Cellphone Examination and Myths

(@csericks)

People have stated that they would put the handset into a Faraday so they could keep the handset on but not allow it to contact the networks, and I thought that was where you were coming from (i.e. you don't think that it's such a bad idea). My point was that we have some examiners that are receiving the handset switched off (in this state there is potentially a lot of valuable AUTOMATED data); then they would switch on the handset, within the Faraday, just to record the time and date stamp.
If the SIM was done first, all the automated data is collected (at the risk sometimes of losing the time/date??).
Of course every case has its own quirks, but securing location-based automated real evidence should, except in certain bespoke cases, always be the consideration over the time, which can be altered either maliciously or by some owner with a penchant for just "playing" with his/her phone (I have lost count of the amount of videos I have seen on handsets that are just the living rooms of individuals pointing at the TV or one of their pals watching TV, and it's this, almost compulsion with some people that has them constantly messing with the handset).

You make great points, bigjon. Location data can be so critical to a case.

Actually, my thought on the Faraday bag is that it should be the exception to use it, rather than the standard. I say take notes/photos incident to seizure, then power off and remove the battery.

In the rare circumstance where an officer/agent is concerned about PIN lockup AND there is reason to believe that, if locked, an examiner will not be able to get the device's data AND the officer/agent has access to an uninterruptible power supply, then I would recommend leaving it powered on, charging on the UPS, and secured inside a Faraday bag to be expedited to the lab for analysis.

Thanks, again, for your comments.

IF…AND…AND…THEN… I feel like I'm coding. 😉 (Yes, my code can be this verbose.)

(@trewmte)

It is good to see the Forensic Focus Members' input on this, and it would be nice to see input from others too who are participating in the use of isolation containment. Thanks so much to those who have responded thus far.

I hope it won't be depressing for you all to know that there is still much more on this subject needing discussion and clarification. To add an additional element to this mix (and there are quite a few more elements to come after these below), if members are prepared to walk this path of shared skill and knowledge and be open to discussion:

1) Incoming text messages - should these be allowed?
2) What about received emails
3) User profiled events - handset calendars, SIM Application Toolkit (STK) and Proactive SIM

(@csericks)

trewmte,

At the risk of sounding obtuse, would you be so kind as to describe what you mean by "…should these be allowed?" and what you want addressed with #3?

Thanks.

(@trewmte)

csericks, you are not at risk of sounding obtuse at all, happy to oblige.

POINT ONE INCOMING TEXT MESSAGES
1) If one reads the SIM Card first, which includes SMS saved and deleted data,
2) then the examiner should be able to examine the MS without isolation;
3) which means that if any text messages come in, the impact wouldn't affect SIM user or network data because the first read had secured that data - provided of course you use the appropriate SIM reader to capture all the relevant data. We often learn where Judges refer to this based upon: if the police have already obtained their forensic read, why place obstacles in the defence path when they want to examine the exhibit?
4) If the handset was being examined in the clear then any incoming network changes to SIM could be demonstrated by a second read compared to the first. Moreover, if the handset were to receive text messages whilst being examined then the date and time of the text would be able to differentiate between old and new material.
5) Now there was an argument that a new SMS text message could overwrite deleted data (in free space so to speak). Those that raised that argument have not developed that scare to demonstrate substantively there is anything to worry about. (I expect a few may want to comment on that, but I have my comments too).
6) However, detectives thought the idea of incoming text messages after seizure was a brilliant idea because the data could provide important leads/evidence in cases such as kidnap, paedo, drugs, arms smuggling etc etc, whereas isolation containment creates a barrier to such a possibility.
7) Additionally, and UK centric, the legislation in the UK does not permit intentional blocking of the radio coverage - other than the user switching the mobile OFF, or in areas where natural blocking exists, or under designated conditions.

There are many more points, but these are some of the issues, which I hope will give food for thought.

The opposite to the above are the isolation containment advocates who worry about potential change to data, but as we have seen, data can change anyway under isolation containment. I have not added any more here so that these advocates can state their case.

POINT THREE USER PROFILE EVENTS
a) does isolation containment impact on how these user profiled events work
b) what data changes occur in isolation containment

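Points 4 and 5 above, as an added example that is not part of the original post: comparing the first SIM read taken at seizure against a second read taken after the handset has been on the network shows which EF_SMS slots changed, and whether a newly delivered message landed in a slot that still held recoverable deleted content. The record layout (176 bytes, status byte first, 0xFF padding) follows the GSM 11.11 / 3GPP SIM specification; the TPDU bytes and both reads are constructed sample data, not a real capture.

```python
# EF_SMS on a GSM/USIM SIM: fixed 176-byte records; byte 1 is the status
# flag, bytes 2-176 hold SMSC address + TPDU, padded with 0xFF. A handset
# "deleting" a message typically only clears the status byte, so the TPDU
# survives (and is recoverable) until the network stores a new SMS there.
REC_LEN = 176
STATUS = {0x00: "free", 0x01: "read", 0x03: "unread", 0x05: "sent", 0x07: "to-send"}

def make_record(status: int, body: bytes = b"") -> bytes:
    """Build one EF_SMS record (constructed data, not a real capture)."""
    return bytes([status]) + body.ljust(REC_LEN - 1, b"\xff")

def parse_ef_sms(ef: bytes):
    """Split an EF_SMS dump into (slot, status, body) tuples, slots from 1."""
    return [(i // REC_LEN + 1, ef[i], ef[i + 1:i + REC_LEN])
            for i in range(0, len(ef), REC_LEN)]

def recoverable_deleted(status: int, body: bytes) -> bool:
    """Slot flagged free but TPDU bytes not wiped: deleted yet recoverable."""
    return status == 0x00 and any(b != 0xFF for b in body)

def diff_reads(first: bytes, second: bytes):
    """Describe every slot that differs between the first and second read."""
    changes = []
    for (slot, s1, b1), (_, s2, b2) in zip(parse_ef_sms(first), parse_ef_sms(second)):
        if (s1, b1) == (s2, b2):
            continue  # untouched slot: nothing the network did here
        if recoverable_deleted(s1, b1) and s2 != 0x00:
            changes.append((slot, f"deleted content overwritten by new {STATUS[s2]}"))
        elif s1 == 0x00 and s2 != 0x00:
            changes.append((slot, f"new {STATUS[s2]} message in free slot"))
        elif s1 != s2:
            changes.append((slot, f"status {STATUS[s1]} -> {STATUS[s2]}"))
        else:
            changes.append((slot, "body changed"))
    return changes

# Constructed sample reads. Slot 1: read message, unchanged. Slot 2: deleted
# but recoverable in read 1, overwritten by a newly delivered SMS in read 2.
# Slot 3: genuinely free (all 0xFF) in read 1, new SMS stored there in read 2.
OLD_TPDU = bytes.fromhex("0791447758100650040b914477123456f0000000")
NEW_TPDU = bytes.fromhex("0791447758100650040b914477654321f0000001")
FIRST_READ = make_record(0x01, OLD_TPDU) + make_record(0x00, OLD_TPDU) + make_record(0x00)
SECOND_READ = make_record(0x01, OLD_TPDU) + make_record(0x03, NEW_TPDU) + make_record(0x03, NEW_TPDU)

if __name__ == "__main__":
    for slot, what in diff_reads(FIRST_READ, SECOND_READ):
        print(f"slot {slot}: {what}")
```

Slot 2 is the case point 5 worries about: the first read is the only copy of that deleted message once the network reuses the slot, which is why the SIM read has to precede any on-air examination.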
(@csericks)

Thank you, trewmte. That sorted it out for me.

If I understand you correctly, one of the issues you raise is weighing future actionable intelligence in subsequent messages/communications vs. preserving the exact condition of the data when seized ("On-the-air" vs. "Isolation").

I guess the investigator would need to make a determination to focus on past events or past plus future activity. I would think that officers/agents would want to leave a device on the network to gain as much intel as possible to further support an active case. This conflicts with data preservation objectives, yes. Scope of a warrant would probably help to make that decision.

Very interesting that the UK does not allow "airplane" or "isolation" mode. I wonder what the impetus for that is.

(@jhup)

1) Incoming text messages - should these be allowed?
2) What about received emails
3) User profiled events - handset calendars, SIM Application Toolkit (STK) and Proactive SIM

Hmmm…

As I said before, I have had little hands-on experience with "intelligent" mobile phones, but -

I know there are applications out there, and can be crafted which can control the device through SMS, or e-mail. It is not hard to develop, and there is even an exploit for iPhone if I am correct through SMS.

Would I want, should I allow someone to send an SMS, e-mail or other command/control to the seized device to alter content?

(@sonj)

Just on the incoming text messages thing, the idea of preserving the SIM card early is a good practice, as long as people are aware that many current non-dumb phone models don't bother storing user data to the SIM.

Sonj

(@trewmte)

There are also the issues associated with incoming calls.

(@forensicator)

Could allowing the handset/SIM to connect to the network in order to receive SMS be classed as interception?

(@bigjon)

Forensicator, a paper that was prepared by the Home Office and the DCG (Data Communications Group) stated that:
A mobile telephone, or other device, that has been seized or obtained lawfully by the police (or other public authority) using a statutory power, or is in the lawful possession of the police by other means (for example with the consent of the owner who may be receiving death threats), may be examined for the purpose of gathering evidence.

The examination of a device may include information available on its outer and inner casing, in its electronic memory and on any SIM card or other network card contained within it or obtained separately.

Within the memory of a mobile telephone there may be an indication of “read” and “unread” messages, for example SMS text messages. Although each message will include the content of a communication, that content is in the memory of the device and the communication is clearly no longer in the course of its transmission.
When a device is seized it is best practice to either switch off the device or to disconnect it from the network in order to preserve the contents of the mobile telephone memory.

However, there may be circumstances where the investigator or examiner determines it is appropriate in the specific circumstances of an operation or investigation for the device

• to remain on and connected to a network,

• or to be reconnected to a network,

• or, if having been switched off, to be switched back on and reconnected to a network

In this way a record may be made of previously undelivered messages and their evidential value considered. In such circumstances consideration must always be given to the necessity and proportionality of any actual or potential interference with the fundamental rights of any individual. For example, the investigator or examiner must consider whether, and if so why, there is need to receive such messages and for how long, or whether there is a need to reconnect the device to obtain information (whether incriminatory or exculpatory). So long as such decisions are recorded and can be justified in the circumstances lawfulness should not be an issue in any subsequent proceedings.

In circumstances where messages are delivered to the device after it has come into lawful possession of the investigator it is the view of the Home Office and DCG that if the device has been lawfully seized or obtained, and proper consideration has been given to the circumstances of the case, then the receipt of those messages and making record of them will be lawful.
There is nothing in UK law that enables a police officer or public authority investigator to stop the delivery of a communication to an intended recipient. Equally, it can be technically impossible for a communication service provider to stop the transmission of a communication or recover messages that are awaiting delivery to a device that has either been disconnected from a network or been switched off by the investigator or examiner.
