Mobile Device Acquisitions: Why Immediate Action is Critical for Digital Evidence
The world of digital forensics is constantly evolving, and the way mobile devices are handled at the time of seizure is more critical than ever. Improper handling can "spoil" evidence, rendering it inadmissible in court, or simply make data acquisition more difficult, leading to the loss of crucial information.
This post, drawing on insights from the presentation "Mobile Device Acquisitions: Critical Considerations for Examiners & Investigators" by Debbie Garner and Jessica Hyde, highlights essential considerations for investigators and examiners, focusing on the preservation of digital evidence.
Core Principles: Preservation, Documentation, and Custody
Regardless of your role—Investigator, Digital Forensic Examiner (DFE), or Prosecutor—proper procedures must be followed immediately:
Photograph and Document
Whether on scene or in the lab, photography and documentation are the first steps.
Record Details: Photograph the phone in place and record key details. This includes the device's condition, serial number, and IMEI number.
Seizure and State: Note the time and date of seizure and record the device's state (on/off, locked/unlocked).
Biohazards: If a device is contaminated, mark it as such to inform the examiner.
Chain of Custody
The chain of custody applies from the point of seizure to the final disposition of the evidence.
Application: It must chronologically document every person who touches the physical device and the resulting digital forensic image created from it, which also becomes evidence.
Purpose: A proper chain of custody ensures the forensic image is authentic and has not been altered. It is essential for the evidence to be admissible in legal proceedings.
Essential Documents: You must include the Search Warrant (SW) or Consent to Search form with the device; no examination will happen without it in hand first.
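As an added illustration (not from the presentation or the cited standards), the Python sketch below shows one way a custody record for the forensic image can be kept: the image is hashed at acquisition and re-hashed at every hand-off, so any alteration shows up as a mismatch against the acquisition baseline. The device description, names, timestamps and image bytes are all constructed.

```python
"""Chain-of-custody record for a forensic image, keyed on the image's SHA-256.
Constructed example: the image bytes, names and timestamps are all invented."""
import hashlib
import json
from datetime import datetime


def image_hash(image: bytes) -> str:
    """Hex SHA-256 of the (in-memory) forensic image."""
    return hashlib.sha256(image).hexdigest()


def open_custody_log(image: bytes, device: str, collector: str, at: str) -> dict:
    """Create the record at acquisition; this hash is the baseline for every later hand-off."""
    digest = image_hash(image)
    return {
        "device": device,
        "acquisition_sha256": digest,
        "entries": [{"who": collector, "action": "acquired image", "at": at,
                     "image_sha256": digest, "integrity_ok": True}],
    }


def record_handoff(log: dict, image: bytes, who: str, action: str, at: str) -> bool:
    """Re-hash the image at each hand-off and append the entry. Returns False when the
    image no longer matches the acquisition hash (the mismatch is still recorded)."""
    digest = image_hash(image)
    ok = digest == log["acquisition_sha256"]
    log["entries"].append({"who": who, "action": action, "at": at,
                           "image_sha256": digest, "integrity_ok": ok})
    return ok


def verify_custody(log: dict) -> bool:
    """True only if every entry's hash equals the acquisition hash and the timestamps
    (ISO 8601 with offset) are in chronological order, i.e. no gap or reordering."""
    entries = log["entries"]
    hashes_ok = all(e["image_sha256"] == log["acquisition_sha256"] for e in entries)
    times = [datetime.fromisoformat(e["at"]) for e in entries]
    ordered = all(a <= b for a, b in zip(times, times[1:]))
    return hashes_ok and ordered


if __name__ == "__main__":
    # Constructed sample: a tiny stand-in for a device image.
    image = b"\x00\x01example-full-file-system-image\xff"
    log = open_custody_log(image, "Phone, IMEI <placeholder>", "Officer A", "2024-01-01T10:00:00+00:00")
    record_handoff(log, image, "Examiner B", "received in lab", "2024-01-01T14:30:00+00:00")
    print(json.dumps(log, indent=2), "\nchain valid:", verify_custody(log))
```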
Why Immediate Acquisition is Necessary
Time is critical for digital devices. Recent changes in mobile device technology mean that acquisition is preservation. Data degradation begins immediately. The Scientific Working Group on Digital Evidence (SWGDE) supports this, publishing a Position on Timely Preservation via Digital Acquisition.
Here are the five key reasons to acquire immediately:
Auto-Reboot: Devices may automatically reboot after a period of inactivity, forcing the device from the desirable After First Unlock (AFU) state to the less recoverable Before First Unlock (BFU) state.
iOS inactivity reboot is set at 72 hours.
Graphene OS auto-reboot default is 18 hours.
Artifact Degradation: Temporal artifacts (such as location data, deleted photos, browser history, and system artifacts) are volatile and are quickly lost or overwritten. The earlier the acquisition, the more temporal data can be captured.
USB Restricted Mode: This security feature on Graphene OS and iOS disables some USB connections and may enter a "charge only" mode, hindering acquisition attempts.
Recognized Location: Features like Apple’s Stolen Device Protection enable security protocols when the device is away from a significant, recognized location, which may inhibit forensic acquisitions.
Anti-Forensics: Individuals may use "Dead-Man Switches"—apps or settings that remotely wipe the device when a condition is met (e.g., a set time passes, a distress password is used, the device is not on the body, or a USB cable connects while the device is locked).
Preservation Tactics: Maintaining Device State
The device state significantly affects data availability.
Keep it Powered On
AFU Mode: If a phone is on and unlocked (AFU), keeping it powered on preserves access to unencrypted data and allows for a more complete forensic extraction.
Prevent Loss: Maintaining power prevents loss of access and reduces the risk of remote wipes upon reboot.
Disable Auto-Lock: If possible, disable the auto-lock feature.
Find the Cord: Examiners do not have every power supply, so please take the time to find the device's correct power cord or power supply.
Network Isolation
Network isolation prevents remote wiping via cellular, Wi-Fi, or Bluetooth.
Faraday Bag or Box: This is the most effective method, as it prevents all network communication. The device should be kept powered on inside the Faraday bag for volatile memory preservation.
Airplane Mode: This is a feasible alternative that preserves battery and allows charging, but has downsides:
It may not block Bluetooth Low Energy (BLE).
Bluetooth or Wi-Fi can still be manually turned on by the user.
SIM Card Removal: Removing the SIM card alone is insufficient, as other radios (Wi-Fi, Bluetooth, BLE) remain active.
Types of Mobile Acquisitions
The acquisition method determines the amount of recoverable data, generally moving from least to most complete:
| Acquisition Type | Description | State Requirement | Completeness |
|---|---|---|---|
| Manual | "Thumbing through a phone" by viewing the data on the screen. Can change data and stomp timestamps. Should be recorded. | Any state with PIN/Passcode Known | Least Complete |
| System/Crash Logs | Designed for recovering system information; can be a snapshot in time or a form of preservation. | Any state | Limited |
| Logical | Requested file data as interpreted by the operating system, often including backups. | Any state with PIN/Passcode Known | Partial |
| BFU Image | Device is ON but has NOT been UNLOCKED since the last boot (Before First Unlock). A partial file system image can be obtained, but it is not robust. | BFU (Before First Unlock) | Partial/Limited |
| AFU Image | Device is ON and has been UNLOCKED since the last boot (After First Unlock). More data is unencrypted; some commercial tools can obtain a partial file system image. | AFU (After First Unlock) | More Complete |
| Full File System | A process that requests active files and folders, which may contain remnants of deleted data and non-user data. This is the most complete acquisition from modern smartphones. | Generally AFU (Varies by tool) | Most Complete |
Essential References
| Title | Source / Link | Citation Reference |
|---|---|---|
| SWGDE Best Practices for Mobile Device Evidence Collection & Preservation, Handling, and Acquisition | https://www.swgde.org/18-f-003/ | SWGDE 18-F-003-2.0 |
| SWGDE Position on Timely Preservation via Digital Acquisition | https://www.swgde.org/25-f-001/ | SWGDE 25-F-001-1.0 |
| NIST Interagency Report 8387, Digital Evidence Preservation Considerations for Evidence Handlers | https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8387.pdf | NIST IR 8387 |
Mobile Device Evidence: Field Checklist
This checklist summarizes the critical steps needed to preserve mobile device evidence and ensure forensic soundness.
1. Immediate Documentation
Photograph the Device: Take photos of the device in place.
Record Details: Document the item's model, condition (e.g., damaged, dirty), serial number, and IMEI number.
Time & State: Record the time and date of seizure. Record the device's state: on/off and locked/unlocked.
Biohazard Labeling: If the device is contaminated, mark it as a biohazard before packaging.
Secure Documents: Obtain and secure the Search Warrant (SW) or Consent to Search form immediately.
2. Power & Device State Preservation
The goal is to maintain the device in the After First Unlock (AFU) state (unlocked since the last reboot).
Keep it ON: If the device is found powered on, keep it on to preserve volatile data and AFU access.
Disable Auto-Lock: If possible, disable the auto-lock feature.
Power Supply: Search for and package the device's specific power cord or power supply with the device.
Ask for Passcode: Ask the owner for the password, passcode, swipe pattern, or biometric unlock immediately.
3. Network Isolation (Prevent Remote Wipe)
You must prevent the device from connecting to cellular, Wi-Fi, or Bluetooth networks to stop remote wipes, security-induced data loss, and artifact degradation.
| Priority | Method | Pros | Cons / Notes |
|---|---|---|---|
| Highest | Faraday Bag / Box | Blocks all cellular, Wi-Fi, Bluetooth, and NFC signals. | Must keep the device powered on inside the bag. |
| Secondary | Airplane Mode | Preserves battery; allows charging; allows use without containment. | Requires manual access; may not block BLE (Bluetooth Low Energy); potential for user error (leaving Wi-Fi/Bluetooth on). |
| Avoid | Removing SIM Card | Blocks cellular only. | Other radios (Wi-Fi, Bluetooth, BLE) remain active; may lock the device and disable biometrics. |
4. Packaging & Custody
Package Carefully: Place the device in the appropriate containment (e.g., Faraday bag).
Start the Chain: Initiate the Chain of Custody Tracking Form immediately.
Record Everything: Document the person collecting, the location found, the device state, and the date/time any person touches the evidence.