When NIST published Guidelines on Cell Phone Forensics in May 2007, about a dozen tools existed to help forensic experts recover and investigate data on cell phones. Today, the marketplace consists of hundreds of tools, many designed for specific models of specific mobile devices.
Because of the proliferation of tools to meet the forensic requirements caused by the explosion of types and models of mobile devices, the National Institute of Standards and Technology is revising and renaming its guidance. NIST has just published a draft of Special Publication 800-101 Revision 1: Guidelines on Mobile Device Forensics.
"In the past, there were enough tools that you could hold them in your hands and say, 'I'm the master of all the mobile forensic tools,'" says guidance co-author Sam Brothers, a digital forensic specialists at U.S. Customs and Border Protection, part of the Department of Homeland Security. "We laugh at that now. But we've come to a point where that's virtually impossible. You have at least 100 different tools that are out there. For someone to try to know all of them would be very difficult."
Besides, Brothers says, organizations could not afford to acquire most mobile forensic tools.
Therefore, the revised guidance provides advice on how to triage the growing number of mobile forensic cases. "There are so many different kinds of phones that are being used to support so many different kinds of cases in so many different kinds of situations," says Barbara Guttman, NIST software quality group manager.
Guttman says forensic investigators must make many quick decisions, such as whether to keep the phone on or turn it off. To help forensic investigators make those decisions, the guidance offers an onsite triage decision tree.
The decision tree provides a starting point to align investigations with existing policies and procedures, such as determining if circumstances exist to extract data onsite or transport the device to a laboratory.
"It's different if you're seizing a phone from a gang member vs. picking up a phone you found on the street," Guttman says. "Very different situations call for different activities."
NIST experts say the guidance is not all-inclusive and does not prescribe how law enforcement and incident response communities should handle mobile devices during their investigations or incidents. Specific vendors and mobile forensic acquisition guidance are not specified.
Although NIST says the publication should not be construed as legal advice, organizations should use it as a foundation for developing a forensic capability in connection with proper technical training and extensive guidance provided by legal advisers, officials and management.
NIST requests stakeholders to submit comments to improve the draft by Oct. 4. They can be e-mailed to Richard Ayers, a NIST computer scientist who co-authored the original and revised guidance, with the subject line "Comments SP 800-101 (Revision 1)." A final version of the revised guidance could be published by year's end.
NIST also issued two other publications:
- Interagency Report 7946: CVSS Implementation Guidance (Draft), which provides guidance to individuals scoring IT vulnerabilities using the Common Vulnerability Scoring System Version 2.0 scoring metrics. The guidance is the result of applying the CVSS specification to score more than 50,000 vulnerabilities analyzed by the National Vulnerability Database.
- Federal Information Processing Standards 201-2: Standard for Personal Identity Verification for Federal Employees and Contractors. NIST says the overall goal of the guidance is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical and computer access to federally controlled government facilities and information systems.