Chain of Custody and
Preservation of Evidence
The goal of a forensic investigator is to obtain evidence using the most acceptable methods, so that the evidence will be admitted at trial according to the law. Obtaining a judge’s acceptance of evidence is commonly called an admission of evidence. Admissibility requires a lawful search and strict adherence to the chain of custody rules, which cover evidence collection, evidence preservation, analysis, and reporting.
According to the International Organization on Computer Evidence, some general principles should be followed in recovering digital evidence for a chain of custody:
1. All of the general forensic and procedural principles should be adhered to when dealing with digital
2. Upon seizing digital evidence, any actions taken should not modify the original evidence.
3. When it is necessary for personnel to access the original digital evidence, the personnel should be appropriately trained for the purpose.
4. All activities associated with the seizure, access, storage or transfer of digital evidence must be fully and properly documented, preserved and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence when digital evidence is in that individual’s possession.
6. Any agency that is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with all six principles (Guidelines for Best Practice in the Forensic Examination of Digital Technology 17-18).
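Principles 2, 4 and 5 above amount to a verifiable custody record: every seizure, access, storage or transfer event is logged against a named custodian, and the evidence hash recorded at seizure lets a later reviewer prove the original was not modified. The following is an added illustration, not code from the guidelines or any vendor tool; it keeps a hash-linked custody log in memory and verifies it against a constructed in-memory "evidence image" (in practice this would be the bytes of a forensic image or extracted file).

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a forensic image; real use would read the image file.
EVIDENCE_BYTES = b"constructed sample evidence image bytes"
GENESIS = "0" * 64  # prev_hash for the first (seizure) entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def custody_entry(log, action, custodian, evidence, note="", when=None):
    """Append a custody record (seizure/access/storage/transfer) linked to the
    previous record by hash, so entries cannot be silently altered or dropped."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS
    entry = {
        "seq": len(log) + 1,
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        "action": action,
        "custodian": custodian,  # principle 5: the responsible individual
        "evidence_sha256": sha256_hex(evidence),  # principle 2: unmodified?
        "note": note,
        "prev_hash": prev_hash,
    }
    body = json.dumps(entry, sort_keys=True).encode()
    entry["entry_hash"] = sha256_hex(body)
    log.append(entry)
    return entry


def verify_log(log, evidence):
    """Return (ok, reason). Checks the hash chain, that every entry recorded the
    same evidence hash as at seizure, and that the evidence still matches it."""
    if not log:
        return False, "empty log"
    seizure_hash = log[0]["evidence_sha256"]
    prev = GENESIS
    for i, entry in enumerate(log, start=1):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False, f"link broken at seq {i}"
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False, f"entry {i} altered"
        if entry["evidence_sha256"] != seizure_hash:
            return False, f"evidence changed before seq {i}"
        prev = entry["entry_hash"]
    if sha256_hex(evidence) != seizure_hash:
        return False, "evidence differs from hash recorded at seizure"
    return True, "ok"
```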
While a mobile phone is
powered on, it will search for the strongest signal, usually from the nearest
active cellular tower, or a tower that enables the device to obtain the best
signal. As a mobile device is transported, it will continue to search and
adjust to maximize the strength of signal with that tower. The designation of
the most recently connected cellular tower is then recorded as a database entry
in the file system of the cellular phone; thus, when a mobile device moves to a
new area, a new entry will be updated in that database.
The most important step for a first-responder investigator, when arriving at the scene of a crime and identifying a mobile device for possible evidence submission, is to determine how best to preserve that device and its data. This includes recording and documenting the scene, with photographs of the mobile device in an undisturbed state. It is recommended to power the mobile device off to preserve the data
and battery power. If it is not possible to power the device off in a safe
manner, the phone should be protected from cellular phone towers. Aside from
locking down the mobile device by either disengaging or maintaining the power
supply, the investigator should seize any additional accessories to the device
such as SIM and media cards, headsets, charger cables and cases that could
potentially contain evidence.
When a mobile device has
been powered off, text messages and other data may queue for delivery when the
phone is powered back on and returned to service. The queued messages and data
can overwrite old and deleted messages and/or data once they are delivered to
the carrier. Carrier providers may update system files and roaming services
when the mobile device is connected to the system. There will also be the
potential for corruption of downloaded data as well as the file system of the
device during a forensic examination when the system updates are transmitted to
The equipment that works best is a Radio Frequency (RF) shielded test enclosure box, such as those from a forensics product vendor like Ramsey Electronics. The Ramsey boxes ensure the mobile device is isolated from a cellular carrier’s network and other RF signals, preventing any incoming or outgoing communications, including
Another option for transporting a mobile device from the crime scene to the crime lab is a Faraday bag. Faraday bags are specially designed RF-shielded, plastic-coated bags used to shield a mobile device from external contact. The bags incorporate a conductive mesh to provide secure transportation to the laboratory. One issue with Faraday bags is that a cell phone will often continue to search for a signal even while in the protected bag, thus zeroing out the register that holds the location data and making the device useless as an evidence artifact. Another issue is that the increased activity of a powered-on device inside the Faraday bag can cause the battery to fail at a faster pace. With the Apple iPhone in particular, it is imperative for the forensic investigator
to properly seize the mobile device due to the option of the Remote Wipe
feature on the phone. A user can perform this command if the smartphone is
connected to the Internet or phone network. If the device is powered off or
placed in a Faraday bag, it cannot be remotely wiped; however, once powered
back on, the wiping process, if activated, will automatically be invoked.
When choosing a shielding product such as one of those mentioned above, it is important that the forensic investigator can still use the necessary tools to complete the examination, ideally within the shielded area of a forensics laboratory.