Guidelines on Cell Phone Forensics
National Institute of Standards and Technology
Executive Summary
Mobile phone forensics is the science of recovering digital evidence from a mobile phone under forensically sound conditions using accepted methods. Mobile phones, especially those with advanced capabilities, are a relatively recent phenomenon, not usually covered in classical computer forensics. This guide attempts to bridge that gap by providing an in-depth look into mobile phones and explaining the technologies involved and their relationship to forensic procedures. It covers phones with features beyond simple voice communication and text messaging and their technical and operating characteristics. This guide also discusses procedures for the preservation, acquisition, examination, analysis, and reporting of digital information present on cell phones, as well as available forensic software tools that support those activities.
The objective of the guide is twofold: to help organizations evolve appropriate policies and procedures for dealing with cell phones, and to prepare forensic specialists to contend with new circumstances involving cell phones, when they arise. The guide is not all-inclusive nor is it prescribing how law enforcement and incident response communities handle mobile devices during investigations or incidents. However, from the principles outlined and other information provided, organizations should nevertheless find the guide helpful in setting policies and procedures. This publication should not be construed as legal advice. Organizations should use this guide as a starting point for developing a forensic capability in conjunction with extensive guidance provided by legal advisors, officials, and management.
The information in this guide is best applied in the context of current technology and practices. Every situation is unique, as are the experiences of the forensic specialists and the tools and facilities at their disposal. The judgment of the forensic specialists should be given deference in the implementation of the procedures suggested in this guide. Circumstances of individual cases; international, federal, state, local laws and rules; and organization-specific policies may also require actions other than those described in this guide. As always, close and continuing consultation with legal counsel is advised.
Implementing the following recommendations should facilitate efficient and effective digital forensic activities involving cell phones and cellular devices.
Organizations should ensure that their policies contain clear statements about forensic considerations involving cell phones.
At a high level, policy should allow authorized personnel to perform investigations of organizationally issued cell phones for legitimate reasons, under the appropriate circumstances. The forensic policy should clearly define the roles and responsibilities of the workforce and of any external organizations performing or assisting with the organization’s forensic activities. The policy should also indicate internal teams and external organizations to be contacted under various circumstances.
Organizations should create and maintain procedures and guidelines for performing forensic tasks on cell phones.
Guidelines should focus on general methodologies for investigating incidents using forensic techniques. While developing comprehensive procedures tailored to every possible situation is not generally feasible, organizations should consider developing step-by-step procedures for performing all routine activities in the preservation, acquisition, examination and analysis, and reporting of digital evidence found on cell phones and associated media. The guidelines and procedures should facilitate consistent, effective, accurate, and repeatable actions carried out in a forensically sound manner, suitable for legal prosecution or disciplinary actions. The guidelines and procedures should support the admissibility of evidence into legal proceedings, including seizing and handling evidence properly, maintaining the chain of custody, storing evidence appropriately, establishing and maintaining the integrity of forensic tools and equipment, and demonstrating the integrity of any electronic logs, records, and case files. The guidelines and procedures should be reviewed periodically, and also whenever significant changes in cell phone technology appear that affect them.
Organizations should ensure that their policies and procedures support the reasonable and appropriate use of forensic tools for cell phones.
Policies and procedures should clearly explain what actions are to be taken by a forensic unit under various circumstances commonly encountered with cell phones. They should also describe the quality measures to apply in verifying the proper functioning of any forensic tools used in examining cell phones and associated media. Procedures for handling sensitive information that might be recorded by forensic tools should also be addressed. Legal counsel should carefully review all forensic policy and high-level procedures for compliance with international, federal, state, and local laws and regulations, as appropriate.
Organizations should ensure that their forensic professionals are prepared to conduct activities in cell phone forensics.
Forensic professionals, especially first responders to incidents, should understand their roles and responsibilities for cell phone forensics and receive training and education on related forensic tools, policies, guidelines, and procedures. Forensic professionals should also consult closely with legal counsel both in general preparation for forensics activities, such as determining which actions should and should not be taken under various circumstances. In addition, management should be responsible for supporting forensic capabilities, reviewing and approving forensic policy, and examining and endorsing unusual forensic actions that may be needed in a particular situation.