Chapter 8 – Triaging Mobile Evidence

Mobile evidence encountered in criminal and civil cases will be in one of two states: powered “on” or “off.” Specific steps are required, and they depend on the power status of the target evidence. Other factors, such as sleep mode, user-enabled security, and the processing of DNA, latent prints, blood, or any other forensic artifacts located on the outside of the device, may play a role in how the device is triaged. In some cases DNA or other similar processing may need to precede the Faraday steps; this will generally be case specific. Standard operating procedures should be in place and should outline specifically how to deal with mobile evidence. First responders should carry “field kits” to assist with properly collecting, Faradaying, charging, and preserving digital mobile evidence. Regardless of the forensic tool or utility used, the examination must be validated each time. Examiners must also validate their laboratory tools prior to working on an actual case.