Detailed Procedure:

Today's cellular phones do not just make calls. They store and transmit a great deal of data that may be of evidentiary value. PDAs and mobile devices are commonplace and may contain electronic data that may be of evidentiary value. Any attempt to recover or analyze this data should not be attempted in the field. The device should be collected for examination by trained and qualified personnel. Do not attempt to operate the PDA or mobile device in an effort to access information. Instead, use the following collection procedure or the procedure recommended by your laboratory or agency.

​

To collect a cellular phone, PDA, or other mobile device:

1. Do not allow the user or anyone else to operate the device. Collect the item as soon as possible so that the battery does not go dead, potentially losing data.

2. Do not attempt to use the device to look for information.

3. Be aware that the device may also contain trace evidence, such as fingerprints. Therefore, handle the device as little as possible and only while wearing new, unused evidence collection gloves. Consult the laboratory to determine if fingerprint processing should be done in the field before collection or in the laboratory after collection.

4. Photograph and document the device in place, including any attached peripherals like an earpiece. Photograph all sides, showing all connections.

5. If the device is "off," do not turn it on. Proceed with collection.

6. If the device is on, photograph the screen. Then, if possible, place the device into "Airplane Mode." DO NOT TURN THE DEVICE OFF. If possible, keep the device charged. If the device cannot be kept charged, deliver it as quickly as possible to the laboratory and advise the laboratory that the item is on so it can be properly dealt with before the battery dies, potentially losing data.

7. If the device cannot be placed into "Airplane Mode," isolate it from the wireless network by placing it into a Faraday cage or bag. Alternatively, wrap the device in three layers of aluminum foil. Transfer it for analysis as soon as possible.

8. If the device is plugged in, disconnect the power source by unplugging it at the connection to the wall and at the connection to the device. Collect all power cords in addition to the phone.

9. Collect any storage media, such as disks or cards, and place in an anti-static bag.

10. Select a box of suitable size and secure the device inside the box, ensuring that it will not roll around or contact other surfaces. Avoid packaging items that may create static, such as plastic bags. If possible, the item should be placed in an anti-static bag or foam.

11. Label the box with identifying information, including case number, date, exhibit number, a brief description, and your name.

12. Seal the box with evidence tape. Initial and date the tape.

13. Store the item in a secure location, keeping it away from sources of heat, static electricity, and electromagnetic energy, such as a two-way mobile radio. Such forces can damage or erase data stored in the device.

​

Laboratory testing of cellular phones, PDAs, and mobile devices:

Laboratory examination will include processing for trace evidence (such as fingerprints) and electronic data analysis. The laboratory will typically search for hidden and protected files, restore deleted files, copy data from the hard drive(s), prepare mirror-image copies of suspect media, and analyze data and files stored on the device.

​

Sources:

Crime Scene and Evidence Collection Handbook. Bureau of Alcohol, Tobacco, Firearms and Explosives, 2005.

United States of America. Best Practices for Seizing Electronic Evidence v.3: A Pocket Guide for First Responders. U.S. Secret Service, 2007.