The other side of mobile forensics
How service provider data fits into the larger mobile-evidence picture
The relationship between device and carrier data is even more intertwined when it comes to SMS (text) messages. Encoded in Protocol Data Unit (PDU) mode, a GSM standard format, an SMS message carries much more than the text: it also includes "metadata," such as the originating or destination phone number, the date and time the message reached the service center, and the service center's own number. This data, which users can't normally view, is important to law enforcement. As Reiber explains, the carrier maintains the information that will help law enforcement identify the subscriber.
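The fields described above can be pulled straight out of a stored PDU. The decoder below is an added example, not code from the article or from anyone quoted in it; it parses a GSM 03.40 SMS-DELIVER PDU (the layout of a received text as a handset or SIM stores it) and returns the service-center number, originating address, service-center timestamp and message text. The sample PDU is constructed for illustration, the two-digit year is assumed to be 20xx, and messages with a user-data header (concatenated SMS) are rejected rather than decoded.

```python
"""Decode a GSM 03.40 (3GPP TS 23.040) SMS-DELIVER PDU and surface the
metadata a received text carries: SMSC number, sender, SMSC timestamp, text.
Added example; the sample PDU at the bottom is constructed, not a capture."""
from dataclasses import dataclass

# GSM 7-bit default alphabet (TS 23.038), 128 entries; the extension table
# (reached via ESC, 0x1B) is not handled here.
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅå"
    "Δ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./"
    "0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmnopqrstuvwxyzäöñüà"
)


def _bcd_digits(octets: bytes) -> str:
    """Semi-octet decode: two digits per byte, low nibble first; 0xF pads odd lengths."""
    out = []
    for b in octets:
        out.append(str(b & 0x0F))
        if (b >> 4) != 0x0F:
            out.append(str(b >> 4))
    return "".join(out)


def _unpack_7bit(data: bytes, septets: int) -> str:
    """Unpack GSM 7-bit characters packed LSB-first across octets."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7_BASIC[(bits >> (7 * i)) & 0x7F] for i in range(septets))


def _decode_address(toa: int, digits: bytes, semi_octets: int) -> str:
    """Type-of-address octet: bits 6-4 are the type of number (TON)."""
    ton = (toa >> 4) & 0x07
    if ton == 0x05:                       # 101 = alphanumeric sender ID, 7-bit packed
        return _unpack_7bit(digits, semi_octets * 4 // 7)
    number = _bcd_digits(digits)
    return ("+" if ton == 0x01 else "") + number   # 001 = international


def _decode_scts(raw: bytes) -> str:
    """TP-SCTS: YY MM DD hh mm ss tz, each nibble-swapped BCD. Time zone is in
    quarter hours; bit 3 of the tens nibble is the sign. Year assumed 20xx."""
    yy, mo, dd, hh, mi, ss = (int(_bcd_digits(raw[i:i + 1])) for i in range(6))
    tz = raw[6]
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    sign = "-" if tz & 0x08 else "+"
    return (f"20{yy:02d}-{mo:02d}-{dd:02d}T{hh:02d}:{mi:02d}:{ss:02d}"
            f"{sign}{quarters // 4:02d}:{quarters % 4 * 15:02d}")


@dataclass
class SmsDeliver:
    smsc: str        # service center the message passed through
    sender: str      # TP-Originating-Address
    timestamp: str   # TP-Service-Centre-Time-Stamp: when the SMSC took the message
    text: str


def parse_sms_deliver(hexpdu: str) -> SmsDeliver:
    pdu = bytes.fromhex(hexpdu)
    pos = 0
    smsc_len = pdu[pos]; pos += 1          # octets incl. TOA; 0 = no SMSC stored
    smsc = ""
    if smsc_len:
        smsc = _decode_address(pdu[pos], pdu[pos + 1:pos + smsc_len], (smsc_len - 1) * 2)
        pos += smsc_len
    first = pdu[pos]; pos += 1
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU (TP-MTI != 00)")
    if first & 0x40:
        raise ValueError("user-data header present (e.g. concatenated SMS); not handled")
    oa_len = pdu[pos]; pos += 1            # number of useful semi-octets (digits)
    oa_octets = (oa_len + 1) // 2
    sender = _decode_address(pdu[pos], pdu[pos + 1:pos + 1 + oa_octets], oa_len)
    pos += 1 + oa_octets
    dcs = pdu[pos + 1]; pos += 2           # skip TP-PID, read TP-DCS
    timestamp = _decode_scts(pdu[pos:pos + 7]); pos += 7
    udl = pdu[pos]; pos += 1
    ud = pdu[pos:]                         # trailing 0xFF padding (SIM records) is harmless
    # Alphabet: bits 3-2 in the general coding group (00xx xxxx), bit 2 in the
    # message-class group (1111 xxxx); other DCS groups are not handled.
    alphabet = (dcs >> 2) & (0x03 if dcs >> 6 == 0 else 0x01)
    if alphabet == 0:                      # GSM 7-bit: UDL counts septets
        text = _unpack_7bit(ud, udl)
    elif alphabet == 2:                    # UCS-2: UDL counts octets
        text = ud[:udl].decode("utf-16-be")
    else:                                  # 8-bit binary: keep as hex
        text = ud[:udl].hex()
    return SmsDeliver(smsc, sender, timestamp, text)


# Constructed SMS-DELIVER PDU (not a real capture): SMSC +15551234567,
# sender +15559876543, received 2024-03-15 14:30:05 at UTC-05:00, text "Hello".
SAMPLE_PDU = (
    "07915155214365F7"   # SMSC: length 7, TOA 0x91, digits swapped and F-padded
    "04"                 # first octet: SMS-DELIVER, no more messages waiting
    "0B915155896745F3"   # OA: 11 digits, TOA 0x91, swapped digits
    "00" "00"            # TP-PID, TP-DCS (GSM 7-bit default alphabet)
    "4230514103500A"     # TP-SCTS: 24-03-15 14:30:05, tz 0x0A = -20 quarter hours
    "05" "C8329BFD06"    # UDL = 5 septets, "Hello" packed 7-bit
)

if __name__ == "__main__":
    print(parse_sms_deliver(SAMPLE_PDU))
```

A hex string of this shape is what a GSM modem returns from AT+CMGL after AT+CMGF=0 (PDU mode), and what a SIM's EF_SMS records hold after their one-byte status octet, padded with 0xFF. Note that only received messages carry a service-center timestamp; a text the handset sent (SMS-SUBMIT) has no such field, so the time of sending for those has to come from the carrier's records.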
"As technology evolves," Loving says, "it presents more to investigate."
He breaks down evidence locations into four parts:
- Service providers. "AT&T, Verizon, T-Mobile, [etc.] all have different internal systems that collect, maintain and provide data in different ways from each other."
- Networks. As noted, providers sometimes share networks via tower antennas.
- Mobile forensics. "Not only does it identify what carrier the device works on," says Loving, "it also reveals current and potentially deleted photos, text messages, call logs, voice and video recordings, and other evidence."
- Phone manufacturers. "This comes into play when you find phones with the same capabilities, but [with] different software, since it works on a different carrier's system," says Loving.
In addition to device and carrier data, cell phones may provide access to other important information. A GPS-enabled device will have data logs associated with it, either from the cell carrier or from the third-party GPS provider whose software has been installed on the phone.
The phone's registration will contain credit information and other applicable data. "Even a prepaid phone requires registration. Although a user can sign up as Mickey Mouse, personal information will be available," says Loving.
Reiber adds that it's important to record equipment identifiers, including the electronic serial number (ESN, used on CDMA handsets), the International Mobile Equipment Identity (IMEI) number used on GSM handsets, the handset model number itself and removable media such as flash cards. "Information on a SIM is standardized by ETSI [the European Telecommunications Standards Institute] and 3GPP [3rd Generation Partnership Project]," he explains. "It is really the handset, the manufacturers and carriers who have different firmware that allocate different portions of storage areas for data, which are not necessarily standardized."
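Two of the identifiers an examiner writes down, the IMEI and the SIM's ICCID, end in a Luhn check digit, so a mis-typed digit or a transposed pair in the evidence log can be caught at the time of recording. The functions below are an added example (not from the article or its sources): they compute and verify the check digit, split a 15-digit IMEI into its TAC and serial, and accept the 16-digit IMEISV form, which carries a software version instead of a check digit. The IMEI is the example value used in public IMEI documentation; the ICCID is constructed.

```python
"""Luhn check for handset and SIM identifiers (IMEI, ICCID). Added example;
the test identifiers are constructed or taken from public documentation."""


def luhn_check_digit(payload: str) -> int:
    """Check digit for a string of decimal digits (rightmost payload digit doubled)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and luhn_check_digit(number[:-1]) == int(number[-1])


def parse_imei(imei: str) -> dict:
    """Split an IMEI into TAC (8 digits, identifies make/model), serial (6) and
    check digit. A 16-digit IMEISV replaces the check digit with a 2-digit
    software version number and cannot be Luhn-validated."""
    digits = "".join(ch for ch in imei if ch.isdigit())
    if len(digits) == 16:
        return {"tac": digits[:8], "serial": digits[8:14],
                "svn": digits[14:], "valid": None}
    if len(digits) != 15:
        raise ValueError(f"IMEI must have 15 digits, got {len(digits)}")
    return {"tac": digits[:8], "serial": digits[8:14],
            "check": digits[14], "valid": luhn_valid(digits)}


def validate_iccid(iccid: str) -> bool:
    """ICCID (printed on the SIM): 19 or 20 digits, Luhn check digit last."""
    digits = "".join(ch for ch in iccid if ch.isdigit())
    return 19 <= len(digits) <= 20 and luhn_valid(digits)


if __name__ == "__main__":
    print(parse_imei("49-015420-323751-8"))          # valid, from IMEI documentation
    print(parse_imei("49-015420-327351-8"))          # two digits transposed: invalid
    print(validate_iccid("89012601234567890121"))    # constructed ICCID
```

The separators typed into the log (the usual 49-015420-323751-8 grouping) are stripped before checking, so the function can be run against the log entry as written. A passing check only says the digits are self-consistent; it does not prove the IMEI belongs to the seized handset, which is why the value on the label under the battery, the one reported by the phone's software, and the carrier's record should all be compared.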
Pulling it all together
Mobile forensics is becoming increasingly complicated to navigate, even as it becomes more important in criminal investigations. Law enforcement agencies should thus ensure proper training for their personnel. In the last two years, Reiber has noticed an increase in the number of departments putting officers through courses. "Most local and state agencies remain mindful of their budgets, but they've also been allocating funds for training," he says.
Training is also important for first responders, who must know how to preserve both the phone and the evidence on it. It's not enough to seize the cell phone during an arrest; the officer must also immediately ensure that its data remains intact. Loving points out that an arrestee can use his one phone call to contact an associate, who can then log on to the carrier's Web site and delete information. If the phone is on, or is turned on during the investigation, that deletion takes effect as soon as the device connects to the network.
Some investigators prefer to use a "Faraday cage," a conductive enclosure that shields the phone from radio signals, so the device can be turned on without connecting to the network. (Utah-based digital forensic solutions provider Paraben Corp. has designed a Faraday evidence bag that first responders can use to secure mobile devices.) Loving also recommends turning on the seized phone's "flight mode" feature, which enables the device's full functionality without a network connection. Either measure protects the evidence only while it stays in place: an opened bag or a switched-off flight mode lets the phone reconnect, so the step taken and the time it was taken should be noted in the evidence record.
Both Loving and Cree agree that the carriers themselves supply the other part of a solid investigation. "Today, most companies have a department assigned to handle law enforcement requests and maintain the level of confidentiality that investigations require," Cree says.
This represents a major change from even a few years ago. "The telecommunication business was designed to be consumer-driven, not a source of potential evidence used in the courts," she explains. "Additionally, the companies are required to protect their subscribers' privacy. Balancing the two requires personnel to assure legal compliance, as well as answer law enforcement questions, process requests and, when necessary, provide expert testimony."
