An evolution in cell forensics

     A woman is held against her will for nearly 36 hours by her common law husband. During this time, she is sexually assaulted and tortured. The suspect uses his cell phone to take more than 30 photos of the woman throughout the unlawful confinement. Now in police custody, cell phone forensic examiners need to secure the photos and document the date/time stamp to corroborate the victim's story.

     These digital photos, extracted and examined by Cst. Shafik Punja, a member of the Electronic Surveillance Unit — Technological Crimes Team of the Calgary (Alberta, Canada) Police Service, would have never been an evidentiary possibility as few as 5 to 7 years ago. According to Richard Ayers, computer scientist at the National Institute of Standards and Technology (NIST) and co-author of "Guidelines on Cell Phone Forensics: Recommendations of the National Institute of Standards and Technology," commercial cell phone seizure tools that have the ability to acquire and examine data started appearing on the market in early 2000.

     Since then, the capabilities of handheld digital devices have expanded dramatically from simply being phones with limited contact information to incorporating digital cameras/video cameras, MP3 players, etc. "There are approximately 20 new cellular devices introduced to the market each month," says Ayers.

     According to Wayne Jansen, computer scientist at NIST, "Annual sales of cell phones are at approximately 1 billion per year worldwide. They are outpacing personal computers three to one in terms of annual sales."

     Considering the pervasive nature of cell phones, and their ability to contain vast amounts of useful information and potentially powerful evidence, cell phone seizure devices are a critical component of the forensic examiner's toolkit.

Automated seizure tools
     Automated forensic cell seizure tools can be divided into three categories: subscriber identity module (SIM) tools, handset tools and integrated toolkits that include both. As the name implies, SIM tools read information from the portable memory in the identity module used in many models of cellular phones, specifically GSM phones, rather than an indirect data acquisition through the phone's handset. There are a handful of tools that work exclusively on SIMs. (See available product listing on Page 70.) They yield such information as abbreviated dialing numbers, last numbers dialed, SMS messages and location information.

     Exclusive handset tools, also few in number, are designed strictly for the acquisition of the internal memory. These devices are useful with smartphones and other PDA-derived devices that run on Palm OS or Windows Mobile. They generally are unable to acquire data from SIMs.

     Most commercially available cell seizure devices fall into the category of integrated toolkits. (See available products listing on Page 68). They incorporate the capabilities of both SIM readers and handset tools in a single product and include such capabilities as search functionality, book marking and generating a single integrated report.

     Software-based forensic tools acquire data from digital devices either physically or logically. "A physical acquisition recovers all the memory in a bitstream that must be parsed and interpreted to be understood," explains Jansen, fellow co-author of "Guidelines on Cell Phone Forensics: Recommendations of the National Institute of Standards and Technology." This process yields more data — deleted files and data remnants — but is tedious and time-consuming to process manually into a readable format ready for examination, if not done automatically.

     "Logical acquisition uses the memory structure of the phone to request information by memory type or object type," defines Jansen. As he details, in a logical acquisition, the seizure tool will ask the phone if there is a phonebook. If the phone finds this component, each entry will be requested; then the tool will move onto the calendar, recent calls record, etc.

     "Logical acquisition lays out all of the information in a very user-friendly format, like a Windows Explorer view," says Ayers. "You can see data objects of interest that might be relevant to the case and bookmark them for later reference."

     Although a logical acquisition provides instantly readable information, it has its downfall. Deleted data is very difficult to recover through logical acquisition. "It's really not possible because there is no way of asking, 'Do you have deleted information?' " notes Jansen.

     Punja agrees, saying, "It is very difficult to extract deleted content from logical structures if you don't understand where the deleted content is being dumped, and every phone is different."

     Because most cell seizure devices available today perform only a logical acquisition of data, it is often necessary to follow-up the automated acquisition with a manual acquisition. "You may get all the messages that were sent and received with an automated tool, but a draft message may be something that is just sitting there," explains Jansen. "You can see it through the user interface of the handset, but there is no way of requesting it using the protocol in a logical acquisition with a tool."

Manual seizure tools
     "Before I started examining cell phones, our crime scene personnel were just reading the screens and writing down or typing into a computer what the information was," tells Officer Dale Hanson of the Minneapolis (Minnesota) Police Crime Lab. "One of them got jammed up in court because he wrote down one number wrong. That is when I told them, 'Even if I can't pull the data off, I can still photograph or video record each screen, and that is a lot more solid than writing it down.' "

     Manual acquisition and reporting can be done by hand but has been found to be more expedient and reliable when using photographic tools. (See available products listing on Page 70.) In this instance, the examiner operates the cell phone through the various screens of data as the camera records the findings. "Phones that I can't do using our traditional tools I'll do a manual collection simply because time is of the essence and you don't have three hours to muck around trying to get the phone to be recognized on certain pieces of software," says Punja.

     In a recent case, he had two phones to examine, and he estimates that using the camera system cut the time it took by more than half. "And it automatically puts the information into report format for you," Punja praises. "It saves a lot of time when you don't have time to research every single phone and figure out how to connect to it. You're going to backlog the remaining phones and computers you're trying to get through."

     Photography systems also play a key role when a new, unsupported cell device hits the market or the forensic office does not have compatible software to perform a download. These systems will work with all types of small-scale digital devices.

