Balancing data actionability with forensic soundness

The ability to extend mobile evidence collection capabilities into the field has a great many benefits. Reducing costs associated with overtime, outsourcing, and diminished forensic lab productivity renders a field-based solution an investment rather than an additional cost. Reducing the risk of human error in data analysis is attractive, too, as automated tools help to improve field-level decision-making about cases.

Even so, decentralizing mobile forensics also carries its own risks. Will field personnel handle mobile device evidence the right way, including securing proper legal authority? Will they follow policy and standard operating guidelines when it comes to extracting and preserving mobile device evidence?

The legalities around field-based mobile device extraction have yet to be determined in many countries, but authorities can ensure compliance with organizational policy and overall forensic best practices by using permission management and auditing features. These kinds of capabilities take into account that not everyone needs the same level of access to mobile device evidence, depending on the types of cases they are investigating as well as the offense severity.

With the UFED Field Series, as well as the UFED Pro Series, permission management functionality allows agency administrators to define and configure user authentication settings to ensure that only users with the right credentials can access the application. An encrypted permission management file that contains usernames and profiles can be imported into multiple UFED InField applications.

Not only credentials, but also extraction privileges can be assigned. Certain investigators may be able to have access only to logical and SIM card extractions, while forensic lab examiners can access full physical extractions as well.

In addition, administrators can define content types available from logical extractions. Some investigators may be granted extraction permissions only for images and videos, for example, while others can access messaging in addition to images and videos.

These privileges can be based on user roles and/or training and certification levels. For example, investigators who have received the Cellebrite Certified Logical Operator (CCLO) or the Cellebrite UFED Field Operator (CUFO) certifications, or completed the coursework without receiving the certifications, can be assigned as many or as few extraction privileges as an administrator deems necessary for their role.

On the flip side of granting access to mobile extractions and data is tracking what the logged-in users do once they’re in the system. With UFED InField, an activity log maintains a list of all transactions including extraction start and end times; transaction type, duration, and status; device owner, vendor, model, and name; case ID and crime type; and who seized the device. Administrators can use this log to audit usage and ensure accountability among users.

The UFED Field Series solutions promote the treatment of mobile devices as crime scenes, so that the evidence they contain is fully preserved from seizure all the way through search and analysis. It offers organizations the “technology” component of a three-pronged approach that Cellebrite encourages towards implementing legally defensible field-based extractions for personnel who do not specialize in mobile forensics. By combining the UFED Field Series with training, policy, and standard operating guidelines*, organizations can reduce risk while meeting the need for improved access to actionable mobile device data in the field.  To learn more, download our solution brief today.

Umbrella - blog banner

*We recommend you work with your prosecutors and administrators to develop policy and appropriate training, including processes for obtaining written consent and search warrants (either traditional or electronic, if your jurisdiction allows).