Incorrect procedures or improper handling of a mobile device during a seizure may cause loss of digital data. Moreover, traditional forensic measures, such as fingerprints or DNA testing, may need to be applied to establish a link between a mobile device and its owner or user. If the device is not handled properly, physical evidence may be contaminated and rendered useless.
Alertness to mobile device characteristics and issues (e.g., memory volatility) and familiarity with tangential equipment (e.g., media, cables, and power adapters) are essential. For mobile devices, sources of evidence include the device, UICC, and associated media. Associated peripherals, cables, power adapters, and other accessories are also of interest. All areas of the scene should be searched thoroughly, ensuring related evidence is not overlooked.
Equipment associated with the mobile device, such as removable media, UICCs, or personal computers, may prove more valuable than the mobile device itself. Removable media varies in size, is easily hidden, and can be difficult to find. Removable memory cards are often identifiable by their distinctive shape and by the electrical contacts on their bodies, which are used to establish an interface with the device. Personal computers may be particularly useful in later accessing a locked mobile device if the personal computer has established a trusted relationship with it. For example, Apple incorporates a pairing process whereby an existing pairing record file can be used by tools [Zdz12] to access the mobile device while it is still locked.
When interviewing the owner or user of a mobile device, consider requesting any security codes, passwords, or gestures needed to access its contents. For example, GSM devices may have authentication codes set for the internal memory and/or the UICC.
While securing a mobile device, exercise caution when allowing an individual to handle it. Many mobile devices have master reset codes that clear the contents of the device to original factory conditions. Master resets may be performed remotely, requiring proper precautions such as network isolation to ensure that evidence is not modified or destroyed.
Mobile devices may be found in a compromised state that complicates seizure, such as immersion in a liquid. In these situations, forensic examiners should adhere to agency-specific procedures. One method involves removing the battery to prevent electrical shorting, while the remainder of the mobile device is sealed in an appropriate container filled with the same liquid for transport to the lab, provided the liquid is not caustic. Some compromised states, such as blood contamination or use with explosives (i.e., as a bomb component), can pose a danger to the technician collecting evidence. In such situations, consult a specialist for specific instructions or assistance.
Mobile devices and associated media are sometimes found in a damaged state caused by accidental or deliberate action. Visible external damage to a device or its media does not necessarily prevent the extraction of data. Take damaged equipment back to the lab for closer inspection. Repairing damaged components on a mobile device and restoring the device to working order for examination and analysis may be possible.
Undamaged memory components may also be removed from a damaged device and their contents recovered independently. This method should be used with caution, as it is not possible with all devices.