Checklist to Set Up a Successful Mobile Device Forensic Collection

The convenience and functionality of mobile phones enable our tech-driven lives. Mobile devices are so ingrained in our daily routines that we rely on them for both work and personal matters.

In litigation, digital evidence from these devices can include pictures, videos, email, chat, GPS location, internet history, and device connections, as well as the metadata attributed to each artifact. While mobile device technology might be on the cutting edge, the legal industry is constantly evolving to catch up.

As a result, Forensic Collection and eDiscovery concerns continue to shift due to the changing landscape. At the forefront of these concerns are topics surrounding how devices are used, how information created by these devices is governed, and how data is collected from these sources. 

On the collection side, one common method is having a Certified Forensic Examiner physically collect the mobile device using tools like Cellebrite UFED or EnCase Mobile Investigator.

Acquisition and preservation of the entire mobile device is of utmost importance, as it is the most defensible method. The evidence and associated metadata, taken in conjunction with the device as a whole, provide a more complete picture than the evidence alone. As with any collection, it’s always best to provide as much information as possible to facilitate a smooth data collection and the timely return of devices.

With that in mind, here is a short list of questions to ask custodians upfront to help set up your mobile device forensic collection project for success: 

  • What is the PIN, pattern, passcode, or other unlock mechanism used for the device?
  • Is there any MDM (Mobile Device Management software) involved?  
  • What is the Make of the device?  
  • What is the Model of the device?  
  • Is this a personal or work device? 
  • What Operating System is being used? 
  • What is the geographic location of the phone?  
  • Does the device have encryption? (yes/no) 
  • Is the device, or was it ever, backed up to a cloud account?