NIST Revising Mobile Forensics Guide

Identity Verification, Vulnerability Scoring Guides Also Issued

When NIST published Guidelines on Cell Phone Forensics in May 2007, about a dozen tools existed to help forensic experts recover and investigate data on cell phones. Today, the marketplace consists of hundreds of tools, many designed for specific models of specific mobile devices.


Because of the proliferation of tools to meet the forensic requirements caused by the explosion of types and models of mobile devices, the National Institute of Standards and Technology is revising and renaming its guidance. NIST has just published a draft of Special Publication 800-101 Revision 1: Guidelines on Mobile Device Forensics.

"In the past, there were enough tools that you could hold them in your hands and say, 'I'm the master of all the mobile forensic tools,'" says guidance co-author Sam Brothers, a digital forensic specialist at U.S. Customs and Border Protection, part of the Department of Homeland Security. "We laugh at that now. But we've come to a point where that's virtually impossible. You have at least 100 different tools that are out there. For someone to try to know all of them would be very difficult."

Besides, Brothers says, organizations cannot afford to acquire most of the mobile forensic tools on the market.

Therefore, the revised guidance provides advice on how to triage the growing number of mobile forensic cases. "There are so many different kinds of phones that are being used to support so many different kinds of cases in so many different kinds of situations," says Barbara Guttman, NIST software quality group manager.

Decision Tree

Guttman says forensic investigators must make many quick decisions, such as whether to keep the phone on or turn it off (a powered-on, network-connected device can receive new data or a remote-wipe command, while powering it down may leave encrypted storage locked behind a passcode). To help forensic investigators make those decisions, the guidance offers an onsite triage decision tree.

The decision tree provides a starting point to align investigations with existing policies and procedures, such as determining if circumstances exist to extract data onsite or transport the device to a laboratory.

"It's different if you're seizing a phone from a gang member vs. picking up a phone you found on the street," Guttman says. "Very different situations call for different activities."

NIST experts say the guidance is not all-inclusive and does not prescribe how the law enforcement and incident response communities should handle mobile devices during their investigations or incidents. It names no specific vendors and gives no vendor-specific acquisition procedures.

Although NIST says the publication should not be construed as legal advice, organizations should use it as a foundation for developing a forensic capability in connection with proper technical training and extensive guidance provided by legal advisers, officials and management.

NIST is asking stakeholders to submit comments on the draft by Oct. 4. They can be e-mailed to Richard Ayers, a NIST computer scientist who co-authored both the original and the revised guidance, with the subject line "Comments SP 800-101 (Revision 1)." A final version of the revised guidance could be published by year's end.

NIST also issued two other publications:

About the Author

Eric Chabrow


Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.
