The Evidence Collector that’s Always with You

The Evidence Collector that’s Always with You

  • Blog Post
  • Posted on 1 April 2019

By David Kerstjens, Digital Forensics Lead

It is an integral part of our life these days and an item that is rarely further than arms reach. There are thousands of different models running various operating systems. With each year comes a larger device with the latest devices having a storage capacity of up to 512GB with expandable memory of another 512GB. As you would have guessed, I’m talking about mobile phones. 1TB is a lot of data but what sort of useable data can we get from a mobile phone?

Let’s think of it in terms of an investigation. One of your staff members has been accused of stalking and harassing a fellow staff member. What steps do you take to secure the potential evidence that is located on their work mobile and what type of evidence would you find?

Can you obtain the device?

The first step is to work out whether you have any legal right to obtain the device. Some companies will issue their staff a mobile device and other companies may allow Bring Your Own Device (BYOD). Certain states even allow surveillance of personal devices when they are being used at work using work Wi-Fi systems. In some instances, a person may provide consent for their mobile device to be imaged and reviewed and in these instances, you would ensure they have provided written confirmation. In other instances, you may need to rely on the company policies or you may not have any right to the device itself. The key to this first step is the policy the staff member has agreed to which will require discussion with your IT and Legal Team.

Secure Evidence

Similar to any electronic devices which may contain key data, if the device is on, try to utilise a power source to keep the device powered on. If the device is off, leave the device in this state. If the device is on, enable Airplane/Flight Mode. This will ensure they are not able to remotely wipe the device. You will need to obtain the PIN code from the staff member in majority of instances. Some devices can be accessed using software without the PIN code however this will not be applicable to the latest devices.

Forensically Acquire Device

Mobile phones are becoming increasingly more difficult to obtain the data from so we would recommend you utilise Forensic software and hardware to take an image of the device. Forensic software will have varying levels of interactions with the mobile device, which can affect whether the data itself is defensible, so make sure you research what software is forensically sound and you obtain suitable training in case the matter requires attendance in Court. Through suitable training and certification, you will be able to justify the actions you have taken in imaging the device and explain how the information was obtained from the data set.

Avenues of Investigation

The following are some potential avenues of investigation that relate to data obtained from a mobile device:

  • Correspondence between the two parties:
    • This could include call logs, SMS/MMS/iChat messages, various chat applications such as WhatsApp, WeChat, Viber, Messenger etc.
  • Correspondence between the accused and third parties that may mention the defendant.
  • Internet History.
    • This could show the accused performing searches online for the defendants’ address, social media accounts etc.
  • Media.
    • This could include photos or videos that the accused has taken of the defendant which could also include valuable data such as time stamps and GPS coordinates.
  • Location data
    • This could provide GPS coordinates to indicate at certain points of time where the accused was in relation to the defendant.
  • Recover deleted data.
    • In some instances, data that has been deleted such as messages can be recovered. As with all deleted data, time is of the essence. The likelihood of recovering deleted data will decrease with time, especially with mobile devices.
  • Linked Devices
    • Bluetooth history from the device may indicate linked devices such as smartwatches or car entertainment units which could provide further avenues to investigate.
  • Cloud Storage
    • The above considerations relate to data contained on the device however a review of the applications may provide further avenues to investigate such as cloud storage of the device or individual applications.

These avenues of investigation can be performed alongside the defendants’ statement and a forensic image of their mobile device to corroborate or contradict their claims.

At the end of the day, forensic evidence can be a key source of truth to decipher between contradicting statements.

For more information, contact us.

Share this post