“Fortune favors the prepared mind.”
Over the past year and a half, the pandemic has changed many facets of daily and working life, and forensic collections were not spared. Remote collections of mobile devices happened before the pandemic, but they were far less common then and usually reserved for extenuating circumstances. Covid has flipped that on its head: in-person collections are now the exception.
All the usual culprits contribute to this change. In-person collections typically require travel, usually by plane with an overnight hotel stay. The collection itself takes place indoors over several hours, which adds exposure risk, and individuals having their phones collected usually prefer to be nearby, if not in the same room, while it happens.
Because more people now work remotely, in-person collections have become even more time-consuming. Gone are the days (at least for now) when a forensic collector could visit a company, perform a series of collections in one trip, and return with the needed data. Remote collections address many of these issues, but they introduce new ones of their own. Those problems can be minimized if vendors and clients plan and communicate effectively.
To perform a remote collection of a mobile device, the collector first ships a remote collection kit to the custodian. The kit is typically a package containing a computer pre-loaded with the collection software, a hard drive to store the device image, cables to connect the phone, a chain of custody form, and a return label for the kit. After the kit arrives, the collector and the custodian meet by video conference to walk through the settings, connections, and procedures needed to produce a forensically sound image of the device. Once the collection has begun, the collector monitors the process until it completes. Finally, the custodian fills out the chain of custody form, ships the kit back to the vendor, and Bob's your uncle.* Except it does not always happen like that...
Sometimes the operating system receives a security update that interferes with the collection software; a dongle does not work; the data that matters turns out not to be on the phone; the custodian cannot remember their backup password; or something else prevents the collection from happening. Planning and communication therefore provide two main benefits:
- You receive critical information about the devices you are dealing with in advance.
- Both your client and the custodian (sometimes the same person) have an opportunity to think through the process before collection day.
At Sandline, we use a simple questionnaire for each device, with the following fields:

| Mobile Device Collection Information |
|---|
| Custodian Last Name |
| Custodian First Name |
| Custodian Physical Address |
| Anticipated Date of Collection |
| Custodian Email Address |
| Custodian Alternate Telephone Number |
| Mobile Device Management Installed |
| Operating System Installed |
| App 1 Version Installed (if collecting apps) |
| App 2 Version Installed (if collecting apps) |
| Device Unlock Passcode |
| Cloud Backup Password (case sensitive, if enabled) [e.g. iCloud, Google Drive] |
In addition to the questionnaire, dialogue with the client or custodian provides an opportunity to address preservation measures. For example, the custodian should not delete anything from their device and should turn off automatic updates for the operating system and for any applications that need to be collected. These preservation steps help ensure that no data is accidentally removed and that the collection software remains compatible with the installed app versions. If mobile device management software is on the device, the company can usually implement these preservation measures remotely. Because the questionnaire also captures the device unlock passcode and backup password, those answers should be gathered over a channel the vendor controls rather than plain email, and kept with the case file rather than in the kit.
Scheduling a collection in advance also tends to reduce the time a kit spends away from the vendor. It is common for a vendor agreement to add fees if the kit is not returned within a specified time. Cost aside, a shorter loan also reduces the opportunities for accidents, theft, or simply losing the kit, all of which cost time and money and require another collection. Applications and operating systems are updated so frequently that it is nearly impossible for collection software to keep up with the myriad options and versions. When the forensic collector has the questionnaire answers in advance, they can research which cables and dongles to provide, whether the software is compatible with the installed versions, and whether a collection of the cloud backup will be necessary.
Forensic collections take time and effort. Even after a collection concludes, you may encounter issues processing what was (or was not) collected. These steps will not eliminate every obstacle to a successful collection, but they will minimize them. Sometimes you will need more time to gather this information, but even that knowledge, and the conversations it generates, will better prepare you for the challenge.
So, what are your thoughts? What other strategies do you use in planning a mobile device collection?
* English expression for "there you have it."