Every day, more and more people are using smartphones. The amount of data which is wirelessly transmitted continues to increase at an impressive rate. According to the results of a semiannual survey released by CTIA-The Wireless Association in April, there was a 43 percent increase in the number of active smartphones and wireless enabled PDAs in 2011 (111.5 million). “If you think about what cell phones are today, they’re moving away from simple cell phones toward smartphones which are tiny, powerful computers that people are walking around with everyday,” said Det. Cindy Murphy, a computer and mobile forensics examiner with the Madison (Wisconsin) Police Department.
The value is not just in the cell phone call history and text messages, Murphy said. “It’s about the ability to Google search whatever you want and have information at your fingertips,” she said. “Cell phones become diaries of people’s lives.”
“As police officers and detectives,” Murphy said, “we’re trying to find out what was happening in somebody’s life, to whom they were talking, what the contents of those conversations were, and how they relate to a crime we’re investigating. That’s indispensable evidence we can’t afford to overlook.”
Gary Kessler, mobile forensics examiner and a member of the Vermont Internet Crimes Against Children Task Force, describes how there is probably more probative information found on a mobile device per byte examined than on computers. “When you seize a cell phone from a suspect’s hip, it’s much more difficult for the suspect to claim that somebody else was using that phone,” Kessler added.
Cell Phone Forensics Realities
Cell phone forensics has led to some surprising results. Do you think a cell phone which has been exposed to water, fire, harsh weather – or even run over by a large SUV – is worthless? Think again. “Don’t think that there’s no chance of getting evidence out of it,” Murphy said. “Leave that up to someone who has experience. We can resurrect phones which look and seem completely destroyed.”
Cell phone examiners today can perform deeper analyses by getting at the chip level, said Bill Teel, Founder and President of Teel Technologies. “That more extensive analysis, when you dismantle the phone to get at the memory, is something that’s more appropriate for the lab,” he added.
Cell Phone Forensics Complexities
Cell phone forensics isn’t easy. There’s the network, or tower, end of cell phone forensics (the data which is held by the cell phone carriers); there’s call history; and, then, there’s the handset. Many agencies handle each of those pieces separately.
In Cell Phone Evidence Data Extraction and Documentation, Murphy outlines the many challenges:
• The immense variety of cell phones on the market;
• The variety of tools and techniques used to examine a cell phone;
• It’s not always possible to isolate a phone from surrounding networks;
• In most cases, it’s necessary to apply more than one tool to extract and document data from the phone and its storage media; and
• The number of apps from which to collect data is increasing.
“There’s a lot of complexity there,” Murphy said.
Frequently, officers will ask cell phone examiners, “Can you just run this cell phone quick while the suspect is waiting – if it doesn’t take long, the suspect will give us consent to search the phone.”
The assumption that cell phone forensics is fast and easy and that the tools do the work is false, Murphy clarified. Some examinations are easier than others.
The growth in smartphone use, according to Teel, has added another dimension to getting data out of a phone. There are many types of information stored on smartphones, beyond incoming and outgoing calls, text messages and pictures. “We’re now diving in and looking for Skype chats, Facebook contacts and a multitude of data from other apps, “ he said. “There’s far greater memory and much more useful content.”
Getting all of the information off a smartphone is the new challenge, Teel said. “You never know what you’re going to find,” Murphy said. “You may find nothing or you may find the mother lode.”
To officers requesting a cell phone examination, she suggests providing as much information as they can (rather than asking, “Can you examine this phone for evidence?”). She said officers should provide the overall context of the case, including dates and times, names, phone numbers and the suspected criminal behavior. That makes what can be a huge winnowing job much more efficient.
Evidence Data Extraction and Documentation
No matter what someone’s role is with regard to evidence data extraction and documentation, he (or she) should be following a process, Murphy emphasized.
Murphy wrote Cell Phone Evidence Data Extraction and Documentation not to give agencies a specific process to follow, but to emphasize the need for a process. Since she first self-published the journal paper on-line in 2009, she has invited others to comment on the paper, and she incorporates changes and updates the paper once a year.
