Practical Mobile Forensics
上QQ阅读APP看书,第一时间看更新

The evidence intake phase

The evidence intake phase is the starting phase and involves paperwork that captures ownership information and the type of incident the mobile device was involved in, and outlines the kind of data the requester is seeking. Developing specific objectives for each examination is the critical part of this phase. It serves to clarify your goals. Before the physical seizure process begins, you should be familiar with federal, state, and local laws pertaining to an individual's rights. If the right procedures are not followed, the investigation may be considered illegal in a court of law. The procedure and the legality may vary based on whether you are a government agent or a private party. For example, in the US, fourth amendment rights prevent any searching or seizure by a government agent without having a proper search warrant. The search warrant should clearly authorize the seizure of the mobile device as well as the kind of data that needs to be collected. After a successful seizure, care should be taken to ensure that a chain of custody is established not only for the device but also for the data collected. 

According to NIST ( https://csrc.nist.gov/), chain of custody refers to a process that tracks the movement of evidence through its collection, safeguarding, and analysis life cycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose of the transfer.

Also, while seizing the device, care should be taken not to modify any data present on the device. At the same time, any opportunity to help the investigation should not be missed. For example, at the time of seizing the device, if the device is unlocked, then try to disable the passcode.