The other side of mobile forensics
How service provider data fits into the larger mobile-evidence picture
Loving notes that as cell phone technology advances, the devices are frequently linked to unconventional crimes that test both existing statutes and legal precedents. Vehicular homicide, for example, virtually demands that a suspect's cell phone be seized and the call logs, SMS messages with their date/time stamps, etc. be preserved. This way, investigators can determine whether cell use, including "driving while texting," was a factor.
Carrier data challenges
While customer demand for better coverage — and thus more towers — remains high, Loving says many communities have limited tower build-out for a variety of reasons, including aesthetics, zoning and site problems, and even public health. That's why many carriers have begun to share tower space.
"It is not uncommon to find two or three different carriers at one location," Loving explains. "The simplest and fastest way to determine if multiple carriers exist at one location is to view the tower location. You will notice a group of antennae on the tower; and individual, bulletproof control rooms/buildings at the base."
This is important for investigators to know because collectible data doesn't go by tower; it goes by carrier. Each carrier retains records for a different period: call detail reports are kept anywhere from six years down to just 45 days, while text messages and voicemail typically last a week or less. Each carrier also has its own preferences for how it wants to receive and handle subpoenas, and some may even charge for records retrieval services.
Cree notes that even personnel changes can create difficulties. "Investigators may have had limited or no prior contact with service providers and have no idea where to start. They may not know what information is available to them or what the company's data preservation timeframe is," she says.
These factors can lead investigators to assume erroneously that they'll have a hard time getting a warrant, according to Lee Reiber, owner and lead instructor of Mobile Forensics Inc. But the trick isn't obtaining the warrant; it's doing so quickly enough.
The best way to accomplish this is to send a preservation letter, which asks the carrier to pull and retain data until a warrant can be obtained. Under 18 U.S.C. § 2703(f), investigators can fax a written request to the carrier to preserve all data for a target phone number. The carrier must then hold the data for 90 days and, if the agency requests a renewal, for 90 more days. This often gives investigators enough time to obtain a warrant.
"The preservation letter doesn't have to come from an attorney," notes Loving. "Most carriers will respond to a police department's letterhead."
The carrier data/device relationship
Reiber and Loving both advise that one set of evidence cannot exist independently of the other during a criminal investigation, for a variety of reasons.
First, no standards exist for cell phones. "The fact that different carriers utilize different technologies and have more than 100 different handsets on the market at any given time [makes] evidence collection/data recovery extremely challenging," says Loving.
Reiber agrees, saying that manufacturers are unlikely to ever standardize their equipment. "To stay competitive, they cannot standardize things like memory and connectors, and they are constantly improving the technology for faster data and better storage," he explains. "So whereas a computer's hard drive is static and easy to image, investigators would have to budget thousands of dollars in software upgrades alone to keep up with cell device manufacturers." Hence, the need to work with carriers to obtain data.
Conversely, tower data tells only part of the story. "One challenge law enforcement faces is identifying the specific user of a phone," says Cree. "The only way to positively identify a user is through personal statement, direct observation or audio identification."
For example, after the February 2006 murder of a California peace officer, tower data showing the suspect fleeing the area was later tied to personal data in his phone's calendar. On their own, neither the vehicle registration the officer was found clutching nor the tower data showing calls made along the suspect's escape route was enough; the suspect had even erased all inbound and outbound call logs.
