An evolution in cell forensics

Jeannine Heinecke
Created:

     Hanson lists DataPilot SecureView from Susteen, Paraben's Device Seizure and Cellebrite's Forensics UME-36Pro as part of his toolkit. He also uses freeware such as BitPIM and vendor-supplied software from Motorola and Sony-Ericsson. For manual acquisition he relies on Project-a-Phone.

     Punja has a similarly diverse compilation of products in his repertoire. His toolkit began with manufacturer-specific tools from Motorola and Nokia, and then expanded to include freeware such as BitPIM and floAt's Mobile Agent. Today his toolkit also includes Logicube's CellDEK, DataPilot SecureView and Device Seizure. His agency is hoping to purchase .XRY from MicroSystemation soon. He utilizes Fernico's product for manual documentation.

     "I would caution people not to rush out and get everything that people have tried," says Punja. "You have to see what your needs are and what types of devices you are getting."

     When deciding whether or not to add a seizure device to the toolkit, Jansen and Ayers recommend "baselining" the tool first. "Populate a phone with test data and then check which of the data the tool can recover, how well it does this and how well it reports the data," explains Jansen. "You do this with more than one person and then compare results to make sure there is a consensus as to whether the tool is meeting your requirements."

     While developing this baseline, examiners also can identify problem areas in the tool. Jansen and Ayers have found some devices truncate recovered data by a defined number of characters or mark text messages as read following a download, although they were unread previous to the data acquisition.

     In the sexual assault case mentioned previously, Punja had the MAC times — modified, access, created — altered by the seizure tool during the data acquisition. "I expect two of the time values to be affected, but I don't expect the modified time to be affected," he explains. "I used Microsoft's ActiveSync to extract the evidence because it retained the original time stamp for when the victim was being tortured. The other two products altered the modified time stamp."

     Jansen and Ayers have had experiences where a new version or updates of a tool did not perform as well as the previous version. "Therefore, you always want to re-establish the baseline if you make a move to a newer version," says Jansen.

     Seizure device manufacturers are doing their best to keep up with the constant evolution of small-scale digital devices. They are providing a variety of products to address the diversity of phones and operating systems.

     By Punja's estimation, the field of cell phone forensics is where computer forensics was 20 years ago. "If there could be some consistency developed for these small devices, then you might see the evolution of cell phone forensics becoming a structured analysis as opposed to a mish-mash of 'What do I try?' and 'What do I use?' "

Training for a different ballgame
     Many cell phone forensic examiners began their careers in the computer forensics field, and may continue to work in both disciplines. But to make the transition, some training is required, because as Cst. Shafik Punja, a member of the Electronic Surveillance Unit — Technological Crimes Team of the Calgary (Alberta, Canada) Police Service, points out, "Phones are an entirely different ballgame altogether. You're not just a forensic examiner. You're also a trouble-shooter at times, trying to figure out how the phone can be read or, at the very least, just how to get some information off for examination."

     SEARCH, the National Consortium for Justice Information and Statistics, offers the "Core Skills for the Investigation of Cellular Telephones" course. The program is intended to give the experienced investigator an understanding of the basics of cell phone investigation including explaining how to trace cell phones, properly seize phones and use a variety of software programs. The various types of cell phones — CDMA, TDMA and GSM — as well as SIM cards are discussed.

     Officer Dale Hanson of the Minneapolis (Minnesota) Police Crime Lab praises this course saying, "They present a good range of the products that are available, and if you're fairly aggressive during the class, you can easily do 25 phone exams while you're there."