Mobile Forensics and Chain of Custody (CoC) - Oct 21 (Vol IV, Issue 1)
Mobile devices have become crucial in any investigation, whether it relates to a civil or a criminal matter. In our earlier newsletter, we discussed a few important aspects of the acquisition and imaging process for various storage devices. Let us now discuss some important aspects of mobile forensics, especially those pertaining to the Chain of Custody (CoC).
The use of a mobile device is as pervasive as it is helpful, especially in the context of digital forensics, because these devices amass huge quantities of data, which can be extracted as evidence to facilitate the investigation.
Getting access to the data is certainly a challenge, especially when a seized device is locked. But this is only one issue; the other potential risk lies in maintaining the Chain of Custody (CoC), which is crucial as it always comes first during trial.
As we all know, the term CoC is associated with the paper trail that records the sequence of custody, control and transfer of evidence, including electronic evidence obtained from the mobile device. Hence, the following are crucial aspects related to CoC:
- What was the time when the device was seized?
- What was the transaction at the time of seizure?
- Was the device turned on or off and, if on, what was being displayed on the device?
- What was the physical condition of the device?
- Who took control of the physical device and what were the specifications of the device such as serial number, model, make, etc.?
- How was the device secured after obtaining its custody?
It is important to mention that typically both the extracted data and the physical device are admitted in court; therefore it is essential that everyone who has come in contact with the device is listed in the CoC form. All persons who have handled the evidence are required to be documented through the CoC because, when the evidence is presented, the role and involvement of each of them has to be explained to the court.
This process is essential because the collection of data occurred before data analysis took place. As a result, once imaging is done from the device, it must be logged through the CoC as well. For example, when evidence is extracted from a mobile device and stored in a USB device, one needs to document this transaction to confirm that steps associated with the physical device were followed because the USB device will also need to be admitted in court.
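One way to keep the CoC record described above machine-checkable, as an added example that is not from the original newsletter or from Alliance IFA: each entry carries the seizure details listed earlier, and the log flags any action by someone who did not hold the item. The hash chain that makes later edits detectable is an assumption of this example, not something the article prescribes, and all names, field names and sample values are constructed.

```python
import hashlib, json

def _digest(body):
    # Canonical JSON so an unchanged entry always hashes to the same value
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Append-only CoC log; every entry commits to the one before it."""
    def __init__(self):
        self.entries = []

    def add(self, item_id, action, handler, when, **details):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"item_id": item_id, "action": action, "handler": handler,
                "when": when, "details": details, "prev_hash": prev}
        self.entries.append({**body, "entry_hash": _digest(body)})

    def verify(self):
        """Return problems found: edited entries or actions by a non-custodian."""
        problems, prev, holder = [], "0" * 64, {}
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                problems.append(f"entry {i}: hash chain broken")
            prev = e["entry_hash"]
            item, who = e["item_id"], e["handler"]
            if e["action"] in ("seized", "created"):
                holder[item] = who          # custody of this item starts here
            elif holder.get(item) != who:
                problems.append(f"entry {i}: {who} did not hold {item}")
            elif e["action"] == "transferred":
                holder[item] = e["details"]["to"]
        return problems

def sample_log():
    """Constructed sample: seizure, hand-over, imaging, and the USB copy."""
    log = CustodyLog()
    log.add("PHONE-01", "seized", "Officer A", "2021-10-01T10:15:00+05:30",
            power_state="on", display="lock screen", condition="cracked screen",
            make="ExampleMake", model="X1", serial="SERIAL-PLACEHOLDER",
            secured="sealed evidence bag")
    log.add("PHONE-01", "transferred", "Officer A", "2021-10-01T14:00:00+05:30",
            to="Examiner B")
    log.add("PHONE-01", "imaged", "Examiner B", "2021-10-01T15:30:00+05:30",
            output="USB-01")
    image = b"constructed stand-in for the extracted image"
    log.add("USB-01", "created", "Examiner B", "2021-10-01T15:30:00+05:30",
            source="PHONE-01", sha256=hashlib.sha256(image).hexdigest())
    return log
```

Calling `sample_log().verify()` returns an empty list; editing a stored entry or logging a transfer by someone who never received the item produces a problem line naming the entry.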
At Alliance IFA’s Mobile Forensic Division, we use forensic tools that can provide lawful access to locked iOS and Android devices within 24 hours. We have the ability to quickly extract data from a mobile device to ensure that we are maintaining demonstrative control over the evidence. Since we are able to access data from a locked device within hours, there is no need to send it to a third-party vendor for data extraction, where the possibilities of device tampering and loss of evidence can’t be denied.
Our team has 4 basic traits:
- Speed
- Access
- Depth
- Control (Ability to maintain evident chain of custody)
The amount of evidence that can be collected from a single mobile device is beyond comprehension and we at Alliance IFA not only access the evidence quickly, but also extract the full system
******************************************************************************************
Author:
Prabhat Kumar, Chief Investigation Officer