A woman is held against her will for nearly 36 hours by her common-law husband. During this time, she is sexually assaulted and tortured. The suspect uses his cell phone to take more than 30 photos of the woman throughout the unlawful confinement. With the suspect now in police custody, cell phone forensic examiners need to secure the photos and document the date/time stamp to corroborate the victim's story.
These digital photos, extracted and examined by Cst. Shafik Punja, a member of the Electronic Surveillance Unit — Technological Crimes Team of the Calgary (Alberta, Canada) Police Service, would have never been an evidentiary possibility as few as 5 to 7 years ago. According to Richard Ayers, computer scientist at the National Institute of Standards and Technology (NIST) and co-author of "Guidelines on Cell Phone Forensics: Recommendations of the National Institute of Standards and Technology," commercial cell phone seizure tools that have the ability to acquire and examine data started appearing on the market in early 2000.
Since then, the capabilities of handheld digital devices have expanded dramatically from simply being phones with limited contact information to incorporating digital cameras/video cameras, MP3 players, etc. "There are approximately 20 new cellular devices introduced to the market each month," says Ayers.
According to Wayne Jansen, computer scientist at NIST, "Annual sales of cell phones are at approximately 1 billion per year worldwide. They are outpacing personal computers three to one in terms of annual sales."
Considering the pervasive nature of cell phones, and their ability to contain vast amounts of useful information and potentially powerful evidence, cell phone seizure devices are a critical component of the forensic examiner's toolkit.
Automated seizure tools
Automated forensic cell seizure tools can be divided into three categories: subscriber identity module (SIM) tools, handset tools and integrated toolkits that include both. As the name implies, SIM tools read information directly from the portable memory in the identity module used in many models of cellular phones, specifically GSM phones, rather than acquiring the data indirectly through the phone's handset. There are a handful of tools that work exclusively on SIMs. (See available product listing on Page 70.) They yield such information as abbreviated dialing numbers, last numbers dialed, SMS messages and location information.
Exclusive handset tools, also few in number, are designed strictly for the acquisition of the internal memory. These devices are useful with smartphones and other PDA-derived devices that run on Palm OS or Windows Mobile. They generally are unable to acquire data from SIMs.
Most commercially available cell seizure devices fall into the category of integrated toolkits. (See available products listing on Page 68.) They incorporate the capabilities of both SIM readers and handset tools in a single product and include such capabilities as search functionality, bookmarking and generating a single integrated report.
Software-based forensic tools acquire data from digital devices either physically or logically. "A physical acquisition recovers all the memory in a bitstream that must be parsed and interpreted to be understood," explains Jansen, fellow co-author of "Guidelines on Cell Phone Forensics: Recommendations of the National Institute of Standards and Technology." This process yields more data — deleted files and data remnants — but is tedious and time-consuming to process manually into a readable format ready for examination, if not done automatically.
"Logical acquisition uses the memory structure of the phone to request information by memory type or object type," defines Jansen. As he details, in a logical acquisition, the seizure tool will ask the phone if there is a phonebook. If the phone finds this component, each entry will be requested; then the tool will move onto the calendar, recent calls record, etc.