I was asked to answer some questions on cellphone forensics regarding processing, seizure and more about a month back. I thought I would put my responses up "as they were", so to speak, just in case they did not make it to print for some reason. I think the questions are ones that everyone should be asking themselves, and, better yet, answering honestly. Take a read and, as always, comments from anyone are appreciated, except from a bot trying to get a hyperlink up.
1. What are steps once obtaining a cell phone to examine?
The most important items to consider when coming into possession of a cellular phone are seizure, isolation and documentation.
Seizure – You will have to ask yourself whether you have the legal grounds to take the physical device and/or the digital data. If you do not have a legal right to examine the device or its contents, then you are likely to have all the evidence suppressed no matter how hard you have worked.
Isolation – The single most important step you should take in the examination of a cellular phone is to isolate the device from the network. This is important because the cellular phone’s data can be changed, altered and deleted over the air (OTA). Not only is the carrier capable of doing this, but the user can use applications to remotely “wipe” the data from the device.
Documentation – The device must be photographed to show its state at seizure, including time settings, state of the device and its characteristics. A cellular phone's date and time can change when the battery is removed during the examination phase, so documenting the state at seizure is very important.
2. How about cell phone jammers or faraday bags?
The use of a signal disrupter (cellphone jammer) is illegal in the United States and not a method we instruct in our courses. We do discuss the option of a signal disrupter and the steps an examiner must take to ensure that it is done safely so as not to interfere with outside cellular communication, to wit: emergency traffic. Faraday bags are a good option for the transportation of cellular devices, but not a good option for the examination of a device, simply because introducing a cable to the device and then to the examination computer will render the bag useless. We recommend using a metallic mesh to wrap the device securely and then placing the phone into standby mode or airplane mode for transportation, photographing it, and then placing the phone in a state to be examined.
3. Multiple investigation tools for data verification?
In order to have a successful examination, not only should you verify that the tool extracted the data as it should, but you should also verify that the tool did not alter the data. This is something that we speak about in depth in our training courses: the verification of the process, not the tool.
How can an examiner truly say the tool did not alter the data in the extraction process? This is done by validation of the tool using a baseline and then conducting the same extraction and comparing the results using the created “digital fingerprints” or hash values. This does not have to be conducted on every examination, but at least at version changes and upon first installing/using the software.
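The baseline-and-compare validation described above, as an added example that is not part of the original post: fingerprint every file of a baseline extraction with SHA-256, keep that manifest, and after a version change re-extract the same test device and diff the fingerprints. Any file whose digest changed, vanished or newly appeared is a finding to explain before the tool is trusted. The directory layout and file contents in `demo()` are constructed sample data, not an extraction from any real device or tool.

```python
"""Baseline-and-compare validation of an extraction tool using SHA-256 file digests."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Digest a file in chunks so a large extraction image need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_extraction(root: Path) -> Dict[str, str]:
    """Map every file under the extraction root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(fingerprints: Dict[str, str], manifest: Path) -> None:
    """Persist the baseline so it can be reused at the next software version change."""
    manifest.write_text(json.dumps(fingerprints, indent=2, sort_keys=True))


def load_manifest(manifest: Path) -> Dict[str, str]:
    return json.loads(manifest.read_text())


def compare_fingerprints(baseline: Dict[str, str],
                         candidate: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences: altered contents, files the tool no longer produced,
    and files it newly produced."""
    return {
        "changed": sorted(k for k in baseline if k in candidate and baseline[k] != candidate[k]),
        "missing": sorted(k for k in baseline if k not in candidate),
        "added": sorted(k for k in candidate if k not in baseline),
    }


def validation_passed(diff: Dict[str, List[str]]) -> bool:
    """The tool is validated only when nothing changed, vanished or appeared."""
    return not (diff["changed"] or diff["missing"] or diff["added"])


def _write(root: Path, rel: str, data: bytes) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a baseline extraction and a re-extraction after a tool
    update in which one file (a contacts database) came back with different bytes."""
    work = Path(tempfile.mkdtemp(prefix="extraction-validation-"))
    baseline_dir, candidate_dir = work / "baseline", work / "candidate"
    # Constructed sample "extraction" contents; not data from any real device.
    for root in (baseline_dir, candidate_dir):
        _write(root, "data/sms.db", b"SQLite format 3\x00 sms sample")
        _write(root, "media/DCIM/IMG_0001.jpg", b"\xff\xd8\xff\xe0 sample jpeg bytes")
    _write(baseline_dir, "data/contacts.db", b"SQLite format 3\x00 contacts v1")
    _write(candidate_dir, "data/contacts.db", b"SQLite format 3\x00 contacts v1 TOUCHED")

    manifest = work / "baseline.json"
    save_manifest(fingerprint_extraction(baseline_dir), manifest)
    return compare_fingerprints(load_manifest(manifest),
                                fingerprint_extraction(candidate_dir))


if __name__ == "__main__":
    result = demo()
    print("validated" if validation_passed(result) else f"validation FAILED: {result}")
```

In practice the baseline comes from a test device whose contents you control, and the manifest is kept with the validation record so that the same comparison can be repeated at the next version change or whenever the tool is reinstalled.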
Too much emphasis has been placed on whether the tool extracted all the data, and not enough on whether the data was altered by the tool.
As for using multiple tools for an examination, I believe this is a must. Because tools in cellular forensics behave differently and extract different types of data, you must find the tools that cover the majority of phones seen in your area.
4. Should we understand the investigation tools at an in-depth technical level?
Understanding the general process of the tools is very important, but understanding at a technical "code level" is not. The technical "code" level is left to the company offering support for the software. In the law enforcement world the examiner is not going to testify to the code that makes the software perform; the actual developer or a representative of the vendor will.
What is extremely important for the examiner is to have a very in-depth knowledge of the forensic process. An understanding of the steps to take from isolation > seizure > extraction > documentation is of utmost importance. During the extraction phase, with today's phone types, the examiner has to be capable of looking into file systems to uncover data that is not recoverable with standard extraction tools. The simple point-and-click examination is not going to be enough by tomorrow's standards. The button-cowboy tools are going to come under further scrutiny.
5. Has there been an increase in cell phone evidence being used in criminal cases?
Every day in the US the media reports a case being solved by the examination of a text message, photograph, video, etc. Because over 130 million people in the US alone own cellular phones, law enforcement examiners are looking to these devices as an evidence trove. So yes, there are many outlets showing that cellphone evidence is today's DNA.
6. Advice for a cell phone investigator taking the stand?
An examiner who must testify to their findings must realize that they can no longer testify to the fact that they pushed the "get evidence" button and then believe that reasoning/explanation will suffice. The examiner must be ready to answer the question, "Where did the phone book come from?" and not answer, "From the phone." Instead, be ready to give the location of the phone book's contents as it relates to the phone's file system, and also how the user data was not altered during your examination. Unfortunately for most, this is a daunting task because it takes additional time and training, two things the button-pushing applications feed on. So until the day comes and case law is made due to an examination or lack of examination, we wait…
Thank you for reading and please let me know what you think!