Just wanted to see what the general consensus was in relation to keeping cloned SIM cards after completing a case. When you are finished with a case, if you needed to clone a SIM card, do you keep the cloned SIM card and later re-use it? Or do you now consider it part of the evidence and keep it with the original evidence? I've heard arguments on both sides, but wondering what other services do.
Here are the steps I perform in my class when doing evidence retention, etc.
1. Original evidence (Flash Drive)
2. Make a forensic copy of the evidence (Flash Drive)
3. Seal the original evidence in an evidence bag
4. Make a copy of the copy you have
5. ONE of those copies is for working your case & the other is a backup in case the "working copy" gets messed up
6. When case is completed wipe both drives & prepare for the next case
You still have the original sealed; if you ever need it again you can get it, unless it is returned back to your client, etc.
I'm still new in this field so take my advice with caution =)
The only difference I have is I make two copies off the original, instead of a copy of a copy. But the purpose is the same: master and work copies.
There is nothing inherently original about the clone card. All of the data stored on it will be found on the original SIM. It is the original SIM card which is the primary evidence; not the clone which is just a copy.
So if for some reason you needed to re-examine the device at a later stage and duplicate the results of the original investigation; creating a brand new clone SIM on a completely different clone card will still produce the same results; thus satisfying the forensic integrity of the examination.
The only possible exception I can think of to this would be if you chose to manually create a clone card and then made a mistake by entering the wrong IMSI / ICCID data.
If this happened you would have inadvertently created a new piece of evidence and you should probably keep this ‘incorrect clone card’ just to show what went wrong. Because on a GSM device this could lead to some of the call history data being deleted from the handset and you might have to explain how that occurred.
Other than that rare possibility – I see no forensic argument for retaining the clone. There is however a commercial argument for encouraging you to use a new clone card every time you perform an examination; because it generates extra revenue every time you purchase new cards.
If however your forensic clone card is reusable; then practically I would recommend you do reuse them as it will probably save you a fortune long term to recycle and not retain each one.
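The IMSI / ICCID mistake mentioned above can be caught before the clone ever goes into the handset by decoding the identity files read back from both cards and comparing them. This is an added example, not code from any poster in this thread; it assumes the raw EF_ICCID and EF_IMSI contents have already been read from each card as hex with your own tool, and every sample value in it is constructed.

```python
"""Compare the identity files of a manually written clone against the original SIM."""

def _swap_nibbles(raw: bytes) -> str:
    # Each byte stores two BCD digits, low nibble first.
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)

def decode_iccid(ef_hex: str) -> str:
    raw = bytes.fromhex(ef_hex)
    if len(raw) != 10:
        raise ValueError("EF_ICCID must be 10 bytes")
    digits = _swap_nibbles(raw).rstrip("F")  # 'F' pads a 19-digit ICCID
    if not digits.isdigit():
        raise ValueError("EF_ICCID contains non-decimal nibbles")
    return digits

def decode_imsi(ef_hex: str) -> str:
    raw = bytes.fromhex(ef_hex)
    if len(raw) != 9 or not 1 <= raw[0] <= 8:
        raise ValueError("EF_IMSI must be 9 bytes with a length byte of 1..8")
    # The first nibble after the length byte is a parity/type marker, not a digit.
    digits = _swap_nibbles(raw[1:1 + raw[0]])[1:].rstrip("F")
    if not digits.isdigit():
        raise ValueError("EF_IMSI contains non-decimal nibbles")
    return digits

def identity_mismatches(original: dict, clone: dict) -> list:
    """Return (field, original_value, clone_value) for every field that differs."""
    decoders = {"ICCID": decode_iccid, "IMSI": decode_imsi}
    problems = []
    for field, decode in decoders.items():
        want, got = decode(original[field]), decode(clone[field])
        if want != got:
            problems.append((field, want, got))
    return problems

# Constructed sample reads (test-network style values, not from a real case).
ORIGINAL = {"ICCID": "981010000000000000F1", "IMSI": "080910101032547698"}
GOOD_CLONE = dict(ORIGINAL)
# Last two IMSI digits transposed while typing the clone by hand.
BAD_CLONE = {"ICCID": "981010000000000000F1", "IMSI": "080910101032547689"}

if __name__ == "__main__":
    for name, card in (("good clone", GOOD_CLONE), ("bad clone", BAD_CLONE)):
        problems = identity_mismatches(ORIGINAL, card)
        print(name, "matches original" if not problems else problems)
```

Recording the decoded values from both cards in the case notes also documents that the clone matched at the time of examination.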
Perhaps do not destroy any master copy clone card until you have it in writing from the officer that destruction is required.
A reason why you might retain (subject to investigation/legal requirements/data protection if applicable) a master copy of the data obtained from the original SIM is in cases of the original SIM/handset being handed back to the owner where an investigation at that time means the suspect is subject to no further enquiries at that time. However, it might be that same person may subsequently become a suspect again. If the owner gets rid of or destroys the SIM at least you will still have "….part of an original or copy of an original", albeit the master copy data would be one step removed from the original data. This can be an improved position to be in as opposed to relying on a printed document containing some data.
The above is not new but was introduced for the first time in my SIM Card training courses 2000/2001. I can even show you the device/cards that we were using back then. I mention this for the purposes of continuity of a useful 'best practice' procedural policy (but subject to legal requirements/data protection).