Mobile Phone Evidence Collection - Critical Decision Points
SECTION 1: LEGAL AUTHORIZATION
↓
⚖️ VERIFY LEGAL AUTHORIZATION (THREE TYPES)
Type 1: Consent (written - from phone owner)
Type 2: Search Warrant (judicial authority - must specify scope)
Type 3: Independent Expert Appointment (court-ordered mission)
⛔ NO coercive activity without authorization
Authorization must cover: physical seizure, data extraction, cloud access
↓
SECTION 2: SCENE RESPONSE & IMMEDIATE ACTIONS
↓
⚖️ CONTRADICTORY PROCESS - LEGAL REQUIREMENT
ALL on-site operations MUST follow contradictory process:
• Phone owner/legal representative MUST be present
• Witness(es) MUST be present throughout
• All operations in presence of all parties
• Ensures transparency and strengthens evidence
↓
📸 PHOTOGRAPH PHONE IN SITU
Before touching
Screen visible (if ON) | Position | Surrounding items
Biological traces (photograph before handling)
↓
⚖️ ALBANIAN LAW - ARTICLE 37
SELF-INCRIMINATING STATEMENTS
BEFORE ANY QUESTIONING:
IF person makes statement raising suspicion of guilt:
⚠️ IMMEDIATELY INTERRUPT questioning
⚠️ Issue MANDATORY warnings:
• "Investigation may be carried out against you"
• "You have the right to appoint a lawyer"
• "You have the right to have a lawyer present during questioning"
❌ Statements BEFORE warning = INADMISSIBLE
⚠️ IF lawyer requested: SUSPEND all questioning
Applies to ALL questions (PIN, password, pattern, app usage, etc.)
↓
⚠️ CRITICAL FIRST ACTION - NETWORK ISOLATION
↓
📶 IMMEDIATELY ISOLATE PHONE FROM NETWORK
Option 1 (PREFERRED): Enable Airplane Mode
• Disables: cellular, Wi-Fi, Bluetooth, NFC
• Phone remains ON (important for AFU state)
Option 2 (if Airplane Mode not accessible): Faraday Bag
• Blocks all radio frequencies
• Phone remains ON inside bag
WHY CRITICAL:
• Prevents remote wipe commands
• Prevents data modification from network
• Prevents new messages/calls
• Preserves AFU state (After First Unlock)
• ⚠️ ESSENTIAL for eSIM (virtual SIM) - cannot be physically removed
↓
📇 SIM CARD EXTRACTION (if possible)
• Wear forensic gloves (preserve biological traces)
• Document SIM location and removal
• ⚠️ Check for MULTI-SIM (dual SIM phones)
• ⚠️⚠️ eSIM (virtual SIM): CANNOT be physically removed
• Note operator(s) if visible
• Store SIM separately with chain of custody
IF eSIM present: ADDITIONAL reason for Airplane Mode/Faraday
↓
💿 SIM CARD FORENSIC IMAGING (MANDATORY in Laboratory)
WHY CRITICAL:
• Some phones REQUIRE SIM present during extraction
• Original SIM must remain intact (evidence preservation)
• All analysis performed on replica image
Procedure in Laboratory:
1. Connect SIM to forensic reader (write-blocked)
2. Create bit-by-bit replica image
3. Calculate SHA-256 hash (MANDATORY)
4. Store original SIM in secure evidence storage (sealed)
5. Use replica image for all analysis
6. IF phone extraction fails without SIM:
→ Temporarily reinsert original SIM (documented)
→ Perform phone extraction
→ Remove SIM immediately (documented)
→ Return to secure storage
Multi-SIM: Image BOTH SIMs separately, separate hashes
eSIM: Data captured during phone extraction (non-removable)
↓
SECTION 3: PHONE STATE ASSESSMENT
↓
Phone Power State?
OFF
↓
⛔ DO NOT TURN ON
Turning ON = BFU State
(Before First Unlock)
Full encryption active
Harder/slower to unlock
Place in Faraday bag
Seal and transport to lab
ON
↓
✓ Phone is ON
Likely in AFU state
(After First Unlock)
Easier/faster to unlock
Keep powered ON
Keep in Airplane Mode/Faraday
Transport to lab QUICKLY
(preserve AFU state)
↓
SECTION 4: UNLOCK REQUEST - THREE LEGAL SCENARIOS
↓
⚖️ CRITICAL LEGAL DISTINCTION
THREE DIFFERENT SCENARIOS WITH DIFFERENT LEGAL & FORENSIC CONSEQUENCES
Choose the appropriate scenario based on cooperation and legal requirements
↓
SCENARIO 1: WRITTEN CONSENT
↓
✅ WRITTEN CONSENT + CODE PROVIDED
(Budapest Convention Article 32.b)
Requirements:
• Subject signs written consent form
• Subject voluntarily provides passcode/PIN/password
• No coercion, fully voluntary
Documentation:
• Consent form signed
• Code documented (written or verbal)
• Witnesses present
Biometric: ❌ NOT needed (code provided)
Forensic Result:
✅ FULL LABORATORY EXTRACTION POSSIBLE
(code available for "Trust Computer")
Place in Airplane Mode → Transport to lab
SCENARIO 2: LIVE EXAM
↓
⚠️ LIVE FORENSIC EXAMINATION
(Contradictory - No Consent for Code)
Requirements:
• Subject does NOT consent to provide code
• Article 37 Albanian CPC applies
• Contradictory procedure (subject + witnesses present)
• Device in Airplane Mode MANDATORY
Biometric Legal Question:
Can biometric be used AGAINST subject's will?
IF local law permits compelled biometric:
• Examiner may use subject's fingerprint/face
• Must be documented (time, method, witnesses)
• Examination LIVE only (screen viewing)
• ❌ NO full extraction (requires code, not biometric)
IF local law prohibits:
• Cannot use biometric
• Proceed to Scenario 3 (technical bypass)
WHY NO EXTRACTION?
Forensic tool "Trust Computer?" needs CODE
Biometric only unlocks screen, not USB connection
Forensic Result:
⚠️ LIVE EXAMINATION ONLY, NO FULL EXTRACTION
SCENARIO 3: TECHNICAL BYPASS
↓
🔧 LABORATORY UNLOCK BYPASS
(No Subject Interaction)
When Used:
• No consent for code
• No live examination
• Pure technical method
Legal Consideration:
✅ NO Article 37 issue
(subject not asked to provide anything)
Procedure:
• Device in Faraday bag or Airplane Mode
• Transport to laboratory (maintain AFU if ON)
• Technical unlock tools:
- Cellebrite, GrayKey, etc.
- AFU unlock (easier/faster - minutes to hours)
- BFU unlock (harder/slower - hours to days)
Locations:
• Central forensic laboratory, OR
• Police stations with distributed unlock solution
Biometric: ❌ NO (technical bypass only)
Forensic Result:
✅ FULL EXTRACTION POSSIBLE AFTER BYPASS
Chain of custody, sealing maintained
↓
SUMMARY - THREE SCENARIOS COMPARISON:
| Scenario | Consent | Code | Biometric | Full Extraction |
|---|---|---|---|---|
| 1. Written Consent | ✅ YES | ✅ Provided | ❌ Not needed | ✅ YES |
| 2. Live Exam | ❌ NO | ❌ Refused | ⚠️ Maybe (if legal) | ❌ NO (live only) |
| 3. Technical Bypass | ❌ NO | 🔧 Bypass | ❌ NO | ✅ YES |
↓
SECTION 5: DATA EXTRACTION LEVELS
↓
Who performs extraction?
What level of access needed?
LEVEL 1: On-Field
↓
On-Field Kiosk Extraction
(Cellebrite/MSAB/UFED)
Personnel: Trained field officers
Type: Logical or Advanced Logical
Data obtained:
✓ Contacts, SMS, Call logs
✓ Photos, Videos, Audio
✓ Browser history, GPS data
❌ Encrypted messaging apps (WhatsApp, Signal)
❌ Deleted data
Limitation: PARTIAL data only
Sufficient for: Basic investigations
LEVEL 2: CCI Extraction
↓
CCI Cyber Crime Investigators
(Trained & Equipped)
Option A: Full File System
✓ All data from Level 1
✓ Encrypted messaging apps (WhatsApp, Signal, Telegram)
✓ App data, system files
❌ Deleted data
Option B: Physical Extraction
✓ All data from Full File System
✓ DELETED data (recoverable)
✓ Unallocated space
✓ Maximum data recovery
Sufficient for: Complex investigations
LEVEL 3: Lab Unlock
↓
Central Lab or Distributed Solution
When needed:
• Phone locked (no credentials)
• Encryption bypass required
• BFU or AFU state
Locations:
• Central forensic laboratory
• Police stations with distributed unlock solution
After unlock:
Proceed with Level 2 extraction
(CCI Full File System or Physical)
↓
SECTION 6: CLOUD & CROSS-BORDER DATA
↓
Does phone contain cloud data stored abroad?
(iCloud, Google Drive, WhatsApp backup, etc.)
NO - Domestic Only
↓
Standard domestic procedures
Proceed with extraction
YES - Cloud/Foreign Data
↓
⚖️ BUDAPEST CONVENTION APPLIES
Articles 32 & 16
See Computer/Server SOPs for:
• Article 32.a (public data)
• Article 32.b (consent)
• Article 16 (preservation + MLAT)
Same procedures as servers
↓
SECTION 7: DOCUMENTATION & CHAIN OF CUSTODY
↓
Evidence Documentation Requirements:
• Photograph phone (all angles, serial number, IMEI)
• Document phone state (ON/OFF, locked/unlocked, battery %)
• Document network isolation method (Airplane Mode / Faraday)
• Document SIM extraction (physical SIM + eSIM if present)
• Calculate hash of extraction (SHA-256 + SHA-1/MD5)
• RFC3161 timestamp
• Contradictory process report (all parties sign)
• Maintain unbroken chain of custody
• Seal device properly
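The hash and chain-of-custody steps above (SHA-256 mandatory for the SIM replica image in Section 2, SHA-256 plus SHA-1/MD5 for the extraction in Section 7, every SIM reinsertion and removal documented) can be recorded and re-verified with a small script. The following is an added example, not part of this SOP or of any forensic tool it names: the image bytes, case and item identifiers, examiner and witness names are all constructed, and the `rfc3161_token_b64` field is only a placeholder for where a token obtained from a real RFC 3161 time-stamping authority would be stored.

```python
"""Multi-hash integrity record and custody log for a forensic image (added example)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample standing in for a SIM replica or phone extraction image.
SAMPLE_IMAGE = b"CONSTRUCTED-SAMPLE-IMAGE-DATA: not a real SIM dump\n" * 64

# SHA-256 is the mandatory hash; SHA-1 and MD5 are kept only to cross-check
# against tools that still report them.
HASH_ALGORITHMS = ("sha256", "sha1", "md5")


def hash_image(data: bytes, chunk_size: int = 1 << 20) -> dict:
    """Return {algorithm: hex digest} for `data`, hashing in chunks so the same
    loop works when fed a multi-gigabyte image read from disk."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGORITHMS}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def _utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def build_custody_record(case_id: str, item_id: str, description: str,
                         image: bytes, examiner: str, witnesses: list) -> dict:
    """Create the acquisition record: hashes, who was present, and an empty event log."""
    return {
        "case_id": case_id,
        "item_id": item_id,
        "description": description,
        "size_bytes": len(image),
        "hashes": hash_image(image),
        "acquired_utc": _utc_now(),
        "examiner": examiner,
        "witnesses": list(witnesses),          # contradictory process: all parties named
        # Placeholder only: a real deployment stores the DER token returned by
        # an RFC 3161 TSA for the SHA-256 digest here (base64-encoded).
        "rfc3161_token_b64": None,
        "events": [],
    }


def log_event(record: dict, action: str, actor: str) -> dict:
    """Append a timestamped custody event (e.g. documented SIM reinsertion/removal)."""
    record["events"].append({"utc": _utc_now(), "action": action, "actor": actor})
    return record


def verify_image(record: dict, image: bytes) -> tuple:
    """Recompute every hash over `image` and compare with the record.
    Returns (ok, [algorithms that mismatched])."""
    current = hash_image(image)
    mismatched = [a for a in HASH_ALGORITHMS if current[a] != record["hashes"][a]]
    return (not mismatched, mismatched)


if __name__ == "__main__":
    rec = build_custody_record(
        case_id="CASE-PLACEHOLDER-001", item_id="ITEM-SIM-01",
        description="Replica image of physical SIM slot 1 (constructed sample)",
        image=SAMPLE_IMAGE, examiner="Examiner A (constructed)",
        witnesses=["Owner representative (constructed)", "Witness B (constructed)"],
    )
    # Section 2 step 6: SIM reinsertion and removal are both logged.
    log_event(rec, "Original SIM temporarily reinserted for phone extraction", "Examiner A")
    log_event(rec, "Original SIM removed and returned to sealed storage", "Examiner A")
    print(json.dumps(rec, indent=2))
    print("replica intact:", verify_image(rec, SAMPLE_IMAGE))
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[0] ^= 0x01                         # a single flipped bit
    print("tampered copy:", verify_image(rec, bytes(tampered)))
```

The record is meant to be printed, signed by all parties and filed with the contradictory process report; any later analysis of the replica starts by running `verify_image` against it, and a single mismatched algorithm is enough to stop and document the discrepancy.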
↓
✅ MOBILE PHONE EVIDENCE COLLECTED
Legal procedures followed
Evidence admissible in court
⚖️ Critical Legal Requirements
- Section 1 - Legal Authorization: Consent (written), search warrant (specify scope), or expert appointment REQUIRED
- Section 2 - Contradictory Process: Phone owner and witnesses MUST be present during on-site operations
- Section 2 - Article 37 (Albanian Law): IF person makes self-incriminating statement about phone usage/passwords, IMMEDIATELY interrupt, warn of rights, suspend if lawyer requested. Statements BEFORE warning = INADMISSIBLE
- Section 2 - Network Isolation: IMMEDIATELY enable Airplane Mode OR place in Faraday bag - prevents remote wipe, data modification, eSIM commands
- Section 2 - SIM Extraction: Remove physical SIM if possible (preserve biological traces), check for multi-SIM, note eSIM presence (cannot be removed)
- Section 2 - SIM Imaging (MANDATORY in Lab): Create forensic image of SIM with SHA-256 hash, original stored sealed, analysis on replica only. If phone needs SIM: temporarily reinsert (documented)
- Section 3 - Phone State: Keep phone ON if already ON (AFU state easier to unlock). Do NOT turn on if OFF (BFU state harder)
- Section 4 - THREE UNLOCK SCENARIOS:
- Scenario 1 (Written Consent): Subject provides written consent + code voluntarily → Full extraction possible (Budapest 32.b) | Biometric NOT needed
- Scenario 2 (Live Exam): No consent for code, contradictory procedure, Article 37 applies → Biometric MAY be used IF local law permits, BUT only for LIVE examination (NO full extraction - requires code, not biometric)
- Scenario 3 (Technical Bypass): No subject interaction, lab unlock bypass (AFU/BFU) → Full extraction after bypass | NO Article 37 issue
- Section 5 - Level 1 (On-Field Kiosk): Logical/Advanced Logical - PARTIAL data, no encrypted messaging apps
- Section 5 - Level 2 (CCI): Full File System (encrypted apps) OR Physical Extraction (deleted data)
- Section 5 - Level 3 (Lab): AFU/BFU unlock bypass - central lab OR distributed solution in police stations
- Section 6 - Cloud Data: If stored abroad, Budapest Convention applies (same as servers)
- Section 7 - Documentation: Contradictory process, hash calculations, RFC3161 timestamp, chain of custody
⚠️ Evidence May Be Inadmissible If:
- ❌ Section 1: No legal authorization (consent/warrant/expert appointment)
- ❌ Section 2: Contradictory process violated (owner/witnesses not present)
- ❌ Section 2 - Article 37: Self-incriminating statements (passwords, usage) used without proper warning, OR questioning continued after lawyer requested
- ❌ Section 2 - Network Isolation: Phone NOT isolated immediately (remote wipe occurred, data modified)
- ❌ Section 2 - SIM Imaging: SIM not imaged (original analyzed directly), OR no hash calculated, OR SIM reinsertion not documented
- ❌ Section 3: Phone OFF turned ON without legal justification (BFU state created, data potentially lost)
- ❌ Section 4 - Scenario 1: Consent claimed but not written OR coerced
- ❌ Section 4 - Scenario 2: Biometric used against will when local law prohibits OR live exam not contradictory OR full extraction attempted with biometric only (impossible - needs code)
- ❌ Section 4 - Scenario 3: Technical bypass used but subject interaction claimed (contradicts "no interaction" principle)
- ❌ Section 5: Extraction performed by untrained personnel without proper tools
- ❌ Section 6 - Budapest Convention: Cloud data abroad accessed without Article 32 compliance or MLAT
- ❌ Section 7: Chain of custody broken, no contradictory documentation, biological traces destroyed
🔐 AFU vs BFU - Critical Difference for Unlock
Understanding phone encryption states:
AFU (After First Unlock) - EASIER TO UNLOCK:
- ✅ Phone has been unlocked at least once since last boot
- ✅ Encryption keys loaded in memory
- ✅ Lab can unlock FASTER (minutes to hours)
- ✅ Higher success rate
- HOW TO PRESERVE: Keep phone powered ON, transport to lab quickly
BFU (Before First Unlock) - HARDER TO UNLOCK:
- ⚠️ Phone never unlocked since last boot (or turned off)
- ⚠️ Full encryption active, keys not in memory
- ⚠️ Lab unlock takes LONGER (hours to days, possibly weeks)
- ⚠️ Lower success rate, more complex exploits needed
- CREATED IF: Phone turned off, or powered on without ever unlocking
⚠️ CRITICAL RULE: If phone is ON, keep it ON. Transport to lab ASAP to preserve AFU state. If phone is OFF, do NOT turn it on (creates BFU state). In both cases, use Airplane Mode/Faraday to prevent remote interference.
📊 Extraction Levels - Comparison Table
| Level | Personnel | Extraction Type | Data Obtained | Limitations |
|---|---|---|---|---|
| Level 1 On-Field | Trained field officers | Logical or Advanced Logical | Contacts, SMS, calls, photos, browser, GPS | ❌ No encrypted apps, ❌ No deleted data |
| Level 2A CCI | Cyber Crime Investigators (trained) | Full File System | Level 1 data + WhatsApp, Signal, Telegram, app data | ❌ No deleted data |
| Level 2B CCI | Cyber Crime Investigators (trained) | Physical Extraction | Full File System + DELETED data, unallocated space | ✅ Maximum recovery |
| Level 3 Lab | Central lab or distributed solution | Unlock Bypass (AFU/BFU) | Unlocks locked phones, then proceeds to Level 2 | BFU slower than AFU |