Kessler said officers should carefully examine their search warrant templates for mobile devices. “Several years ago,” he said, “it was sufficient to say we want to look for a contact list, call history, images, text messages and any other pertinent data. That was before the day we were imagining that other pertinent data could also include E-mail, your entire browsing history, GPS points, documents you may have downloaded – Word, PDF, that kind of stuff. So, I think we need to revisit the way in which we’re writing our warrants, just to be sure that we’re covering ourselves appropriately.”
A case decided February 29 in the US Court of Appeals for the 7th Circuit ruled it is legal for police to search cell phones to determine their phone number without a warrant; however, more intrusive searches were not included in the ruling.
The law in this area is ever changing, said Senior Assistant State Attorney for Connecticut’s Stamford/Norwalk Judicial District, Richard Colangelo. “Know the parameters of the information that you can get by just looking at a phone,” he said. “To be safe, get a search warrant. Then, you don’t have to worry about the legal challenges down the road.”
Once officers have a warrant, they need to know what information on the device is relevant. Kessler has seen search warrants which direct him to recover photographs off of the phones’ SIM cards. While a phone may have photographs, they will not be on a SIM card. “Work with your local experts to be sure that you’re asking for things that make sense,” he said. “I’m a big fan of getting as broad a search warrant as you can that is not overly broad.”
Today’s phones and mobile devices can contain gigabytes of information. Evidence gleaned from mobile devices can be astounding, Kessler said, noting that, when he first looked at a phone with GPS info, it had about 17,000 GPS points.
Photos also can be helpful. “People like taking pictures of themselves,” he said. Kessler has seen pictures of people in the process of their criminal acts and pictures showing the fruits of their criminal acts, such as suspects posing with their drugs, guns or money. “It turns out to be very effective evidence which frequently never has to be shown to a jury because people see it and they realize what a jury will think.” This leads to faster adjudication, he said.
Cell Phone Forensics Tools
The information which can be obtained from mobile devices in the field (logical analysis) is very different from what a forensic examiner can obtain in the lab (physical analysis).
In the field, officers should keep in mind that they’re only going to be able to get a limited amount of data from a smartphone, Teel said. “You wouldn’t want to go out in the field and expect to get a full dump of an iPhone because that can take a long time,” he said. It’s not uncommon, according to Teel, for a forensic examiner doing a full analysis on a smartphone in a lab to let the data collection process run overnight.
Officers in the field should focus on the data which can be acquired quickly, Teel said, like verification of a subject.
Logical analysis software and hardware can locate all the files on a phone which have not been deleted or hidden, including text messages. This type of tool is less costly and was designed to be used by the officer on the street with minimal training, Kessler said. They can grab a phone, capture the basic data and give it back.
Companies like Cellebrite and Micro Systemation offer tools for logical and physical analysis. James Rowley, Area Manager for Micro Systemation, a global company in forensic technology for mobile device examination, said, “Having a tool that can be used easily at the patrol level is an important consideration. A lot of these situations are going to be a quick, logical exam, like looking through a phone versus a physical exam, so being able to see the results immediately in the field is key.”
More detailed analyses should be left to the cell phone forensics examiner. Physical analysis gets everything off the phone which can be gotten – including deleted messages, deleted contacts and more. This type of software is more difficult to use and interpreting the data is harder, Kessler said. It requires special training.
Rowley pointed out that today’s text messages might not be in the phone, but rather in a peer to peer application. Physical analysis tools can be used to parse contacts and information from Facebook, Skype, peer to peer instant messaging and more.
Cellebrite USA Corp., a global company known for its work in the cellular communication industry, pioneered mobile phone to phone content transfer. Keith Daniels, Director of Forensic Sales for Cellebrite USA Corp., said that his company’s good working relationship with cellular carriers enables Cellebrite to update its support for new phones virtually as soon as they’re released.
Daniels pointed out a benefit of proactive analysis. “If you’ve got the proper tools in your organization, and you use them upon arrest or prior to the interview, you can find evidence of the crime, other leads for your case, and possibly use it to bring a confession.” This approach, he said, is better than having to corroborate evidence months later for the court case.
Especially in the forensics lab, costs related to analysis can be steep, Teel said. “Part of the justification for the cost – reasons that the costs are so high are partly because there’s a big R&D effort for cell phone forensics,” he said.
