FAQ

  • How should mobile devices be packaged to prevent loss of evidence (data)?

  • Mobile devices should be shielded from communication networks at the time of seizure to avoid alteration or loss of evidence. This can be accomplished in one of the following ways:
    • Power down the device via its interface and remove the battery. If unable to do either, enable the device's "Airplane Mode" – a setting available on many mobile devices that suspends the device's signal transmitting/receiving functions.
      • Also, if a GSM network (e.g. AT&T, T-Mobile and subsidiaries/resellers) compatible device, remove the SIM (Subscriber Identity Module) card (if present) and submit it as a separate evidence item.
    • Package the item at the time of seizure to provide a multi-layer approach for static dissipation and effective shielding.
    The Virginia Department of Forensic Science recommends mobile devices be packaged at the time of seizure and prior to lab submission as follows:
    1. Place in an anti-static bag
    2. Wrap in aluminum foil (5 times with heavy duty or 10 times with standard thickness)
      1.  This step can be skipped if the device's battery has been removed or "Airplane Mode" has been enabled.
    3. Place in a >3 mil thick shielded enclosure (e.g. "Faraday" bag)
      1. This step can be skipped if the device's battery has been removed  or "Airplane Mode" has been enabled.
    4. Place in an outer storage bag (container) and seal.
    Packaging kits may be available from a third party vendor for purchase.   For ease, the mobile device may be packaged in an appropriately sized kit at the time of seizure and prior to lab submission  
  • Can you analyze a device protected by a security measure?

  • The DME Section maintains capabilities for bypassing security measures on a multitude of devices.  Please contact the DME Section for guidance specific to the device.
  • Can you recover deleted text messages from a mobile phone?

  • The ability to recover deleted text messages depends on the make and model of the mobile phone, the length of time that has passed since the messages were deleted, the number of new text messages that have been sent or received since the messages were deleted, whether the deleted messages have been overwritten, and if phone has been reset or restored. Please contact the Digital & Multimedia Evidence section for additional information.
  • Can you determine location information from a mobile device?

  • Depending on the device's capabilities and settings, Global Positioning System (GPS) coordinates and available/connected WiFi access point identifiers may be present.  This information can be extracted and interpreted to determine locations the device was near. Please contact the Digital & Multimedia Evidence section for additional information.
  • Can you determine what Internet resources a user has accessed?

  • Most web-browsers and web-based applications, record a user’s activity – logging what Internet resources were accessed.  Even when a user attempts to delete this information, the browsing activity can often be recovered.  If the data hasn’t been overwritten, the exact time, resource and content of the activity may be available. Please contact the Digital & Multimedia Evidence section for additional information.