Day 1: FMPF Boot Camp + Securing Evidence Flashcards
Define ACPO Principle 1
Do Not Change Data!
No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
Define ACPO Principle 2
Do you know what you are doing?
If you need to handle original data, make sure you are competent and trained enough to do so and can justify your actions.
“In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and implications of their actions.”
Define ACPO Principle 3
Keep notes!
Build an audit trail! These notes should consist of photos/videos of your actions and observations, a log of actions, output from DF tools, logs from DF tools and a copy of the submission form!
An independent party should be able to use this to replicate your steps and produce the same (or reasonably comparable) results!
“An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine this process and achieve the same result.”
Define ACPO Principle 4
The OIC is responsible for ensuring the law and ACPO principles are adhered to. This doesn’t relieve us of all responsibility for our actions. It means we need to keep the OIC updated and informed with the case, findings and any mistakes that occur.
When an evidence bag is received at the mobile forensics unit lab, what examinable material may be placed inside?
- The handset.
- The SIM card.
- The memory card.
When an evidence bag is received at the mobile forensics unit lab, what examinable material may be found outside of the bag but pertinent to the evidence inside?
- Backups.
- Cloud Storage.
- Information provided by the phone’s registered network provider (i.e. call logs, confirmation of ICCID, IMSI, IMEI, MSISDN).
- What is Network Isolation?
- What four types of signal need to be blocked to achieve Network Isolation?
- What are the three main reasons for ensuring devices are network isolated when examined?
- Network isolation is blocking the radio communication of a device in all of its forms so it cannot transmit or receive data.
- GSM (Cellular/Mobile), Wi-Fi, Bluetooth and Location.
- We need to protect ACPO principle 1 by preventing changes on the device. Incoming signal can change the original data on a device.
- If we receive and deliberately read messages or communications after seizure, there is no chance of the intended recipient accessing them first, so we have committed interception, which is illegal!
- An incoming signal could trigger a remote wipe and change all of the data on the device, violating ACPO principle 1!
What steps can be taken to ensure a mobile device is network isolated?
- Put it in a Faraday environment (Box, Bag, Room)
- Enable airplane mode on the device. But bear in mind that this may or may not disable Bluetooth and WiFi and the behaviour may vary across devices. Always double check!
- Turn the device off (bear in mind that newer iOS and Android devices use Ultra Wideband emissions even whilst off, for tag tracking or contact tracing, so the device may still be communicating).
- Remove the original SIM so GSM is disabled (the ICCID and IMSI are needed to talk to the network) and keep it out of the device for the duration of the examination. If you need a SIM present to operate the device, clone it onto a dummy SIM with the transmitting ability disabled and insert that into the device, keeping the original SIM safely stored outside of the device.
- Use a jammer (you will need a licence from Ofcom to do this legally).
Does Flight Mode Disable Location Services?
No. If flight mode is on along with location services, the phone will still track your movements. The location will be cached and sent to the cloud once airplane mode is disabled again.
Can we view all “Significant Locations” stored on the device through manual examination?
No. Typically a small selection will be displayed, but the rest will be cached somewhere in the system. A tool will need to read the device and its memory to find them all.
What is the potential impact of removing the SIM card from a mobile device?
The potential is for the phone to erase its call logs. The device will almost certainly do this if a SIM with a different ICCID and IMSI is reinserted, as the specifications say that call log erasure is what should happen whenever a SIM is removed; however, a changed ICCID/IMSI is the only practical way for many devices to detect that the SIM was removed.
What data change may occur if we remove the battery from a phone?
The time and date may be lost or reset.
Why are the potential side effects of removing the SIM card or battery bad for a forensic investigation, and why should they be avoided?
They violate ACPO principle 1 by changing data on the device.
- What is a logical read of a storage device?
- Does the device need to be switched on to perform a logical read?
- A logical read uses the API of the operating system/firmware of a device to request the files and directories that are “live” and which it can see. We cannot get deleted data from a logical read, as the OS cannot see it. You’ll typically get contacts, SMS, media, call logs and app data. A logical read may typically use a backup file to extract the data the device has knowledge of.
- Yes. This form of read relies on some form of power being supplied to the device in order to access the firmware or operating system and request the files it can see.
What is a Full File System read of a device?
A Full File System read elevates its permissions (typically to root) in order to gain full access to the underlying OS file system. Once there, it will have full access to the system files, including databases and even deleted files.