WHITE PAPER: Surgical Evidence Acquisitions

Targeted Acquisitions

Investigators will acquire and carve crucial evidence from digital devices like a surgeon with a scalpel. Targeted acquisitions save agencies time and resources, while enhancing trust and cooperation from victims and witnesses, along with acquiring evidence from suspects before permission can be rescinded.

White Paper Text Version:

Digital devices have changed. Has your SOP?

“Bag and Tag”: The original Standard Operating Procedures for mobile forensics stemmed from the computer forensic world. They instructed investigators and first responders to take possession of the physical device and bring it back to the lab. The device would then be imaged and returned if needed, or kept in an evidence locker.


Early models of cell phones and tablets were rarely password protected, and when they were, tools such as Susteen’s Burner Breaker were capable of brute forcing the password within minutes or days. As passcode and password protection on cell phones and other digital devices has become more prevalent, and encryption harder to crack, accessing devices on-person or in the field has become a necessity.


Although there are limited resources available to break passwords on new iOS and Android devices, these solutions are cost-prohibitive for some agencies, and the time needed to access a locked device has risen from days to weeks and even months. A new SOP has been gaining steam in the mobile forensic industry since 2019. This new way of thinking is to move some, if not most, acquisitions out of the lab and into the field. This new SOP was spearheaded by a new device called the DATAPILOT 10.


The DATAPILOT 10, and now others like it, gave front-line personnel, first responders, and investigators an option to get to digital evidence data quickly and efficiently in the field.


Rescinded Consent: An issue in the mobile forensics community has always been rescinded consent. This happens primarily with suspects in the case. As the suspect is booked and processed, they have ample time to speak with their attorney, who often advises them to rescind their consent for law enforcement to acquire evidence data from their digital device. Any evidence data acquired after this point will no longer be admissible in the case unless a warrant can be obtained. Obtaining a warrant takes time and gives the suspect ample opportunity to wipe the device.

Withdrawn consent can happen with a victim or a witness as well, often in domestic violence, drug, or human trafficking cases where they might still be in contact with the offender.


Time is of the Essence

One in 5 smart phone users is on their device for more than 5 hours a day. If the arrest is executed correctly, there is a great chance that a suspect will be on their device at that moment. Having the ability to access a suspect’s phone in the field increases the odds of a successful acquisition and decreases the chance of the device being wiped, locked or broken. Intelligence gathering capabilities and their effectiveness are increased exponentially if the data is obtained in the first hour.


Operate Like a Surgeon

New methods of performing surgical acquisitions in the field are complementing the time consuming, yet valued, older approach of performing the acquisition, carving and parsing the data, and building reports, all back at the lab. Performing Extract Only acquisitions allows an investigator to acquire the entire backup of a device while saving the parsing of the data for a later time. This can allow the investigator to acquire a full file system acquisition of an iPhone in under an hour. The investigator has now preserved that evidence quickly in the field and can parse through the data later, back in the lab. Such acquisitions are needed when all evidence data is required from the device, yet time is of the essence.


Victims and witnesses can easily be compelled to offer an investigator evidence pertinent to their case; however, they become less helpful if they know the investigator will need full access to their phone. Victims and witnesses have personal conversations and information on their device that are not needed to help the investigation, and they might be less willing to help if they are uneasy about giving full access. Using new techniques like Flex Specific Files and Time Slice Technology helps an examiner put a witness’s or victim’s mind at ease by selecting, and quickly acquiring, ONLY the evidence needed to help make a case. Like a surgeon with a scalpel, individual files can be carved out and preserved for evidence. Openness between law enforcement personnel and the community they serve builds trust between the two, increasing cooperation, and therefore improving the safety of our communities and closing more cases faster.

Gaining actionable intelligence and evidence in the field becomes a force multiplier, as the lab can be freed up to work on analyzing acquired data and producing results that lead to higher conviction rates.


It’s Not Encrypted if it’s in Plain Sight

Encrypted apps have always plagued digital forensic investigators. Although most forensic tools have the ability to acquire this application data, they have a hard time parsing the encrypted data and presenting it in a readable format for analysis.


A new method has been developed to capture and preserve evidence data from apps with hard-to-crack encryption. This method is known as Linked Screen Acquisition. This acquisition type is used by investigators to capture images of the screen of a digital device. An application that you can view on a target device is open and readable in plain sight. This means any evidence you can see with the naked eye can be preserved by a linked screen acquisition. Advanced technology like the DATAPILOT 10 even allows the investigator to take screen captures of Snapchat conversations without the app notifying the sender of the snap. This is a useful tool when working on a case involving child exploitation.


Surgical Acquisition vs Parsing Acquired Data

Some states are now requiring warrants to be written with exact evidence types and time frames listed on them.

Evidence found outside these exact times and applications is not admissible. This poses a problem for investigators, as the traditional method of acquiring data from cell phones, tablets and other devices is to perform a “Complete Acquisition.”


A Complete Acquisition pulls large swaths of digital data that include the evidence specified and allowed by a search warrant as well as all other dates, times and applications from the target device. Once acquired, this data is then parsed to show the investigator only the evidence from the specified dates and apps. This is time consuming, as the process to acquire a complete dump of cellphone data can take 12-24 hours on newer phones. This would be like a surgeon dissecting an entire body, despite the x-ray clearly showing that only a minimally invasive procedure is needed to repair a broken finger.
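The scoping rule the warrant imposes (only these apps, only this time window) can be applied at selection time rather than after a complete dump. The following is an added illustration, not code from the white paper or from any Susteen product: it filters a constructed device file inventory against a warrant scope, hashes only the in-scope files, and produces a manifest digest for the chain-of-custody record. The paths, app names and dates are hypothetical.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

def ts(y, m, d):  # helper: midnight UTC timestamp
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass(frozen=True)
class FileRecord:  # one entry in a device file inventory (constructed)
    path: str
    app: str
    modified: datetime
    data: bytes

@dataclass(frozen=True)
class WarrantScope:  # applications and time window the warrant authorises
    apps: frozenset
    start: datetime
    end: datetime

    def covers(self, rec):
        return rec.app in self.apps and self.start <= rec.modified <= self.end

def scoped_acquisition(inventory, scope):
    """Hash and list only in-scope files; out-of-scope data is never copied."""
    manifest = []
    for rec in sorted(inventory, key=lambda r: r.path):
        if scope.covers(rec):
            manifest.append({"path": rec.path, "app": rec.app,
                             "modified": rec.modified.isoformat(),
                             "sha256": hashlib.sha256(rec.data).hexdigest()})
    return manifest

def manifest_digest(manifest):
    """Digest of the canonical manifest, for the chain-of-custody record."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

# Constructed inventory with hypothetical paths: two chat databases, SMS, a photo.
INVENTORY = [
    FileRecord("msg/chat.db", "messenger", ts(2023, 3, 2), b"chat-2023"),
    FileRecord("msg/old.db", "messenger", ts(2021, 8, 9), b"chat-2021"),
    FileRecord("sms/sms.db", "sms", ts(2023, 3, 5), b"sms-2023"),
    FileRecord("dcim/img1.jpg", "photos", ts(2023, 3, 4), b"jpeg"),
]
# Constructed scope: messenger and SMS data from March 2023 only.
SCOPE = WarrantScope(frozenset({"messenger", "sms"}), ts(2023, 3, 1), ts(2023, 3, 31))
```

The 2021 chat database and the photo never enter the manifest, so nothing outside the warrant is copied or hashed.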


Surgical Acquisitions save time, money and resources.

  • Access intelligence & evidence on-scene
  • Get to devices before locked by passcode
  • Only acquire data needed to make your case
  • Build bridges with victims and witnesses
  • Reduce backlog in the lab
  • Save time by using time-slice technology or extract-only
  • Increase cooperation from victim
  • Acquire evidence before permission has been rescinded