The mobile device INVESTIGATOR'S TOOLBOX

What works best for newbies, what requires more training, and how to tell the difference


     In addition to training, investigators should develop best practices for their own data recovery efforts. SEARCH has developed a series of five worksheets. Available at www.search.org/files/pdf/SeizedHandheldDeviceWorksheets.pdf, the worksheets allow investigators to identify field-seized devices, analyze those devices along with SIM cards, control the analysis, document which tools they used, and make processing requests. "The forms create a standard process for investigators to follow when they're recovering data," says Daniels.

     Investigators needn't shy from developing their skills in mobile forensics. The field is complicated with many issues in play, but the community is tightly knit, and a wealth of information exists for those willing to put the time into learning it.

Current and future technology

     Mobile technology has advanced to the point where a device the size of a deck of cards — the video iPod — can store up to 160 GB of data. That's comparable to the amount of storage on many computers' hard drives.

     Gilleland expects that investigators' jobs will become increasingly complicated as phones further evolve into mini-computers. "More phones are Internet-capable," he explains, "especially now that the iPhone has been released. That means that to track criminal activity, our examinations will more closely resemble computer forensics." Mark Menz, MJ Menz & Associates, adds that many newer phones have built-in 10-, 20-, or 30-GB Flash hard drives that analysts will be imaging, much like they do computer hard drives. Yet to figure out how the phones' proprietary operating systems work with those drives will be the hard part for forensic software programmers, who already must reverse engineer their tools.

     Another evolving capability is GPS. Many phones now store data that investigators can use to track suspect movements. For those that don't, carriers can sometimes step in. Farnsworth explains, "You can call Sprint, for example, with a court order to push an application to the phone to track it. Most companies have this capability, but don't advertise it because of privacy issues." Richard Gilleland, a detective with the Sacramento (California) Police Department, adds that once you have the data, "Paraben and some cheaper tools let you map coordinates in Google Earth. It's extracting the data that's the hard part."

     Michael Menz says cell phone service is becoming increasingly universal. "In the near future we will see integrated glasses (or sunglasses) to the cell phone, which is really a portable computer. Plus, the cell phone will be on [a person's] hip [but also integrated with] the car and home phones. The service will be sent to the unit you are closest to." Skype Internet telephony, for instance, transfers a picture phone call to a subscriber's home or cell phone if he doesn't answer the Skype line. "So when a search warrant is done," Menz adds, "it has to be for the cell phone, car phone and home phone."

     Both Skype and Vonage work with another pioneer technology: the USB Internet Phone. "Plug [it] into a computer with Internet access, you have your phone," says Menz, pointing out that this will make suspect location virtually impossible. Daniels agrees, saying "porting" is the main issue. Anyone who wants to keep the phone number from their original carrier can transfer it; to verify whether a number has been ported or not, investigators should use Neustar.biz rather than the carrier. Search warrant service will also become increasingly difficult, Menz continues, since a World Trade Organization agreement made it possible to subscribe to a cell service anywhere in the world.

     Loving says some carriers allow remote wiping of some devices (such as BlackBerry) in the event that a phone is lost or stolen. "It's important for investigators to identify and contact the carrier to lock down the user account so as not to allow that feature to be enabled," he says. Most carriers will respond to a department letterhead followed up by a court order.

     Farnsworth says Google is said to be developing an open source phone called Android, which Daniels says is expected to exceed iPhone's capabilities in performance, durability, and Internet surfing ability. That means its programming will be readily available for anyone else to develop supplemental software, including data recovery tools. "There are also rumors about some open source tools that will work with Linux," he says. "If it happens that all phones end up using one operating system, cell forensics will become like computer forensics."

  • Enhance your experience.

    Thank you for your regular readership of and visits to Officer.com. To continue viewing content on this site, please take a few moments to fill out the form below and register on this website.

    Registration is required to help ensure your access to featured content, and to maintain control of access to content that may be sensitive in nature to law enforcement.