Teel said the initial investment for mobile de- vice forensics is high, as are the ongoing costs. Manufacturers produce about 200 new phones every quarter, he said, which requires forensics labs to work constantly to keep up with a moving target. As president of Mobile Forensics Central, Teel helps digital forensic investigators identify the solutions they need to examine the mobile devices with which they are confronted. He recommends that departments prioritize their purchases based on the types of phones they are seeing. Different cell coverage areas have different concentrations of phone brands, he pointed out.
Departments using just one of these software types are potentially limited, Kessler said. However, many departments cannot afford the more expensive physical analysis software and the training it requires. This is where partnerships among departments can help.
Cell Phone Forensics Partnerships
Small law enforcement agencies lacking resources and training can reach out to larger agencies, including state and federal agencies, for assistance. They may also benefit from exploring resources within their communities and establishing partnerships with other law enforcement agencies. Across the country, task forces, like the Internet Crimes Against Children task forces, deal with high-tech issues. Universities may have digital forensics programs and could supply task force members.
Small and large agencies could benefit from partnerships or task forces which could help them acquire technology they alone could not afford. “Some agencies are pooling their funds to get capabilities that they all then share,” Teel said. Some groups are using one centralized lab, he said, which is a good idea as long as the lab can keep up. “There’s recognition that the amount of data that is required from cell phones has pushed the de- mand for analysis off the charts in some places,” Teel said.
In Connecticut, Richard Colangelo estimates 90 to 95 percent of the cases which come through his office have a cell phone component. Colangelo obtained about $141,000 in grant funding to start an Internet Crimes Against Children Task Force for the judicial district. About 30 percent of the funding will be used on cell phone data recovery equipment and officer training. Colangelo plans to house the technology in one central location which is accessible to the judicial district’s eight towns and cities.
Each department will have a MacBook Pro laptop with Lantern – a forensic tool for iPhones, iPads and iPods, from Katana Forensics. “By pooling our resources, each department will have access to more than one tool and the latest technology,” he said.
Colangelo spent a lot of time researching tools for cell phone forensics. “While all the tools are good at what they do,” he said, “some are better for different types of platforms. I wanted to make sure that the tools we are getting would complement each other so we wouldn’t have anything fall through the cracks.”
Colangelo strongly encourages agencies to partner with one another. “That’s how you can maximize any funding that you potentially can get,” he explained. “Unfortunately, these are expensive tools and the upkeep or license renewal fees are expensive.”
It’s important to have officers trained to know how to handle cell phone evidence. Murphy put together a pamphlet just for patrol officers.
The answer to how to handle cell phones is not simple. It’s not a matter of turning the cell phone off. “There are a set of questions officers need to go through to determine what makes the most sense to preserve the evidence until a deeper examination can be done,” she said.
Teel said officers in the field should know how to properly analyze the device and protect it from the network. They need to know how to avoid damaging the device and how to not spoil the evidence by putting their fingers all over it, he said. There are classes available, he adds.
“The biggest single place where I think more training is needed,” Kessler said, “is in the proper seizure and storage of the phone prior to it ever being examined.” Unlike computers, which are generally secure once officers seize them and have the hard drive, mobile devices can be altered as long as they are turned on and connected to a network, he said.
As for cell phone forensics, Kessler said it’s really a specialty unto itself. Physical analysis requires a different level of training. That training should include a balance of vendor specific training and generalized training looking at the process of cell phone forensics.
Daniels advocates certification training and knowing how to use a tool. The tool may be easy to use, but possessing the ability to understand and verbalize the process in court is what’s important.
Teel teaches examiners how to access the raw data on the memory chips through chip-off and JTAG forensics. “We’re doing a lot of training in that area,” he said. “People are really liking it, as it gives them the ability to complement the standard commercial tools with a lower level capability. If they are running into a wall, such techniques enable the examiner to continue to pursue the data.”
About the Author: Rebecca Kanable is a freelance writer spe- cializing in law enforcement topics. She can be reached at [email protected]
This article is a contribution from articles and gear reviews for the patrol officer. P&SN is a valued supporter of BlueSheepdog and the Blue Crew. You can obtain a free subscription to the Police & Security News magazine by joining the Blue Crew.