Cellphones are an investigator’s friends

Whenever a client calls with a complex investigation we quickly run through a checklist of volatile evidence that they should preserve, including cellphones. These are obvious digital items that make sense to archive before they disappear:

  • Alarm system logs,
  • Access control activity,
  • Video from the area of concern,
  • Network logs, especially DHCP, firewall, proxy and host logs.

Cellphones belong on this list too. Often the contents of phones give strong clues about activity of concern. Cases that we have investigated had really interesting drama recorded on cellphones. They ranged from plans for a murder to lost vacation photos.

Not long ago a friend asked to have a phone used by his son analyzed. His son had died recently. It was possible to recover texts sent to his mother just before he died. These might have been the last “I love you, mom” messages from him. We were honored to be part of the process.

Corporate investigators often have access to company-provided phones. These can be examined if a policy is in place informing users that they have no reasonable expectation of privacy on company devices.

Just “looking at what is on the phone” is not a recommended procedure, however: opening messages and apps changes timestamps, read status and other data on the device, which alters evidence. A better process is to write down the screen unlock code, put the phone in airplane mode, turn it off and seal it in a shielded bag. Record the unlock code first: once a modern phone has been powered off, its user data stays encrypted until the code is entered again, so much of the content cannot be extracted without it. The contents can then be analyzed later with hardware and software designed for the purpose. We recommend a professional approach using Cellebrite tools.

Litigation holds should include cellphones too. It is not necessary to take the phone away permanently, just long enough to create a forensic image. The image can then be preserved in anticipation of possible legal action. Cellphones are often an important part of eDiscovery.
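The preservation steps above (record the unlock code, airplane mode, power off, shielded bag) and the forensic image taken under a litigation hold both need a record that shows the evidence was not changed between collection and the day it is produced. The following is an added example, not code from the original post or from any Cellebrite tool: a small Python chain-of-custody helper that logs the steps taken, hashes the image with MD5 and SHA-256, and re-verifies it later. The device details, the custodian name and the three-byte "image" file are constructed placeholders.

```python
"""Added example: chain-of-custody record and hash verification for a phone image."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Preservation steps from the post, in the order they are performed on the handset.
PRESERVATION_STEPS = (
    "record screen unlock code",
    "enable airplane mode",
    "power off",
    "seal in shielded bag",
)


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, reading in chunks so multi-GB images fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def intake_record(device, custodian, image_path, steps=PRESERVATION_STEPS):
    """Build a custody record tying the device, the steps taken and the image hashes together."""
    md5, sha256 = hash_file(image_path)
    return {
        "device": device,
        "custodian": custodian,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "steps": list(steps),
        "image": os.path.basename(image_path),
        "md5": md5,
        "sha256": sha256,
    }


def verify_image(image_path, record):
    """Re-hash the image and compare with the record; any change to the file returns False."""
    md5, sha256 = hash_file(image_path)
    return md5 == record["md5"] and sha256 == record["sha256"]


def run_example(workdir=None):
    """Create a constructed image, record it, then show that a later modification is detected."""
    workdir = workdir or tempfile.mkdtemp()
    image = os.path.join(workdir, "phone-001.bin")
    with open(image, "wb") as fh:
        fh.write(b"abc")  # constructed stand-in for a real forensic image

    # Hypothetical device identifiers and custodian; replace with the real intake details.
    device = {"make": "hypothetical", "model": "hypothetical", "imei": "000000000000000"}
    record = intake_record(device, "examiner@example", image)
    with open(image + ".json", "w") as fh:
        json.dump(record, fh, indent=2)  # stored beside the image as the custody record

    ok_before = verify_image(image, record)
    with open(image, "ab") as fh:
        fh.write(b"x")  # simulate accidental modification of the preserved image
    ok_after = verify_image(image, record)
    return record, ok_before, ok_after


if __name__ == "__main__":
    rec, before, after = run_example()
    print(json.dumps(rec, indent=2))
    print("verified at intake:", before, "| verified after modification:", after)
```

Keeping two digests is deliberate: many eDiscovery platforms still expect MD5 while courts and examiners increasingly ask for SHA-256, and recording both at intake avoids re-hashing a large image later. The JSON record should itself be stored write-once (or signed) so that the hashes cannot be quietly updated alongside a changed image.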