BlackBag may have a digital evidence tool to assist investigators when digital examiners are not available
By: Justin Matsuhara
A gang investigator is getting ready to interview a suspect who has provided consent to search two mobile devices. The investigator takes the devices to the digital examiner for acquisition and analysis. The digital examiner, who is working a child exploitation investigation involving multiple items of digital media evidence, looks at the stack of cases on the desks and tells the investigator it will be a few days before they can get to the mobile devices. The gang investigator responds, “I am walking into an interview, and the suspect provided me the devices under consent, so I need it done now.”
What about other times when a digital examiner is not available? An officer stops the car of a suspect who provides consent for the search of their mobile device; an investigator on the scene of a search warrant locates an unlocked mobile device that falls within the scope of the warrant.
What if investigators did not have to wait for the digital examiner? What if there was a digital forensic tool in your toolbox to help you get the job done? Is there a tool that could provide investigators access to these devices to help alleviate the immediate need? BlackBag may have a digital evidence tool to assist investigators when digital examiners are not available.
Mobilyze is a triage and acquisition tool for Android and iOS mobile devices. It works directly with BlackLight and can also be used as a standalone acquisition tool. With a learning curve of less than two hours, Mobilyze provides any investigator, with or without a digital forensic background, a tool to acquire an Android or iOS mobile device. Viewing of data is almost immediate upon acquisition, allowing investigators to search through the acquired data for incriminating or exculpatory data as the acquisition occurs. If the person then withdraws consent, the investigator may have already identified probable cause to seize the device for further analysis.
If neither is found and the person withdraws consent, simply stop the acquisition; the data acquired up to the point of disconnect is retained. Should the investigation take a turn and the investigator develop probable cause and legal means of accessing the previously acquired data, the data already acquired is preserved and may be used to assist with the investigation. Do your current digital forensic tools provide this ability?
If the above situations are not what you would encounter in your daily workflow, but you still have a need to acquire Android and iOS devices, BlackLight is fully capable of acquiring both. However, BlackLight will not afford you the two noted features of Mobilyze: immediate viewing of acquired data during acquisition, and retention of data if disconnected in the middle of an acquisition.
In many cases, investigators will depend on the acquired data from Mobilyze for their respective case. But what if the data needs to be further analyzed? The Mobilyze interface provides limited access to the data acquired, while BlackLight provides more robust features to interact with the acquired data. If the investigator needs a more thorough analysis, the acquired data can be provided to a trained digital examiner for ingestion into BlackLight for a deeper analysis of the data.
Ingesting the Mobilyze acquisition into BlackLight is simple. In BlackLight, select the ADD button for Evidence, then navigate to the location where you stored the Mobilyze acquisition. Select the acquisition folder that represents the acquired phone data (UDID or serial number).
Once selected, choose your Ingestion Options and click START.
So, if you are an investigator that needs to triage a mobile device prior to interviewing a suspect, victim, and/or witness, or if you need to quickly acquire and preserve mobile data immediately, implement Mobilyze into your workflow.
If you are a digital forensic examiner that doesn’t have enough hours in a day, have each of your agency investigators trained and certified on the use of Mobilyze. They can acquire their own devices related to their investigation. They can triage the data and provide you only the datasets that need further analysis in BlackLight.
About the Author:
Justin Matsuhara is a retired detective from California. He completed the California Department of Justice computer and mobile forensic series of courses. He holds to Robert Presley Institute of Criminal Investigations – California POST for Homicide and Computer Crimes investigations.