Lessons Learned in 2014 to Bring You Into 2015

Jan. 6, 2015

2014 may have marked a turning point in mobile device evidence collection. Technical landmarks made mobile device evidence more accessible from a great many devices, while legal landmarks - notably Riley v. California (573 U.S. _ [2014]), decided in June by the US Supreme Court - appeared to make it less accessible. (Worth noting: the Canadian Supreme Court went the other way. In early December, it ruled that police did not need warrants for cell phone searches incident to arrest.)

If anything, however, Riley provided some much-needed structure to the way law enforcement obtains key evidence among gigabytes of mobile device data, and in the long run, could make it easier for you to be proactive about obtaining the evidence you need. As you head into 2015, here are some ways to rethink mobile device evidence in light of these changes, as well as other issues this column discussed throughout 2014.

Old: Mobile device evidence is a “nice to have.”

New: Mobile device evidence can be mission-critical.

What’s happening in a subject’s world can have a substantial impact on the way you investigate a case. Conflicts between two or more people, criminals in need of accomplices for the commission or cleanup of a crime, time-and-place arrangements, and other communications show up almost constantly via text messaging, chat apps, social media, and voice.

This data can offer timelines, key locations, and key people that might provide leads, or simply give you insight into a subject’s patterns of life, as you work through an investigation at any stage.

Further reading: Responding to Digital Domestic Violence, Investigating Teen Dating Violence? Don’t Ignore the Cell Phone, Mobile Forensics and Human Trafficking

Old: Assume your subject uses his or her device the same way you use yours.

New: Be certain of how the subject uses the device.

The common smartphone screen with its grid of colorful icons might lead you to think that everyone has the same apps installed, and uses them with the same frequency and for the same purposes. You might even assume your subject owns only the one device.

As with so much else, make no assumptions; instead, ask questions about device ownership, access, and app usage. Find out how many devices the subject owns, and ask them, family, or friends what they use them for. Be sure to document all this in your report.

Further reading: 3 Questions about Mobile Device Evidence

Old: I have consent, so I can scroll through the mobile device in search of evidence.

New: I need to preserve the data the same way I would if I had to get a warrant to search it.

Don’t give a defense attorney the ability to question whether you planted or deleted data. As soon as the subject signs the consent form and hands over the device, isolate it from the network, either by placing it in Airplane Mode or by the use of a Faraday container of some kind. Then, have a way to perform a forensic extraction from the device.

Further reading: Warrants for Cell Phone Searches, Training for In-Field Mobile Device Extraction

Old: Ask forensic examiners for “everything on the phone.”

New: Time to get particular.

Privacy is on everyone’s mind these days, so rather than worry that your investigation has hit a wall, think in terms of relevant time and date ranges, along with specific content types. Worried that you don’t know what you don’t know? Use your interview skills together with other forms of evidence to find out.

Be sure to document your legal authority to search, whether it’s a consent search, exigent circumstances, a warrant, or some other exception to the Fourth Amendment. And know how to protect and preserve the evidence, whether you or someone else ultimately acquires it.

Further reading: Warrants for Cell Phone Searches

Old: Evidence extraction is hopeless because the device is damaged or prepaid.

New: Never give up on a device, at least until a proficient forensic examiner tells you it’s hopeless.

A crushed, burned, waterlogged, or otherwise badly damaged device may seem hopeless. However, convictions have been won using evidence from just such devices. Even if you yourself lack the time, patience, or risk tolerance to attempt a do-it-yourself repair project, a forensic examiner in your or a neighboring agency may be willing and able.

In addition, some techniques used to recover data physically from a device’s memory have become less specialized and more accessible over the past year. Both JTAG and chip-off techniques are options when the case is a big one and no other alternative exists. Find out whether examiners local to your agency – in a larger agency, or a task force – have this expertise.

Further reading: The Challenges of Damaged Mobile Devices

Old: Obtaining mobile device evidence happens after I’ve gathered all my other evidence and am building my case.

New: I can be proactive and obtain the evidence or intelligence I need sooner rather than later.

Don’t let a concern about Riley make you reactive. If you have probable cause to support a search warrant for a search incident to arrest, weigh the costs and benefits of obtaining “low hanging fruit” yourself, versus waiting for it.

Remember, as discussed in July, the contacts (both saved and unsaved), locations, calendar entries, and messages within a mobile device -- on their own, or as part of a pattern -- can help spur a victim’s memories and enable you, using what the Force Science Institute calls “cognitive interviewing,” to help them reconstruct a timeline of events leading up to trauma they experienced.

In addition, many labs are backlogged. If you can no longer afford to wait on someone else’s timetable for evidence, you should be tracking a wide range of metrics to show how and why to support mobile forensic examinations. This is true whether you’re a patrol officer, investigator/detective, or forensic examiner: your supervisors have a lot competing for their attention, so make issues with mobile device evidence worth their while.

Further reading: Using Mobile Device Data in the Interview Room, Justifying Mobile Device Forensics

Old: My officers will know how to handle mobile device evidence when they see it.

New: My officers need appropriate training, policy, and equipment to handle mobile device evidence properly.

Develop good policies and standard operating guidelines to standardize mobile evidence collection across the entire spectrum of forensic evidence handling, from seizing and securing the device to detailed forensic analysis.

And remember, because mobile device evidence can be volatile, don’t lock officers into standard operating procedures -- you should give them guidelines, but allow them to use their judgment based on their individual case, including whether they need to escalate the device to a specialist for further analysis.

Further reading: Training for In-Field Mobile Device Extraction

Old: My mobile device evidence extraction equipment is self-explanatory and easy to operate.

New: My officers need to be trained and certified to use the equipment.

Think in terms of any other tool you use, from radar to electric control devices to body-worn and in-car video systems: to ensure it’s being used properly – and that officers can testify in court about its use – you train, certify, re-train, and re-certify them.

Training should support both the proper use of equipment, and the proper application of policy, as well as an understanding of mobile devices themselves.

This includes properly preparing field training officers to help train new officers in their agency’s requirements for dealing with mobile device evidence, including any procedures involving electronic or telephonic search warrants, and how and when to escalate evidence to forensic labs. To encourage competence, scenario-based training should be available when possible, and ongoing, via re-certification, roll call training, and other methods.

Further reading: Training for In-Field Mobile Device Extraction

Remember: there’s no excuse for not proactively pursuing mobile device evidence extraction capabilities. Understand where your resistance comes from, and take the steps you need to address it:

  • Create better policy and standard operating guidelines.
  • Improve training and/or work processes.
  • Purchase better equipment (and get the funds to do it).
  • Build better relationships with investigators, prosecutors, or others involved in acquiring, analyzing, and testifying about mobile device evidence.

Further reading: Fear of Mobile Device Evidence Collection?

About the Author

Christa M. Miller

Christa M. Miller is Director of Mobile Forensics Marketing for Cellebrite USA. Christa has worked for more than 10 years as a journalist, specializing in digital forensics and other high tech topics for public safety trade magazines including Law Enforcement Technology and Officer.com. Christa is based in South Carolina.
