“Fortune favors the prepared mind” –Louis Pasteur
Over the past year and a half, the pandemic has changed many facets of daily and working life, and it did not spare forensic collections. While remote collections of mobile devices took place before the pandemic, they were far less common than they are now, usually reserved for extenuating circumstances. Covid has now flipped that on its head, and in-person collections are now the exception.
All the usual culprits contribute to this change. In-person collections typically require travel, usually by plane with overnight stays in a hotel. Collections also take place indoors and over several hours, which introduces more risk. Individuals having their phone collected usually prefer to be nearby, if not in the same room, while a collection is taking place.
The fact that more people work remotely means that in-person collections are even more time consuming. Gone are the times (at least for now) when a forensic collector could go to a company, perform a series of collections, and return with the needed data. While remote collections address many of these issues, they also introduce some new ones. But the issues can be minimized if vendors and clients plan and communicate effectively.
In performing remote collections of mobile devices, the collector first ships a remote collection kit. This kit is typically a package containing a computer (pre-loaded with the necessary collection software), a hard drive to store the device image, cables to connect the phone for collection, a chain of custody form and a return label for the kit. After a kit arrives, the collector and the custodian will video conference to walk through the proper settings, connections, and procedures to ensure a forensically sound image of the device. Once the collection has begun, the collector will monitor the process until complete. The custodian fills out the chain of custody form, ships the kit back to the vendor, and Bob’s your uncle.[1] Except it does not always happen like that…
Sometimes an operating system receives a security patch update that interferes with the collection software, or a dongle does not work (or is the wrong connection), or what is needed from the collection does not exist on the phone and a custodian cannot remember their backup password, or something else prevents a collection from happening. Planning and communication provide two main benefits:
- You receive important information about the devices you are dealing with in advance.
- Both your client and custodian (sometimes they are one and the same) have an opportunity to think through the process in advance of collection day.
At Sandline we use a simple questionnaire for each device as follows:
| Mobile Device Collection Information | Response |
| --- | --- |
| Custodian Last Name | |
| Custodian First Name | |
| Custodian Physical Address | |
| Anticipated Date of Collection | |
| Custodian Email Address | |
| Custodian Alternate Telephone Number | |
| Device Make | |
| Device Model | |
| Mobile Device Management Installed | |
| Operating System Installed | |
| App 1 Version Installed (if collecting apps) | |
| App 2 Version Installed (if collecting apps) | |
| Device Unlock Passcode | |
| Brand Backup Password (Case Sensitive) (if enabled) [i.e. iCloud, Google Drive] | |
In addition to the questionnaire, the dialogue with the client or custodian also provides an opportunity to address preservation measures. The custodian should obviously not delete anything from their device, but they should also turn off automatic updates to both the operating system and any applications that need to be collected. These preservation steps help ensure that data is not inadvertently removed and that the collection software is compatible with the app versions. If mobile device management software is installed on a device, then a company can usually implement these preservation measures remotely.
When a collection is scheduled in advance, it also tends to reduce the amount of time a kit will remain away from the vendor. It is not uncommon to see a vendor agreement that provides for additional fees if the kit is not returned within a specified amount of time. Regardless of fees, scheduling also reduces opportunities for accidents, theft, or simply losing the kit, all of which cost time and money and require another collection. Both applications and operating systems are updated so frequently that it is nearly impossible for collection software to keep up with the myriad options and versions. When a forensic collector has this information in advance, they can research which cables and dongles to provide, whether the software is compatible, and whether collection of the backup system will be necessary.
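As an added illustration, not Sandline's code or any vendor's tool, the following Python check turns a completed questionnaire into a list of blockers and warnings to resolve before the kit ships. The field names, the app compatibility list, and the extra auto-update field are assumptions made for this example.

```python
"""Pre-collection readiness check over the device questionnaire (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical compatibility list: app name -> versions the collection
# software is known to handle. Values are constructed for this example.
SUPPORTED_APP_VERSIONS = {
    "Signal": {"5.60.0", "5.61.0"},
    "WhatsApp": {"2.22.20"},
}


@dataclass
class DeviceQuestionnaire:
    custodian: str
    make: str
    model: str
    os_version: str
    mdm_installed: bool
    unlock_passcode: str
    backup_enabled: bool
    backup_password: Optional[str]   # iCloud / Google Drive password, if backup enabled
    apps: Dict[str, str]             # app name -> version installed (empty if not collecting apps)
    auto_updates_disabled: bool      # assumed extra field: OS and app auto-updates turned off


def readiness_issues(q: DeviceQuestionnaire) -> List[str]:
    """Return blockers and warnings a collector should clear before shipping the kit."""
    issues = []
    if not q.unlock_passcode:
        issues.append("BLOCKER: device unlock passcode not provided")
    if q.backup_enabled and not q.backup_password:
        issues.append("BLOCKER: backup is enabled but the backup password is missing")
    for app, version in q.apps.items():
        supported = SUPPORTED_APP_VERSIONS.get(app)
        if supported is None:
            issues.append(f"BLOCKER: no collection support listed for app {app}")
        elif version not in supported:
            issues.append(f"WARNING: {app} {version} not in tested versions {sorted(supported)}")
    if not q.auto_updates_disabled:
        hint = "can be enforced remotely via MDM" if q.mdm_installed else "custodian must disable manually"
        issues.append(f"WARNING: automatic updates still on ({hint})")
    return issues


# Constructed sample records, not real custodians or devices.
SAMPLE_READY = DeviceQuestionnaire("J. Doe", "Apple", "iPhone 12", "iOS 15.1", False,
                                   "1234", True, "Hunter2!", {"Signal": "5.61.0"}, True)
SAMPLE_NOT_READY = DeviceQuestionnaire("R. Roe", "Samsung", "Galaxy S21", "Android 12", True,
                                       "0000", True, None, {"Signal": "5.55.0"}, False)

if __name__ == "__main__":
    for issue in readiness_issues(SAMPLE_NOT_READY):
        print(issue)
```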
Forensic collections are seldom a quick and clean process. Even after a forensic collection is completed, you may encounter issues processing what was (or was not) collected. These steps will not eliminate all obstacles to a successful collection, but they will minimize them. Sometimes you will not be able to get this information in advance, but even that knowledge and the conversations that it generates will better prepare you for the challenge in front of you.
So, what are your thoughts? What other strategies do you use in planning a mobile device collection?
[1] English expression for “there you have it.”