Case studies are proof of the value.
The Value of Mobile Data in Criminal Investigations
By: Christa Miller
Today, carrying a smartphone is commonplace. According to Pew Research, 88 percent of American adults rely on cell phones to text, take photos, send e-mail, and access their social networks. What does this mean for law enforcement professionals? When it comes to uncovering, analyzing and submitting evidence in today’s criminal investigations, mobile phones play a more critical role than ever in bringing criminal offenders to justice.
Mobile forensics technology can assist law enforcement by enabling the most technologically advanced extraction, decoding, analysis and reporting of the data found on a wide range of smartphones, legacy and feature phones, tablets and GPS devices. Much of the time, this can even include deleted and hidden data—often invaluable evidence in both civil and criminal proceedings.
In addition to accessing data directly from a device (e.g. text message or e-mail), law enforcement can find value in the personal information stored within mobile applications. A 2013 Nielsen report indicated that the average smartphone user has approximately 41 apps stored on a single device. According to John Carney, Chief Technology Officer at Carney Forensics, “The ability to extract critical data stored in apps will become the new measuring stick by which investigators gauge the superiority of mobile forensics tools.”
There is no better way to understand the power of mobile forensics technology than seeing it in action. The following case studies—including a homicide conviction believed to be one of the nation’s first for texting while driving—highlight the work done by authorized investigators in the field of mobile data extraction and analysis using Cellebrite’s Universal Forensic Extraction Device (UFED). All four cases underscore the value of mobile forensics technology, and allowed professionals to crack the cases without compromising stringent Constitutional requirements.
Cell Pictures Provide Critical Evidence
In Columbus, Ohio, Detective Zane Kirby, a forensic examiner for the Franklin County Internet Crimes Against Children Task Force, helped to convict a 23-year-old man accused of trying to solicit an inappropriate relationship with a 13-year-old girl. The case breaker was lewd photos of the perpetrator found on his phone and sent to the victim.
Originally recovered from the victim’s home computer, the images later turned up on the suspect’s phone, together with deleted call logs and the girl’s name listed in the suspect’s contact list. The usage of mobile data provided strong enough evidence to result in a guilty verdict for the defendant.
Mobile Forensics Exonerate Falsely Accused
For investigators, clearing the wrongly accused is just as important as convicting the guilty. When an incoming Norwich University freshman was accused of inappropriate communications with an underage female, Peter Stephenson, the university’s chief information security officer, needed an accurate way to prove or disprove the allegations—specifically, whether the student was calling and texting the girl to solicit sex.
During interviews, the accused student denied knowing the girl and stated that he was only connected to her through a shared Facebook Group. In charge of the school’s digital investigations, Stephenson needed a way to conduct an objective, scientific examination of the student’s digital devices. The student voluntarily surrendered his phone for the investigation.
Although the student’s phone was an older device with a primitive operating system, Stephenson analyzed the phone and SIM card using Cellebrite’s UFED. The UFED revealed none of the alleged victim’s contact information in an otherwise full phonebook and no history of text messages between the student and the alleged victim. In addition, the SIM card contained no record of any calls made to the area code where the girl lived.
“The logs would’ve shown up on the SIM card, even if her contact information had been deleted,” Stephenson said. The girl’s parents, who filed the initial complaint, backed down on their claim. “The claim could have ended this student’s career before it even started,” Stephenson added.
Unlocking a Broken iPhone
Getting the right mobile evidence from a mobile device can be challenging enough. What if the phone has been badly physically damaged? That was a question Victoria (British Columbia, Canada) Police Detective Bob Elder faced when an iPhone was destroyed by an arrestee in custody. Having smuggled the phone through a body search and into his holding cell with him, the suspect smashed the phone when he saw police coming to confiscate it.
Elder, a mobile forensics expert, went to work trying to acquire the evidence. As it turned out, not only would the broken phone not power on, but a nearby repair shop said there was too much damage to put it back in working condition. For this phone, as for others not accessible through typical means, Elder turned to a newer data acquisition method: a “chip-off” RAW dump.
Chip-off acquisition is a destructive process that involves unsoldering the phone’s NAND memory chip from its board. “You can’t put the chip back, so this is a last resort,” Elder warned, “only to be used when the phone is too damaged or otherwise can’t be acquired in the usual ways, and when the phone’s data is necessary for a high-profile case.”
After manually locating the user data, Elder used Cellebrite’s UFED Physical Analyzer to validate his findings, including the date and time stamps. “On high-profile cases, it’s important to carve manually and then validate the findings using a secondary method,” Elder explained.
In this case, he was able to use the search functions—including Python scripting; regular expressions; and searches for strings, dates, codes, numbers, ICCID and SMS formats—to locate other user data that had been missed and to validate everything for a successful conclusion to the case.
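As an added illustration (not part of the original article, and not Cellebrite’s or Detective Elder’s code), the Python sketch below shows the kind of regular-expression search for ICCID formats mentioned above, with a Luhn checksum as a second validation of each hit. It assumes the ICCID is stored as ASCII digits; the function names and the sample bytes standing in for a raw dump are constructed for the example.

```python
import re

# Assumption: the ICCID is stored as ASCII digits. It starts with "89"
# (telecom prefix), is 19 or 20 digits long, and ends in a Luhn check digit.
ICCID_RE = re.compile(rb"(?<!\d)89\d{17,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def carve_iccids(dump: bytes):
    """Return (offset, iccid, luhn_valid) for every candidate in the dump.

    Failing candidates are flagged, not dropped, so the examiner can
    review them against a second tool.
    """
    hits = []
    for m in ICCID_RE.finditer(dump):
        text = m.group().decode("ascii")
        hits.append((m.start(), text, luhn_ok(text)))
    return hits

# Constructed sample data (not from any real device).
GOOD = "8901000000000000019"             # passes Luhn
BAD = "8901000000000000018"              # same number, corrupted check digit
TOO_LONG = "89" + "1" * 23               # 25-digit run, not an ICCID
SAMPLE_DUMP = (b"\x00\xffICCID=" + GOOD.encode() + b"\x00" * 8 +
               b"id:" + BAD.encode() + b"\xfe" + TOO_LONG.encode() + b"\x00")

if __name__ == "__main__":
    for offset, iccid, valid in carve_iccids(SAMPLE_DUMP):
        print(f"0x{offset:06x}  {iccid}  luhn={'ok' if valid else 'FAIL'}")
```

Recording the byte offset of each hit lets the same location be checked in a second tool, which is the manual-carve-then-validate workflow Elder describes.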
Nation’s First Texting Homicide Conviction
In Madison, Wisc., Detective Cindy Murphy, also a mobile forensics expert, testified in the case of a young female driver accused of striking and killing a pedestrian while text-messaging her boyfriend.
During this trial, the detective was able to refute the conclusion of a defense witness, who was untrained and inexperienced in the field of mobile forensics. That witness had erroneously concluded that the defendant’s mobile phone was not a reliable indicator of the order of text messages sent and received from the device.
Fortunately, the jury had already heard Murphy testify how she had used the UFED Physical Analyzer to determine how deleted messages on that phone model could affect the text entries’ order—resulting in a conviction for the driver.
“In my experience as a criminal investigator, password protections and deleted text messages, pictures and call logs once proved to be major obstacles in relying on mobile data as a feasible source of evidence,” Murphy commented. “Now, for crimes ranging from pedophilia to gang violence to human trafficking, we are able to use mobile data with a high degree of accuracy and integrity for convictions in criminal investigations. The impact has been significant for case clearance rates.”
These cases demonstrate the increasingly important role of mobile forensics in empowering investigators to gather and analyze cell phone data. As mobile phone usage increases, there is no doubt that stories like the ones above will become more common.
Education, Training and Technology
As Detective Murphy’s story illustrates, the thorough investigations described above would not have been possible if the experts behind them did not have the proper training. In order for law enforcement to adapt to the proliferation of mobile evidence and prepare to testify about their processes in court, it’s critical for organizations to invest in both technology and training as part of best practices.
Two types of training support this. First, mobile-forensics technology vendors use tool certifications to ensure that their solutions are implemented properly in the field and support standard procedures for gathering and submitting evidence. Second, vendor-neutral training provides a well-rounded approach to the scientific methods of mobile forensic evidence preservation, collection and analysis, including the validation emphasized by Detective Elder above.
Either way, a strong training program should include a number of areas. First, hands-on technology demonstration, i.e., using technology solutions to connect to mobile phones and extract information without compromising the phones’ integrity. Second, best practices for collecting and preserving digital evidence, both in real time from the field and as part of the ongoing investigation processes.
Third, processes for recovering hidden and deleted data: to retrieve information that may not be visible on the device, i.e., hidden within mobile applications or file metadata. Fourth, instruction on analyzing extracted data: to ensure that forensic examiners properly validate and interpret the outcomes such that they can be entered as valid evidence in court.
Powerful mobile forensics technology combined with consistent and up-to-date education and training for law enforcement will ensure that mobile data, and the methods used to obtain it, adhere to the Constitution’s search, seizure, and due process requirements.
Mobile Forensics in the Justice System
“Lawmakers and judges are looking at cell phones much more critically than they did computers,” said Gary Kessler, associate professor, Embry-Riddle Aeronautical University and a member of the ICAC North Florida Task Force. “However, because few understand the nature of the technology, they are erring greatly on the side of caution. This speaks to the need for greater education regarding the scope and possibilities of mobile forensics and what it means for privacy and pre-trial discovery.”
The case studies outlined here only scratch the surface of the important and growing role of mobile forensics in the modern justice system. As the usage of mobile data in criminal cases increases and more cell phones are submitted as evidence in court, it’s clear that law enforcement must adequately prepare to handle mobile forensics and the technology that powers it.
Christa M. Miller is currently the Director of Mobile Forensics Marketing for Cellebrite USA.