Investigative methods are procedures the investigative team can apply, which require no forensic software or hardware tools. The most obvious methods are the following:
- Ask the owner – If a device is protected with a password, PIN, or other authentication mechanism involving knowledge-based authentication, the owner maybe queried for this information during an interview.
- Review seized material – Passwords or PINs may be written down on a slip of paper and kept with or near the phone, at a desktop computer used to synchronize with the mobile device, or with the owner, such in a wallet, and might be recovered through visual inspection. Packaging material for a UICC or a mobile device may disclose a PIN Unlocking Key (PUK) used to reset the PIN value. Device-specific vulnerabilities may also be exploited, such as Smudge attacks. Smudge attacks involved careful analysis of the surface of a touch screen device to determine the most recent gesture lock used.
- Ask the service provider – If a GSM mobile device is protected with a PIN-enabled UICC, the identifier (i.e., the ICCID) may be obtained from it and used to request the PUK from the service provider and reset the PIN. Some service providers can retrieve the PUK online by entering the telephone number of the mobile device and specific subscriber information into public web pages set up for this purpose. Additionally, contacting the device manufacturer might generate more information (e.g., Apple).
Mobile device users may choose weak passwords to secure their devices, such as 1-1-1-1, 0-0-0-0, or 1-2-3-4. Some of these numeric combinations are device default passcodes provided by the manufacturer. It is not recommended to attempt to unlock a device using these combinations due to several risk factors. They may include permanent wiping of mobile device memory, enabling additional security mechanisms (e.g., PIN/PUK), or initializing destructive applications. Mobile devices generally have a defined number of attempts before enabling further security precautions. Before making any attempts at unlocking a mobile device, it is recommended to consider the number of attempts left. There may be an instance where an examiner may choose to accept these risks in cases where this is the only option for data extraction.