There are material differences in what is collected depending on which of the two forensically sound collection methodologies is used. And there are no “do-overs”: a second, later collection will not be able to capture data that was present at the time of the original collection. Knowing the differences between the methodologies is essential to making an informed and defensible decision about which methodology you direct your forensic/eDiscovery partner to pursue.
The Very Basics
There are two general forensically sound mobile device collection methodologies:
- Limited “Logical” – a forensically sound copy of the backup the phone itself produces
  - “Surface level” collection: very limited metadata, no geolocation, etc.
  - Messaging: native apps only; no deleted messages, no 3rd-party apps (e.g., WhatsApp)
- Full File System – robust, leveraging advanced forensic tool technologies to execute
  - Collects deleted data, including messages
  - Includes 3rd-party messaging apps, geolocation, enhanced metadata, etc.
  - Materially broader and deeper scope of content/data collected
Critical Cloud-Stored Mobile Device Data:
- Commonly, cloud back-ups contain content no longer on the device itself.
- Cloud message sync repository. Where message sync is enabled (becoming the default), a collection is not complete without collecting this repository. For more, see: [insert link]
Generally Recommended
Full File System (FFS) collection to include collection of available device backups and all available cloud sync message repository content.
Rationale
(a) Defensibility from spoliation claims;
(b) For messaging, you must include collecting the cloud sync repository for a reasonably complete collection;
(c) Only one shot. More often than not, clients later return looking for content that is only available through an FFS collection, and by then that content is highly likely to no longer be available. Do an FFS up front, or risk losing the content forever.
And, always ACT FAST! Mobile device content is destroyed very quickly, including inadvertently through normal usage. At a minimum, immediately preserve/collect; production and/or examination can follow later as needed.
Last note: the availability of the FFS methodology changes with every Android or iOS update, among other variables. Only two software developers claim to be actively updating their tools to keep up with the Android and iOS releases, and only one of these truly does so on a timely basis. To that end, confirm with your forensics vendor that the tool they use is actually capable of an FFS collection for the specific device model and operating system version in your matter.
Next Practitioner’s EDGE Installment: Where Has the Critical User Activity Evidence Gone?
To receive this next EDGE Tip in Protek’s continuing Practitioner’s EDGE Alerts/Tips installments, please feel free to send an email to info@protekintl.com with the subject line “Send EDGE.”