It’s 0-dark-30 HRS and your team is gearing up to hit the five locations listed on your search warrant. Your search-warrant checklist includes computers, CDs, flash-storage media, business documents and, now, mobile phones. Evidence collection has just gotten harder.
It wasn’t too long ago when a mobile phone, the Motorola Dyna Tac, cost $3,995 and was aptly referred to as “the brick.” Now it seems everyone owns a mobile phone, from Grandma to 7-year-olds using Wherify’s GPS-integrated phone.
Mobile phones are the new Swiss Army knife, complete with date books, cameras, video and MP3 capabilities. For law enforcement, this cutting-edge, multi-faceted device is a double-edged sword; the information is there, but extraction and review can prove relatively arduous because most of the data is proprietary.
Why so difficult? First, there is a vast number of manufacturers, models, variations on accessories and different transmission technologies. Numerous types of external media now appear in mobile phones, from Secure Digital cards to TransFlash to the new Reduced Size MultiMedia cards. And if all this isn’t enough to keep investigators or detectives on their toes, the upgrade capabilities behind the devices add an element of the unknown.
The key: preparation. Establish a foundation for detectives, investigators and even patrol officers to properly handle and process mobile phones.
Handling the Device
Step-by-step procedures for each level of collection can properly and securely maintain the evidence available on these new devices. Many methods can extract data, but the first part of collection remains the actual handling of the device. Follow the simple flow chart above (“Cellular Device Seizure Procedures”) to maintain proper evidence. And, follow these basic rules:
1. Do not change the condition of the evidence. If it’s off, leave it off; if it’s on, leave it on;
2. Look for more devices. Recover any other potential points of evidence, which can include SIM cards, external media, power cables and data cables;
3. Make sure you have a search warrant prior to searching the device;
4. Return the device to a lab for proper processing; and
5. Use forensically sound software and processing tools, and validate your evidence.
Rule 1: Maintain the Device
Why should you maintain the phone in the condition in which you found it? Evidence. If you recover a phone in the off position, do not turn it on until you can do so without it registering on the network. Why? If a handset registers on the network, it can receive calls. A handset normally holds anywhere from 10–20 numbers in its received-call or missed-call list. If a new call comes in, the oldest number—a number that may have evidentiary value—drops off.
To remove a handset from the network, use a Faraday bag, such as Paraben’s Wireless StrongHold bag. These small mesh bags are composed of copper, silver and nickel to block all wireless signals from reaching the device while it’s in the bag. This allows you to keep the phone off the network and safely transport the evidence for processing while maintaining the condition of the evidence.
Other options include an empty paint can or aluminum foil. Both of these methods work but are not as secure as a proper Faraday device. One last method: Place the device in airplane or standalone mode. Don’t use this final alternative unless you are familiar with the handset because this action could potentially harm the evidence. This feature is available on most Motorola iDEN phones and is becoming more common in newer handsets. Bottom line: Any protection is better than allowing the phone to receive calls or possibly be remotely erased.
Why leave the device on? Two four-digit personal identification numbers (PINs) can prevent evidence gathering. One PIN belongs specifically to the handset, and investigators can bypass it with a variety of different free software tools. The handset’s default PIN setting depends on the manufacturer and service provider, but could be as simple as the last four digits of the phone number, 0000 or 1234. The user can easily change it.
The second PIN lock is the SIM PIN, which only applies to GSM phones. A SIM PIN, as with the handset PIN, comes with a default number; this, too, varies among service providers. However, once the user changes the SIM PIN, you can’t bypass it unless the user tells you the PIN or the service provider gives you the personal unlock key or personal unlock code (with the aid of a court order, of course). The SIM offers great security; to date, no one has been able to bypass the SIM PIN.
Rule 2: Look for Other Potential Evidence
The price of mobile phones has dropped considerably over the years. You can easily buy phones on eBay and add a prepaid phone card from Target or Wal-mart for less than $100. So, it certainly isn’t unreasonable to expect that many criminals may possess two, three or more phones. Never assume that once you’ve recovered one phone, your trail has ended. Always look for more.
Most phones can connect to a computer via data cables; in fact, more and more phones are sold with the data cables these days. By all means, grab any data cable you may find, including power cables—no power means no examination if the phone’s battery is dead. Rule of thumb: The battery must be charged at least 50 percent in order to complete an examination.
Mobile phone evidence is not limited to the handset. Accessory technology takes small to the extreme; many common external media cards, such as SD, Memory Stick Duo and TransFlash, are small enough to remain unnoticed but can hold 32MB–2GB of information. Many reference sites, such as Phonescoop.com, can help you identify potential accessories for mobile devices. Once at the Phonescoop site, you can check whether your mobile phone has external memory card capabilities, or whether other new accessories are available for your phone.
Rule 3: Legalities & Paperwork
The days of thumbing through a suspect’s phone to get his address book and call history without a search warrant are gone, which means the legal processes associated with this evidence have also changed. When do you need a search warrant? If you want to recover data from a suspect’s phone, you must have a signed search warrant to do so. Always err on the side of caution and obtain a warrant when in doubt.
What do you do with the service provider? You will need proper legal documentation when dealing with service providers, who will not disclose any information on a subscriber’s account without it.
What if a witness has a mobile phone? Get a signed consent-to-search form when you search a witness’s phone. Minds can change easily, especially when the witness turns out to be a friend of the suspect. Save yourself the aggravation of a witness on the stand who says, “They took the phone from me; I told them I didn’t want them to look at it!”
Important: Process a phone as soon as possible. Not that a phone sitting in your evidence locker will lose information if it’s turned off, but service providers store some information on their servers for a limited amount of time. (Note: Not true for a personal digital assistant (PDA), which can lose data if its battery runs down.) For example, text messages that pass through a messaging center may only remain on the servers for three days (depending on the service provider). So, if the phone you’ve recovered is important, don’t hold on to it. Secure the proper legal documentation and get the evidence processed.
Rules 4 & 5: The Lab, & Software Tools
There’s never just one tool for any job, and this philosophy applies to mobile-phone data gathering. No one software tool gathers data from every mobile phone. Therefore, everyone should have several tools in their toolbox in order to process mobile phones. In the United States, we must deal with four different technologies in mobile forensics:
1. GSM, or Global System for Mobile Communications;
2. CDMA, or Code Division Multiple Access. It’s used by Sprint and Verizon;
3. TDMA, or Time Division Multiple Access. It’s used by AT&T but is being phased out; and
4. iDEN, or Integrated Digitally Enhanced Network. It’s used by Nextel and Boost.
Again, no one software package can deal with all cell-phone technologies. Important: When you purchase software, check what phones it supports and what phones are coming across your desk. Also, make sure the tools you select come from a reputable supplier willing to support its tools in court.
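One concrete way to act on Rule 5’s “validate your evidence” is to record a cryptographic hash of every acquisition (logical or physical image) at the time it is made and re-check it before the examination and before court. The script below is an added example written for this article, not a tool from any vendor listed here; it assumes SHA-256 hashing is the validation method and uses a constructed sample image file, since the article itself does not prescribe a particular hash or tool.

```python
"""Added example (not from the article): re-verify an acquired mobile-phone image
against the hash recorded when it was acquired. Hash verification is assumed to be
what "validate your evidence" means here; file contents and names are constructed."""
import hashlib
import os
import tempfile


def sha256_bytes(data: bytes) -> str:
    """Hash an in-memory buffer (e.g. a SIM file read through a card reader)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so a large physical image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_acquisition(image_path: str, recorded_hash: str) -> dict:
    """Re-hash the image and compare with the value written in the evidence log
    at acquisition time. A mismatch means the image changed after acquisition and
    the examination results cannot be tied to the original seizure."""
    current = sha256_file(image_path)
    return {
        "image": os.path.basename(image_path),
        "recorded": recorded_hash.lower(),
        "current": current,
        "match": current == recorded_hash.lower(),
    }


def demo() -> tuple:
    """Walk through acquisition, verification, and detection of a later change.
    Returns (match_before_alteration, match_after_alteration)."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "handset_logical.bin")  # constructed name
        with open(image, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE IMAGE\x00" * 1000)  # constructed contents

        # Value that would be written into the chain-of-custody record.
        recorded = sha256_file(image)
        before = verify_acquisition(image, recorded)

        # Simulate the image being altered after acquisition (one byte changed).
        with open(image, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        after = verify_acquisition(image, recorded)

    return before["match"], after["match"]


if __name__ == "__main__":
    ok, tampered = demo()
    print("untouched image verifies:", ok)
    print("altered image verifies:", tampered)
```

Record the hash on the evidence log alongside the acquisition tool and version, and re-run the check at each hand-off; the comparison is what lets you show in court that the data examined is the data seized.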
More and more each day, mobile phones play a part in every investigation to some degree. Now is the time to take the necessary steps to learn proper procedure, software and hardware, and the emerging technology we call mobile-phone forensics.
The following list of manufacturers and software includes paid, open source and freeware software that have proven effective in processing phones both logically (recovering data easily seen by the user, such as a phonebook, pictures, videos, call history, etc.) and physically. This is by no means an exhaustive list; on the contrary, it’s just the beginning. As new phones flood the market, new software and hardware will certainly follow.
Law enforcement personnel can download this software through either the vendor’s Web site, or by registering at mobileforensics.info, a free Web site.
BitPim bitpim.sourceforge.net (free) BitPim is open-source software that allows users to view (logically only) a CDMA handset file system. It was not designed as a forensic tool, but it can prove valuable when processing CDMA phones, especially when you cannot find software that supports a particular phone. By viewing the phone’s file system, you can view and save pictures, audio and call lists, and recover the handset PIN code.
Paraben—Faraday Bag, Cell Seizure www.paraben.com Paraben’s Cell Seizure software supports both logical and physical analysis, depending on the device, and has been used in court. Cell Seizure was also designed to process the SIM card independently of the handset and generate a report solely on the SIM card. Paraben also offers the Cell Seizure Toolbox, which provides cabling support for many phones on the market.
SIMcon—SIM Content Controller simcon.no (free) SIMcon’s software allows users to securely image files on a GSM SIM card to a computer file with a standard PC/smart-card reader. Users can subsequently analyze the contents of the card, including stored numbers and text messages. This outstanding program was authored by Svein Willassen, an expert in computer forensics and digital evidence, who offers his program to law enforcement at no charge.
Susteen—DataPilot Secure View www.datapilot.com DataPilot Secure View is a read-only product that supports approximately 350 U.S. and Canadian phones. It only reads a phone logically, allowing users to view the phonebook, images, ring tones, calendar and, to some extent, text messages. This is an ideal program if you only need to recover the above items quickly and easily. In addition, DataPilot offers a USB cabling system for use with its software, and it’s compatible with most other software programs.
Other vendors and tools listed without descriptions:
• Phonebook Manager, Media Manager, SuperAgent RSS
• Compelson Labs
• Oxygen Software—Phone Manager II, Forensic version
• Guidance Software
• GsmServer Team
Karl Dunnagan is a 14-year veteran of the Los Angeles County Sheriff’s Department. From 1999 to 2005, he worked the Technical Operations Detail, part of the Southern California High Tech Crime Task Force. He’s a member of the National Association of Technical Investigators and the High Tech Crime Investigators Association. He is also the developer and owner of MobileForensics.info, a clearing house of information used by mobile forensic examiners.
Amber Schroader frequently instructs on high tech forensics and is involved with many different computer investigation organizations including High Tech Criminal Investigators Association, High Tech Crime Network and the Institute of Criminal Forensics Professionals. She is currently the director of forensics and new software development at Paraben Corporation.