At the end of September, I participated in a Twitter chat with friend and fellow blogger Alice de Sturler, long known as @Vidocq_CC for her work in publicizing details about a variety of cold cases. The topic: digital evidence in such cases, with an emphasis on mobile device data.
Researching the concept before the chat, I realized that there are both obvious and not so obvious ways that mobile device data can be valuable in cold case investigations. There are also, as you might imagine, some challenges -- both technological and procedural.
You probably already know that a victim’s text messages, instant messages, contacts, emails, social network posts and other data might lead to people the victim knew, locations they visited, threats they received or other key evidence. But if you haven’t been able to obtain this evidence, take heart: mobile device technology advances at such a rapid clip that it’s entirely possible to obtain data now that you couldn’t have obtained even a year ago.
This is partly because mobile forensics tools, in a bid to keep up with the technology, regularly add new features and functions throughout any given year. Some of these additions are designed to address best-selling devices’ popularity, on the understanding that evidence from these devices is in high demand. Some are based on ongoing research into the way mobile operating systems affect data. Password bypass, decryption, and the like are all in constant development.
It is also partly because of advances in overall mobile forensics methodologies. Over the past two years, for example, methods known as “JTAG” and “chip-off” have gained ground as ways to recover evidence from devices that are damaged or unsupported by conventional mobile forensics tools. More specialists are building expertise in these methods, making them more available to other forensic examiners.
The bottom line: just because you couldn’t get data from a victim’s cell phone six, twelve, eighteen, or more months ago doesn’t mean you can’t get it now.
The less obvious
Mobile device data isn’t the only source of evidence. Cloud backups, social media, and other internet-based data can bring your case back to life, too. One 2007 homicide case in Virginia was able to move forward six years later, when investigators were pointed to online rap videos. The videos were created using “various electronic devices,” and their lyrics turned out to be graphic references to the crime.
Connecting specific internet-based songs or other media with specific devices, though, requires a level of investigation that might be time-consuming. Here, again, advances in investigative techniques, and the software that supports them, can put disparate digital data together in ways the human brain cannot.
Link analysis software, for example, can connect victims with suspects even when conventional interviews give no indication that they even knew each other. Common text messages, call logs, locations, and other communication between one or more victims and suspects can give investigators fresh leads and lines of questioning that would not otherwise have been available.
This is possible through analytics that show important patterns of life as well as any significant anomalies in those patterns, whether they are patterns in time, communication, or location. Software automates what once might have taken days, weeks, even months to generate -- and risked missing information.
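The kind of correlation that link analysis software automates, sketched as an added example (not taken from any forensic product; the record layout, function names and the 20% threshold are assumptions, and the records are constructed). It finds numbers that two device extractions have in common and flags activity at hours that are rare for a device's owner.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records: (device owner, other party, ISO timestamp).
# In this sample the two owners never contact each other directly.
RECORDS = (
    [("victim", "555-0101", f"2020-01-0{d}T09:15") for d in (1, 2, 3)]
    + [("victim", "555-0102", f"2020-01-0{d}T12:30") for d in (1, 2, 3)]
    + [("victim", "555-0103", f"2020-01-0{d}T18:05") for d in (1, 2)]
    + [
        ("victim", "555-0199", "2020-01-03T18:40"),
        ("victim", "555-0199", "2020-01-04T02:10"),
        ("suspect", "555-0199", "2020-01-02T20:00"),
        ("suspect", "555-0199", "2020-01-04T01:55"),
        ("suspect", "555-0150", "2020-01-01T10:00"),
    ]
)

def shared_contacts(records, owner_a, owner_b):
    """Map each number both owners communicated with to (count_a, count_b)."""
    counts = defaultdict(Counter)
    for owner, other, _ in records:
        counts[owner][other] += 1
    common = set(counts[owner_a]) & set(counts[owner_b])
    return {n: (counts[owner_a][n], counts[owner_b][n]) for n in sorted(common)}

def unusual_hours(records, owner, min_share=0.2):
    """Return the owner's events that fall in an hour of day holding less
    than min_share of that owner's total activity (pattern-of-life anomaly)."""
    events = [(other, datetime.fromisoformat(ts))
              for o, other, ts in records if o == owner]
    by_hour = Counter(t.hour for _, t in events)
    return [(other, t.isoformat(timespec="minutes"))
            for other, t in events
            if by_hour[t.hour] / len(events) < min_share]

if __name__ == "__main__":
    print("Shared contacts:", shared_contacts(RECORDS, "victim", "suspect"))
    print("Victim anomalies:", unusual_hours(RECORDS, "victim"))
```

With real extractions, phone numbers would first need normalizing to a single format, and the threshold only means something against a much longer baseline period.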
Mobile devices have been in use for more than a decade, and they weren’t always the smartphones that are commonplace today. Some cold cases may run up against much older mobile devices or storage media, which may be unsupported by some forensic tools or even lack cabling for power.
On the opposite end of the spectrum, despite mobile forensics tool vendors’ best efforts, some cases may go cold because of a lack of resources. Large quantities of mobile devices, few dollars to invest in mobile forensics solutions, and limited professional assistance can all make it difficult for investigators to respond in a timely fashion.