The Mobile Device Investigator's Toolbox
What works best for newbies, what requires more training, and how to tell the difference
These days, virtually every major criminal activity leaves evidence — images, text messages, call records and more — on mobile devices. Yet for the investigator who knows only the basics or less about how to recover this evidence, building a strong case can be difficult — especially after the evidence has been deleted.
State or regional digital forensics labs are frequently overworked and understaffed, while many agencies lack the resources for the training and equipment to support an in-house expert. A good compromise is to train non-expert forensic analysts or investigators to recover essential evidence. However, those who wish to take part in more complex mobile forensics need to know first that mobile forensics is as complicated as computer forensics — and has many of its own challenges. Many tools exist to aid data recovery efforts, but they demand plenty of training and educational support.
Cost challenges
Cost can be a significant challenge to smaller agencies, but SEARCH computer crime training specialist Keith Daniels says the investment in a tool like Cellebrite UFED (See "Data recovery tools" on Page 30) can be well worth it. Not only does it have unparalleled support, it's also easy to learn and use.
Cellebrite works quickly enough (15 to 20 minutes) to be used in emergencies, such as with missing persons. "It works so quickly on the street," says Daniels. "It can be a life-saving device." He finds it so useful that he counsels investigators in agencies with limited resources to pool funds with other investigative units to buy it.
If this is not possible, detectives are encouraged to find out whether they can join with a local or regional task force. In California, five task forces are available. "Investigators send phones to us for help," says Brian Farnsworth, an investigator with the Sacramento Valley Hi-Tech Crimes Task Force. "If they find they're getting inundated by mobile evidence, they can join the task force and have access to our resources."
However, not all task forces have the same tools. "In Sacramento Valley, we had to buy most of what's available because we had so much coming in," says Farnsworth. Investigators with no task force at their disposal can apply for grants, such as from the federal Internet Crimes Against Children (ICAC) program, to start one of their own.
Investigative challenges
Investigators who want to move from simple data recovery toward mobile forensics face another challenge: the lack of manufacturing standards, a result of competition. Kipp Loving, a member of the Tracy (California) Police Department as well as the Sacramento Valley task force and a California POST instructor on high-tech crimes, explains that even though consumer demand has driven manufacturers to design their phones more consistently, file structures, data storage, pin connectors and cables vary from manufacturer to manufacturer and even model to model. This makes it impossible for any forensic company to make a tool that recovers data from all phones on the market. In other words, Loving says, "Obtaining the data is easy; it's getting the phone to talk to the forensic computer that's the hard part."
Investigators find that many products exist — and often must be used in conjunction with one another. "Some only extract the phone book; others extract images but not call logs," says Loving. Farnsworth adds that some tools may appear to be the better investment because they claim to support 1,500 phones, but in reality, they can obtain only the devices' phonebook. Tools that support just a fraction of that number, however, often capture all data off their supported devices.
So how does an investigator know which tools are best? Richard Gilleland, a detective with the Sacramento Police Department, says finding out is often a matter of trial and error. He keeps a spreadsheet of what product works with what phone; reseller Teel Technologies, based in Connecticut, runs a secure database at www.MobileForensicsCentral.com that tells investigators the best tools to use for specific phones.
