Furthermore, Gilleland adds, what is best for one investigator may not help another. That depends on the actual phones being submitted to the lab for analysis. One well-known tool he tested supported only 10 of the models coming through the Sacramento lab. He notes further that what works on one model may not support a later, updated release of the same model.
The global divide
Many tools — both cheaper and professional forensic applications — originated overseas. "You don't have to reinvent the [investigative] wheel," Loving says, "but you can't stay within U.S. bounds. Cell phones weren't born and bred here, so most of the tools that extract information from them aren't, either." Companies overseas have been seeking to break into the U.S. market, so problems common to other software programs — like language translation — are minimal.
However, foreign software remains limited. That's because in Europe, cell phones use only the Global System for Mobile Communications (GSM). Here, carriers use GSM along with Code Division Multiple Access (CDMA), Integrated Digital Enhanced Network (iDEN), and others. So, while European and Asian phones and the tools used to extract their data are more sophisticated than in the United States, forensic tools from those countries can't be universally applied here. For instance, Logicube's CellDek, according to Mark Menz, vice president of digital forensic and electronic discovery firm MJ Menz & Associates, works well with European and Middle Eastern environments — but not as well in the United States.
Daniels cautions that some foreign data recovery tools are far more complex than U.S.-made tools. "Some that are coming out from the United Kingdom are FTK- or EnCase-level: they require specialized training. They aren't for first responders." Farnsworth adds that with tools that originated in countries like Russia, investigators may find it difficult to obtain technical support — not only because of the language barrier, but also because of the time difference.
Market-driven limitations
As mobile device data recovery becomes more important to criminal investigation, the challenge to find the best tools for the job will increase. "Cell data recovery is now where computer forensics was in 1995," Daniels explains. "This is a new market, and everyone is jumping into it, trying to become the next FTK or EnCase."
Farnsworth notes that as more companies become aware of just how much is involved in mobile device data recovery and forensics, the more they allow their products to be bought and repackaged by established digital forensics firms. Yet the newer products, such as AccessData's Mobile Phone Examiner, support few phones because they are not yet established.
Cheaper tools exist, but Farnsworth and Gilleland both prefer not to discuss them. That's because the increased demand from law enforcement would create a new market, which programmers may not have recognized when they created their tools. In turn, the tools' prices would rise. "Cellebrite went from costing about $600 to $4,000 because of the word 'forensic,' " Gilleland explains. Susteen's Secure View for Forensics encountered the same. Both pieces of equipment were originally made to support phone upgrades for consumers.
BitPim is one of the rare programs whose creator left it open source, rather than license and sell it. As useful as that tool is, however, open source software carries its own risks. In particular: anyone, including criminals, can access and use the same code to program countermeasure software.
Finally, Farnsworth says device manufacturers are becoming wise to the kinds of tricks that allow users, including police, to access device information via "backdoor." "They don't want you in the code because it's proprietary," he says. "They're developing better ways to hide the technology; eventually you may have to physically unsolder the memory chip to recover data from it."
Many of the cheaper tools remain forensically unsound — which, Farnsworth cautions, makes it easier for the defense to challenge in court. "They'll do this especially if they have nothing else, because you can't guarantee you made no changes to the device," he says. "However, they have to make the jury believe that the investigator planted the evidence on the device, and that's unlikely."