Need Help with Scenario based questions/Law Enforcement/Test

21 Posts
9 Users
0 Likes
1,301 Views
(@mobiledna)
Posts: 10
Active Member
Topic starter
 

Hey all,

New member - love the forums; they have a multitude of information. I have searched for a while and haven't found what I am looking for, so here goes…

I am a small business owner who will soon be offering small classes to law enforcement and would like some help, if possible, designing some test questions and real-life results.

I am looking for examples (in a test format in a perfect world) where one could use pen and paper to solve. I have created a few: Suspect A is captured, iPhone on the table is not locked, battery at 40%. What should the officer do first? What could happen if the phone dies? etc…

I don't know if this is possible, just asking to see if anything is out there or if anyone has suggestions on what they run into the most doing forensic searches?

The main software I use currently is Cellebrite UFED Ultimate.

Thanks for the help!

Adam

 
Posted : 26/02/2014 1:33 am
(@dcs1094)
Posts: 146
Estimable Member
 

I hope I have not got the wrong end of the stick, and I appreciate guidelines/methods may differ between the US and the UK, but here it goes:

1. Questions on forensic guidelines, what a forensic analyst must adhere to (in the UK it would be ACPO guidelines).

2. What would you do if presented with an exhibit bag containing a mobile phone (which cannot be fully accessed without a SIM card) and a SIM card (which was not inserted and may/may not be associated with the device) separately, and what could the effects be if the SIM card was inserted into the mobile phone?

3. What methods could be applied to prevent network connection to a device?

4. If a device was not seized in the correct manner (e.g. a battery was removed), what could be affected on the device in question? Or if the device was turned on/activated with a memory card inserted, what would the effects be?

5. If the connection port is damaged/missing, what would you do? What alternative methods could be used to obtain the notable data?

6. What data extraction method would you apply if the points to prove for the case were focused on obtaining deleted data? What alternative methods could you use to carve for deleted picture files etc.?

7. If you wanted it to be software specific (you mention you mainly use Cellebrite): scenario, you have completed a file system data extraction from an iOS/Android device, Physical Analyser has decoded WhatsApp chat messages, however you are missing BBM chat messages. What other methods could you use to view (SQLite db files) and/or parse the BBM data using third-party tools?

I hope this helps. They are kind of basic things, but I wasn't too sure if you wanted more Qs on how data is stored and file systems etc… )

 
Posted : 26/02/2014 2:57 am
(@mobiledna)
Posts: 10
Active Member
Topic starter
 

I love it. Thank you!

 
Posted : 26/02/2014 3:01 am
ForensicRanger
(@forensicranger)
Posts: 122
Estimable Member
 

To provide a proper answer I need to know who your target group is. I know LE - but more specifically. Front line officers who will be executing searches, seizing equipment and then forwarding it to their respective digital crimes unit for further/detailed analysis and examination?

 
Posted : 03/03/2014 7:17 pm
(@mobiledna)
Posts: 10
Active Member
Topic starter
 

This would be for front line officers. More of an introduction to cell phone forensics. Information around what can be found or used would be helpful. My target would be smaller LE departments without the technology yet.

Hope that helps.

Adam

 
Posted : 03/03/2014 8:44 pm
hcso1510
(@hcso1510)
Posts: 303
Reputable Member
 

Adam,

I know I am mixing apples and oranges, but here is another scenario.

You are called to a possible child abduction at the local Wal-Mart. Store security has already confirmed a small female child was led outside the front door by a white male. The suspect forced the child into a blue van and drove off. A mother stated her niece had a cell phone in her jacket with the phone number 423-123-4567.

Question: What do you do with the number, and are the capabilities of all cellular service providers the same?

 
Posted : 04/03/2014 1:24 am
(@mobiledna)
Posts: 10
Active Member
Topic starter
 

Thanks Ed. I hadn't thought of that one yet. Appreciate it!

 
Posted : 04/03/2014 1:33 am
ForensicRanger
(@forensicranger)
Posts: 122
Estimable Member
 

This would be for front line officers. More of an introduction to cell phone forensics. Information around what can be found or used would be helpful. My target would be smaller LE departments without the technology yet.

Hope that helps.

Adam

Then, imho, it should be about the preservation of evidence and not about cell phone forensics. That's what I pass on to the front line folks who seize evidence when I present.

Depending on your laws, can an officer search a cell phone at the scene based on SITA? What about going through the device back at the office a few hours after the arrest?

Do they know they are altering data when they go through a device?

One of the best examples I can think of is someone who goes through a cell phone back at the office after it was seized based on SITA. They read SMSs and have now changed the flags from UNREAD to READ. Can/will this alter the outcome of an investigation / trial?

DCS1094 has some great examples, but I would suggest keeping any analysis out of the training session unless they are qualified - and from what I gather, the folks you're looking to train aren't. Focus on evidence preservation: pulling battery vs pulling SIM card vs a few layers of tinfoil; if they go through a phone at the scene/office, ensure proper note taking and awareness of read vs unread messages/emails; when should they get CDRs… those sorts of questions.

Food for thought -)

 
Posted : 04/03/2014 2:19 am
hcso1510
(@hcso1510)
Posts: 303
Reputable Member
 

Adam,

You might consider, depending on your audience, showing them an exam of a phone that had some unread SMS, then show them another exam of the phone after you have read the SMS.

In showing them the two different reports you can show them that the tools utilized have the ability to tell on the person that seized the device, i.e. did they take immediate steps to isolate the device from the network, or did they go back to the office, rifle through the device and just sit back and wait to look at incoming messages.

 
Posted : 04/03/2014 2:44 am
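The "two exams of the same phone" idea above, and dcs1094's question 7 about looking at the SQLite message store directly, can be turned into a small classroom demonstration. The following is an added example written for this thread, not code from any poster or from Cellebrite. It builds two constructed in-memory SQLite snapshots of a message table (a stand-in schema, not the real layout of Android's mmssms.db or iOS's sms.db), one as the phone was at seizure and one after it sat unisolated on a desk and was browsed, then reports which messages had their read flag flipped and which arrived after the seizure time. The phone numbers, timestamps and seizure time are all made up for the scenario.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed seizure time for the scenario (not from any real case).
SEIZURE_TIME = datetime(2014, 3, 4, 1, 24, tzinfo=timezone.utc)


def ts(*args):
    """Unix timestamp for a constructed UTC date/time."""
    return int(datetime(*args, tzinfo=timezone.utc).timestamp())


# Constructed message rows: (id, sender address, unix timestamp, read flag).
# Snapshot taken at the scene, before anyone browsed the handset.
ROWS_AT_SEIZURE = [
    (101, "+14231234567", ts(2014, 3, 3, 22, 10), 1),
    (102, "+14235550100", ts(2014, 3, 4, 0, 55), 0),
    (103, "+14235550100", ts(2014, 3, 4, 1, 10), 0),
]
# Snapshot taken hours later, after the phone was read through at the office
# and left connected to the network.
ROWS_AFTER_HANDLING = [
    (101, "+14231234567", ts(2014, 3, 3, 22, 10), 1),
    (102, "+14235550100", ts(2014, 3, 4, 0, 55), 1),  # flipped UNREAD -> READ
    (103, "+14235550100", ts(2014, 3, 4, 1, 10), 1),  # flipped UNREAD -> READ
    (104, "+14235550100", ts(2014, 3, 4, 3, 40), 0),  # arrived after seizure
]


def load_snapshot(rows):
    """Load constructed rows into an in-memory SQLite database that mimics an
    extracted message store (stand-in schema, not a real handset layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, "
        "date INTEGER, read INTEGER)"
    )
    conn.executemany("INSERT INTO sms VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def read_messages(conn):
    """Query the message table into a dict keyed by message id."""
    return {
        row[0]: {"address": row[1], "date": row[2], "read": bool(row[3])}
        for row in conn.execute("SELECT id, address, date, read FROM sms")
    }


def compare_snapshots(before, after, seizure_time):
    """Diff two snapshots of the message store.

    Returns message ids whose read flag changed between the snapshots,
    ids of messages that arrived after the seizure time (network was not
    isolated), and ids present at seizure but missing afterwards.
    """
    seizure_ts = int(seizure_time.timestamp())
    findings = {"flag_changed": [], "post_seizure_arrivals": [], "missing": []}
    for mid, msg in sorted(after.items()):
        prior = before.get(mid)
        if prior is None:
            if msg["date"] > seizure_ts:
                findings["post_seizure_arrivals"].append(mid)
            continue
        if prior["read"] != msg["read"]:
            findings["flag_changed"].append(mid)
    findings["missing"] = sorted(mid for mid in before if mid not in after)
    return findings


def run_scenario():
    """Build both constructed snapshots and return the comparison."""
    before = read_messages(load_snapshot(ROWS_AT_SEIZURE))
    after = read_messages(load_snapshot(ROWS_AFTER_HANDLING))
    return compare_snapshots(before, after, SEIZURE_TIME)


if __name__ == "__main__":
    result = run_scenario()
    print("Read flag changed after seizure:", result["flag_changed"])
    print("Messages received after seizure:", result["post_seizure_arrivals"])
    print("Messages missing from later snapshot:", result["missing"])
```

The point for a front line audience is the output, not the code: messages 102 and 103 were unread when the phone was taken and read by the time it was examined, and message 104 should never have reached the handset at all. Neither finding says who did it; that is what the officer's contemporaneous notes and the isolation steps taken at the scene have to answer.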
(@dcs1094)
Posts: 146
Estimable Member
 

This would be for front line officers. More of an introduction to cell phone forensics. Information around what can be found or used would be helpful. My target would be smaller LE departments without the technology yet.

Hope that helps.

Adam

Then, imho, it should be about the preservation of evidence and not about cell phone forensics. That's what I pass on to the front line folks who seize evidence when I present.

Yep, was not too sure if this was on pre-examination checks and/or device seizure. Now I know it's focused on seizure, I would echo ForensicRanger's comments on questions to do with the effects of removing the battery etc., and only my Qs 1, 2, 3, 4. Too many times do I see a basic handset with the battery removed and nothing left in situ (just because an IMEI was wanted from the label to speed up the billing process); but little do they know, and now the date/time is default! (unless BB). I don't blame officers; it comes down to what little training they have received on the matter, I assume!

 
Posted : 04/03/2014 4:22 am
Page 1 / 3