The Mobile Device Investigator's Toolbox

What works best for newbies, what requires more training, and how to tell the difference


     SEARCH training tells investigators that its task is to recover (or copy) data that's on the phone — not to acquire it. "Data recovery is not held to the same legal standard as computer forensics," explains Daniels, "so that's why it's important to make the distinction."

     Farnsworth adds that currently, most attorneys remain unaware of these tools and their capabilities — but will become more knowledgeable as more mobile devices are introduced into evidence. It will thus be incumbent on manufacturers to make their tools forensically sound. "Detectives called on to testify in court aren't engineers; they can't always verify whether the technology they used is forensically sound," Farnsworth says. "Therefore the prosecution would have to subpoena the manufacturer."

Learning the ropes

     Farnsworth says that some easy-to-use tools create an expectation that all tools should be as easy. He uses Cellebrite as an example: "It's very logical — it gets standard data and even some deleted information from the device's memory in seconds. What it will not do is get passwords." For those, investigators must turn to a program like BitPim, but they need to know how to use it. "Even something as useful as BitPim writes to the phone, so you have to be careful not to destroy the evidence," says Gilleland.

     Not-made-for-forensics tools are only part of the problem. Another is a lack of technical troubleshooting knowledge. "The problem is often not the tool — it's Windows," Farnsworth explains. "The cable doesn't send data to the forensic computer because Windows can't see it. You have to know how to change the port, or the connection speed, or whatever will get Windows to see the device you're working with." SEARCH makes available a troubleshooting guide at www.search.org/files/pdf.

     Investigators involved in mobile data recovery may start by using the easier tools. "But to get good at it," says Farnsworth, "you have to learn the business." Daniels says the best way to do this is to attend training. SEARCH provides instruction all over the country; its four-day training — which is available via grant funding, or for a $1,500 fee — allows investigators to get a feel for all tools currently on the market, using 15-20 phones each.

     "An officer can join training associations for free and pay for training they offer," says Michael Menz, a Sacramento County Sheriff's Department detective assigned to the Sacramento Valley Hi-Tech Crimes Task Force, who in 2006 served as president of the International High Technology Crime Investigation Association (www.htcia.org). "[The HTCIA] is an association of law enforcement and private enterprise with the goal of training investigators for high technology crime investigations."

     Paraben trains investigators on its Device Seizure software; an Idaho-based firm, Mobile Forensics Inc., also offers training, as do Utah-based AccessData, Indiana-based Smart Phone Forensics, H-11 Digital Forensics LLC (also located in Utah), and Farnsworth's company, 42 LLC. But training remains limited rather than widespread.

     Another way to learn is through Internet communities. The High Tech Crime Consortium (www.hightechcrimecops.org) provides criminal investigators access to a controlled listserv and a secure Web application portal. The HTCIA also offers a restricted listserv; Loving's own law-enforcement-only list includes detailed lists of many different resources, including search warrant samples. The U.K.-based Phone-Forensics.com is a secure bulletin board for investigators from all over the world.

     Farnsworth also recommends HowardForums Mobile Phone Community & Resource. Although not specifically meant for law enforcement, this community is home to individuals who are some of the savviest when it comes to mobile devices. "If you need to find a way to reveal a password, you log on and ask," he says. "Someone always knows a backdoor, the sequence of buttons you need to press to get to that point." Investigators must take care not to mention case specifics or even that they're police, but can often learn rapidly about devices this way. Finally, Web sites like PhoneScoop.com and Mobiledia.com can be excellent sources about existing and upcoming mobile technologies.
