Cell Phone Forensic Investigations: What Can Be Found?

cellphone forensics
Veterans in Law Special Issue

Cell phones are the new dog; they are faithful, they are always with you, on your hip, in your pocket or purse. When you purchase them, they stay with you day and night like a faithful companion. But they have a memory…

Cell phones bring a whole dynamic into the equation of digital evidence. They are part of the mobile data world which also includes a laptop, tablet and USB device. This creates a wealth of evidence, both logical and physical.

Advertisement

Answering Legal Banner

In some ways a cell phone is better than a computer forensically. Many cell phones store large amounts of data, most have at least 8 GB of storage and many now boast 16, 32 or even 64 GB. Most have a camera; Droids and iPhones usually have two. Phones have video chat and convenient texting features. They store incoming, outgoing and missed calls, voice mail, visual voicemail, email, chat, sms and mms data, audio, picture and video data. They also capture GPS locational cell tower data. Some phones even synchronize to the cloud, like iCloud. Now data lives in multiple spots and for a forensic investigator, it gives us even more opportunities to find the data.

This is what the forensic investigator thrives on. Can you recover deleted data, deleted pictures, text, video, and so on from a cell phone? YES. You can even get GPS locations and cell tower connections. All complete with time and date stamps. There is so much data in today’s smart phone, a guilty party would be foolhardy to use one and not expect SOMETHING to be evident given the right search and seizure procedures.

Also consider an iPad or other tablet device (many of these are based on either phone or computer operating systems). Realize that a tablet doesn’t usually replace another device, it is an additional device. Many times, our suspects, targets or persons of interest have a phone, a computer or maybe even two AND a tablet. This is a forensic investigator’s dream! Throw in a plethora of thumb/USB memory devices and backup drives, as icing on the cake. It is not unheard of for a typical full acquisition to include a half dozen or more devices. If you are dealing with a bad guy, it is unlikely that they will be thorough enough to cover ALL of their digital tracks when a qualified digital forensic investigator is involved.

Advertisement

Eza Mediation

In order to correctly process the devices listed above, specific tools are necessary and many of the right tools require a significant capital investment. Proper acquisition is of the utmost importance in any forensic engagement. The cellular phone forensic procedures are no different. Think operating systems: Windows (any version), Mac (any version), Unix (any version). Now think iOS and Android. Again, any version… These are all operating systems, they store data in specific ways and no one tool can capture all of the information and artifacts on all devices. These tools and the qualified persons using them are the most important factor in digital forensics. For example, one of the most effective and reliably documented cell phone forensic tools today is the Cellebrite UFED. The UFED is a forensic version of the tool used by virtually every cellular store that takes your old phone and transfers your data to your new phone. They are ingrained in the cellular development market for transferring data from one phone to the next. Forensically, they can capture comprehensive amounts of data from cell phones, smart phones and tablet devices that almost all other tools cannot. While there is no one tool that can be used to capture all devices, the Cellebrite is an important and necessary tool for any cell/tablet forensic investigator. Not many investigative companies have made the commitment to both constant training and investment in the technology required to competently capture all of the evidence. Karl Epps

Karl Epps

Karl Epps is a partner at Epps Forensic Consulting and manages the tech consulting division which provides computer support, computer-related insurance claims consulting, data recovery and forensic technology services. Karl is an EnCase Certified Examiner. Karl can be reached at 602-463-5544 or [email protected].

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts