Introduction

Before reading this guide, we recommend that you read our earlier guides on notes and seizing computers. This guide extends the principles described in the earlier guides to deal with the special problems posed by portable devices such as tablets, mobile phones, laptops and similar devices.

In particular, it provides guidance on how to deal with a device which contains its own internal power supply (usually a battery) which it may not be possible or advisable to remove.

Note: This is general guidance, and designed to meet the minimum requirements of various standards and good practice guides. It may not always be completely appropriate and, if time permits, it is wise to consult an expert to produce a plan for seizure which will maximise the quantity of potential digital evidence which can be recovered whilst minimising disruption to other parties.  

Mobile devices

Additional considerations

You should also bear in mind that portable devices can be rich sources of non-digital evidence, including fingerprints, DNA and fibres. If these may be relevant to the investigation, seek expert advice on how to avoid physical contamination before you start.

Devices should be handled as little as possible and you should wear appropriate gloves if you have to handle any device. Anyone handling a device should be prepared to give fingerprint and DNA samples for eliminination purposes.

Before seizing anything you must check that you have authority to seize the device in question. With the advent of BYOD (bring your own device) in business environments, portable devices may belong to the user rather than the organisation in question. 

General procedure

  1. If the device appears to be off, leave it off.

  2. If the device appears to be on, do NOT interact with it (i.e. do not be tempted to "have a quick look" by using the touchscreen or keypad) other than to switch it off - if the "off" switch is obvious. Note the exact time and location where the switching off occurs and make this available to whoever will examine the device.

  3. Make a note of condition and state (see step 3 of the "seizing computers" guide.)

  4. Identify and collect any associated power supplies or other external accessories for the device. Power supplies are particularly important. It may be some time before the device can be examined and keeping power supplied to it can prevent the loss of vital evidence.

  5. Record any identifying marks (serial numbers, licence stickers, damage etc.).

  6. If possible, isolate the device from networks by using a Faraday bag, Faraday cage or other radio-frequency shielded container. Be aware that devices which are on may run their batteries down more quickly once shielded from communications networks.

  7. Package the device and associated cables in tamper-evidence packaging, completing continuity labels and entering details into the evidence log. Ensure that any associated external power supplies & devices are packaged with the device if at all possible. Ensure that identifying marks are visible through the packaging wherever possible. Label the device as portable, possibly running on battery power, and ensure that it is sent for examination as quickly as possible.

 If you need further help or advice on this, or any other topic in forensic science, please contact n-gate ltd. now.