Need Help with Scenario based questions/Law Enforcement/Test

Page 1 / 2
MobileDNA
(@mobiledna)
New Member

Hey all,

New member - love the forums; they have a multitude of information. I have searched for a while and haven't found what I am looking for, so here goes…

I am a small business owner who will soon be offering small classes to law enforcement and would like some help if possible designing some test questions and real life results.

I am looking for examples (in a test format in a perfect world) that one could solve with pen and paper. I have created a few: Suspect A is captured, the iPhone on the table is not locked, battery at 40%. What should the officer do first? What could happen if the phone dies? etc…

I don't know if this is possible; I'm just asking to see if anything is out there, or if anyone has suggestions on what they run into the most when doing forensic searches.

The main software I use currently is Cellebrite UFED Ultimate.

Thanks for the help!

Adam

Posted : 26/02/2014 1:33 am
DCS1094
(@dcs1094)
Active Member

I hope I have not got the wrong end of the stick, and I appreciate guidelines/methods may differ in the US from the UK, but here it goes:

1. Questions on forensic guidelines, what a forensic analyst must adhere to. (in the UK it would be ACPO guidelines).

2. What would you do if presented with an exhibit bag containing a mobile phone (which cannot be fully accessed without a SIM card) and, separately, a SIM card (which was not inserted and may or may not be associated with the device)? What could the effects be if the SIM card were inserted into the mobile phone?

3. What methods could be applied to prevent network connection to a device?

4. If a device was not seized in the correct manner (e.g. the battery was removed), what could be affected on the device in question? Or if the device was turned on/activated with a memory card inserted, what would the effects be?

5. If the connection port is damaged/missing, what would you do? What alternative methods could be used to obtain the notable data?

6. What data extraction method would you apply if the points to prove for the case were focused on obtaining deleted data? What alternative methods could you use to carve for deleted picture files etc.?

7. If you wanted it to be software specific (you mention you mainly use Cellebrite): scenario - you have completed a file system data extraction from an iOS/Android device, Physical Analyzer has decoded WhatsApp chat messages, however you are missing BBM chat messages. What other methods could you use to view (SQLite db files) and/or parse the BBM data using third party tools?

I hope this helps. They are kind of basic things, but I wasn't too sure if you wanted more Q's on how data is stored and file systems etc. :)

Posted : 26/02/2014 2:57 am
MobileDNA
(@mobiledna)
New Member

I love it. Thank you!

Posted : 26/02/2014 3:01 am
ForensicRanger
(@forensicranger)
Active Member

To provide a proper answer I need to know who your target group is. I know LE - but more specifically: front line officers who will be executing searches, seizing equipment and then forwarding it to their respective digital crimes unit for further/detailed analysis and examination?

Posted : 03/03/2014 7:17 pm
MobileDNA
(@mobiledna)
New Member

This would be for front line officers. More of an introduction to cell phone forensics. Information around what can be found or used would be helpful. My target would be smaller LE departments without the technology yet.

Hope that helps.

Adam

Posted : 03/03/2014 8:44 pm
hcso1510
(@hcso1510)
Active Member

Adam,

I know I am mixing apples and oranges, but here is another scenario.

You are called to a possible child abduction at the local Wal-Mart. Store security has already confirmed a small female child was led outside the front door by a white male. The suspect forced the child into a blue van and drove off. A mother stated her niece had a cell phone in her jacket with the phone number 423-123-4567.

Question: What do you do with the number, and are the capabilities of all cellular service providers the same?

Posted : 04/03/2014 1:24 am
MobileDNA
(@mobiledna)
New Member

Thanks Ed. I hadn't thought of that one yet. Appreciate it!

Posted : 04/03/2014 1:33 am
ForensicRanger
(@forensicranger)
Active Member

> This would be for front line officers. More of an introduction to cell phone forensics. Information around what can be found or used would be helpful. My target would be smaller LE departments without the technology yet.
>
> Hope that helps.
>
> Adam

Then, imho, it should be about the preservation of evidence and not about cell phone forensics. That's what I pass on to the front line folks who seize evidence when I present.

Depending on your laws, can an officer search a cell phone at the scene based on SITA? What about going through the device back at the office a few hours after the arrest?

Do they know they are altering data when they go through a device?

One of the best examples I can think of is someone who goes through a cell phone back at the office after it was seized based on SITA. They read SMSs and have now changed the flags from UNREAD to READ. Can/will this alter the outcome of an investigation / trial?

DCS1094 has some great examples, but I would suggest keeping any analysis out of the training session unless they are qualified - and from what I gather, the folks you're looking to train aren't. Focus on evidence preservation: pulling the battery vs pulling the SIM card vs a few layers of tinfoil; if they go through a phone at the scene/office, ensure proper note taking and awareness of read vs unread messages/emails; when should they get CDRs… those sorts of questions.

Food for thought :-)

Posted : 04/03/2014 2:19 am
hcso1510
(@hcso1510)
Active Member

Adam,

You might consider, depending on your audience, showing them an exam of a phone that had some unread SMS, then showing them another exam of the phone after you have read the SMS.

In showing them the two different reports you can show them that the tools utilized have the ability to tell on the person that seized the device, i.e. did they take immediate steps to isolate the device from the network, or did they go back to the office, rifle through the device and just sit back and wait to look at incoming messages.

Posted : 04/03/2014 2:44 am
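The two-exam comparison hcso1510 describes above, worked through as an added example (this is not code from the thread, from Cellebrite, or from any other tool). It assumes an Android-style `sms` table whose columns (`_id`, `address`, `date` in epoch milliseconds, `read`, `body`) are modelled on the telephony provider layout; the rows, the seizure time and the function names (`load_sms`, `sms_state`, `compare_exams`) are constructed for this illustration. Given a first extraction taken at seizure and a second one taken later, it reports messages whose flag flipped from UNREAD to READ (someone browsed the handset) and messages that arrived after the seizure time (the handset was never isolated from the network).

```python
import sqlite3
from datetime import datetime, timezone


def epoch_ms(*ymdhm):
    """Epoch milliseconds for a UTC timestamp, matching the Android sms.date convention."""
    return int(datetime(*ymdhm, tzinfo=timezone.utc).timestamp() * 1000)


# Constructed sample data for this example (not taken from any real exhibit).
SEIZURE_TIME_MS = epoch_ms(2014, 3, 4, 1, 24)

# Exam 1: first extraction, taken right after seizure.  (_id, address, date, read, body)
EXAM_BEFORE = [
    (1, "+14231234567", epoch_ms(2014, 3, 3, 22, 10), 1, "on my way"),
    (2, "+14231234567", epoch_ms(2014, 3, 4, 0, 58), 0, "where are you?"),
    (3, "+14235550100", epoch_ms(2014, 3, 4, 1, 5), 0, "call me"),
]

# Exam 2: second extraction, after the handset sat un-isolated and was browsed.
EXAM_AFTER = [
    (1, "+14231234567", epoch_ms(2014, 3, 3, 22, 10), 1, "on my way"),
    (2, "+14231234567", epoch_ms(2014, 3, 4, 0, 58), 1, "where are you?"),
    (3, "+14235550100", epoch_ms(2014, 3, 4, 1, 5), 1, "call me"),
    (4, "+14235550100", epoch_ms(2014, 3, 4, 3, 40), 0, "did you get it?"),
]


def load_sms(rows):
    """Build an in-memory SQLite db with a minimal Android-style sms table (hypothetical helper)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
        "date INTEGER, read INTEGER, body TEXT)"
    )
    conn.executemany("INSERT INTO sms VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def sms_state(conn):
    """Map _id -> (address, date_ms, read) so two exams can be compared row by row."""
    cur = conn.execute("SELECT _id, address, date, read FROM sms ORDER BY _id")
    return {row[0]: (row[1], row[2], row[3]) for row in cur}


def compare_exams(before_rows, after_rows, seizure_time_ms):
    """Diff two extractions of the same handset and report handling problems."""
    before = sms_state(load_sms(before_rows))
    after = sms_state(load_sms(after_rows))

    report = {"marked_read": [], "arrived_after_seizure": [], "missing": []}

    for msg_id, (_addr, date_ms, read) in after.items():
        if msg_id not in before:
            # Row absent from the first exam with a post-seizure timestamp:
            # the device was still on the network while in custody.
            if date_ms > seizure_time_ms:
                report["arrived_after_seizure"].append(msg_id)
            continue
        if before[msg_id][2] == 0 and read == 1:
            # Flag flipped UNREAD -> READ between exams: someone opened it.
            report["marked_read"].append(msg_id)

    # Rows present in the first exam but gone from the second (deleted in custody).
    report["missing"] = [msg_id for msg_id in before if msg_id not in after]
    return report


if __name__ == "__main__":
    for finding, ids in compare_exams(EXAM_BEFORE, EXAM_AFTER, SEIZURE_TIME_MS).items():
        print(f"{finding}: {ids}")
```

The point for a classroom is that each finding maps to a handling decision the officer made: a non-empty `marked_read` list means the handset was browsed after seizure, and a non-empty `arrived_after_seizure` list means no battery pull, airplane mode or shielding was applied. Running it on the constructed rows flags messages 2 and 3 as read in custody and message 4 as received after seizure.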
DCS1094
(@dcs1094)
Active Member

> This would be for front line officers. More of an introduction to cell phone forensics. Information around what can be found or used would be helpful. My target would be smaller LE departments without the technology yet.
>
> Hope that helps.
>
> Adam

> Then, imho, it should be about the preservation of evidence and not about cell phone forensics. That's what I pass on to the front line folks who seize evidence when I present.

Yep, I was not too sure if this was on pre-examination checks and/or device seizure. Now I know it's focused on seizure, I would echo ForensicRanger's comments on questions to do with the effects of removing the battery etc., and only my Q's 1, 2, 3, 4. Too many times do I see a basic handset with the battery removed and nothing left in situ (just because an IMEI was wanted from the label to speed up the billing process), but little do they know that the date/time is now at default! (unless BB). I don't blame officers; it comes down to what little training they have received on the matter, I assume!

Posted : 04/03/2014 4:22 am
Anonymous

> I hope I have not got the wrong end of the stick, and I appreciate guidelines/methods may differ in the US from the UK, but here it goes:
>
> 1. Questions on forensic guidelines, what a forensic analyst must adhere to. (in the UK it would be ACPO guidelines).
>
> 2. What would you do if presented with an exhibit bag containing a mobile phone (which cannot be fully accessed without a SIM card) and, separately, a SIM card (which was not inserted and may or may not be associated with the device)? What could the effects be if the SIM card were inserted into the mobile phone?
>
> 3. What methods could be applied to prevent network connection to a device?
>
> 4. If a device was not seized in the correct manner (e.g. the battery was removed), what could be affected on the device in question? Or if the device was turned on/activated with a memory card inserted, what would the effects be?
>
> 5. If the connection port is damaged/missing, what would you do? What alternative methods could be used to obtain the notable data?
>
> 6. What data extraction method would you apply if the points to prove for the case were focused on obtaining deleted data? What alternative methods could you use to carve for deleted picture files etc.?
>
> 7. If you wanted it to be software specific (you mention you mainly use Cellebrite): scenario - you have completed a file system data extraction from an iOS/Android device, Physical Analyzer has decoded WhatsApp chat messages, however you are missing BBM chat messages. What other methods could you use to view (SQLite db files) and/or parse the BBM data using third party tools?
>
> I hope this helps. They are kind of basic things, but I wasn't too sure if you wanted more Q's on how data is stored and file systems etc. :)

wow, great questions, would love to see the answers :-)

Posted : 04/03/2014 2:27 pm
hcso1510
(@hcso1510)
Active Member

Adam,

I would add something to your legal section about possible Fifth Amendment implications of asking someone for their pass code, and what that might do to the evidence obtained from the search.

Let's say you had an Android, but the screen lock had not kicked in yet. Are there settings that one could modify, like USB debugging, stay awake or mass storage, that could make it easier for a forensic examiner at a later time? I know this goes beyond just isolating the device, but I believe it deserves some consideration.

Posted : 04/03/2014 6:46 pm
MobileDNA
(@mobiledna)
New Member

Wow. Thank you for the responses. Now if I can get a volunteer to type all of them up, lol.

You guys are awesome. Keep it coming…

Adam

Posted : 04/03/2014 10:26 pm
rcwi
(@rcwi)
New Member

My suggestion for scenario based questions is to have the scenario and then ask multiple choice questions. The students may be more receptive to choice rather than narrative answers. I was a vehicle contact instructor, and tried to stay with choice and true/false questions. Scenarios were used more for practical exercises.

For front line/first responders, they need to know how to preserve evidence: get the device off the network (AP mode, remove battery), packaging, obtaining PINs from the owner. Also identifying what evidence is. Anything with search and seizure that concerns the law is best left to the District Attorney. I have seen different opinions on search and seizure laws within the same DA's Office. You don't want to give bad advice on seizing a mobile device if the officer does not have authority.

Posted : 12/03/2014 3:50 pm
S1gnal
(@s1gnal)
New Member

I have to agree with RCWI on the points he made.

I also want to add that I am a LEO, and I have to tell you that, looking at some of the questions generated in this post, many are a little too involved and technical for the First Responder. Now if you were posing these scenarios to an officer/detective who specialized in mobile forensics or Mobile Device Interrogation, they would be suitable.

Posted : 24/04/2014 10:49 pm