I am working on a presentation on conducting a hasty cell phone examination without leaving noticeable signs of the exam. I was hoping to get some comments from the group on this topic.
First let me describe a hypothetical situation, so that you have a general idea of what I am getting at.
A soldier in (name some deployment country here) is running a checkpoint. As a driver comes through, he is asked to exit the vehicle and undergo a physical search. The driver has a phone with him, and for whatever reason, it would be useful to pull the data from the subject's phone. While the driver is out of sight of his phone, the soldier performs the data extraction. Once the driver is finished with the physical search lane, he returns to his vehicle and all of his belongings are returned to him, including the phone. It is desired that the driver NOT notice that his phone has been examined.
Here are some considerations for this situation
1. The process does NOT need to be forensically sound. The soldier is not gathering evidence.
2. The soldier does not need to analyze the data on scene. He only needs to retrieve the data.
3. It is imperative that the subject not realize his phone has had data extracted. It's fine that he realizes it has been handled, just not that any data has actually been copied from the phone. This does not mean the subject is expected to perform any type of deep examination himself, just that when he, an "average Joe" phone user, takes the phone back and goes about using it as normal, there should not be any indicators that will clue him in that his phone was tampered with, i.e. changed settings, password lockouts, installed software, etc.
4. A full physical extraction is not absolutely necessary. Call Logs, SMS, contact lists, Photos and Videos are the priority targets here.
5. Time available is short. We can be a little flexible on this, but 5-10 minutes out of the subject's sight is a good goal.
Considering the above, I'd like to hear your thoughts or experiences with this type of situation. The format I am looking at right now is probably broken down into three distinct sections:
1. Prepping the phone (recording its current state: locked/unlocked, time/day settings, etc.)
2. Doing the extraction
3. Removing any artifacts and reverting any settings that had been changed (time/language/home screen)
I'd also like to consider stumbling blocks like locked screens, locked sims, etc.
I'd like to stick to a process that's simple enough for a non-forensics guy to pick up easily. For that reason, plus cost and portability, I'm strongly leaning towards Cellebrite as the tool.
I am only discussing the technical details of this exercise in this thread. We do not need to address the legal, philosophical stuff, privacy issues, search authorities, etc. Not a concern for this discussion.
Feel free to PM me if you prefer. Thanks.
Hi JRHTC,
As previously posted today by myself, and probably by many others over the course of time, unfortunately there is not a 'one stop shop' for all makes and models of cell phone.
So with that in mind I am only going to concentrate on Micro Systemation's XRY kit. I use this every day! I also use a multitude of other software; I believe this may be the quickest way to achieve what you require, although possibly not the most portable.
The nice thing that you can do with XRY is set up individual download profiles, for example, contacts, call logs and text messages. This means that a download could only take a minute or so.
Some makes, BlackBerry in particular, will give up all their data extremely quickly including image and video files.
With forensics out of the window, I personally wouldn't turn the phone off, take the SIM card out or remove any media card.
Simply grab the phone, plug the correct cable into the phone and attach to the PC, select your profile, download the data, return the phone - done!
XRY should retrieve the time and date of the device and also, depending on how accurate your PC clock is, will give you the time of examination.
If the SIM card is locked, as long as you don't turn the phone off you should be able to get all the data you need.
If the handset is locked and time is against you, you may want to accept that you won't get any data out of it without the risk of being caught, so just return the cell phone.
Lastly, if in doubt, don't do anything!!
Hope this is a start - I'm sure there's plenty more ideas out there!
crashed