Do you think mobile forensics is only about getting the incriminating text messages, images or emails from the device? Think again. As with forensic evidence in general, the data contained on mobile devices is far more versatile. It’s rare these days that you’ll encounter a case where a mobile phone, GPS device or tablet isn’t relevant in some way. Therefore, it’s important to think about these seven potential uses for the data they contain:
1. Leads that can move a criminal investigation forward.
When you’re faced with thousands of text messages, hundreds of contacts and dozens of call logs, there’s no way you can parse all that data to learn which people, places and events are most relevant to your case.
Included with most commercial mobile forensics tools, data analytics can help you narrow the field to pinpoint which people your subject is talking to most (via call, text, email and social media), locations your subject frequents, and/or the order in which conversations of interest took place.
More robust analytic tools can take this concept a step further, linking data from multiple mobile devices to show which people and even places your suspect(s) and victim(s) have in common. Choose your tools wisely – all mobile evidence is not created equal, and a cheap tool may not get you as much data as you think or need.
2. Proof that a crime was committed, or of criminal intent.
Apart from the obvious -- the text messages sealing a drug deal or harassing a victim, a parolee photographed with guns and drugs, or images of child exploitation, among others -- mobile data can show that an injury or property damage wasn’t the result of an accident.
For example, mobile forensics can show whether a driver was texting while driving at the time of a collision, or reveal text messages that conspire to cover up child abuse. In some cases, mobile evidence can be considered prima facie.
3. Elimination of a suspect as the person who committed the crime.
In 2010, Wills County (Illinois) Detective Josh Fazio found social media evidence that exonerated Brian Dorian, a murder suspect who was also a police officer. Computer and social activity showed that the officer was online at the time the murder took place.
As long as you can place the device in the individual’s hands, data such as geolocation (including EXIF data in any images), as well as the individual’s normal usage patterns, can show that the individual was nowhere near the crime scene on the date and time in question.
Also remember: even if other evidence has enabled you to build a reasonably good case against a suspect, you may still uncover exculpatory evidence from a mobile device or other source. It is mandatory to disclose this in your report.
4. Independent evidence that can corroborate a confession, or affirm or disprove an alibi.
Use mobile data to establish a timeline of communications, contacts and/or locations visited. It should match a suspect’s narrative of events. If it doesn’t, use the discrepancy to work your interview: uncover additional suspects that the suspect may be protecting, or other crimes s/he may have committed besides the one you’re investigating.
5. Links between crime scene and suspect, suspect and victim, or suspect/victim and witnesses.
Suspects may deny ever having been at the crime scene, or knowing the victim(s). Again, however, geolocation can show the suspect visiting the scene before, during, or after the crime. The suspect may even take photos while at the scene, which can provide additional evidence.
Likewise, their call logs, text messages, contacts and social media connections can show whether they knew the victim(s), if not by name then at least by number, or even whether they have common connections.
6. Establishing the innocence of people not involved in the crime.
Executing a search warrant can bring you to a residence where you may need to image multiple devices, not all of them connected to the case. Put together with on-site interviews, a quick logical extraction can show whether more than one individual should be part of your investigation.
(It goes without saying that if you find incriminating evidence on a device other than your suspect’s, you should stop and obtain a new search warrant for the new device.)
7. Reasonable suspicion or probable cause.
A text message in plain view can provide reasonable suspicion to detain a suspect; a consent search can turn up enough to support a search warrant for a full extraction and analysis of a mobile device.
The true power of mobile forensics, as with other digital forensics, lies in building such strong cases that not only can your clearance rate improve, but prosecutors can negotiate plea bargains that reduce the number of trials, clearing their calendars for more serious crimes. Understand how to make it work for you, use it appropriately, and educate your prosecutors on how it can help them too.