently as technology changes. Please provide any input regarding this protocol in the comments section below. There are two different sections below; one should be used if the Device is Off, and the other if the Device is On.

It is important to note that in most cases a Full File-System (FFS) forensic acquisition of the device is necessary. For instance, FFS forensic acquisitions are necessary in the following types of cases:

  • Traffic crash/distracted driving
  • Intellectual property theft
  • Any case involving app-specific data, including communication (e.g., chat) applications, many of which are encrypted.
  • Any case where there is a question about custodian interactions with the device such as deletion, uploads, downloads, installations, locations, etc.

Protocol check-sheets can be downloaded HERE (for device off) or HERE (for device on). Click HERE to jump to an Adobe Form that can be completed on-line and saved.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mobile Device Imaging Protocol – Device Off

(***Discuss any deviations from this protocol with SJDC prior to imaging the device***)

Check each [ ] # as the item is completed and take notes in each section

[ ] 1. Forensic Examiner Information

Note the Name/Title/Location of Person Forensically Imaging the device.

Name/Title/Location of Person Forensically Imaging the device:

[ ] 2. Waiver form (if applicable)

Custodian/Law Firm Waiver/Consent form signature (if applicable).

Name of Person who signed the Waiver:

[ ] 3. Custody Form

Note the date/time of device custody transfer, the name of the person who turned it over, and start a Chain-of-Custody form.

Date/Time Device received:

[ ] 4. Inspect/Photograph/Note Anomalies

Inspect/photograph the phone from all angles and note any anomalies.

Anomalies:

[ ] 5. Note MDM/Parental Controls

**VERY IMPORTANT** – Check for MDM and/or Parental Controls

Check with the custodian and/or any IT admins regarding any Mobile Device Management (MDM) profiles and/or Parental Controls installed/used on the device. Take notes on this (including specific comments made) regarding the presence of MDM/Parental Controls and any related settings. Some MDMs/Profiles may not be removable without administrator assistance, and some MDMs/profiles may reset the device and/or delete data if adjusted/removed.
MDM/Parental Controls:
IT Admin/Parent Comments Made
(if applicable):

[ ] 6. Perform “Faraday” test

If the device is powered off, prior to powering on, conduct a test of a “Faraday” (signal blocking) bag/box/room using a mobile device application (e.g., https://mosequipment.com/pages/mission-darkness-faraday-bag-testing-app).

Date/time Faraday Bag Tested:

Faraday report saved location:

[ ] 7. Remove/Photograph SIM/SD

Remove the SIM card (if MDM is not present), place the device in the previously tested/verified Faraday bag/box/room, and seal it, thereby preventing any wireless or mobile network connections (make a note about this). The Faraday test should be conducted immediately prior to use in each case. The Faraday bag will need to allow device interaction and contain data/charging cables and (if gloves are being used) a stylus. Remove/inspect/photograph any externally connected media including, but not limited to, SIM cards and/or MicroSD cards and note any identifying numbers or marks.

Date/Time Device Placed in Faraday Bag:

[ ] 8. Charge phone

Connect a charging cable, and charge the phone as necessary (to 100% battery). Note the time of this step.

Date/Time Phone connected to charging cable:

[ ] 9. Airplane mode/Disable Bluetooth

If the phone powers on when the charging cable is connected, immediately place it into Airplane mode and disable Bluetooth (two separate and necessary steps). If the phone does not power on, it should be allowed to fully charge, after which it will be powered on (still in the Faraday bag), placed into Airplane mode, and Bluetooth disabled. Note the time the device powers on and any interactions with the device.

Date/Time Device Powered On:

[ ] 10. Remove from Faraday Bag

After the phone has been placed into Airplane mode and Bluetooth has been disabled, remove it from the Faraday bag and note the time.

Date/Time Device is removed from Faraday Bag:

[ ] 11. Trigger the Creation of Volatile Data

**IMPORTANT – THIS MUST BE DONE BEFORE THE FORENSIC ACQUISITION**

Trigger the creation of volatile device log data (e.g., bug/crash/unified logs/reports, sysdiagnose, etc.). These logs should be created and collected in every case.

iOS Trip Sysdiagnose instructions
Android Crash Log instructions

Note the date/time of device interactions and sysdiagnose/bug report log execution.

Date/Time of sysdiagnose/bug report log execution:

[ ] 12. Make a forensic image of the Device.

Use specific updated versions of mobile forensic hardware/software (Cellebrite, Verakey, Oxygen, XRY, Elcomsoft, Belkasoft, etc.) to accomplish the following:

Make a physical and/or full file-system (FFS) forensic image of the device, followed by a logical acquisition (encrypted if possible), copy device specific information such as make/model/serial number, name of device, etc., and copy keychain/keystore data.

**CONTACT SJDC IF THE FORENSIC TOOLS AVAILABLE DO NOT SUPPORT A PHYSICAL/FFS ACQUISITION**

As a last resort (after contacting SJDC to discuss alternative options) an encrypted Apple/iTunes style backup may be used to capture an encrypted backup (of an Apple device).

Take notes on all aspects of the forensic imaging including any limitations that prevent the acquisition of a physical or FFS acquisition.

Imaging notes/limitations (e.g., unsupported FFS, inaccessible/locked, time-restricted, etc): 

[ ] 13. Capture the volatile data created in step 11.

See instructions for capturing this data here.

Note the name and hash value for the .zip file containing the volatile data:

[ ] 14. Take photographs/notes of the device user interface

Including (but not limited to):

  • [ ] Date/time
  • [ ] Time zone
  • [ ] Make
  • [ ] Model (for iOS tap on the model number to capture the A####)
  • [ ] Serial Number
  • [ ] IMEI(s)
  • [ ] ICCID (SIM Card) Number
  • [ ] Phone number
  • [ ] Carrier
  • [ ] Operating System Version/build
  • [ ] Storage availability/allocation (by app/service/file type)
  • [ ] Security/permission settings
  • [ ] Device/account/user/data sync information
  • [ ] Cloud sync/storage information (accounts, settings, storage capacity, etc)
  • [ ] Subscriptions
  • [ ] Payment information
  • [ ] Apps & app settings
  • [ ] Connected/synced devices (smart watch, tablets, computers, automobiles, additional phones, IoT devices, etc.)
  • [ ] Digital wellbeing/screen time data
  • [ ] Any/all active apps (scroll through each)
  • [ ] The first few messages/entries (or specific relevant messages/data from relevant times) in various apps such as communications, social media, pictures/videos (for validation purposes)
  • [ ] Other pictures/notes appropriate to the facts of the case

General Case Notes:

[ ] 15. Copy and verify the copied data

Copy the acquired data and verify the copies, including opening each copied extraction in mobile forensic software to confirm the images are usable and not corrupted. Note all forensic image information and separately copy and store any logs created during the imaging process.
Copy/save Forensic Acquisition/Information log files (e.g., log/.ufd file/volatile data).

Storage location of Forensic Acquisition/Information log files (e.g., log/.ufd file/volatile data):

[ ] 16. Image externally mounted media

Separately image any externally mounted media (e.g., SIM cards, MicroSD cards) and take detailed notes regarding this process.

SIM Card Information/Notes:

MicroSD Information/Notes:

[ ] 17. Revert changed settings

Revert any settings changed during the forensic process (e.g., disable Developer Mode/USB Debugging, enable screen timeout/lock, etc).

[ ] 18. If appropriate, power cycle and verify the device is in working condition

Take a note/picture to document that device was in working condition after the forensic acquisition.

[ ] 19. Power off and return the device

Power off and return and/or place the device into evidence storage. Take notes about the evidence transfer and complete the Chain-of-Custody.

Date/Time Device Powered Off:
Date/Time Device Returned:

Take notes about:
1) Any issues encountered – Issues:
2) Any device/imaging anomalies – Device/Imaging Anomalies:
3) Any statements made by the custodian(s) regarding the device(s) – i.e., dis/continued use, not using at time of a crash, un/installs, backups made, etc. – Custodian Statements:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mobile Device Imaging Protocol – Device On

(***Discuss any deviations from this protocol with SJDC prior to imaging the device***)

Check each [ ] # as the item is completed and take notes in each section

[ ] 1. Disable all device communications

Place the device in Airplane Mode, disable Bluetooth, turn off Wi-Fi, and remove the SIM card (if present).

Note the time that communications were disabled:

[ ] 2. Charge phone

Connect a charging cable, and charge the phone as necessary (to 100% battery). Note the time of this step.

Date/Time Phone connected to charging cable:

[ ] 3. Note Forensic Examiner Information

Note the Name/Title/Location of Person Forensically Imaging the device.

Name/Title/Location of Person Forensically Imaging the device:

[ ] 4. Waiver form (if applicable)

Complete the custodian/Law Firm Waiver/Consent form signature (if applicable).

Name of Person who signed the Waiver:

[ ] 5. Custody Form

Note the date/time of device custody transfer, the name of the person who turned it over, and start a Chain-of-Custody form.

Date/Time Device received:

[ ] 6. Inspect/Photograph/Note Anomalies

Inspect/photograph the phone from all angles and note any anomalies.

Anomalies:

[ ] 7. Note MDM/Parental Controls

**VERY IMPORTANT** – Check for MDM and/or Parental Controls

Check with the custodian and/or any IT admins regarding any Mobile Device Management (MDM) profiles and/or Parental Controls installed/used on the device. Take notes on this (including specific comments made) regarding the presence of MDM/Parental Controls and any related settings. Some MDMs/Profiles may not be removable without administrator assistance, and some MDMs/profiles may reset the device and/or delete data if adjusted/removed.
MDM/Parental Controls:
IT Admin/Parent Comments Made
(if applicable):

[ ] 8. Remove SIM/Airplane Mode/Disable Bluetooth

If the device is on/active when received, immediately remove the SIM card, place it into Airplane mode, and disable Bluetooth (Airplane mode and Bluetooth are two separate and necessary steps). Note the time of this and any apps/data being displayed.

Date/Time of SIM removal, Airplane mode enabled, and Bluetooth disabled; apps displayed:

[ ] 9. Trigger the Creation of Volatile Data

**IMPORTANT – THIS MUST BE DONE BEFORE THE FORENSIC ACQUISITION**

Trigger the creation of volatile device log data (e.g., bug/crash/unified logs/reports, sysdiagnose, etc.). These logs should be created and collected in every case.

iOS Trip Sysdiagnose instructions
Android Crash Log instructions

Note the date/time of device interactions and sysdiagnose/bug report log execution.

Date/Time of sysdiagnose/bug report log execution:

[ ] 10. Make a forensic image of the Device.

Use specific updated versions of mobile forensic hardware/software (Cellebrite, Verakey, Oxygen, XRY, Elcomsoft, Belkasoft, etc.) to accomplish the following:

Make a physical and/or full file-system (FFS) forensic image of the device, followed by a logical acquisition (encrypted if possible), copy device specific information such as make/model/serial number, name of device, etc., and copy keychain/keystore data.

**CONTACT SJDC IF THE TOOLS AVAILABLE DO NOT SUPPORT A PHYSICAL/FFS ACQUISITION**

As a last resort (after contacting SJDC to discuss alternative options) an encrypted Apple/iTunes style backup may be used to capture an encrypted backup (of an Apple device).

Take notes on all aspects of the forensic imaging including any limitations that prevent the acquisition of a physical or FFS acquisition.

Imaging notes/limitations (e.g., unsupported FFS, inaccessible/locked, time-restricted, etc): 

[ ] 11. Capture the volatile data created in step 9.

See instructions for capturing this data here.

Note the name and hash value for the .zip file containing the volatile data:

[ ] 12. Take photographs/notes of the device user interface

Including (but not limited to):

  • [ ] Date/time
  • [ ] Time zone
  • [ ] Make
  • [ ] Model (for iOS tap on the model number to capture the A####)
  • [ ] Serial Number
  • [ ] IMEI(s)
  • [ ] ICCID (SIM Card) Number
  • [ ] Phone number
  • [ ] Carrier
  • [ ] Operating System Version/build
  • [ ] Storage availability/allocation (by app/service/file type)
  • [ ] Security/permission settings
  • [ ] Device/account/user/data sync information
  • [ ] Cloud sync/storage information (accounts, settings, storage capacity, etc)
  • [ ] Subscriptions
  • [ ] Payment information
  • [ ] Apps & app settings
  • [ ] Connected/synced devices (smart watch, tablets, computers, automobiles, additional phones, IoT devices, etc.)
  • [ ] Digital wellbeing/screen time data
  • [ ] Any/all active apps (scroll through each)
  • [ ] The first few messages/entries (or specific relevant messages/data from relevant times) in various apps such as communications, social media, pictures/videos (for validation purposes)
  • [ ] Other pictures/notes appropriate to the facts of the case

General Case Notes:

[ ] 13. Copy and verify the copied data

Copy the acquired data and verify the copies, including opening each copied extraction in mobile forensic software to confirm the images are usable and not corrupted. Note all forensic image information and separately copy and store any logs created during the imaging process.
Copy/save Forensic Acquisition/Information log files (e.g., log/.ufd file/volatile data).

Storage location of Forensic Acquisition/Information log files (e.g., log/.ufd file/volatile data):
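The "copy and verify" step above (step 13 here, step 15 in the Device Off section) and the "note the name and hash value for the .zip file" step both come down to the same check: every acquisition artefact (FFS image, .ufd/log file, volatile-data .zip) is hashed once at the source, the hashes are recorded, and each working copy is compared against that record before the originals are locked away. The following script is an added example, not part of the SJDC protocol or any vendor's tooling; it builds a SHA-256/MD5 manifest for an acquisition folder and reports any copied file that is corrupted, missing, or unexpected. All file names and contents in `demo()` are constructed placeholders.

```python
"""Hash, manifest and verify copied forensic acquisition files.

Added example (not part of the protocol): computes SHA-256 and MD5 for every
file under an acquisition directory, writes a JSON manifest for the case
notes, and checks a copy against it so that a truncated or corrupted copy is
caught before the originals leave the examiner's control.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images are never loaded into RAM


def hash_file(path):
    """Return (sha256_hex, md5_hex, size_bytes) for one file, reading it only once."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            sha256.update(chunk)
            md5.update(chunk)
            size += len(chunk)
    return sha256.hexdigest(), md5.hexdigest(), size


def build_manifest(root):
    """Walk `root` and map each relative file path to its hashes and size."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            sha, md5, size = hash_file(full)
            manifest[rel] = {"sha256": sha, "md5": md5, "size": size}
    return manifest


def write_manifest(manifest, out_path, source_label):
    """Persist the manifest as JSON with a UTC timestamp, suitable for attaching to the case notes."""
    record = {
        "source": source_label,
        "generated_utc": datetime.now(timezone.utc).isoformat(),
        "files": manifest,
    }
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2, sort_keys=True)
    return out_path


def verify_copy(manifest, copy_root):
    """Compare a copy against the manifest.

    Returns lists of files whose SHA-256 differs, files missing from the copy,
    and files present in the copy but absent from the manifest. All three empty
    means the copy matches the source bit for bit.
    """
    copied = build_manifest(copy_root)
    mismatched = [p for p in manifest if p in copied and copied[p]["sha256"] != manifest[p]["sha256"]]
    missing = [p for p in manifest if p not in copied]
    extra = [p for p in copied if p not in manifest]
    return {"mismatched": sorted(mismatched), "missing": sorted(missing), "extra": sorted(extra)}


def demo():
    """Constructed walk-through: an image plus a volatile-data zip, one good copy, one damaged copy."""
    work = tempfile.mkdtemp(prefix="acq_demo_")
    src = os.path.join(work, "acquisition")
    os.makedirs(os.path.join(src, "volatile"))
    # Constructed placeholder contents; real files would be the tool's FFS image, its .ufd/log and the sysdiagnose .zip
    with open(os.path.join(src, "device_ffs.tar"), "wb") as fh:
        fh.write(os.urandom(4 * CHUNK + 17))
    with open(os.path.join(src, "volatile", "sysdiagnose.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04 constructed placeholder")
    manifest = build_manifest(src)
    write_manifest(manifest, os.path.join(work, "manifest.json"), "acquisition")

    good = os.path.join(work, "copy_good")
    shutil.copytree(src, good)
    bad = os.path.join(work, "copy_bad")
    shutil.copytree(src, bad)
    with open(os.path.join(bad, "device_ffs.tar"), "r+b") as fh:  # flip one byte: simulates a corrupted copy
        fh.seek(CHUNK + 5)
        original = fh.read(1)
        fh.seek(CHUNK + 5)
        fh.write(bytes([original[0] ^ 0xFF]))
    os.remove(os.path.join(bad, "volatile", "sysdiagnose.zip"))  # simulates a file that never copied
    result = (verify_copy(manifest, good), verify_copy(manifest, bad))
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    good_result, bad_result = demo()
    print("good copy:", good_result)
    print("bad copy: ", bad_result)
```

Both digests are computed in a single pass because many forensic tools report MD5 in their own logs while SHA-256 is what should go in the case notes; recording both lets the manifest be reconciled against the tool's .ufd/log without re-reading a large image. A mismatch in `verify_copy` is a reason to re-copy from the original media, not to edit the manifest.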

[ ] 14. Image externally mounted media

Separately image any externally mounted media (e.g., SIM cards, MicroSD cards) and take detailed notes regarding this process.

SIM Card Information/Notes:

MicroSD Information/Notes:

[ ] 15. Revert changed settings

Revert any settings changed during the forensic process (e.g., disable Developer Mode/USB Debugging, enable screen timeout/lock, etc).

[ ] 16. If appropriate, power cycle and verify the device is in working condition

Take a note/picture to document that device was in working condition after the forensic acquisition.

[ ] 17. Return the device

Take notes about the evidence transfer and complete the Chain-of-Custody.

Date/Time Device Powered Off:
Date/Time Device Returned:

Take notes about:
1) Any issues encountered – Issues:
2) Any device/imaging anomalies – Device/Imaging Anomalies:
3) Any statements made by the custodian(s) regarding the device(s) – i.e., dis/continued use, not using at time of a crash, un/installs, backups made, etc. – Custodian Statements:
