While computer data can be extracted bit by bit or sector by sector without writing anything to the hard drive, he says commands must be written to a cell phone to recover information. After a computer is examined, data authenticity can be verified, but that's not the case with cell phones. And that may never be the case because of the many different cell phone configurations and the constant flux in cell phone technology.
However, Thomas says scientific methods, which should be tested and evaluated, can be applied to cell phone investigations.
The NIST guidelines state: "Mobile phone forensics is the science of recovering digital evidence from a mobile phone under forensically sound conditions using accepted methods."
Examiners who analyze cell phones for forensic evidence must be able to indicate what they did to extract information from the cell phone being presented as evidence and what steps they took to preclude damaging any evidence or other material they recovered as a result of the examination.
Kessler says the process for cell phone exams also must be consistent with any consent or warrant.
He offers a reminder: "Don't forget the cell phone company and call records. It is best to have contacts with the cell phone companies in place before they need to be called in an emergency."
Information from network operators can pinpoint where an individual is or was at a specific time — if the cell phone was on or, in some cases, off, Thomas adds.
Cell phone examiners
Learning cell phone forensics is not instantaneous.
Those investigators already tasked with performing digital analysis, including computer forensics, are good candidates for learning cell phone forensics. A specific level of expertise is needed to understand file structures and methods unique to cell phone investigations, Thomas says.
Larger law enforcement agencies, with more manpower and more funding, are better equipped to handle cell phone forensic investigations.
Van Horn, along with Sgt. Jerry Roberts, processes cell phones at the Charleston PD, which has 382 sworn officers. The Digital Evidence Unit Laboratory, which is accredited by the American Society of Crime Laboratory Directors (ASCLD), processes almost any kind of digital evidence, including computers, PDAs and phones. It is one of three internationally accredited digital evidence labs and the only local lab in the ASCLD/LAB-International directory.
As sworn officers assigned to the forensic division, Van Horn and Roberts also report for roll calls, deliver search warrants, testify in court, attend training sessions, train others, and like many in law enforcement, their list of duties doesn't stop there. Cell phones are not the bulk of their work.
Today, few agencies are doing cell phone forensics.
"Agencies are going to have to start doing cell phone forensics," says Pearson, noting the proliferation of cell phones is even greater than with computers.
According to Kessler, "No one should attempt to analyze a cell phone without training. Sometimes the only way to obtain information is by turning on the phone, scrolling through the screens and taking pictures. Even then, a process should be followed and individuals knowledgeable in the process should be performing the exam."
Cell investigations training
Several organizations, companies and colleges offer cell phone forensics training.
The best way to know whether a training organization is reputable is the old-fashioned way: word of mouth and references, Kessler says.
According to Kessler, the Champlain College Center for Digital Investigation recently received a $650,000 grant from the Department of Justice's Bureau of Justice Assistance to create online training opportunities for law enforcement in addition to teaming with Vermont law enforcement for digital investigations. Champlain's Computer and Digital Forensics program offers training online (see c3di.champlain.edu).
"In my opinion, the best source of training for law enforcement is tailored for the law enforcement community," he says. "While many vendors provide good training sources, their courses are about their own products."
Kessler points to SEARCH as an example of an organization offering law enforcement-specific training.