Evidence

Evidence can be store in a variety of devices or locations. Keep in mind that sometimes these devices could be hidden or disguised as other items. When collecting evidence ensure a through search has been completed, so that nothing is missed.

Hidden SD Card

This is actually for sale on Amazon, and quickly looking, you might just think it is a regular nickel!

USB Lighter

There are also tutorials online that show how easy you can hide a USB drive in a lighter!

Flash Drive Necklace

Again, for sale on Amazon. It looks like a necklace, but has USB storage!

USB Toothpaste

Not only will this help fight cavities, but it will also store data! This is an easy thing that you can even do at home!

Instructions.

USB Barbi

If you ever wonder what to do with your old Barbi, why not turn her into a USB Drive?

I know some of these might seem ridiculous and crazy, but this was done on purpose to show that you can't take anything for eye value.

Protecting Evidence

As previously discussed, take pictures and document everything! Even though it is a mobile or IoT device, documentation is key! If possible, place any device in "Airplane Mode." This can disable communication and prevent someone from remotely wiping the device. Also, fingerprinting the device can help prove who is using it. Remember to look for evidence of DNA (skin flakes, saliva, hair) on the device.

If a mobile device is powered on, do not turn it off. The device should be placed in a Faraday Bag as soon as it has been processed. A Faraday Bag will block all communication and prevent data from being overwritten.

If a mobile device is powered off, leave it off. Powering it on would trigger the need for authentication, which we wish to avoid. Also, powering on the device could change any existing data on it.

What to look for?

Where could this information be found? Mobile devices have four main locations where data can be stored:

On the device - the eternal storage of the device
The Subscriber Identity Module (SIM) provides a unique number that identifies the owner. If a device does not have a SIM, it will not function. Some SIM cards offer the ability to store data. Carriers are moving to an eSIM, so the device might not have a physical SIM.
Memory Card - Think SD cards.
Cloud - This is not stored locally but online using a cloud provider for storage.

Look for the following items when analyzing a mobile device:

Address book - provides contact information
Calendar(s) - can provide details about where and who the person was with
Call history - provides details about recent communications
Cloud storage - Lots of providers (DropBox, Google, Box, etc) look for any data/files to analyze later
Deleted data - Look for anything that has been deleted to analyze
E-mail - provides details about communications and contacts
Maps - where have they gone or what have they been looking for (Apple, Google, Waze, etc)
Music - could have recorded conversation as music
Notes/Documents - could have notes that could be of assistance in the case
Photos - can help provide details of contacts and where they have been or what they have been doing

Locked Phones

If a phone asks for a password, do not attempt to guess it, as devices might be configured to wipe after a specified number of failed attempts. To gain access to the device, you could always ask the user, and they might give it up quickly and easily. This is the best-case scenario. Another method might be to do a successful smudge attack about 68% of the time. Also, the Government might have other methods to access devices through zero-days or other methods.

MicroSD Card

Even if the phone is locked, look to see if the device supports a MicroSD card. This could be another method to view data on the device.

Google Sites

Report abuse