With a predicted 8.5 billion mobile subscribers by 2016 and an estimated average of 2 1/2 devices per person, it’s not too difficult to see that mobile devices are already a major factor in many facets of the law and will continue to increase rapidly in the near future.
As a connected society, just think of the things we currently do with our mobile devices. Because so much of our lives is now captured on mobile devices, the amount of potential evidence on these devices can be alarming. As a result, we are seeing more requests for mobile forensics examinations in legal areas such as personal injury, family law, civil litigation, employee/employer and patent law, in addition to the criminal law arena, which has traditionally made up the majority of digital and mobile forensic service requests.
While digital forensics is the branch of forensic science that focuses on the recovery and analysis of data residing in electronic or digital devices, mobile forensics is a specialized branch of digital forensics that focuses on the recovery and analysis of data from mobile-centric devices: phones, tablets, MP3 players, etc.
Consider this: everyone knows that computers store huge amounts of data, sometimes on a physically very small device such as a thumb drive or SD card. However, most people don’t consider that the mobile devices of today are compact forms of computers capable of storing similar amounts of data. Soon some smartphones and tablets will be capable of data storage equal to or exceeding many times the amount of most home computers and laptops.
Now when we think about data on mobile devices, we usually think about user data. There were over 1.6 million apps and over 82 billion downloads in 2013, and that number is expected to increase to 200 billion by 2017. Photos, text, voice mail, contacts and email are all user data, and while that data is vital in the course of a case, there is so much more potential data when you hire an expert who knows where to look. Mobile devices are the most personal electronic devices we use. They keep track of our schedule, appointments, photos and communications, both personal and business. However, they also keep track of our location, Internet habits, receipts and a wealth of other information that matters when trying to demonstrate actions or geolocation at a particular point in time.
When you acquire the information from the device and combine that with the information available from the user’s service provider, it provides an even clearer picture that allows us to define the actions or location of the user during the time in question. In a recent case, we proved that an individual could not have been at the location of a robbery at the specific time and place that was alleged by the prosecution. We were able to conclusively show that the defendant could not have committed the crime as they were more than 11 miles from the scene of the robbery at the time it occurred. This was made possible by the use of cell tower records obtained from the provider in conjunction with our ability to map the location of the defendant from that data. Once this information was provided in a pre-trial conference to the district attorney, all charges were dropped.
In a case involving a traffic collision, would it not be vital to know if the person responsible was texting or talking on the phone? Certainly it would. Additionally, would it be important to know whether the phone was connected to a Bluetooth device or was handheld, contrary to the law? What if your client was accused of being on the phone and they asserted they were not? How do you prove either?
Within this specialized field of forensics, there are times when a subpoena will not return the desired information from the subscriber’s carrier and a properly written and executed court order is necessary to obtain specific aspects related to geolocation data. There are also times when a traditional mobile forensic extraction is insufficient to acquire the desired data and more extreme methods must be pursued. These more aggressive forensic techniques involve taking the mobile phone apart, soldering leads connected to specialized forensic equipment to the printed circuit board, and extracting data at the binary level (a process referred to as JTAG) in order to recover vital information. While time-consuming and costly, it may be warranted in important cases.
From the basics of text messages and other forms of communication to the intricate method of mapping locations and extracting habitual data, the question to ask yourself is “Am I leaving evidence on the table?”
Over the next few months, we will write a series of articles giving you some insight into the mobile forensics world. We will try our best to keep the technical jargon to a minimum but still provide the information you need to make the judgement call as to whether a mobile forensic expert is needed in your case. We will include a Q&A sidebar in future articles. In the meantime, please feel free to contact us if you have immediate questions.
Darryl Bullens, CPE, CTF, CCLO, CCPA