Building a toolkit
     With all of the tool options and various mobile devices in use today, it is difficult for one tool to sufficiently meet all the needs of a cell phone forensic examiner. "There are a lot of mobile device acquisition toolkit solutions on the market today, but unfortunately, there are just too many cellular devices — makes, models, networks — for one tool to provide support to all of them," says Ayers.

     When developing a toolkit, cell phone examiners must first determine what types of handheld digital devices are being used in the area. For example, Blackberrys may be more popular in the Northeastern United States, while iDEN phones are frequently seen on the West Coast, and GSM phones dominate the European market.

     Ayers recommends multiple toolkits. "It is advantageous for examiners to have individual toolkits tailored for GSM devices, non-GSM devices, smartphones (i.e. Blackberrys, Windows Mobile, Palm OS, iPhones, Symbian, etc.) and applications that have the ability to acquire data from SIMs present in GSM devices," he says.

     Hanson lists DataPilot SecureView from Susteen, Paraben's Device Seizure and Cellebrite's Forensics UME-36Pro as part of his toolkit. He also uses freeware such as BitPIM and vendor-supplied software from Motorola and Sony-Ericsson. For manual acquisition he relies on Project-a-Phone.

     Punja has a similarly diverse compilation of products in his repertoire. His toolkit began with manufacturer-specific tools from Motorola and Nokia, and then expanded to include freeware such as BitPIM and floAt's Mobile Agent. Today his toolkit also includes Logicube's CellDEK, DataPilot SecureView and Device Seizure. His agency is hoping to purchase .XRY from MicroSystemation soon. He utilizes Fernico's product for manual documentation.

     "I would caution people not to rush out and get everything that people have tried," says Punja. "You have to see what your needs are and what types of devices you are getting."

     When deciding whether or not to add a seizure device to the toolkit, Jansen and Ayers recommend "baselining" the tool first. "Populate a phone with test data and then check which of the data the tool can recover, how well it does this and how well it reports the data," explains Jansen. "You do this with more than one person and then compare results to make sure there is a consensus as to whether the tool is meeting your requirements."

     While developing this baseline, examiners also can identify problem areas in the tool. Jansen and Ayers have found some devices truncate recovered data by a defined number of characters or mark text messages as read following a download, although they were unread previous to the data acquisition.

     In the sexual assault case mentioned previously, Punja had the MAC times — modified, access, created — altered by the seizure tool during the data acquisition. "I expect two of the time values to be affected, but I don't expect the modified time to be affected," he explains. "I used Microsoft's ActiveSync to extract the evidence because it retained the original time stamp for when the victim was being tortured. The other two products altered the modified time stamp."

     Jansen and Ayers have had experiences where a new version or updates of a tool did not perform as well as the previous version. "Therefore, you always want to re-establish the baseline if you make a move to a newer version," says Jansen.

     Seizure device manufacturers are doing their best to keep up with the constant evolution of small-scale digital devices. They are providing a variety of products to address the diversity of phones and operating systems.

     By Punja's estimation, the field of cell phone forensics is where computer forensics was 20 years ago. "If there could be some consistency developed for these small devices, then you might see the evolution of cell phone forensics becoming a structured analysis as opposed to a mish-mash of 'What do I try?' and 'What do I use?' "

Training for a different ballgame
     Many cell phone forensic examiners began their careers in the computer forensics field, and may continue to work in both disciplines. But to make the transition, some training is required, because as Cst. Shafik Punja, a member of the Electronic Surveillance Unit — Technological Crimes Team of the Calgary (Alberta, Canada) Police Service, points out, "Phones are an entirely different ballgame altogether. You're not just a forensic examiner. You're also a trouble-shooter at times, trying to figure out how the phone can be read or, at the very least, just how to get some information off for examination."

     SEARCH, the National Consortium for Justice Information and Statistics, offers the "Core Skills for the Investigation of Cellular Telephones" course. The program is intended to give the experienced investigator an understanding of the basics of cell phone investigation including explaining how to trace cell phones, properly seize phones and use a variety of software programs. The various types of cell phones — CDMA, TDMA and GSM — as well as SIM cards are discussed.

     Officer Dale Hanson of the Minneapolis (Minnesota) Police Crime Lab praises this course saying, "They present a good range of the products that are available, and if you're fairly aggressive during the class, you can easily do 25 phone exams while you're there."

     Aside from relying on formal training, examiners can keep up-to-date by participating in forums, chatrooms and e-mail lists. Hanson participates in multiple e-mail lists and Punja visits several phone forensics forums including, which is based in the United Kingdom, a country he estimates to be five years ahead of North America in its cell seizure practices.

     "Training is the first step," says Richard Ayers, computer scientist at the National Institute of Standards and Technology. "Then it is practice, practice, practice with mock examinations and spending a lot of time with the tools you are going to be using and really getting to understand the nuances of the tools." He estimates that, dependent on the examiner's skill level, it will take three to six months on average to fully train a cell phone examiner.

     Proper training and time spent using the tools are critical in gleaning the most information from a cell seizure. "The operator has an impact on how much information you get," says Punja. "Somebody coming in to it brand new, being greeted with an array of tools, is facing a steep learning curve." After three years examining cell phones, Punja can quickly identify which tools will work best for each phone.

     "What you need is training on a multitude of devices," he continues. "Whether they are good or bad, you still need to understand that each product can do something, and it's knowing when to use which product at the right time."