This may be a stupid question, but I'm going to ask.
How do you handle enterprise mobile device acquisitions? Do you have the user ship their phone to you? Do you send your dongle (we use Oxygen) to them and remote into their box to do the acquisition? Is there an enterprise-level solution that runs an agent (thinking EnCase here) that would allow you to acquire their mobile device if they connected it to their computer?
The situation that I'm in now may require mobile device acquisitions for eDiscovery, and I'm not entirely sure how I'm going to pull these devices should they be requested.
Thanks!
New in Oxygen Forensic® Detective v.9.0
Redesigned Enterprise license. Due to the completely new engine, the Enterprise license has become more cost-efficient and stable. Now experts can borrow a license from the server to work offline in the field. Moreover, the remote connection to the network server has been significantly improved.
We usually have people send us phones for a couple of reasons.
#1 We can get it done more efficiently in a lab setting than in a remote setting, saving us hassle and the client money (since they don't have to pay for flights, hotels, meals, time sitting around their office twiddling our thumbs, etc.).
#2 FedEx is fast. We get the phone, take care of business, and ship it out ASAP when we are done. It does not eliminate downtime for the client of course, but overnight shipping is usually around $50, which for us is a good way to maximize our time.
#3 Sometimes (more often than not lately) we have phones in different parts of the country. We had a case recently with five phones in three different states, and there was no way the client was going to pay for travel to each location. Again, cost-benefit analysis comes in handy: the cost of you flying out there and spending a bunch of money on travel, hotels, etc., or a fraction of that cost in shipping.
Hi mate,
F-Response can help you if it is an Android phone. Remote acquisitions can be done covertly using F-Response. I have personally used its Android module; not sure if they have released the iOS module. You will have to get the guy to install the APK, or push the APK to his phone using adb.
Hope it helps. :)
I really don't prefer taking evidence drives/phones through a courier. Whichever company it is, at least I don't want to be blamed for losing a key evidence device. In my view the best way is to go to the place and acquire.
How wise is installing anything on evidence?! Maybe this works in the private sector, but in LE forensics this makes the evidence void.
What do you think Cellebrite and Oxygen are doing?
From Oxygen's website
Using this new physical bypass method is easy. Simply select the Samsung Android dump option after launching our automated Oxygen Forensic® Extractor. Follow the detailed instructions in our wizard, and choose your device model from the supplied list. The program will load our custom forensic recovery image onto the device. This method can void the original Samsung warranty by adding the custom forensic recovery, but system and user data are not affected by this forensic process. This innovative method currently only works with devices with unlocked bootloaders.
And the King, Cellebrite. They only rely on you to "trust them" that they do not do invasive methods while using bootloaders.
It also avoids data integrity concerns associated with jailbreaking an iOS device, rooting an Android, or other methods that bypass a smartphone’s factory settings, including built-in security and other restrictions, to provide administrative “root” access to its operating system.
Less of an issue in my opinion. If the courier loses it, it's hardly your fault, that blame gets put on the courier (and is a fairly rare occurrence, not impossible, but rare). Far more cost effective, and saves everyone time, hassle, and money.
Define time though. If this is enterprise, time is typically critical, as opposed to LE where investigations span months, if not years. If someone is sending you a device it is typically because of discovery or litigation in general requiring the device to be acquired and analyzed for relevant messages or photos relating to both parties. I'm sure you know the same type of lawyers I do; they expect it yesterday, and reasons it can't be done are excuses. This doesn't even take into consideration that you are telling a person that their security blanket (AKA phone) is going to be taken away from them for X amount of days. Depending on your environment that may not be acceptable either.
I do agree though, sending it via a vetted service is justifiable, but you better know how to articulate how long the whole process can take. And heaven forbid your company is global and you have to deal with customs and that whole fiasco.
I've never had issues with using couriers to ship phones/hard drives etc, both when I was with LE and now in Corporate. I ship and receive stuff all around Australia regularly and quite frequently internationally as well.
Common sense applies really, make sure the items are securely packaged and safe then use a reputable courier company. Chain of custody is preserved as you will have tracking and signatures on receival.
I'll echo what a few other people have said as well: process the phone yourself if at all possible. If your only option is looking at backups, then that can get you good info; however, nothing beats having the phone in your hands, as you will generally get more info from that download than any backup, particularly with iPhones.
In addition, if you are remoting in to a system and copying backups, then you are relying on someone else to connect the phone, and you are trusting that they have connected the phone they said they did. That can open the door to some continuity problems down the track.
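The continuity concern in the post above (remote acquisition where someone else plugs in the phone) can be reduced by tying the acquired image to a device identity check. Added example, not from any poster or vendor: it parses `adb devices -l` output captured on the custodian's machine, refuses to proceed unless the serial on the custody record is present and authorized, hashes the image, and appends a custody-log event. The serial, model and image bytes are constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample `adb devices -l` output (placeholder serial/model, not a real device).
ADB_DEVICES_OUTPUT = """List of devices attached
R58M1234ABC            device usb:1-2 product:beyond1ltexx model:SM_G973F device:beyond1
"""

def parse_adb_devices(output: str) -> dict:
    """Return {serial: {"state": ..., "model": ..., ...}} from `adb devices -l` text."""
    devices = {}
    for line in output.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) < 2:
            continue
        serial, state, *attrs = parts
        info = {"state": state}
        for attr in attrs:                        # e.g. model:SM_G973F
            key, _, value = attr.partition(":")
            info[key] = value
        devices[serial] = info
    return devices

def verify_device(expected_serial: str, output: str) -> bool:
    """True only if the custody-record serial is connected AND authorized.
    A state of 'unauthorized' (USB debugging not approved) or 'offline' fails."""
    return parse_adb_devices(output).get(expected_serial, {}).get("state") == "device"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def custody_event(record: list, action: str, serial: str, actor: str, **details) -> dict:
    """Append a timestamped chain-of-custody entry and return it."""
    event = {"time": datetime.now(timezone.utc).isoformat(), "action": action,
             "serial": serial, "actor": actor, **details}
    record.append(event)
    return event

def remote_acquisition(expected_serial: str, adb_output: str, image: bytes, examiner: str) -> dict:
    """Gate the acquisition on the identity check, then hash and log the image."""
    record = []
    if not verify_device(expected_serial, adb_output):
        custody_event(record, "rejected", expected_serial, examiner,
                      reason="expected serial not connected or not authorized")
        return {"ok": False, "record": record}
    digest = sha256_hex(image)
    custody_event(record, "acquired", expected_serial, examiner,
                  sha256=digest, size=len(image))
    return {"ok": True, "sha256": digest, "record": record}
```

The examiner keeps the serial-to-hash pairing in the log so the image can later be matched to the specific handset named in the discovery request.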