The new frontier in digital evidence

Today, the ring tones and vibrations of cell phones are everywhere — or at least they seem to be.

At the end of 2006, CTIA-The Wireless Association reported 233 million U.S. wireless subscribers, more than 76 percent of the total U.S. population.

While cell phones are a great technological advantage for businesses, the entertainment industry and everyday consumers, they are also an advantage for law enforcement.

In fact, many opportunities exist to use this relatively new form of digital evidence to help solve cases.

Cell phones as evidence

Cell phones and other mobile devices, such as PDAs and cameras, are increasingly being found on suspects and at crime scenes, says Gary Kessler, associate professor and director of the Center for Digital Investigation at Champlain College. And, he says, increasingly they contain information pertinent to a specific event under investigation or intelligence to link individuals to one another.

Stephen Pearson, founder and CEO of the High Tech Crime Institute Inc. (HTCI), which offers computer forensic services and specialized training, explains why cell phones can be especially meaningful to criminal investigations.

He describes three circles of evidence, one inside of another, to form a bull's-eye. The outer circle is where the least evidence is found. A company-owned PC, where most people would not put evidence, is an example in the outer circle.

The next circle has more evidence, and includes home PCs and other often-shared electronics. The inner circle is where the best evidence is found because it is controlled by one individual. Cell phones typically are used by one person; they can be carried around and used anywhere, and never leave a person's sight.

More than five years ago, when Keith Thomas, a cell phone forensics expert with First Advantage's Litigation Consulting Services, started examining cell phones, he says they were used primarily for one person to speak to another. That was all.

Cell phones have gone from being only a means of communication to include extras such as a phone book, Internet access, text messaging, games and more.

"Just about anything that can be done on a home computer now can be done on a cell phone," says Thomas, a former special agent with the Naval Criminal Investigative Service and one of the first members of the NCIS computer investigations and operations squad.

Criminals are taking advantage of cell phone technology in many ways. For example, predators use cell phones to photograph children on playgrounds. Drug dealers take pictures of their couriers so their customers can recognize them when they deliver drugs, and terrorists can activate bombs using cell phones.

Whether a case involves terrorism, homicide, illegal narcotics, stalking, child pornography, harassment, robberies or another crime, a cell phone can link a suspect to a crime. At some crime scenes, criminals aren't only leaving behind fingerprints, DNA and trace evidence; they're leaving their cell phones, too. One officer reports suspects have left their phones in stolen vehicles.

Mistakes first responders should avoid

When first responders enter a crime scene, they know what to do with fingerprints, DNA and trace evidence — they've been trained. When first responders discover a cell phone, they don't always know what to do.

As with any other evidence, first and foremost, evidence handling procedures must be in place for cell phones. If evidence gets lost in the collection process, it's gone. Like a hair that's blown away by the wind, it won't be there when examiners look for it in the laboratory.

Mistakes involving cell phones as evidence often are made in the acquisition process, says Kessler. He suggests seizing the phone and power supply together, if possible, and turning off the phone for evidence preservation.

Pearson suggests removing the phone's battery and leaving the phone off without turning the phone on for any reason, including looking at the electronic phone book. He also emphasizes the importance of putting procedures in place for first responders to collect evidence in a pristine manner.

Guidelines establish policies and procedures

Even if they do not examine cell phones themselves, law enforcement agencies should be familiar with "Guidelines on Cell Phone Forensics: Recommendations of the National Institute of Standards and Technology" (NIST Special Publication 800-101) by Wayne Jansen and Rick Ayers (www.csrc.nist.gov). A finalized version of the guidelines was recently published in June.

The intent of the guide is to help organizations establish policies and procedures for dealing with cell phones, and to prepare forensic specialists to contend with new circumstances involving cell phones. An executive summary points out that the guide is not all-inclusive, nor does it prescribe specifically how to handle mobile devices during investigations or incidents.

Guidelines on preserving, collecting, packaging, transporting and storing evidence will be especially helpful when setting policies and procedures for first responders.

NIST references the Mobile Phone Forensic Tools Sub-Group of the Interpol European Working Party on IT Crime, which identified how the United Kingdom's Association of Chief Police Officers (ACPO) Principles of Evidence apply to seizing mobile phones, and offers these guidelines:

  • Isolate the phone from other devices used for data synchronization;
  • Pull the plug from the back of the computer if the device is found in a cradle or connected via a cable;
  • Seize the phone, cradles and cables;
  • Do not remove media cards, SIMs or other hardware residing in the phone; and
  • Seize product manuals as well.

The guidelines indicate "isolating the phone from the radio network is important to keep new traffic, such as SMS messages, from overwriting existing data, if the phone is turned on when found.

"Besides the risk of overwriting potential evidence, the question may arise whether data received on the phone after seizure is within the scope of the original authority granted."

Cell phones should be packaged, transported and stored in evidence bags. The NIST guidelines recommend static-proof bags, hard containers so that keys cannot be pressed in transit, and radio frequency isolation bags for phones that are left on.

SEARCH, The National Consortium for Justice Information and Statistics, a non-profit membership organization created by and for the states, offers a description of basic hardware and software specifications required to retrieve information from cell phones.

"Creating a Cell Phone Investigation Toolkit: Basic Hardware and Software Specifications" can be found at www.search.org/files/pdf/CellphoneInvestToolkit-0806.pdf. As part of the publication, SEARCH lists specific products and suggestions to prevent a phone from receiving a signal.

Challenges of cell phone forensics

Even when cell phones are in pristine condition when they arrive in the laboratory, digital evidence recovery typically is not an easy task.

"Cell phones are not my favorite," Cpl. Rodney Van Horn of the Charleston (South Carolina) Police Department's Digital Evidence Unit says diplomatically. But, he adds, "If an investigation requires examining cell phones, they must be done."

Kessler sums up the problem by saying there is little consistency with hardware and software interfaces. New cell phone models, with different operating systems and cabling requirements, are constantly evolving and forensic software has difficulty keeping pace.

"I don't like receiving an item for examination and not knowing whether or not the program can produce results with it," Van Horn says.

Not all cell phones can be examined with software.

Cell phone forensics is similar to computer forensics because examiners aim to preserve data in its original format.

But, Bill Teel, president and founder of Teel Technologies, a cell phone forensics solution provider, says it's not as easy to do this with cell phones as it is with computers. Examiners cannot wholly image a phone and all its data, he explains.

While computer data can be extracted bit by bit or sector by sector without writing anything to the hard drive, he says commands must be written to a cell phone to recover information. After a computer is examined, data authenticity can be verified, but that's not the case with cell phones. And, that may never be the case because of the many different cell phone configurations and the constant flux in cell phone technology.

However, Thomas says scientific methods, which should be tested and evaluated, can be applied to cell phone investigations.

The NIST guidelines describe: "Mobile phone forensics is the science of recovering digital evidence from a mobile phone under forensically sound conditions using accepted methods."

Examiners who analyze cell phones for forensic evidence must be able to indicate what they did to extract information from the cell phone being presented as evidence and what steps they took to preclude damaging any evidence or other material they recovered as a result of the examination.
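The two points above, that a write-blocked computer image can be re-hashed and re-verified while a phone examination necessarily changes the handset, and that what the examiner can attest to is the extraction and the steps taken to produce it, can be shown in a few lines. The following is an added example written for this article, not code from NIST, Teel Technologies or any forensic tool; the "drive", the handset state, the tool names and the session-log behaviour are all constructed for illustration. It also ties in the earlier isolation guidance by showing what happens to a recorded hash when an SMS arrives after seizure.

```python
"""Hash-based verification of acquired evidence: drive image vs. phone extraction.

Added example, not from the article or any vendor's product. All data below is
constructed inline; the handset behaviour is a simulation of the point the
article makes, not a model of any real phone or tool.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquisition_record(label: str, data: bytes, tool: str, notes: str) -> dict:
    """What was acquired, with which tool, under what conditions, and its hash.
    This is the part of the examiner's notes that will be asked about in court."""
    return {
        "label": label,
        "tool": tool,
        "notes": notes,
        "size": len(data),
        "sha256": sha256_hex(data),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }


def verify(record: dict, data: bytes) -> bool:
    """True if the data still matches the size and hash recorded at acquisition."""
    return len(data) == record["size"] and sha256_hex(data) == record["sha256"]


# --- Computer: a write-blocked, bit-for-bit image (constructed 4 KiB "disk") --
DRIVE = bytes(range(256)) * 16


def image_drive() -> bytes:
    """Read-only copy; nothing is written back, so repeated runs are identical."""
    return bytes(DRIVE)


# --- Phone: a logical extraction from a constructed handset state ------------
def logical_extraction(phone: dict, tool: str) -> bytes:
    """Simulates a tool that must send commands to the handset and parse replies.
    The (simulated) handset logs each session, so the device itself is changed
    by the exam; what the examiner can hash and later re-verify is the extraction."""
    phone["session_log"].append(f"{tool} session {len(phone['session_log']) + 1}")
    payload = {"contacts": phone["contacts"], "sms": phone["sms"]}
    return json.dumps(payload, sort_keys=True).encode()


def device_state_hash(phone: dict) -> str:
    """Hash of everything on the simulated handset, including its own logs."""
    return sha256_hex(json.dumps(phone, sort_keys=True).encode())


def demo() -> dict:
    drive_rec = acquisition_record("drive", image_drive(), "imager", "write blocker in line")
    drive_reverified = verify(drive_rec, image_drive())

    phone = {"contacts": ["Alice 555-0100"], "sms": ["meet at 9"], "session_log": []}
    before = device_state_hash(phone)
    first = logical_extraction(phone, "toolA")
    phone_rec = acquisition_record("phone", first, "toolA",
                                   "battery removed at scene; RF-isolated during exam")
    after = device_state_hash(phone)

    # Re-running the same tool yields the same logical content, so the extraction
    # verifies against the record even though the handset state changed again.
    second_ok = verify(phone_rec, logical_extraction(phone, "toolA"))

    # Not isolated from the network: a message arrives after seizure. A later
    # extraction no longer matches the record, and the new message may fall
    # outside the scope of the original warrant or consent.
    phone["sms"].append("incoming after seizure")
    third_ok = verify(phone_rec, logical_extraction(phone, "toolA"))

    return {
        "drive_reverified": drive_reverified,
        "device_unchanged_by_exam": before == after,
        "second_extraction_verifies": second_ok,
        "post_seizure_sms_verifies": third_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the hash in the phone record covers the extraction output and the notes cover the tool and conditions; the handset is never claimed to be unchanged, which matches what the examiner can honestly testify to.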

Kessler says the process for cell phone exams also must be consistent with any consent or warrant.

He reminds, "Don't forget the cell phone company and call records. It is best to have contacts with the cell phone companies in place before they need to be called in an emergency."

Information from network operators can pinpoint where an individual is or was at a specific time — if the cell phone was on or, in some cases, off, Thomas adds.

Cell phone examiners

Learning cell phone forensics is not instantaneous.

Those investigators already tasked with performing digital analysis, including computer forensics, are good candidates for learning cell phone forensics. A specific level of expertise is needed to understand file structures and methods unique to cell phone investigations, Thomas says.

Larger law enforcement agencies, with more manpower and more funding, are better equipped to handle cell phone forensic investigations.

Van Horn and Sgt. Jerry Roberts process cell phones at the Charleston PD, which has 382 sworn officers. The Digital Evidence Unit Laboratory, which is accredited by the American Society of Crime Laboratory Directors (ASCLD), processes almost any kind of digital evidence, including computers, PDAs and phones. It is one of three internationally accredited digital evidence labs and the only local lab in the ASCLD/LAB-International directory.

As sworn officers assigned to the forensic division, Van Horn and Roberts also report for roll calls, serve search warrants, testify in court, attend training sessions and train others, and, like many in law enforcement, their list of duties doesn't stop there. Cell phones are not the bulk of their work.

Today, few agencies are doing cell phone forensics.

"Agencies are going to have to start doing cell phone forensics," says Pearson, noting the proliferation of cell phones is even greater than with computers.

According to Kessler, "No one should attempt to analyze a cell phone without training. Sometimes the only way to obtain information is by turning on the phone, scrolling through the screens and taking pictures. Even then, a process should be followed and individuals knowledgeable in the process should be performing the exam."

Cell investigations training

Several organizations, companies and colleges offer cell phone forensics training.

The best way to know whether a training organization is reputable is the old-fashioned way: word of mouth and references, Kessler says.

According to Kessler, the Champlain College Center for Digital Investigation recently received a $650,000 grant from the Department of Justice's Bureau of Justice Assistance to create online training opportunities for law enforcement in addition to teaming with Vermont law enforcement for digital investigations. Champlain's Computer and Digital Forensics program offers training online (see c3di.champlain.edu).

"In my opinion, the best source of training for law enforcement is tailored for the law enforcement community," he says. "While many vendors provide good training sources, their courses are about their own products."

Kessler points to SEARCH as an example of an organization offering law enforcement-specific training.

HTCI also offers online training (www.hightechcrimeinstitute.com).

Pearson, who has been doing cell phone forensics for three years, says it's important to qualify the trainers and the company.

"A good training company uses investigators that are or have been recently in the field," he says. "That's very important to have that newness and awareness of the technology."

At the HTCI, cell phone forensics is a course that's part of an advanced track, the Certified Computer Forensic Technician. In all, four certification tracks are available and explained in detail at www.hightechcrimeinstitute.com/courses/xcertification.htm.

Cell phone forensics technology

Recognizing that the frustrations associated with cell phone forensics, such as multiple operating systems and changing technology, were not going to go away, and that the need for analysis was only going to increase, Teel Technologies started a Web site for users and content providers. Mobile Forensics Central (www.mobileforensicscentral.com) is a free Web site to help examiners determine the tools available for analysis. Teel Technologies is a solution provider for many of the tools found on the site.

Trained forensic examiners essentially are working with a moving target, describes Teel.

"When they get a cell phone, they don't know which model or version of a particular operating system they're dealing with," he says.

That's largely why Mobile Forensics Central was built.

"We knew examiners were getting phones they didn't know what to do with," he says. "Even though they might have three different tools in their lab, examiners still were having a hard time quickly identifying which tool to work with and then what to expect to get off that phone."

At Mobile Forensics Central, examiners can enter a model number to determine which software and cables they can use, and what kind of results they will experience from these tools.

Phone software programs can be found on the Web site. If a phone isn't listed, Teel recommends asking about it — a supplier may not support a phone because it hasn't had a chance to test it. Just because a software solution is not listed doesn't mean an agency shouldn't try it, he adds.

The Web site, which launched in January, does not replace manufacturer literature, which agencies also should reference to reach conclusions, Teel says.

Phone specs and the Examiner's Exchange, where examiners share their knowledge, offer additional information.

"The Web site is a tool to help examiners get closer to determining what they need to do with a phone," Teel says, "but it's not going to take them the entire way."

An examiner may analyze a phone with a specific forensic tool and try to do the same three months later only to find out he has more of a challenge — or he can't analyze the phone — because the firmware or a component has since changed.

Mobile Forensics Central's Product Updates section provides information on new versions and enhancements, bug fixes, and phone support updates.

Teel will continue to update and expand the site to include information on charging and adaptors. He also plans to offer all the data on the site as an offline tool.

A new frontier

"Cell phone investigation is a new frontier in electronic evidence," according to Thomas, who adds it's only a matter of time before more and more law enforcement agencies develop their own units and expertise in the field.

Working together, Pearson says agencies could pool their resources to obtain the people, training and technology to examine a majority of cell phones.

Because cell phones are such a big part of everyone's lives, he predicts 15 or 20 years from now every law enforcement officer in the country will need to know how to examine a cell phone for digital evidence.

Rebecca Kanable is a freelance writer who specializes in law enforcement topics living in Wisconsin. She can be reached at kanable@charter.net.