Handheld Forensic Investigation

Tuesday, December 8th, 2015

When dealing with a handheld device, a set of additional considerations must be addressed to ensure that any evidence it contains is captured in a manner that makes it usable in any criminal or civil action. The term "handheld device" is used to describe a range of devices that continues to expand. It includes electronic organisers, tablets, personal digital assistants (PDAs), mobile and smart phones and, as they reduce in size, devices that would previously have been called laptop computers. An increasing convergence in the capabilities of small devices is under way, and the distinction between the whole range of handheld devices is shrinking.

In addition to the types of devices previously detailed, a number of other electronic devices that might be encountered during searches fall into the handheld group, and these may contain evidence relevant to the investigation. They include pagers, digital cameras, MP3 and MP4 players.

Electronic organisers, PDAs, tablets and smartphones range from very small and very cheap devices that may contain little more than a few telephone entries to expensive devices that have as much processing power and storage as the desktop PC of only a few years ago. These devices run on a range of operating systems, such as Linux, Windows CE, the Palm OS and the Symbian OS. Mobile and smart phones range from devices capable only of making phone calls and storing a small list of phone numbers to modern 3G and 4G capable devices that have the functionality of a computer.

Small laptops such as the Nokia N810, the Toshiba Libretto, and the HTC "Shift" are fully functional laptops that have been reduced in size to the point where they are treated very much like other handheld devices. The same is true for computer tablets.

Despite the range of hardware and operating systems, all handheld devices these days provide a similar level of functionality. They contain a small microcomputer with a miniature or virtual keyboard, a display screen, and memory chips or micro disks on which information is stored.

In some of the devices, the memory is volatile and is kept active by the battery. If this fails or is allowed to fully discharge, all information contained in the device may be lost. However, even then, it may be possible to recover data from flash memory.

Other devices have two sets of batteries. The main battery is used to run the device when it is turned on, while a backup battery maintains information in the memory if and when the main battery fails or is fully discharged. When handheld devices are seized, specialist advice should be obtained at an early stage to determine the most appropriate way to handle and store the device. With handheld devices, special consideration must be given to the isolation of the device to prevent data stored on it from being altered or deleted as a result of connection to a network.

The information stored on a handheld device is likely to be held in volatile memory. Consequently, a main concern is to make certain that the procedures in place ensure the evidence stored in the main memory is changed as little as possible. Any changes that do occur must take place with certain knowledge of what is happening internally on the device.

To access most handheld devices, it is typically necessary to switch them on. This means that every effort has to be made to avoid modifying the contents of the device. In addition, it is often not possible to create an image of some handheld devices in a manner that can be repeated to achieve the same hash value, because variables such as the clock time are constantly changing.
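The non-repeatable hash problem described above can be managed by hashing an acquisition block by block as well as whole, so that the examiner can document exactly which regions differ between two acquisitions and show that the evidential regions were stable. The following is an added example, not code from the original post; it uses a constructed 512-byte toy image in which only an 8-byte clock field at offset 128 changes between acquisitions, and the layout, block size and field offsets are assumptions for illustration.

```python
import hashlib

BLOCK_SIZE = 64  # assumed block granularity for the toy image


def build_image(clock_value: int) -> bytes:
    """Constructed toy acquisition of a handheld device.

    Everything is fixed except the 8-byte clock field at offset 128,
    which plays the role of the constantly changing device clock.
    """
    image = bytearray(512)
    image[0:16] = b"HANDHELD-IMAGE-1"
    image[32:64] = b"contacts: alice bob carol dave  "
    image[128:136] = clock_value.to_bytes(8, "big")
    image[256:288] = b"sms: meet at 9, bring the docs  "
    return bytes(image)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def block_hashes(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Hash each fixed-size block so changes can be localised later."""
    return [sha256(image[i:i + block_size])
            for i in range(0, len(image), block_size)]


def compare_acquisitions(img_a: bytes, img_b: bytes,
                         block_size: int = BLOCK_SIZE) -> dict:
    """Report whether the whole-image hashes match and, if not, which
    block offsets differ, so the examiner can record the volatile regions."""
    hashes_a = block_hashes(img_a, block_size)
    hashes_b = block_hashes(img_b, block_size)
    changed = [i * block_size
               for i, (a, b) in enumerate(zip(hashes_a, hashes_b)) if a != b]
    return {
        "whole_image_match": sha256(img_a) == sha256(img_b),
        "changed_block_offsets": changed,
        "stable_blocks": len(hashes_a) - len(changed),
    }


if __name__ == "__main__":
    first = build_image(1449532800)   # constructed: first acquisition
    second = build_image(1449532860)  # constructed: one minute later
    report = compare_acquisitions(first, second)
    print("whole-image hashes match:", report["whole_image_match"])
    print("changed block offsets:", report["changed_block_offsets"])
    print("stable blocks:", report["stable_blocks"])
```

With a real acquisition the block hashes of the stable regions are what go into the contemporaneous notes, alongside an explanation of why the whole-image hash cannot be reproduced.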