There are three types of forensic acquisition (collection) methods for cellular phones: logical, physical, and manual. Depending on the type of acquisition performed on a cell phone, the amount and type of evidence that can be collected will vary because of the limitations imposed by the method being used.
37.2.1. Logical acquisitions
Logical acquisitions of cell phones are performed using cell phone forensic software. A logical acquisition typically recovers only data on a cell phone that has not been deleted. Depending on the phone and the forensic tools used, some or all of the data may be acquirable; for instance, where only some of the data can be acquired, the text messages, contact list, and call history might be recoverable with the cell phone forensic tools while the images and ringtones are not. Even if only existing data can be captured from a cell phone, there are good reasons for performing a logical acquisition instead of simply taking pictures of the information on the phone from the device itself. When a logical acquisition is performed, the data can be preserved in stasis and the phone returned to the custodian to whom it belongs. You then have a snapshot in time of the cell phone evidence as it existed when the acquisition was performed, which preserves that evidence and also allows for verification. Some cell phone forensic tools allow multiple phones to be added to one case, so that the data from multiple phones can be compared using graphs and diagrams. Examples of this are included later in this chapter. If a logical acquisition is not performed, the possibility of performing these analysis functions is off the table.
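The verification benefit described above comes from fixing the acquired data at a point in time. The following added example (not code from the book or from any forensic tool) shows one way that snapshot can be made verifiable: every category exported by a logical acquisition is hashed into a manifest, and a later check reports any category whose content differs from the manifest. The acquisition layout, examiner name, and device identifier are assumed, constructed values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample of what a logical acquisition might export: one blob per
# data category. The layout is assumed for illustration, not any tool's format.
SAMPLE_ACQUISITION = {
    "sms": b"2024-01-05 09:12|+15550100|Meet at 10\n2024-01-05 09:15|+15550100|OK\n",
    "contacts": b"Alice,+15550100\nBob,+15550101\n",
    "call_log": b"2024-01-05 08:50|out|+15550101|00:02:13\n",
}


def sha256_hex(data: bytes) -> str:
    """Digest used to fingerprint each exported category."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(acquisition: dict, examiner: str, device_id: str) -> dict:
    """Snapshot the acquisition: hash every category and record when and by
    whom it was taken, so the exported data can be checked later."""
    return {
        "device_id": device_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "items": {
            name: {"size": len(blob), "sha256": sha256_hex(blob)}
            for name, blob in acquisition.items()
        },
    }


def verify_manifest(acquisition: dict, manifest: dict) -> list:
    """Return the sorted names of categories that no longer match the manifest.
    A category that is missing from, or added to, the acquisition also counts
    as a mismatch, because the snapshot no longer describes what is on hand."""
    expected = manifest["items"]
    problems = []
    for name in set(expected) | set(acquisition):
        if name not in expected or name not in acquisition:
            problems.append(name)
        elif sha256_hex(acquisition[name]) != expected[name]["sha256"]:
            problems.append(name)
    return sorted(problems)


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ACQUISITION, "examiner-1", "DEVICE-ID-PLACEHOLDER")
    print(json.dumps(manifest, indent=2))
    # Simulate a later edit to one message: verification names the category.
    altered = dict(SAMPLE_ACQUISITION)
    altered["sms"] = altered["sms"].replace(b"OK", b"No")
    print(verify_manifest(altered, manifest))
```

The manifest itself is what the examiner would keep alongside the exported data; any subsequent comparison between phones is then performed on data whose integrity can be re-checked at any time.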
Although it is uncommon, it is possible to get deleted data when performing a logical acquisition. This only applies to phones where the unallocated space on the phone can be acquired as if it were a logical file. This allows an examiner to carve out information from the unallocated space that might be of interest in a case.
37.2.2. Physical acquisitions
Physical acquisitions of cell phones are also performed using cell phone forensic software. A physical acquisition of a cell phone is the acquisition of the data at the hardware level. In other words, a physical acquisition is able to acquire all of the data present on a device, regardless of the file system, operating system, or other factors that act as limitations when performing a logical acquisition. If a physical acquisition is possible, this is almost always the best option when acquiring cell phone evidence. Physical acquisitions are able, in almost every situation, to get all the types of data from a cell phone, and also the unallocated space. An examiner can then carve out deleted information from the unallocated space. An example of this is shown in Fig. 37.3. For more information on unallocated space and deleted data carving, see Chapter 29.
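Both the logical case above (unallocated space acquired as if it were a file) and the physical case describe carving deleted information out of unallocated space. The following added example, written for this chapter and not taken from the book or any forensic tool, shows the two simplest carving techniques on a constructed block of "unallocated" bytes: header/footer carving for a JPEG (start-of-image and end-of-image markers) and printable-string carving for the remains of a deleted text message. The filler bytes, the embedded image stub, and the message text are all constructed; the stray image header near the end is there to show how a carver handles a header with no matching footer.

```python
import re

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker (plus first segment byte)
JPEG_EOI = b"\xff\xd9"       # end-of-image marker

# Constructed "unallocated space": filler that contains neither marker nor a
# printable run, a deleted message fragment, a minimal JPEG stub, and a stray
# header with no footer.
FILLER = bytes([0x00, 0xFF, 0x10, 0x80]) * 16                      # 64 bytes
DELETED_SMS = b"+15550100|Meet behind the library at 9"             # 38 bytes
JPEG_STUB = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x01" * 20 + JPEG_EOI
UNALLOCATED = FILLER + DELETED_SMS + FILLER + JPEG_STUB + FILLER + JPEG_SOI + FILLER


def carve_jpegs(blob: bytes, max_size: int = 1 << 20) -> list:
    """Header/footer carving. Each SOI marker opens a candidate; the next EOI
    closes it. A header with no footer within max_size is skipped rather than
    swallowing the rest of the blob. Returns (offset, bytes) pairs."""
    found = []
    pos = 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or end - start > max_size:
            pos = start + 1          # no usable footer: move past this header
            continue
        found.append((start, blob[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)    # resume after the carved file
    return found


def carve_strings(blob: bytes, min_len: int = 8) -> list:
    """Printable-ASCII carving: runs of at least min_len printable bytes, which
    is how fragments of deleted messages and contacts usually surface in
    unallocated space. Returns (offset, text) pairs."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


if __name__ == "__main__":
    for offset, data in carve_jpegs(UNALLOCATED):
        print(f"JPEG at offset {offset}, {len(data)} bytes")
    for offset, text in carve_strings(UNALLOCATED):
        print(f"string at offset {offset}: {text!r}")
```

Real carvers validate the structure between the markers (segment lengths, embedded thumbnails, fragmented files) rather than trusting the first footer they meet; the skip-on-missing-footer branch above is the minimum needed to keep one orphaned header from producing a bogus multi-megabyte "image".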
37.2.3. Manual examinations
With cell phones, a physical acquisition is usually the best option, and logical acquisitions are the second best option. Manual examinations should be the last option when performing a forensic acquisition of a cell phone. A manual examination introduces a greater degree of risk than the previous acquisition methods in the form of human error. With physical and logical acquisitions, manipulation of the actual cell phone from the keypad and menu on the device is minimal. With a manual examination, the entire process must be performed using the keypad and menu to navigate through the cell phone.
When you pick up an unfamiliar cell phone, it can be difficult to operate at first, since there is a learning curve in getting familiar with the keypad, menu, and other controls of the phone. The chance of accidentally creating evidence, such as hitting a speed dial button and creating a call attempt, is greater. The chance of deleting evidence is also greater; for example, you might accidentally delete a text message instead of just viewing the next one as you intended.
A correctly performed manual examination will reduce the risks of modifying the original evidence. With correct procedures and thorough documentation, a manual examination is a viable option when acquiring cell phone evidence. The quality of a manual cell phone examination really depends on the competency of the examiner; if correct procedures and thorough documentation are not part of the manual examination, it can call into question whether or not the evidence was actually preserved, or if any tampering, intended or otherwise, occurred during the examination of the cell phone.
A manual examination of a cell phone typically involves an examiner manipulating the cell phone to the different areas of information, such as text messages or call history, and taking pictures of the screen with a camera. While this is viewed as acceptable by some members of the digital forensics community, to others this is not enough.
Pictures only tell part of the story: what could have happened in the time between the individual pictures being taken? Pictures alone do not provide any real verification that the phone evidence has not been modified or tampered with. The only way to make a truly verifiable manual examination of a cell phone is to also record the process using a digital video camera running continuously throughout the process with no breaks, pauses, or edits. The video should begin before the phone is taken out of the secure evidence container, and the phone should be powered on in view of the camera. At the end of the examination, the phone should be powered down in view of the camera and placed back into a secure evidence container.