
  • Practical Mobile Forensics
  • Satish Bommisetty Rohit Tamma Heather Mahalik
  • 2021-12-08 12:31:06

Good forensic practices

Good forensic practices apply to the collection and preservation of evidence. Following good forensic practices ensures that evidence will be accepted in court as authentic and accurate. Modification of evidence, whether intentional or accidental, can affect the case, so understanding the best practices is critical for forensic examiners.

Securing the evidence

With advanced smartphone features such as Find My iPhone and remote wipes, securing a mobile phone so that it cannot be remotely wiped is of great importance. Also, when the phone is powered on and has service, it constantly receives new data. To secure the evidence, use the right equipment and techniques to isolate the phone from all networks. With isolation, the phone is prevented from receiving any new data that would cause active data to be deleted.

Preserving the evidence

As evidence is collected, it must be preserved in a state that is acceptable in court. Working directly on the original copies of evidence might alter it. So, as soon as you recover a raw disk image or files, create a read-only master copy and duplicate it. In order for evidence to be admissible, there must be a method to verify that the evidence presented is exactly the same as the original collected. This can be accomplished by creating a hash value of the image. After duplicating the raw disk image or files, compute and verify the hash values for the original and the copy to ensure that the integrity of the evidence is maintained. Any changes in hash values should be documented and explainable. All further processing or examination should be performed on copies of the evidence. Any use of the device might alter the information stored on the handset. So, perform only the tasks that are absolutely necessary.
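The preservation steps above (read-only master, duplicate, hash and verify, document the result) can be scripted as in the following added example, which is not code from the book. SHA-256 and the file names `master.img`, `working.img` and `hash_log.jsonl` are assumptions chosen for illustration, and the sample image is constructed.

```python
import hashlib, json, os, shutil, stat, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB blocks so large images never sit in memory

def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def preserve(acquired, case_dir):
    """Create a read-only master and a working copy; log and return the hashes."""
    os.makedirs(case_dir, exist_ok=True)
    master = os.path.join(case_dir, "master.img")    # assumed file name
    working = os.path.join(case_dir, "working.img")  # assumed file name
    acquired_hash = sha256_file(acquired)
    shutil.copyfile(acquired, master)
    os.chmod(master, stat.S_IRUSR | stat.S_IRGRP)    # master becomes read-only
    shutil.copyfile(master, working)                 # contents only, stays writable
    record = {
        "utc": datetime.now(timezone.utc).isoformat(),
        "algorithm": "sha256",
        "acquired": acquired_hash,
        "master": sha256_file(master),
        "working": sha256_file(working),
    }
    record["verified"] = record["acquired"] == record["master"] == record["working"]
    with open(os.path.join(case_dir, "hash_log.jsonl"), "a") as log:
        log.write(json.dumps(record) + "\n")         # entry for the case notes
    return record

def reverify(case_dir):
    """Re-hash the working copy and compare it with the last logged master hash."""
    with open(os.path.join(case_dir, "hash_log.jsonl")) as log:
        last = json.loads(log.readlines()[-1])
    current = sha256_file(os.path.join(case_dir, "working.img"))
    return current == last["master"], current

if __name__ == "__main__":
    case = tempfile.mkdtemp()
    src = os.path.join(case, "acquired.img")
    with open(src, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE IMAGE " * 4096)  # constructed, not real evidence
    print(preserve(src, os.path.join(case, "evidence")))
    print(reverify(os.path.join(case, "evidence")))
```

Run `reverify` before and after each examination session; a mismatch means the working copy changed and the change has to be documented and explained.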

Documenting the evidence

Be sure to document all the methods and tools that are used to collect and extract the evidence. Keep your notes detailed enough that another examiner could reproduce your work. Your work must be reproducible; if not, a judge may rule it inadmissible.

Documenting all changes

It's important to document the entire recovery process, including all the changes made during the acquisition and examination. For example, if the forensic tool used for the data extraction sliced up the disk image to store it, this must be documented. All changes to the mobile device, including power cycling and syncing, should be documented in your case notes.
