Hendon Publishing - Article Archive Details

Cell Phone Analysis: Part 1

"At a crime scene, grab the cell phone."


The Columbus, Ohio Police and the Ohio High Intensity Drug Trafficking Area offer a one-day course on Cell Phone Analysis across the U.S. Taught by Christine Roberts, the class familiarizes investigators and patrol officers alike with the basics of cell phone technology, the information and data stored on these phones, forensic methods used in retrieval, cell-tower site analysis, and the info available from cellular service providers.

This is all geared to better understanding the use of mobile devices as evidence in criminal trials. The course covers the use of information stored on the handset, SIM cards, expansion cards, prepaid phones, live and historical tracking, cell-based financial crimes, payments and money laundering, cyber stalking and cloud storage.

An incredible amount of evidence is just sitting on smartphones waiting for you to access it. You would never overlook a drop of blood at a crime scene. A cell phone may even be more helpful, and that includes info “deleted” from the phone.

Juries understand cell phones, cell phone towers and cell phone pinging. They also understand cell phones can put the suspect in the proximity of the crime. Or at least the cell phone was at the area – and the suspect testified that he never lets the cell out of his possession. Cell phones and cellular service providers are a vast source of evidence that investigators are just now grasping.

Mobile phones are one of the most important developments in technology in the courtroom in the last five years. When a person types and sends an e-mail or text message, they create a piece of evidence that can be used for or against them. Cell records can be used in court to show exactly where someone was – or was not – and to whom they were talking at a particular time.

Electronic and Retained Evidence
Two types of evidence can be retrieved from a cell phone: 1) electronic evidence and 2) retained data evidence. Electronic evidence includes the user’s call history, contacts / phone book, calendar information, and information stored on the SIM card. Retained data evidence consists of telecom records detailing the calls made and received and the geographical location of the mobile phone when each call took place. Part One will cover electronic evidence. Part Two (November 2012, LAW and ORDER) will cover retained evidence.

Electronic evidence is stored in different places depending on the channel access method of the phone. GSM (global system for mobile communication) is typically used by AT&T and T-Mobile. With this and the iDEN (integrated digital enhanced network) phones, evidence is stored on the handset and the SIM card. CDMA (code division multiple access) is typical of Verizon and Sprint-Nextel. The evidence here is all on the handset. There is no SIM card with CDMA phones. However, this is slowly changing – the new LTE network will require all phones to have a SIM card.

Every handset has a unique identification number. On CDMA phones, an ESN (electronic serial number) or a MEID (mobile equipment identifier) 56-bit serial number is used. On GSM phones, an IMEI (international mobile equipment identity) is used. Both are found under the battery. The point is this: you don’t need to know the phone number for the handset. You can subpoena the MEID/ESN or IMEI to obtain call detail records.

“The SIM card of a phone can contain a lot of valuable evidence. If you see these loose and lying around, grab them,” said Roberts. Then you can subpoena the ICCID number to the network provider and receive the toll records associated with that phone.

Electronic evidence is fragile. It can be altered, damaged or destroyed by improper handling or improper examination. Special precautions should be taken to document, collect, preserve and examine this type of evidence.

The Big Three
The address book, call history and text messages are the Big 3 in your investigation. The address book has contact information that gives insight to the social network of the suspect or victim. It can be used to link a suspect to a victim and to provide a list of people to interview. It can provide a cross-reference between real names and nicknames. And the picture next to the contact number can even put a face to a name.

The call history gives an even deeper insight into the activities of the owner. You can see the last received and sent calls, when they occurred and their duration. The duration is important for indirect conclusions. A wrong number going to voice mail would have a duration of 30 seconds, while a duration of 15 minutes indicates a real phone conversation.

Text messages are becoming more and more important in both criminal and civil proceedings. Texts are one of the most common forms of electronic evidence. Texts offer concrete and direct information in contrast to the call history and address book that only offer indirect and inferential information. These contain the actual words written by the owner or intended for the owner. That is good news for evidence in court.

Text Is Perishable
The bad news is that text messages are perishable. Cell phone companies no longer store or extract text messages. Verizon does not keep text messages on their servers for very long, between three and seven days. AT&T stores the text message for 48 hours to be sure it is delivered, and then deletes them.

The best chance to get any text message information is by searching the handset. If the telecom company keeps text messages, then an option is to fax a letterhead “preservation” request to the cell service provider. If this is done in time, the cell phone company will hold the data for a police agency for up to 90 days, allowing the investigator time to get a court or search warrant for records.

If the text messages have been deleted from the handset, a cell phone forensic specialist must become involved. Even then, “try” and “maybe” are what you are likely to hear. However, these forensic specialists pride themselves on doing the difficult and complicated. The lesson is that the text is not “deleted” until the cell forensics folks with all their expensive retrieval hardware and software say it is deleted.

Unlike text messages, voice mail is stored at the service provider for at least 30 days. Voice mail can be more damaging evidence than text messages. Texts don’t indicate tone of voice or sincerity. Voice mail reveals much more of a person’s intentions, especially in stalking or intimidation cases. Some of today’s smartphones store voicemail on the handset so don’t think that all voicemail is deleted.

Voicemail is easy to copy. Audacity.com offers free software. CellTap™ from JK Audio allows audio recording, including live recording, from any cell phone, not just smartphones. On the other hand, voice mail can also be deleted remotely.

Photos on SD Cards
People are proud of their crimes. They take cell phone pictures of the crimes as trophies, and sometimes cell phone videos of the crime in process. Data on the phone can be used to determine the exact date and time an image was taken, and possibly even a location.

Geotagging is the process of adding geographical identification to photos and videos. Geotags are automatically embedded in photos taken with smartphones. When these photos are uploaded to the Internet, they remain tagged with location data. Got a photo of a marijuana grow operation? Got a photo of a kidnap victim? The image probably contains the geotag with the latitude and longitude. “We often overlook this,” Roberts said.
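As an added illustration, not code from the article or the course, the following Python reads the GPS IFD of an EXIF/TIFF block and converts the degree/minute/second rationals into decimal coordinates, honoring the N/S and E/W reference tags so a western longitude comes out negative. The sample block is constructed by `build_geotagged_tiff` rather than taken from a real photo; the tag numbers and field types are the standard EXIF ones.

```python
import struct

GPS_IFD_POINTER, LONG, ASCII, RATIONAL = 0x8825, 4, 2, 5   # IFD0 pointer tag; TIFF field types
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4   # tags inside the GPS IFD

def _entries(data, offset, e):
    # Yield (tag, type, count, raw 4-byte value-or-offset) for each entry of the IFD at offset
    (n,) = struct.unpack(e + "H", data[offset:offset + 2])
    for i in range(n):
        p = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", data[p:p + 8])
        yield tag, typ, count, data[p + 8:p + 12]

def extract_gps(data):
    """Return (lat, lon) in decimal degrees from a TIFF/EXIF block, or None if it has no geotag."""
    e = "<" if data[:2] == b"II" else ">"              # byte order mark: "II" little, "MM" big
    (ifd0,) = struct.unpack(e + "I", data[4:8])
    gps = {tag: raw for tag, _, _, raw in _entries(data, ifd0, e)}.get(GPS_IFD_POINTER)
    if gps is None:
        return None
    fields = {}
    for tag, typ, count, raw in _entries(data, struct.unpack(e + "I", gps)[0], e):
        if typ == ASCII:                                 # "N\0" / "W\0" fit inside the 4-byte value
            fields[tag] = raw[:count].rstrip(b"\0").decode()
        elif typ == RATIONAL:                            # deg/min/sec triple stored at an offset
            (off,) = struct.unpack(e + "I", raw)
            v = struct.unpack(e + "II" * count, data[off:off + 8 * count])
            fields[tag] = [v[i] / v[i + 1] if v[i + 1] else 0.0 for i in range(0, 2 * count, 2)]
    if GPS_LAT not in fields or GPS_LON not in fields:
        return None
    lat = sum(x / k for x, k in zip(fields[GPS_LAT], (1, 60, 3600)))
    lon = sum(x / k for x, k in zip(fields[GPS_LON], (1, 60, 3600)))
    return (-lat if fields.get(GPS_LAT_REF, "N") == "S" else lat,
            -lon if fields.get(GPS_LON_REF, "E") == "W" else lon)

def build_geotagged_tiff(lat, lat_ref, lon, lon_ref):
    """Constructed sample: a minimal little-endian TIFF whose only content is a GPS IFD."""
    e = "<"
    def rat(v):  # positive decimal degrees -> three rationals: deg/1, min/1, (sec*100)/100
        d = int(v); m = int((v - d) * 60); s = round(((v - d) * 60 - m) * 6000)
        return struct.pack(e + "IIIIII", d, 1, m, 1, s, 100)
    ent = lambda tag, typ, count, val: struct.pack(e + "HHI", tag, typ, count) + val
    gps_ifd = 8 + 18                # header (8) + IFD0 with one entry (2 + 12 + 4)
    lat_off = gps_ifd + 54          # GPS IFD with four entries (2 + 48 + 4)
    lon_off = lat_off + 24          # three 8-byte rationals for latitude
    out = b"II" + struct.pack(e + "HI", 42, 8)
    out += struct.pack(e + "H", 1) + ent(GPS_IFD_POINTER, LONG, 1, struct.pack(e + "I", gps_ifd)) + b"\0" * 4
    out += struct.pack(e + "H", 4)
    out += ent(GPS_LAT_REF, ASCII, 2, lat_ref.encode() + b"\0" * 3)
    out += ent(GPS_LAT, RATIONAL, 3, struct.pack(e + "I", lat_off))
    out += ent(GPS_LON_REF, ASCII, 2, lon_ref.encode() + b"\0" * 3)
    out += ent(GPS_LON, RATIONAL, 3, struct.pack(e + "I", lon_off)) + b"\0" * 4
    return out + rat(lat) + rat(lon)
```

The same parser works on the EXIF segment of a real JPEG once the 6-byte "Exif\0\0" prefix has been stripped, since what follows is this TIFF structure.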

One place to look for images is the expansion memory (SD) cards. The iPhone does not use an SD card. It uses its hard drive instead. All other phones use an SD card. A 32-GB SD card can hold 12,320 (fine mode) photos. In a child porn case, one forensic specialist retrieved 4,500 images that had been “deleted.” One forensic specialist retrieved 5,800 text messages that had been “deleted.”

Just to keep the two straight, an SD expansion or memory card is very different from a SIM card. The SD card holds photos and videos. The SIM (subscriber identity module) card is the brains of the phone and stores the phone number subscribed to the phone.

Grab all the SD cards you can. Getting deleted images from these cards is relatively easy unless the information has been over-written. Consider asking cooperative witnesses (who have taken images of the crime or suspects) for their SD card – if you can verify that the evidence is stored on the SD card. You don’t need their phone (if it has an SD card) and they won’t want to give it up for the duration of a criminal investigation. Just ask for the SD card.

SIM Cards
SIM cards may hold incredible amounts of evidence. And the information on the SIM card may be very different from what is on the handset. The trained cell forensic specialist will want to process the cell phone (handset) separately from the SIM card in that phone. Deleted text messages on the SIM card can be retrieved as long as a new message has not over-written the old message. SIM card readers like Paraben are pretty common.

The investigator may find loose SIM cards lying around on desks or in wallets. Grab them. As a rule, AT&T and T-Mobile phones use SIM cards. Even the iPhone uses a SIM card if it is on AT&T. (Recall the iPhone does not use an SD card).

The phone book on the SIM card and the handset may have different phone book contact numbers. The SIM card typically holds between one and 10 numbers last dialed. The cell phone’s internal memory may hold many more than that.

If the Phone Is OFF
The rule: If the cell phone is OFF, leave it OFF until the SIM card and SD card are processed by a cell forensic specialist.

The location area identifier records the network location area in which the mobile phone last registered. This value is retained on the SIM card when the phone is turned OFF. However, the SIM card updates the location area identifier as soon as the phone is turned back ON.

You found the cell phone of an abducted child. What if that phone was turned OFF at the location the child is being held or the body was disposed? The location area identifier will tell you where the phone was when it was shut OFF. Turning the phone ON destroys that information!

Just turning the phone ON runs the risk of changing other data on the phone. For example, you turn the phone ON and two bad things can happen. First, new information may be added through an incoming call or text message. This may cause over-writing of existing calls, voice mails or text messages. On a SIM card that holds a maximum of 20 SMS, a new incoming text bumps off the oldest text, and that oldest text may have held valuable intel.

Second, turning the phone ON allows the increasingly common kill/wipe signal to be received. Just as voice mail can be remotely deleted, the hard drive can be remotely wiped. Most cell phone companies offer a lost-phone tool on smartphones. If you lose your phone, you can log onto the website and send a command to erase all the information stored on the phone: phone book, recent calls and text messages.

If the Phone Is ON
If the phone is ON, the very first step is to find a way to get the phone off the network. There are several options. One of the easier options is to put the cell phone in airplane mode (Stand Alone, Radio Off, Standby or Phone Off Mode). This is not considered a “search” because it is done to “preserve evidence.”

If the phone is on, leave it on. Why safeguard the phone in the “ON” position? Why not just turn it OFF or pull the battery? Doing so can cause the phone to activate a handset lock code that your forensic expert may not be able to bypass. A forensic expert can defeat many handset passcodes, but only on a small percentage of today’s phones. Always ask for the passcode from the suspect from whom you are taking the phone; you will be surprised how many suspects give up their passcode when asked. Make sure to write this passcode down for the forensic expert.

Pre-Paid Phones
Everything that can be done on a regular contract cell phone can be done on a pre-paid cell phone. Numerous Mobile Virtual Network Operators (MVNO) sell mobile services with few restrictions. Nextel has Boost; Sprint has Virgin, Disney and Helio; Verizon has Tracfone and Amp’d Mobile; AT&T has GoPhone; and T-Mobile has T-Mobile.

The advantage of a pre-paid phone for criminal activity is obvious: anonymity. Plans and phones are paid for with cash. There is no contract to tie the identity of the person to the device or service agreement. They are essentially disposable.

However, there is still valuable data on the Verizon, Nextel, T-Mobile and AT&T supported cell phones. It is on the handset and SIM card! This includes the last numbers dialed, call logs, call durations, pictures and text messages. (Text messages may contain names or nicknames.)

It gets better. Did the subject buy a ringtone, game, music or app on the Internet for the pre-paid phone? You might now have a credit card number. The same goes for purchasing additional minutes. They may have used an e-mail address when registering online for a receipt or a notification.

By mapping Call Data Records (patterns of communication) to known acquaintances and performing a Cell Site Analysis, it may be possible to either prove or disprove ownership of the pre-paid phone.

Damaged Phones
Don’t let a damaged phone, even a badly damaged one, stop you from obtaining evidence. The majority of all damaged cell phones can be repaired and processed. That includes the ever-common water damage. (One investigator had been able to recover some evidence from a phone that had been under water for two years). About 90 percent of water damage that most of us cause is just to the battery and connections. In fact, part of formal cell phone forensics training is cell phone repair. The iPhone, for example, has 42 screws and snap-in parts. Take the cell phone to the forensic expert and see if repairs can be made.

Formal training is necessary to become a cell phone forensic specialist. This training may be covered by grants, such as the Paul Coverdell Forensic Science Improvement Grant. Specialized hardware and/or software will be required. Software-based solutions include Paraben and Secure View. Hardware-based solutions are available from Cellebrite. Cellebrite is easy, portable and car-adaptable. The unit is a bit expensive, compared to the software-only solutions, including both an initial outlay and a yearly subscriber fee.

Grant money is available for cell-phone investigative training based in Ohio and California. This training ranges from the one-day initial overview, through a 40-hour advanced investigative course, to the formal cell-phone forensic training involving forensic and diagnostic hardware and software to process the handset and SIM cards.


Electronic Evidence Found on Cell Phones
(Including Deleted Information)

  • Text messages (SMS, Short Message Service)
  • Photo / Multimedia Messages (Multimedia Message Service)
  • Pictures and Images
  • Video and Audio Recordings
  • Call History Logs (calls received, calls made, missed calls)
  • Phonebook and Contact Lists
  • Calendar and Task List Entries
  • E-mails Stored on Handset
  • Internet Browsing History
  • Social Networking Artifacts (Twitter, Facebook)
  • Application Artifacts (data from apps installed on smartphones)


Evidence Found on SIM Cards:

  • Subscriber phone number
  • Service provider name
  • Phone book
  • Last dialed numbers
  • SMS text messages
  • Deleted text messages
  • Forbidden networks (FPLMN)
  • Location area identifier

Published in Law and Order, Nov 2012
