Evidence Protection - Forensic Laboratory and Analysis of Smartphones, Computers, Apps, Tablets and mobile devices

SECURING EVIDENCE CORRECTLY

In order to secure evidence correctly, it is neccessary to have access to equipment, knowledge but salso standardized procedures. This is important for cases of corporate crime and other public crimes. In companies high management can course severe damages and even lead to companies going out of business. Here is its important to play by the rules to get hold of hidded assets and filter out falsified evidence.

IS IT POSSIBLE TO MAKE EVIDENCE USELESS AT COURT?

When evidence is not collected and analyzed by the book of rules then a court may see it as proven that the chain of custody is no longer valid and may dismiss the evidence as worthless.

some companies and entrepreneurs think they can fool the justice departments by creating falsified evidence. Some even want to save a lot of money and start running a “quick and dirty” backup activity. This eventually results in a long list of law violations. Data privacy laws and even communication laws may be violated, too.

At the first sight these companies things they have saved 8.000 EUR to 580.000 EUR on a professional forensic investigation, but eventually they will lose in court or even suffer a considerable financial loss as the other party can evaluate the evidence by simply asking the court or an expert to evaluate the way evidence was gathered. If evidence violated several laws it may even be fully dismissed.

Conducting a fraud investigation or a forensic laboratory analysis required a lot of work and diligence. People tend to confuse forensics with a simple backup. People with a non-neutral interest in the outcome should never try to collect the evidence themselves. This rule applies for auditors, police and other professionals. Therefore individuals and companies should not try to go the wrong path. Besides that, the fines for violating privacy laws can be quite costly in some countries.

Therefore it is important to conduct a forensic analysis with people who have professional training, certifications and equipment.IMPORTANT STEPS TO PROTECT THE CHAIN OF CUSTODY

When securing evidence from mobile devices our forensic experts and clients should follow these recommendations:

The devices (Handy, Smartphone, Dictaphone, USB Stick, …) containing evidence should no loger be used and also no be in reach of the accused person.
When a smartphone is still switched on, then it is best to active “Flight mode” (flugmodus). This reduces the risk of outside inflience from Wifi, GSM, bluetooth and other elements. If the phone is not switched on then do not power up phone just to active flyight mode. To check the situation, just pres once on the home button or power putton.
Secured phones are to be kepts inside the Faraday Bag.
In a preferable situation one has all pins and accesscodes (e.g. itunes backup passwords)
Look out for original documentation the GSM provider shiped with the phone as here are often PIN and PUK available.

In accordance with the current use of the device (home or business usage) it can be necessary to check further parameters:

Is the device connected with a Mobile Device Management? MDM Systems can be used to wipe evidence containing devices from long distance!
Visual Check: what is the current state (Damages, charged up, accessories??). The charging cable is not vital but can be of help if a device has a special power conector (i.e. tablets of notebooks).
If possible, it is recommended to collect technical information on the device itself (Serial number, IMEI Number, Operating System, Memory Capacity, PIN code, PUK).
Serial numbers of SIM cards.
The IMEI Number of device.
Was the device syncronized with a computer? then also collect that computer for analysis
Are there any backups on a computer for particular mobile devices (Smartphone, PDA, GPS, …)
Are there any case relevant files stored on external hard drives or memory cards?
Have cloud services (e.g. Dropbox, Facebook, SkyDrive, iCloud) been used by the device or user?

Following important recommendations for our clients should they be confronted with corporate crime:

Never conduct inhouse your own examinations on devices as data bay be lost or integrity degraded
Never allow a Computer Service provider restoere emails with out the necessary consultations. You can violate employment laws and data privacy laws. You might be sued for good reason.
Never conduct a full examination on all employees without necessary reason and selection. It is illegal to declare all employees as violators.
Remember to follow good compliance standards.