I hope I have not got the wrong end of the stick, and I appreciate that guidelines/methods may differ between the US and the UK, but here goes:
1. Questions on forensic guidelines, i.e. what a forensic analyst must adhere to (in the UK it would be the ACPO guidelines).
2. What would you do if presented with an exhibit bag containing a mobile phone (which cannot be fully accessed without a SIM card) and a SIM card (which was not inserted and may or may not be associated with the device) separately, and what could the effects be if the SIM card was inserted into the mobile phone?
3. What methods could be applied to prevent network connection to a device?
4. If a device was not seized in the correct manner (e.g. a battery was removed), what could be affected on the device in question? Or if the device was turned on/activated with a memory card inserted, what would the effects be?
5. If the connection port is damaged/missing, what would you do? What alternative methods could be used to obtain the notable data?
6. What data extraction method would you apply if the points to prove for the case were focused on obtaining deleted data? What alternative methods could you use to carve for deleted picture files, etc.?
7. If you wanted it to be software specific (you mention you mainly use Cellebrite): scenario, you have completed a file system data extraction from an iOS/Android device, Physical Analyzer has decoded WhatsApp chat messages, however you are missing BBM chat messages. What other methods could you use to view (SQLite db files) and/or parse the BBM data using third-party tools?
I hope this helps. They are kind of basic things, but I wasn't too sure if you wanted more Qs on how data is stored and file systems etc.
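To show what "carving for deleted picture files" in question 6 looks like when done by hand rather than with a commercial tool, here is an added example (not from the original post or any named product). It scans a raw byte image for JPEGs by walking the marker segments rather than just pairing the first header with the next footer; the difference matters because an EXIF thumbnail carries its own SOI/EOI and a naive carver truncates the photo at the thumbnail's footer. The sample image, the marker payloads and the offsets are all constructed for the demonstration.

```python
"""Carve JPEG files out of a raw disk/partition image by walking JPEG markers.
Added example; not from the original post or any named forensic tool."""

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def _jpeg_end(data, start, max_size):
    """Return the index one past the EOI of the JPEG starting at `start`, or -1.
    Every segment before SOS carries a 2-byte length, so an embedded EXIF
    thumbnail (which has its own SOI/EOI) is stepped over, not mistaken for
    the end of the file. After SOS the entropy-coded data byte-stuffs 0xFF as
    FF 00, so the first FF D9 found there is the real EOI."""
    i = start + 2
    limit = min(len(data), start + max_size)
    while i + 4 <= limit:
        if data[i] != 0xFF:
            return -1                       # no marker where one is required
        marker = data[i + 1]
        if marker == 0xFF:                  # fill byte before a marker
            i += 1
            continue
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7 or marker == 0x01:
            i += 2                          # standalone markers carry no length
            continue
        seglen = int.from_bytes(data[i + 2:i + 4], "big")
        if seglen < 2:
            return -1
        if marker == 0xDA:                  # SOS: scan data follows the header
            end = data.find(EOI, i + 2 + seglen, limit)
            return -1 if end < 0 else end + 2
        i += 2 + seglen
    return -1


def carve_jpegs(data, max_size=16 * 1024 * 1024):
    """Return [(offset, bytes)] for each JPEG found. Allocated and unallocated
    space are treated alike, so a deleted file whose clusters are intact still carves."""
    out, pos = [], 0
    while True:
        start = data.find(SOI + b"\xff", pos)
        if start < 0:
            return out
        end = _jpeg_end(data, start, max_size)
        if end < 0:
            pos = start + 1                 # false positive or damaged file; keep scanning
            continue
        out.append((start, data[start:end]))
        pos = end


def carve_naive(data):
    """Header-to-next-footer carving, kept for comparison: it cuts a photo off
    at the EOI of its embedded thumbnail."""
    out, pos = [], 0
    while True:
        s = data.find(SOI + b"\xff", pos)
        if s < 0:
            return out
        e = data.find(EOI, s + 3)
        if e < 0:
            return out
        out.append((s, data[s:e + 2]))
        pos = e + 2


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def make_sample_image():
    """Constructed image (not real evidence): a JPEG with an EXIF thumbnail in
    allocated space, zero filler, then a second 'deleted' JPEG in unallocated space.
    Marker payloads are minimal stand-ins, not valid picture data."""
    thumb = SOI + _segment(0xDA, b"\x00") + b"\x11\x22" + EOI
    app1 = _segment(0xE1, b"Exif\x00\x00" + thumb)
    photo = SOI + app1 + _segment(0xDA, b"\x00") + b"\xaa\xff\x00\xbb" + EOI
    deleted = SOI + _segment(0xDA, b"\x00") + b"\xcc\xdd" + EOI
    image = b"\x00" * 64 + photo + b"\x00" * 32 + deleted + b"\x00" * 16
    return image, photo, deleted


if __name__ == "__main__":
    image, photo, deleted = make_sample_image()
    for offset, blob in carve_jpegs(image):
        print("marker-walking carve: offset %d, %d bytes" % (offset, len(blob)))
    for offset, blob in carve_naive(image):
        print("naive carve:          offset %d, %d bytes" % (offset, len(blob)))
```

Run it and the marker-walking carver returns both files whole, while the naive carver's first result is shorter than the photo it started from. On a real image you would feed `carve_jpegs` the bytes of a physical dump and write each blob out under its offset as the filename, which is also how you keep the provenance of each recovered picture.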
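For question 7, "view the SQLite db files" with something other than the decoder, here is an added example that is not part of the original post and not Cellebrite's tooling. It opens an extracted database copy read-only using SQLite's `mode=ro` and `immutable=1` URI parameters (so no -journal, -wal or -shm side files appear beside the exhibit copy and no lock is taken), checks that a write really is refused, lists the user tables, dumps their rows, and hashes the file before and after to prove it was not touched. The `messages` table and its rows are constructed sample data; a real app's schema will differ, which is exactly why the table listing is driven by `sqlite_master` rather than hard-coded names.

```python
"""Inspect an SQLite database from a mobile file-system extraction without
modifying it. Added example; not from the original post or any named tool."""
import hashlib
import os
import sqlite3
import tempfile
from urllib.request import pathname2url


def sha256_file(path):
    """Hash the exhibit copy so the examiner can show it is unchanged afterwards."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def open_readonly(path):
    """mode=ro makes SQLite refuse writes; immutable=1 tells it the file cannot
    change, so it takes no locks and creates no -journal/-wal/-shm files."""
    uri = "file:" + pathname2url(os.path.abspath(path)) + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def write_is_refused(conn):
    """True if the connection rejects a write, i.e. the read-only open took effect.
    `_probe` is a throwaway name used only for this check."""
    try:
        conn.execute("CREATE TABLE IF NOT EXISTS _probe (x)")
    except sqlite3.OperationalError:
        return True
    return False


def list_tables(conn):
    rows = conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type='table' AND name NOT LIKE 'sqlite_%' ORDER BY name")
    return [name for (name,) in rows]


def _quote(identifier):
    return '"' + identifier.replace('"', '""') + '"'


def table_columns(conn, table):
    return [row[1] for row in conn.execute("PRAGMA table_info(%s)" % _quote(table))]


def dump_table(conn, table):
    cols = table_columns(conn, table)
    rows = conn.execute("SELECT * FROM %s" % _quote(table))
    return [dict(zip(cols, row)) for row in rows]


def inspect_db(path):
    """Return (sha256, {table: rows}); raise if the file was opened writable
    or its hash changed while we were looking at it."""
    before = sha256_file(path)
    conn = open_readonly(path)
    try:
        if not write_is_refused(conn):
            raise RuntimeError("database opened writable; refusing to continue")
        tables = {t: dump_table(conn, t) for t in list_tables(conn)}
    finally:
        conn.close()
    after = sha256_file(path)
    if before != after:
        raise RuntimeError("exhibit copy changed: %s -> %s" % (before, after))
    return before, tables


def make_sample_db(path):
    """Constructed stand-in for a chat app database; schema and rows are invented."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE messages (
            id INTEGER PRIMARY KEY, sender TEXT, body TEXT, ts INTEGER);
        INSERT INTO messages VALUES (1, 'alice', 'meet at 9', 1370000000);
        INSERT INTO messages VALUES (2, 'bob', 'ok', 1370000060);
    """)
    conn.commit()
    conn.close()


def demo():
    """Build the sample in a scratch directory, inspect it, and report what is
    left on disk afterwards (it should be only the database itself)."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "messages.db")
        make_sample_db(db)
        digest, tables = inspect_db(db)
        leftovers = sorted(os.listdir(d))
        return digest, tables, leftovers


if __name__ == "__main__":
    digest, tables, leftovers = demo()
    print("sha256:", digest)
    for name, rows in tables.items():
        print(name, rows)
    print("files in exhibit dir:", leftovers)
```

The same open-read-only-then-rehash discipline applies whether you go on to parse the rows yourself or hand the file to a third-party viewer; the point is that nothing in the workflow can write back to the exhibit.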
Wow, great questions, would love to see the answers :-)
Adam,
I would add something to your legal section about possible Fifth Amendment implications of asking someone for their passcode and what that might do to the evidence obtained from the search.
Let's say you had an Android, but the screen lock had not kicked in yet. Are there settings that one could modify, like USB debugging, stay awake or mass storage, that could make it easier for a forensic examiner at a later time? I know this goes beyond just isolating the device, but I believe it deserves some consideration.
Wow. Thank you for the responses. Now if I can get a volunteer to type all of them up, lol.
You guys are awesome. Keep it coming…
Adam
My suggestion for scenario-based questions is to have the scenario and then ask multiple-choice questions. The students may be more receptive to choice than to narrative answers. I was a vehicle contact instructor, and tried to stay with choice and true/false questions. Scenarios were used more for practical exercises.
Front line/first responders need to know how to preserve evidence: getting the device off the network (AP mode, remove battery), packaging, obtaining PINs from the owner. Also identifying what evidence is. Anything with search and seizure that concerns the law is best left to the District Attorney. I have seen different opinions on search and seizure laws within the same DA's office. You don't want to give bad advice on seizing a mobile device if the officer does not have authority.
I have to agree with RCWI on the points he made.
I also want to add that I am a LEO, and I have to tell you that, looking at some of the questions generated in this post, many are a little too involved and technical for the first responder. Now if you were posing these scenarios to an officer/detective who specialized in mobile forensics or mobile device interrogation, they would be suitable.
Related to scenario questions: I am creating instructional materials to go along with the Placing the Suspect Behind the Keyboard book.
If anyone is interested in lending a hand, either by reviewing or by helping more, I would be grateful. The materials (PowerPoints, lesson plans, scenarios, quizzes, homework, etc.) will be freely available, will coincide with the book's chapters, are geared toward academic courses and any training program, and each chapter will be able to stand on its own as a topic. So you can pick and choose the topics you need without worrying that the previous topics are needed as a foundation.
If interested, send me a note and I'll send you an invite to the Dropbox folder. Oh yeah, you can modify the materials to fit your curriculum as you see fit (brand them with your company, school or your own name if you want). You don't have to be a professor, teacher, or instructor to help create, modify, or review the materials, but certainly if you are, this is a good chance to develop the materials the way you would like them done.
It would just be nice if, when you make the materials better along the way, you share them with all of us. You don't have to share, but my mom said that I am supposed to ;)
Contaminating Evidence ONE
Contaminating Evidence TWO
Contaminating Evidence THREE
Contaminating Evidence FOUR
Contaminating Evidence FIVE