
Seizure of Mobile Devices as Digital Evidence: A Step-by-Step Guide


Mobile devices are dynamic systems that differ significantly from static documents. They constantly update data in the background, even when not in active use, which can inadvertently overwrite crucial evidence. Furthermore, if a device remains connected to a network, it is vulnerable to remote wiping or alteration by third parties.

Method of Preserving Mobile Data Unaltered

To maintain the integrity of mobile data, you must isolate the device from all networks and prevent any interaction that could trigger automated deletion or system updates. Because mobile data is highly volatile, background processes and incoming signals can permanently destroy existing data or information.

1. Immediate Isolation and Preservation

  • Enable Airplane Mode: Immediately toggle on Airplane Mode to sever all cellular and data connections.
  • Disable Secondary Signals: Manually confirm that Wi-Fi, Bluetooth, etc. are turned off. Airplane Mode may not always disable these signals on modern devices.
  • Utilize Electromagnetic Shielding: Place the device in a Faraday bag. If a specialized bag is unavailable, wrap it in heavy-duty aluminium foil, which can act as a temporary shield to block incoming remote wipe commands.

2. Maintain the Power Status of the Device

  • If Powered On: Keep the device powered and connected to a portable charger. Allowing the battery to die can trigger encryption locks, which significantly complicates forensic recovery.
  • If Powered Off: Keep the device powered off. Powering it on initiates the operating system; this may trigger automated cleanup scripts that remove temporary files, cache, and unused data to optimize system performance.

3. Handling and Documentation

  • Minimize Interaction: Avoid unnecessary screen contact. Navigating the device can overwrite volatile system logs.
  • Document Initial State: Take high-resolution photographs of the device from all angles. Note the battery level, any visible screen content, and physical damage.
  • Record Hardware Identifiers: Document the manufacturer, model, and – if accessible without deep navigation – the IMEI and Serial Number.
  • Strict Chain of Custody: Maintain a detailed, chronological, electronic, signed log, documenting every individual who handled the device, including the exact date and time of each transfer.

4. Forensic Extraction and Verification

  • Use Hardware Write-Blockers: When connecting the device to a computer, use a forensic write-blocker to ensure that no data is written back to the mobile device.
  • Create a Bit-by-Bit Image: Forensic experts should create a physical clone of the storage. Analysis should be performed only on this cloned copy, never on the original.
  • Verify Integrity: Generate cryptographic hash values (e.g., SHA-256) immediately after imaging to prove that the data has remained unaltered throughout the investigation.
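
The sketch below is an added example, not part of the original guide or any forensic tool. It shows how the SHA-256 value taken right after imaging can be re-checked at each custody transfer so that the hand-over at which an image changed is identifiable. The function names, handler names, and the sample image are constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Stream the image in chunks so multi-gigabyte images need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def record_transfer(log, image_path, handler, action):
    """Append a custody entry holding the image hash observed at this hand-over."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "handler": handler,
        "action": action,
        "sha256": sha256_file(image_path),
    }
    log.append(entry)
    return entry

def first_mismatch(log):
    """Return the first entry whose hash differs from the acquisition hash, else None."""
    if not log:
        return None
    baseline = log[0]["sha256"]  # hash generated immediately after imaging
    for entry in log[1:]:
        if entry["sha256"] != baseline:
            return entry
    return None

if __name__ == "__main__":
    # Constructed stand-in for a forensic image; a real one comes from the imaging tool.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".img") as tmp:
        tmp.write(b"constructed sample image bytes" * 1000)
    log = []
    record_transfer(log, tmp.name, "Officer A (hypothetical)", "imaged device")
    record_transfer(log, tmp.name, "Analyst B (hypothetical)", "received image")
    with open(tmp.name, "r+b") as fh:  # simulate a single altered byte
        fh.seek(10)
        fh.write(b"X")
    record_transfer(log, tmp.name, "Analyst C (hypothetical)", "received image")
    bad = first_mismatch(log)
    print("first mismatch:", bad["handler"] if bad else "none")
    os.unlink(tmp.name)
```

A one-byte change in the image produces a completely different digest, which is why the entry for the third hand-over is flagged.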

5. Managing Biometric Locks (FaceID & Fingerprints)

  • Prevent Auto-Lock: If the device is found unlocked, immediately set the Screen Timeout to “Never” or the maximum duration to prevent the device from entering a locked state.
  • Courts can ask for physical biometrics: Under current judicial interpretations, courts may compel a person to provide physical biometrics (fingerprint, face or iris), as they are considered physical evidence. However, compelling a PIN or password involves different legal protections.

6. Conclusion

Strict adherence to these technical protocols is no longer optional. All these specific details must be carefully documented in the Seizure Memo prepared by the Investigating Officer under Sections 105 and 185 of the BNSS.

In the digital age, the hash value plays a crucial role in proving the Chain of Custody, which is no longer just paper labels.

A clear understanding of these forensic safeguards will enable a defence advocate to meaningfully cross-examine the Investigating Officer and ensure that digital evidence has not been altered or manipulated.

