New NIST Guide Enables Digital Forensics Investigators
NIST has recently released a quick start guide that outlines the procedures forensic experts use to place test data on a mobile device during an investigation. In many criminal cases, the authorities can gain valuable information by examining smartphones, computers, and tablets belonging to those involved. The NIST guide provides directions, guidance, and techniques for setting up a device for testing with mobile forensic tools.
Criminal Investigations and Legal Trials
Recovering data from digital devices has become an important part of many criminal investigations. The information found on a phone can prove helpful in providing clues as to the whereabouts and activities of suspects. This data is often used during trials and should be as accurate as possible since a legal verdict could be determined based upon what is found on the suspect’s computer, cell phone and/or tablet.
Even the best forensic investigators admit that extracting data from mobile devices can be tedious, because the types and formats of data vary from one device to the next. Testing can be performed by anyone in the law enforcement community, but the official Federated Testing software must be used.
Tools for Law Enforcement
For years, law enforcement and forensic experts have used the data found on mobile phones and computers during the course of their investigations. As this science has moved forward and evolved, it has become necessary to create guidelines for populating mobile test devices. This eliminates much of the guesswork and helps a forensics team to be consistent in their testing procedures, which in turn helps to guarantee more reliable results. Consistency and reliability are essential for any data that will be used during a legal trial.
The two basic strategies for populating a mobile phone, computer or tablet with test data are:
- Place test data on a new or sanitized device
- Place test data on a user device and adjust as needed
Mobile forensic tools are primarily used with Federated Testing, but can be used with other test methods. By undergoing these forensics tool tests, investigators can ensure greater accuracy and easy sharing of their results with others in the forensics community.
Contents of the NIST Guide
The NIST Guide begins by describing the primary types of data found on a mobile device or computer, including, but not limited to:
- Text messages
- Social media posts and information
- Call logs
- Contact lists
A mobile device may contain hundreds of data elements that could be helpful to investigators. In many cases, it’s best to narrow down the search to data that seems to be most relevant to the specific case. This can prevent investigators from wasting valuable time on unimportant information. As the case progresses, investigators may determine that other data could also be helpful to uncover. Testing can be performed as necessary on those.
The NIST document is separated into sections and appendices that describe the various methods of populating and documenting data found on a mobile device including the SIM/UICC. These are outlined below:
- Section 2: Document Device Data
- Section 3: Personal Information Management (PIM) Data: Contacts, Calendar & Memos
- Section 4: Stand-alone Data Files
- Section 5: Call Logs
- Section 6: Text Messages
- Section 7: MMS Messages
- Section 8: Location Data
- Section 9: Browser/Email Data
- Section 10: Social Media Data
- Section 11: Other Applications of Interest
- Section 12: SIM/UICC Card
How to Begin
The guide provides step-by-step instructions for populating and documenting a device. The guide recommends performing these steps for each mobile device tested.
Begin by choosing the data types that seem most relevant to your inquiry or investigation. If this data does not yield the information hoped for, testers can always go back and perform these steps on the other types of data listed on the form.
Appendix A explains all acronyms used in these testing procedures. It is necessary to assign an acronym to each item to reduce the amount of writing or typing. These can be confusing since some are so similar. Therefore, it is recommended that testers keep Appendix A handy to make sure they’re using the right terms when filling out their paperwork.
Appendix B: Mobile Device Documentation
Next, fill out the template found in Appendix B for each device to be tested. This template asks common questions about the equipment, including the name of the subscriber, the device make and model, the phone's IMEI, and other identifying information. The IMEI can be found by going to Settings, choosing About, and scrolling down to where the IMEI is shown. Enter the number with no spaces or dashes on the form found in Appendix B. The form requires several other identifying numbers in this area as well.
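As an added illustration (not code from the NIST guide or from this article), the following Python helper supports the Appendix B step above: it strips the spaces and dashes the form does not allow and checks the IMEI's Luhn check digit, a standard property of 15-digit IMEIs that the guide itself does not discuss, before the value is recorded. The record fields, names and the IMEI 490154203237518 are constructed sample values for this example, not a real subscriber or device.

```python
import re
from dataclasses import dataclass


def normalize_imei(raw: str) -> str:
    """Remove spaces and dashes so the IMEI becomes a bare digit string, as the
    Appendix B form requires. Nothing else is altered, so any stray character
    still shows up as an error in imei_valid()."""
    return re.sub(r"[\s-]", "", raw)


def luhn_valid(digits: str) -> bool:
    """Luhn check used by 15-digit IMEIs: starting from the right, double every
    second digit, subtract 9 when the doubled value exceeds 9, and require the
    sum of all digits to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def imei_valid(raw: str) -> bool:
    """A usable IMEI is exactly 15 digits with a correct Luhn check digit."""
    digits = normalize_imei(raw)
    return len(digits) == 15 and digits.isdigit() and luhn_valid(digits)


@dataclass
class DeviceRecord:
    """Assumed subset of the Appendix B identifying fields (hypothetical field
    names chosen for this example)."""
    subscriber: str
    make: str
    model: str
    imei: str

    def __post_init__(self) -> None:
        # Normalize on entry and refuse values that cannot be a real IMEI, so a
        # transcription slip is caught while the device is still at hand.
        self.imei = normalize_imei(self.imei)
        if not imei_valid(self.imei):
            raise ValueError(f"IMEI {self.imei!r} is not a valid 15-digit IMEI")


if __name__ == "__main__":
    # Constructed sample entry; 490154203237518 is an illustrative value only.
    print(DeviceRecord("Test Subscriber", "ExampleMake", "ModelX", "49-015420-323751-8"))
```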
Appendix C: Mobile Device Data Example
This example form has been filled out for one “Stevie Ray Vaughn”. Though it is somewhat humorous, it shows the types of data to be placed in each portion of the form. His full name, address, email address and birth date are shown. If a photo of the phone’s owner is available, that should also be included. Calendar data can be important because it shows the daily routine, meetings, and people that a suspect might be associated with. It can help investigators create a timeline for the last few days of a person’s life.
Appendix C is quite lengthy because SMS and EMS messages are recorded here along with call logs. Many people exchange dozens of text messages with friends each day. Include information about who sent each message and its contents. Make separate entries for unread messages and voicemails. Deleted messages and calls should also be recorded.
Federated Testing Project
The Federated Testing project at NIST is an extension of the Computer Forensics Tool Testing (CFTT) Program. This program has been successful in helping laboratories and forensic experts accurately uncover important information from mobile devices and computers. It enables consistent reporting and sharing of results across labs and law enforcement agencies throughout the United States.