"Logical acquisition lays out all of the information in a very user-friendly format, like a Windows Explorer view," says Ayers. "You can see data objects of interest that might be relevant to the case and bookmark them for later reference."
Although a logical acquisition provides instantly readable information, it has a drawback: deleted data is very difficult to recover through logical acquisition. "It's really not possible because there is no way of asking, 'Do you have deleted information?' " notes Jansen.
Punja agrees, saying, "It is very difficult to extract deleted content from logical structures if you don't understand where the deleted content is being dumped, and every phone is different."
Because most cell seizure devices available today perform only a logical acquisition of data, it is often necessary to follow up the automated acquisition with a manual acquisition. "You may get all the messages that were sent and received with an automated tool, but a draft message may be something that is just sitting there," explains Jansen. "You can see it through the user interface of the handset, but there is no way of requesting it using the protocol in a logical acquisition with a tool."
Manual seizure tools
"Before I started examining cell phones, our crime scene personnel were just reading the screens and writing down or typing into a computer what the information was," says Officer Dale Hanson of the Minneapolis (Minnesota) Police Crime Lab. "One of them got jammed up in court because he wrote down one number wrong. That is when I told them, 'Even if I can't pull the data off, I can still photograph or video record each screen, and that is a lot more solid than writing it down.' "
Manual acquisition and reporting can be done by hand, but it is more expedient and reliable when photographic tools are used. (See available products listing on Page 70.) In this case, the examiner steps the cell phone through its various screens of data while the camera records the findings. "Phones that I can't do using our traditional tools I'll do a manual collection simply because time is of the essence and you don't have three hours to muck around trying to get the phone to be recognized on certain pieces of software," says Punja.
In a recent case, he had two phones to examine, and he estimates that using the camera system cut the time it took by more than half. "And it automatically puts the information into report format for you," Punja praises. "It saves a lot of time when you don't have time to research every single phone and figure out how to connect to it. You're going to backlog the remaining phones and computers you're trying to get through."
Photography systems also play a key role when a new, unsupported cell device hits the market or the forensic office does not have compatible software to perform a download. These systems will work with all types of small-scale digital devices.
Building a toolkit
With all of the tool options and various mobile devices in use today, it is difficult for one tool to sufficiently meet all the needs of a cell phone forensic examiner. "There are a lot of mobile device acquisition toolkit solutions on the market today, but unfortunately, there are just too many cellular devices — makes, models, networks — for one tool to provide support to all of them," says Ayers.
When developing a toolkit, cell phone examiners must first determine what types of handheld digital devices are being used in the area. For example, Blackberrys may be more popular in the Northeastern United States, while iDEN phones are frequently seen on the West Coast, and GSM phones dominate the European market.
Ayers recommends multiple toolkits. "It is advantageous for examiners to have individual toolkits tailored for GSM devices, non-GSM devices, smartphones (i.e. Blackberrys, Windows Mobile, Palm OS, iPhones, Symbian, etc.) and applications that have the ability to acquire data from SIMs present in GSM devices," he says.