Once the make and model of the mobile device are known, available manuals should be retrieved and studied. The manufacturer’s website is a good place to begin. Typing the model number into a search engine may also reveal a significant amount of information about the mobile device. As mentioned earlier, the device being acquired largely dictates the choice of forensic tools. The following criteria have been suggested as a fundamental set of requirements for forensic tools and should be considered when a choice of tools is available:
- Usability – the ability to present data in a form that is useful to an investigator
- Comprehensive – the ability to present all data to an investigator to identify inculpatory and exculpatory evidence.
- Accuracy – the quality of the output of the tool has been verified
- Deterministic – the ability for the tool to produce the same output when given the same set of instructions and input data
- Verifiable – the ability to ensure accuracy of the output by having access to intermediate translation and presentation results
- Tested – the ability to determine whether known data present within the mobile device's internal memory is left unmodified and is reported accurately by the tool
Experimenting with various tools on test devices to determine which acquisition tools work efficiently with specific mobile device types is highly recommended. Besides gaining familiarity with the tool’s capabilities, experimentation allows special-purpose search filters and custom configurations to be set up before use in an actual case. In addition, it allows for the installation of any needed software updates from the manufacturer.
Established procedures should guide the technical process of acquisition, as well as the examination of evidence. New circumstances may arise sporadically that require adjustment to existing procedures, and in some situations, require new procedures and methods to be devised. Some examples include: UICCs being permanently bonded into a mobile device, mobile devices capable of supporting multiple UICCs, and mobile devices that block logical acquisition ports until a connection is made with a cell tower. Procedures must be tested to ensure that the results obtained are valid and independently reproducible. Testing should occur on the same model of mobile device before attempting procedures on the case device. The development and validation of the procedures should be documented and include the following steps:
- Identifying the task or problem
- Proposing possible solutions
- Testing each solution on an identical test device and under known control conditions
- Evaluating the results of the test
- Finalizing the procedure
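
The "Deterministic" and "Tested" criteria, and the step of testing each solution on an identical test device, can be checked mechanically by comparing repeated tool reports against data deliberately populated on the test device. The following Python is an added example, not part of the original guidance; the record layout, function names and sample values are constructed assumptions.

```python
import hashlib
import json

# Constructed reference data: items deliberately populated on a test device
# of the same model before acquisition (hypothetical record layout).
KNOWN_DATA = {
    "contact:1": {"name": "Test Alpha", "number": "+15550100"},
    "sms:1": {"peer": "+15550100", "body": "validation message 1"},
    "sms:2": {"peer": "+15550101", "body": "validation message 2"},
}

def digest(report):
    """SHA-256 over canonical JSON, so key order cannot change the hash."""
    canonical = json.dumps(report, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def validate_runs(known, runs):
    """Compare repeated tool reports with each other and with the known data."""
    digests = [digest(r) for r in runs]
    findings, extra = [], []
    for i, report in enumerate(runs):
        for key, expected in known.items():
            if key not in report:
                findings.append((i, key, "missing"))    # tool failed to report it
            elif report[key] != expected:
                findings.append((i, key, "altered"))    # tool reported it inaccurately
        # Items not in the reference set are listed for examiner review only.
        extra += [(i, k) for k in sorted(report.keys() - known.keys())]
    return {
        "deterministic": len(set(digests)) == 1,  # same input gave the same output
        "accurate": not findings,                 # all known data reported unmodified
        "digests": digests,
        "findings": findings,
        "extra": extra,
    }

def demo():
    """Two constructed scenarios: a consistent tool and one that drops and truncates data."""
    clean = validate_runs(KNOWN_DATA, [dict(KNOWN_DATA), dict(KNOWN_DATA)])
    bad_run = {**KNOWN_DATA, "sms:2": {"peer": "+15550101", "body": "validation mess"}}
    del bad_run["contact:1"]
    flawed = validate_runs(KNOWN_DATA, [dict(KNOWN_DATA), bad_run])
    return clean, flawed

if __name__ == "__main__":
    for name, result in zip(("clean", "flawed"), demo()):
        print(name, json.dumps(result, indent=2))
```

Recording the digests and findings from each test run gives the documented evidence that the procedure was validated before use on the case device.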