BBC article: Prevent devices being remotely wiped, here’s how to do it properly
Following the BBC report on devices being remotely wiped in police custody here’s a how-to on how to handle the problem.
Sometimes it happens that you might need to retrieve data from an employee’s mobile device. Maybe you suspect that they have been naughty and used it for NSFW purposes, or they’ve rooted it, or managed to side-step the MDM policy. You may suspect that the device has been compromised by an attacker in some way, as part of a spear phishing attack for example.
So, you’ve managed to physically get hold of the device, the next steps will help ensure that you can maintain its state for a proper forensics investigation.
The first thing is understanding if the device has been wiped. If it hasn’t, no problem. If it has had a factory reset applied, it’s likely much of the data is still intact so it can often still be recovered. However, if it has been thoroughly wiped then that’s probably the end of the investigation. Fortunately many people do not have the skill or the foresight to do this.
Also, keep in mind that iOS, Android, Windows Phone and Blackberry all have remote wipe capabilities or varying effectiveness. To stop the individual concerned from wiping the data remotely before you can analyse it there are some simple things you can do.
- Acquire the device.
- Do not turn it off, otherwise you may lose valuable information stored in memory
- Place it in a Faraday bag. These are readily available at sensible prices. If you supply mobile devices to your staff you really should have a few of these to hand at all times.
- If you don’t have any Faradays bags wrap the device in tin foil and place it in an unplugged microwave.
- Keep it shielded in this way until your forensics expert arrives. This will prevent a remote wipe being carried out.
As an aside, if you want to protect your own data from recovery in the event of theft, encrypt your phone. In Android, this is easily carried out from the phone settings, so long as you have Android version 3 or later. Bear in mind that the key to the encryption is usually the phone PIN, so make sure it’s at least 6 digits or more. Avoid using short ‘pattern’ PINs, as they’re usually easier to crack.