Investigators and examiners are faced with tough, real-time, on-scene decisions that can have unforeseen consequences weeks or months later. One such decision is how best to handle mobile devices encountered in the field, and the different states those devices may be in. There are many well-known collection tips in the DFIR community, such as: if it is off, leave it off; if it is on, capture the screen contents (any apps that may be running, the battery level, and so on).
Keep confiscated phones in the green
Why might the battery level be important in an investigation? One of the most critical reasons is that if the phone dies you are not just losing power to the device; you are also losing a potential opportunity to collect critical volatile data from the current session, the ability to capture device contents while the passcode is unknown, and much more.
On the flip side, if the phone is on, there is an increased sense of urgency. Device acquisition must be performed soon, before the phone dies, or the device must be kept on charge while it waits to be shipped to the lab for acquisition and analysis.
When a device is on, we know that we need to isolate it from the network to reduce the chance of a remote wipe or loss of data. A good precaution against these possibilities is to place the phone in a Faraday bag. Under more dire conditions, a few sheets of tin foil or something similar can also be used to prevent the device from connecting to a network. Isolation creates a problem of its own, as noted in NIST Special Publication 800-101 Revision 1, Guidelines on Mobile Device Forensics: "When the phone's signal is blocked, it will drain the battery rapidly trying to connect to the network. Keeping the mobile device on, but radio isolated, shortens battery life due to increased power consumption as devices unable to connect to a network raise their signal strength to maximum. To conserve power, some mobile devices are normally configured to enter energy savings mode and shut off the display after a short period of inactivity." (Ayers, Brothers, Jansen, 2014)
To further complicate this all too frequent scenario, most forensic software products require that a device have a certain level of charge in order to acquire it properly. As the phone loses charge and drops below various battery thresholds, service interruptions and acquisition errors become more likely due to insufficient power.
In these tense and time-sensitive moments it is important to keep your wits and remember to collect the phone charger that is used with the specific device, and to use that charger for your extraction whenever possible. If you can locate the charger, place it in an evidence bag with the phone. This will help immensely with your acquisition later, in the cases where the extraction cables typically available in the lab do not work with your specific device.
Does your phone charging station look like this?
If you have any additional pointers or stories to share with the community regarding the importance of charging a mobile device for acquisition, please share your thoughts with us at sales@belkasoft.com.
References
Ayers, R., Brothers, S., & Jansen, W. (2014, May). Guidelines on Mobile Device Forensics. NIST Special Publication 800-101 Revision 1.