How should mobile devices be handled to prevent loss of evidence (data)?

Mobile devices should be isolated from communication networks at the time of seizure in order to prevent the transmission and destruction of data on the device, as well as to maintain the device in its most vulnerable security state. This can be accomplished in one of the following ways:

A. If the device is seized powered on:

  1. Determine if any security measures (e.g. Secure Startup, PIN, password, pattern-lock, encryption) are enabled;
    1. If unsecured or the passcode is known:
      1. Enable the device’s “Airplane Mode” – a setting available on many mobile devices that suspends the device’s signal transmitting/receiving functions;
        • Disable any other communication settings (e.g. Wi-Fi, Bluetooth, etc.) that are not automatically disabled by enabling Airplane Mode;
      1. If applicable, remove its battery and Universal Integrated Circuit Card (UICC) (aka Subscriber Identity Module [SIM] card);
      2. Power down the device via its interface or by long-pressing its power button and, if applicable, remove its battery;
        • Depending on enabled security measures, this process may prevent future access to the device.
    1. Secured Apple and Android devices with an unknown passcode require specific handling in order to maximize the amount of data available for extraction and the speed of passcode identification. The following evidence handling guidelines should be followed:
      1. Ensure the device stays powered on and is sufficiently charged – DO NOT ALLOW THE DEVICE TO POWER OFF OR REBOOT;
      2. Shield the device from communication networks by putting the device into “Airplane Mode” and placing it in a shielded enclosure;
        • If neither option is available, remove* the UICC from the device;
          *Removing the UICC from a device that is powered on may result in the device being placed into a more secure state;
      3. Submit the device to the Central laboratory as soon as possible.

B. If the device is seized powered off:

  1. If applicable, remove its battery and UICC
    1. For applicable mobile devices, it is important to determine if the device (handset) contains a UICC or flash memory card such as a micro Secure Digital (microSD) card
      1. Either card can be located internally, typically under the battery, or externally along the side of the device;
      2. These storage devices should be indicated on the RFLE as additional items of evidence; typically as sub-items to the handset.
      3. Also, if the device is reliant on a UICC to authenticate the device to a service provider’s network(s), removal may be an additional shielding measure.

The Virginia Department of Forensic Science recommends mobile devices be packaged at the time of seizure and prior to lab submission as follows:

  1. Place in an anti-static bag (e.g. paper envelope)
  2. Wrap in aluminum foil (5 times with heavy duty or 10 times with standard thickness)
    1. This step can be skipped if the device’s battery has been removed or Airplane Mode has been enabled (confirming cellular/data, Wi-Fi, and Bluetooth are disabled)
  3. Place in a >3 mil thick shielded enclosure (e.g., “Faraday” bag)
    1. This step can be skipped if the device’s battery has been removed or Airplane Mode has been enabled (confirming cellular/data, Wi-Fi, and Bluetooth are disabled)
  4. Place in an outer storage bag (container) and seal
    1. If applicable, label that the battery has been removed or Airplane Mode has been enabled (confirming cellular/data, Wi-Fi, and Bluetooth are disabled)

Packing kits may be available for purchase from a third-party vendor.