How to Properly Handle Phones Seized for Investigation
Lab practitioners must often deal with multiple mobile devices simultaneously. Add to this the stress of everyone seeming to need their results yesterday and the added angst of backlogs that may already be piling up, and it’s no surprise that your head can feel like it’s spinning.
Getting a protocol in place that helps you handle each seized device in a methodical, step-by-step way can stop those knots from creeping up in the pit of your stomach.
The following tips and videos will help set you on the right path and bring your stress level down a notch or two.
If you receive a device that is powered on, isolate it from the network immediately so that no communications come in or go out. This includes blocking any remote wipe or lock request. Disable Wi-Fi, Bluetooth, and any other remote access settings.
As always, document the steps you take when handling digital evidence.
For powered-on devices, make sure you do not accidentally lock the device or put it into a “cold” state by removing the SIM. Keep all components intact and acquire the device as is. For devices that are powered off, you can remove and write-block the SD card to obtain a full extraction of the card before acquiring the device itself.
Knowing how to handle a device that enters your lab is crucial. Start by asking yourself, “Is the device in a ‘hot’ or ‘cold’ state?”
A “hot” state would be a device that is powered on and has recently been unlocked by the user, which means that the password may still exist in the device’s memory and can be accessed by leveraging Cellebrite UFED.
A “cold” state would be a device that is powered down or hasn’t been unlocked by the user for a period of time. These devices are harder to acquire, as the passcode is needed to decrypt the data on the device. As Shahar Tal states, “decryption happens on the device or not at all,” and that holds for many of the phones we commonly see. Keep in mind that you may need to leverage Cellebrite Premium or Cellebrite Advanced Services (CAS) for further assistance.
A common question that comes our way after a phone has been seized is, “Now what?” This is where people often struggle, and hindsight is always 20/20. Did you make the right decision when you tried to gain access to the device or not?
In this blog, we’ll take a look at a typical access procedure and walk you through the steps to ensure you get everything right to eliminate any second guessing.
Let’s begin with the case where you receive a phone and it’s turned on.
- If a phone is on, you need to immediately isolate it from the network. The phone I’m using in this example was on, so the first thing you want to do is put the device into “airplane mode.”
- The next step is to go into the settings and make sure there is no way for any communication to come into the device. Turn off any “hotspots” and any GPS or location services. Do not remove the SIM or SD card at this point. There have been scenarios where people have found that devices lock up when the SIM card is removed.
- Use your Cellebrite UFED to get a good acquisition of the device.
- Once you are happy with your acquisition, you always want to open it and make sure the data is not encrypted. If you receive a device and it’s turned off, I recommend that you remove any external components first. In this example, I’m working with an iPhone. If it were an Android and it was turned off, I would write-protect the SD card, remove the SIM card, and make sure I got a proper acquisition of the card.
There is a strong chance you will stumble upon a device, like the one I’m looking at here, that says the phone is encrypted for security.
- If you come across a device in this cold state where it says your phone is encrypted for security reasons, this is the worst-case scenario. Devices like this may require Cellebrite Premium to unlock them, or you may need to send them off to Cellebrite Advanced Services to gain access.
This also happens on iOS devices. As we look at my iPhone in this example, I can tell that it is going to unlock right now. If you were working on a similar iOS device and it did not unlock, Cellebrite also offers a service for this, so you can gain access and continue with your investigation.
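As an added example (not Cellebrite’s code or anything from the original post), the Python below encodes the powered-on/powered-off handling steps from this walkthrough as a small triage function and adds the check the post recommends after acquisition: hashing the image for your evidence documentation and flagging ciphertext-like content with a byte-entropy heuristic. The 7.5-bit threshold and the two sample images are constructed assumptions.

```python
import hashlib
import math
from collections import Counter
from datetime import datetime, timezone

# Handling steps from the procedure above, keyed by the device's power state.
HANDLING_STEPS = {
    "powered_on": [
        "enable airplane mode",
        "disable Wi-Fi, Bluetooth, hotspot and location services",
        "leave SIM and SD card in place",
        "acquire the device as-is",
    ],
    "powered_off": [
        "remove and write-block the SD card",
        "remove the SIM card",
        "acquire the SD card, then the device",
    ],
}

def triage(powered_on: bool, recently_unlocked: bool) -> dict:
    """Label the device hot or cold and return the ordered handling steps."""
    state = "hot" if powered_on and recently_unlocked else "cold"
    steps = HANDLING_STEPS["powered_on" if powered_on else "powered_off"]
    return {"state": state, "steps": list(steps)}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0); ciphertext sits close to 8.0."""
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def check_acquisition(image: bytes, threshold: float = 7.5) -> dict:
    """Hash the image for the evidence log and flag ciphertext-like content."""
    # Compressed data also scores high, so the flag means "inspect", not "encrypted".
    entropy = shannon_entropy(image)
    return {
        "sha256": hashlib.sha256(image).hexdigest(),
        "entropy": round(entropy, 3),
        "likely_encrypted": entropy > threshold,
        "logged_at": datetime.now(timezone.utc).isoformat(),
    }

if __name__ == "__main__":
    # Constructed sample images: readable SQLite-like text vs. uniformly distributed bytes.
    plaintext = b"SQLite format 3\x00contacts messages calls" * 64
    cipherlike = bytes(range(256)) * 16
    print(triage(powered_on=True, recently_unlocked=True))
    for img in (plaintext, cipherlike):
        print(check_acquisition(img)["likely_encrypted"])
```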
In the next blog we’ll cover How to Discover Artifacts in Cellebrite Physical Analyzer.