The Examination Computer and Precautions to Take
It has already been stated in this book that it is very important to preserve the integrity of the digital evidence obtained from the telephone from the time it was seized until it is presented in court. Many digital evidence incident response team members use a checklist so that they know they did not forget anything. Once the evidence is obtained, a chain of custody form should be filled out. Each time the evidence is copied, processed, or transported, it should be documented on the chain of custody form. If others receive a copy of the evidence for prosecution or defense purposes, they too should sign for it.
When the examiner is ready to investigate the phone, he may have a checklist to make sure that the examination machine is ready. This computer, known as the examination computer, can be a laptop or a desktop. The main requirement is that it has at least a Pentium 90 for processing speed and enough RAM to operate the cell phone forensic software. There must also be enough available storage for the contents of the seized phone. This may be a challenge with an older computer, but fortunately old computers with Windows 98 had USB ports, which allows USB external storage devices to be used. The examination computer should have a current, properly licensed copy of the examination software used for the phone.
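As an added illustration (not from the book), the chain of custody record described above in code: each copy, processing step, transport, or hand-off is logged with the handler who signs for it, and the integrity requirement is made checkable by recomputing a SHA-256 digest of the image at every step and comparing it with the digest taken at seizure. Hashing is the usual practitioner's way of showing that a copy is unaltered; the book's text does not prescribe it, and the item id, handler names, and sample image bytes are constructed.

```python
import hashlib
from datetime import datetime, timezone


def fingerprint(image: bytes) -> str:
    """SHA-256 of the acquired image; identical bytes give an identical digest."""
    return hashlib.sha256(image).hexdigest()


class CustodyLog:
    """Append-only record of every hand-off of one evidence item."""

    def __init__(self, item_id: str, seized_by: str, image: bytes):
        self.item_id = item_id
        self.reference_hash = fingerprint(image)  # computed once, at seizure
        self.entries = []
        self.record("seized", seized_by, image)

    def record(self, action: str, handler: str, image: bytes, note: str = "") -> bool:
        """Log one event (copied, processed, transported, released) signed by
        its handler, and flag whether the bytes still match the seizure hash."""
        digest = fingerprint(image)
        intact = digest == self.reference_hash
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,   # the person who signs for this step
            "sha256": digest,
            "intact": intact,
            "note": note,
        })
        return intact

    def integrity_ok(self) -> bool:
        """True only if every logged copy still matched the original image."""
        return all(entry["intact"] for entry in self.entries)


def demo() -> CustodyLog:
    # Constructed sample image standing in for the acquired phone data.
    image = b"EXAMPLE-PHONE-IMAGE:contacts,sms,call-log"
    log = CustodyLog("item-001", "Examiner A", image)
    log.record("copied", "Examiner A", bytes(image), "working copy for analysis")
    log.record("released", "Defense counsel", bytes(image), "copy for the defense")
    # A copy with a single altered byte is caught on the next hand-off.
    tampered = image[:-1] + b"X"
    log.record("transported", "Courier", tampered, "arrived at lab B")
    return log
```

Any entry whose `intact` flag is false marks the point in the custody chain where the copy stopped matching what was seized, which is exactly the question a court will ask.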
Because this examination computer is used to download the data from the phone and then prepare it in a readable format for examination, it is best to check in the operating system that the USB port is working properly. In Windows 7, one can go to Control Panel, Device Manager, Universal Serial Control Bus, and then double click. It would also be a good idea to close all unnecessary programs.
The examination computer should also be protected from unwanted outside connectivity. That means that the wireless ports, infrared ports, Bluetooth ports, modem port, and Ethernet port should all be disabled. The examination computer may also be checked for viruses by running a current version of a properly licensed antivirus program to remove the possibility of a virus altering the data. A properly licensed antispyware program should also be run. A scrubbing program such as CCleaner that wipes unallocated hard drive space and clears temp files should be run, too.
The examiner may also wish to prepare a Faraday cage or a stronghold tent such as the one from the Paraben Corporation so that no signals will escape or penetrate the area where the cell phone examination is being conducted. The examiner may elect to sit in the stronghold tent when conducting the examination so that the evidence is not tainted by outside signals from hackers or people who wish to compromise the examination.
Each person who enters and leaves the examination facility should sign in and sign out. If an examiner retires, transfers, or quits, the cylinders for the locks should be rekeyed. It is recommended that each examiner have a badge with his name, organization, weight, and height. If a person has a dramatic change in appearance due to a change in weight or facial hair, then a new picture should be placed on the badge. Cameras should also be placed at the entrances and exits so that visitors, examiners, and illegal entries are documented on film. ASIS International has a bookstore that sells the Certified Protection Professional (CPP) set of study guides, which address these physical security best practices.
Precautions: Examining Phone—High-Profile Case
If it is a high-profile case, then it may be important to make sure that the examination room is in a Tempest facility with no possibility of eavesdropping. This means that only filtered power is used, so that the wiring for the outlets cannot be used for transmitting data from the examination room. Heating and air conditioning ducts should have a grate in them so that someone cannot climb into the facility through them and eavesdrop on the investigation or compromise the data. The Spy Museum in Washington, DC, has an air conditioning duct that the public can crawl through to get a real example of this method of spying.
The walls of the examination facility should be like the ones at the New Jersey Regional Computer Forensics Laboratory (RCFL). These contain a wire mesh system so that a criminal cannot easily breach the security of a wall. There should also be no false ceilings or raised floors where people can easily hide eavesdropping equipment or crawl into. The walls should contain copper so that signals cannot escape. A guard and closed-circuit television are also necessary. It is also suggested that the examination of the digital device not be conducted in a room with a flat roof above, because criminals can use a Sawzall or reciprocating saw to cut a hole in the roof after hours and get to the evidence. NIST has a set of guidelines that discuss the security needed for Tempest facilities.
The digital examiner should also make sure that his credentials are current and not out of date before performing the examination on the cell phone. If he took online instruction, attended a workshop, or got any continuing education, it should be noted on the resume in case the examiner’s credentials are questioned in court. Before the examination begins, the examiner should question all possible weaknesses or conditions that could cause doubt with a jury if the case should ever go to court.
Precautions: Protecting Equipment from Static Electricity
Cell phones are electromechanical devices with operating systems and can be affected by low batteries, humidity, temperature, and other complex environmental factors. Sometimes, examination machines have intermittent hardware failures on USB ports and hard drives.
The operating systems may also get corrupted. It is therefore important that cell phone examiners have more than one forensic tool and examination station because of all the complex variables that must work together in order for a cell phone to be seized and the electronic evidence to be collated by the examination software. I have demonstrated the same cell phone on the same examination machine numerous times with varying results.
The cell phone may be acquired on the first attempt, but often it takes three or four attempts before the process is successful and complete. It is not anyone’s fault; there are simply many environmental factors involved. The discharge of static electricity in the winter months is a big concern. That is why it is important to wear a grounding strap, use an antistatic mat, or use a static potential equalizer known as a “Static Buster” as pictured in Figure 1.5. If none of these options are possible, at least touch a metal object before touching the phone or computer.
Figure 1.5: Static potential equalizer—Static Buster
CCEs often tell me that it can take one or many times to acquire the evidence on the cell phone because of the correct parameters on the variables of the phone and examination machine that must be within acceptable boundaries for the process to work. Some cell phone examiners who use powerful desktops to run the forensic cell phone software will connect the desktop to an uninterruptible power supply because the power often intermittently goes out in the summer due to storms. Brownouts from too many air conditioners running on hot days are another reason for intermittent power losses. Even a brief power loss will cause the desktop computer to reset and reboot, thus ruining the data acquisition from a cell phone with high-capacity storage in it. Therefore, many cell phone examiners will have two examination machines with uninterruptible power supplies, and a licensed copy of BitPim, Device Seizure, Susteen Secure View, and MOBILedit. Others will have a Cellebrite and a small portable storage device for incident response in the field. Because of the number of things that must be right, having a wide range of tools is considered a must.
Susteen Secure View can now incorporate the data of its e-forensic competitors in its reports, so juries and judges no longer have to read a separate report for each tool. Cloke, Goldsmith, and Bennis, experts in workplace conflict and resolution, give numerous examples that one might consider parables, which appear to teach that more can be gained from cooperation than competition. This lesson appears to have been internalized by Susteen, the maker of Secure View. Many forensic examiners have said that they have also bought Secure View so that they can incorporate the data from other forensic tools, such as Device Seizure or the Cellebrite UFED products, in their main report.
The Need for a Faraday Bag
Cell phones are devices that connect to telecommunication networks through wireless signals. Some cell phones can also connect to Bluetooth devices or wireless networks. If the security features are not enabled on the cell phone, then it may be possible to connect to the phone and alter, delete, or add digital evidence on the phone. It is very important that the digital evidence be preserved from the time of seizure until it is presented as evidence in court. If evidence is suspected of having been tampered with, it could be ruled inadmissible in court. Therefore, it is important for CCEs to preserve digital evidence by using a Faraday bag and noting its usage on the chain of custody form. Smith and Bace, authors of a forensic testimony book, discuss the importance of preserving evidence and protecting the integrity of digital evidence.
Faraday bags look very similar to antistatic bags. The difference is that the antistatic bag prevents damage to the device from small electrical charges that have built up and are discharged as static electricity, but it does not protect the device from outside connectivity. Antistatic bags commonly come with purchased electronic equipment such as a wireless weather station, computer memory chips, or an EZPass transponder for the car that makes it convenient to pay tolls. The Faraday bag is based on the concept of a Faraday cage. The Faraday cage is an enclosure that prevents outside signals from reaching the cell phone or examination equipment. The Faraday bag is made with materials that block wireless signals from entering the bag, thus protecting the integrity of the device in the bag from outside influences.
The Faraday bag will not prevent internal data alteration by items such as logic bombs. A logic bomb is set to go off if certain conditions are met. If a person was supposed to simultaneously press a set of keys daily to keep a destructive program from running on the cell phone, this would be one example of a logic bomb. A phone seized from someone may be protected from outside control by hackers with the use of a Faraday bag, but the phone may still fall victim to a logic bomb if certain conditions are not met while the phone is in the possession of the CCE.
I was once teaching a class about cell phone forensics to a class of visiting cybercrime students from Kyungnam University from South Korea. One of the students asked if another type of metallic bag such as an aluminum foil bag could be used in an emergency situation if no Faraday bag was available. To demonstrate an answer to the student’s question, I placed various cell phones in aluminum foil bags and asked students to call the phone. The signal was blocked. The phones also did not appear as wireless device icons on the students’ laptop displays. The lesson learned was that aluminum foil bags give some protection from connectivity but a proper Faraday bag is best. I explained that the effectiveness of the aluminum foil bags was not known and that could offer an unwanted line of questioning in court. Each tool and methodology used in the collection, preservation, and examination of digital evidence should be able to withstand the Frye Test. The Frye Test helps ensure that the tools and methodologies used to gather, process, and examine evidence in an investigation are accepted as general practice by authorities in that field.
From: Digital Forensics for Handheld Devices
Author: Eamon P. Doherty, Fairleigh Dickinson University, Teaneck, New Jersey
Published: August 17, 2012 by CRC Press