The most important part of any investigation is to make sure that the methods and approaches used are forensically sound. This means that the method can be admitted to a court of law and still hold its value when challenged. The methods used should be able to be proven, tested and repeated if necessary.
Upon receiving a novelty device, there are a number of things to consider:
1. Researching the device.
A lot can be learned by examining the device before doing the actual extraction. Consider what the device is for, who produced it, whether there is documentation available online, how it connects to other devices/computers, whether it has an operating system (and which one), what type of components it contains, and so on.
2. Experimenting with the device.
Once you have a foundation of information about the device, try to take it to the next level. Can you determine what type of information the device contains or generates? Does it store this information locally or remotely? Can the information be retrieved, and how? It is important not to experiment too much, as this might lead to information loss.
3. Extracting the information.
Appropriately connect the device to a forensics workstation, preferably through a write blocker. Some novelty devices might only connect using wireless technology, which might make it difficult to use a physical write blocker. Depending on the type of information, suitable forensics software should be applied to extract the data.
4. Proper documentation.
In order to fully prove the information extracted, all the steps taken must be documented in detail. Keeping a log of every action taken, from when the device is taken out of the evidence bag until it is put back, is important to prove that the information extracted has not been compromised and that the techniques used are forensically sound.
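
One way to keep the action log from step 4 verifiable, as an added example that is not part of the original text: each entry includes the SHA-256 of the previous entry, so a later edit is detectable, and `sha256_file` hashes an extracted image so the value can be written into the log. The hash chain, the field names and the sample actions are assumptions of this example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # value chained into the first entry (assumption of this example)

def sha256_file(path, chunk=1 << 20):
    """Hash an extracted image in chunks so it need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def entry_digest(entry):
    """SHA-256 over every field of the entry except its own hash."""
    body = {k: entry[k] for k in ("seq", "time", "examiner", "action", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def log_action(log, examiner, action, when=None):
    """Append one action; each entry commits to the hash of the entry before it."""
    entry = {
        "seq": len(log),
        "time": when or datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_log(log):
    """Return the index of the first entry that fails verification, or -1."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != entry_digest(e):
            return i
        prev = e["hash"]
    return -1

if __name__ == "__main__":
    log = []  # constructed sample session
    log_action(log, "examiner-a", "Removed device from evidence bag")
    log_action(log, "examiner-a", "Connected device via write blocker")
    log_action(log, "examiner-a", "Returned device to evidence bag")
    print("chain intact:", verify_log(log) == -1)
    log[1]["action"] = "edited afterwards"
    print("first bad entry:", verify_log(log))
```

Record the hash of the last entry in the case notes as well: the chain detects edited or reordered entries, but not entries removed from the end.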