It was a dark and stormy night. In a narrow alley on the west side of Chicago, a dead woman is slumped inside her Mercedes, clutching her mobile phone to her head, as if she were still in conversation. Rain pours through the broken car window, blown out by the bullet that went through the woman’s temple. A small crowd is standing around the car as Chicago PD detective Nick Fasano arrives on the scene, responding to a 911 call made by a witness waiting in a restaurant line. Fasano knows he’s looking at a homicide. For one thing, there’s that bullet in her head. He immediately realizes that another sort of witness to this crime might be on the other end of that phone connection.
He reaches through the open car window to grab the phone and thumb through its recent call history. Then he stops himself. He knows better than to disturb a crime scene. And he’s never seen that particular model of phone—he could potentially push the wrong buttons and destroy evidence. He needs to get that device to a forensic lab, where the information can be extracted properly, in a way that preserves not only the contacts, call histories, text messages, e-mail, images, and videos but also their admissibility in court.
If the fictitious Fasano were a television detective, forensic examiners would arrive in moments with high-tech tools and search the phone on the spot. Fasano would have the information he needed in 15 minutes and he’d solve the entire case within the hour. Here’s the reality: Detectives don’t carry forensic tool kits that let them search mobile devices. Instead, they photograph the scene and then remove the phone. But this procedure is riddled with pitfalls.
A detective who finds a mobile phone at a crime scene immediately has a decision to make: whether to turn the phone off or leave it on. If he turns it off, the examiner in the lab may face a lock-screen password when the phone restarts (60 percent of people password-protect their phones, according to a 2009 study by Credant Technologies). If he leaves it on, the phone can keep receiving calls and text messages during the drive to the lab, and because many phones keep only a fixed number of call-log entries, each new call can push an older, evidentially valuable one out. It's even possible that someone connected to the crime will deliberately hit the phone with a text or e-mail "bomb," flooding its memory with messages that crowd all the earlier entries out of the log.
To prevent that, the detective could leave the phone on and seal it in a shielding bag, a pouch of conductive metal mesh (a Faraday bag) that blocks radio signals; such products are readily available. But even that tactic has costs. Bagging the phone can erase vital location information stored by certain kinds of phones: after searching for a signal for a while, the phone gives up and zeroes out the register that holds its last known location. Bagging the phone also drains the battery faster, because a phone that cannot find a tower raises its transmitting power to the maximum while it keeps trying. And these preservation bags aren't perfectly impervious to wireless signals. Drive within a few dozen meters of a cellphone tower and all bets are off.
Back to Fasano (who, along with the others named in this article, is a fictional character based on actual cases I’ve come across in my work consulting for federal, state, and local law enforcement agencies). Fasano photographs the scene and takes the cellphone. Because the phone is already on and at least 75 percent charged, he leaves it on, without a shielding bag, taking the risk that incoming calls may overwrite evidence. He races to the forensic lab.
At the lab, Fasano tells the forensic examiner, Marla McKenna, about the phone and its relationship to the crime scene. McKenna tells Fasano the exam will take several hours. Then she photographs the front and back of the phone and takes a close-up of the screen. She notes the name of the manufacturer—HTC—and the carrier branded on the phone’s case. She looks through her selection of nearly 100 different data cables, hunting for one that will fit. She’ll need a charging cable soon as well.
She’s not sure of the model number; that’s usually stamped under the battery, and she’s not ready to remove the battery and kill the power. She goes online to look at phones by HTC, trying to home in on the model by matching its styling with the pictures on the screen. She decides it’s an HTC Magic—an Android-powered touch phone. Only now can she determine what hardware and software tools to use to examine this phone.
Believe it or not, there are actually quite a few forensic tool kits available that can suck out the binary contents of cellphones. The group includes the Universal Forensic Extraction Device from Cellebrite Mobile, XRY and XACT from Micro Systemation, Secure View from Susteen, Aceso from Radio Tactics, Device Seizure from Paraben Corp., MOBILedit Forensic from Compelson Labs, and the Forensic Suite from Oxygen Software. In choosing a forensic tool, McKenna must consider quite a few options, because no single package can disgorge the data inside each and every mobile phone on the market. Some kits were developed specifically to meet the needs of the examiner, but most are offshoots of consumer products that let people transfer photos, address books, ringtones, and other stored information from an old phone to a new one, or synchronize calendars and contacts with files stored on a personal computer.
Such consumer products, known as synchronization tools, generally don't meet the needs of a forensic examiner, because they do nothing to show that the phone data has not been altered, which means the data might not be admissible in court. Tools built for evidence handling don't make tampering impossible either, but they make it straightforward to prove whether or not tampering occurred. They do this with cryptographic hash functions such as MD5 and SHA-256. As the software pulls the data from the phone into the computer, it runs the hash function over every extracted file (or over the whole memory image) and records the resulting fixed-length digest, a value that changes unpredictably if even a single bit of the input changes. Later, if attorneys or a judge question the integrity of the evidence, the examiner hashes the stored data again. If the new digest does not match the recorded one, the data has changed since acquisition and its authenticity can be challenged; if it matches, the examiner can testify that it has not.
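The hash check described above, as an added example that is not code from the article or from any of the forensic products it names. It builds a manifest of digests over a constructed sample extraction (three made-up files, not data from any real phone), then re-verifies a copy in which one file has been edited without changing its size and another has gone missing; the file names and the manifest layout are this example's own choices.

```python
import hashlib
from typing import Dict, List

# Constructed sample "extraction": file name -> bytes as a tool would write them
# to the examiner's disk. These are not files from any real phone.
EXTRACTION: Dict[str, bytes] = {
    "contacts.vcf": b"BEGIN:VCARD\nFN:Danny\nTEL:+13125550199\nEND:VCARD\n",
    "sms.xml": b"<sms from='+13125550199' ts='2010-04-02T23:41:07'>You'll be sorry.</sms>\n",
    "IMG_0001.jpg": bytes.fromhex("ffd8ffe000104a46494600") + b"\x00" * 64 + b"\xff\xd9",
}

def digest(data: bytes, algo: str = "sha256") -> str:
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()

def build_manifest(files: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Record size, MD5 and SHA-256 of every acquired file at acquisition time.
    MD5 is kept because many lab reports still list it; SHA-256 is the
    collision-resistant digest the verification below actually relies on."""
    return {
        name: {"size": str(len(blob)), "md5": digest(blob, "md5"), "sha256": digest(blob)}
        for name, blob in files.items()
    }

def verify(manifest: Dict[str, Dict[str, str]], files: Dict[str, bytes]) -> List[str]:
    """Re-hash the files on disk; an empty list means everything matches."""
    problems = []
    for name, rec in manifest.items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif digest(files[name]) != rec["sha256"]:
            problems.append(f"modified: {name}")
    problems.extend(f"unexpected: {name}" for name in files if name not in manifest)
    return sorted(problems)

def demo() -> List[str]:
    manifest = build_manifest(EXTRACTION)        # done once, at acquisition
    assert verify(manifest, EXTRACTION) == []    # an untouched copy verifies clean
    tampered = dict(EXTRACTION)                  # same size, one word changed ...
    tampered["sms.xml"] = tampered["sms.xml"].replace(b"sorry", b"happy")
    del tampered["IMG_0001.jpg"]                 # ... and one file gone
    return verify(manifest, tampered)

if __name__ == "__main__":
    print(demo())
```

Note that the size field alone would not have caught the edit to sms.xml; only the digest does. The check is also only as good as the manifest's custody: whoever can rewrite both the files and the manifest defeats it, so the digests belong in the contemporaneous case notes and the printed report, not only on the same DVD as the data.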
The data we've been talking about so far comes from the phone's built-in memory, the non-volatile flash memory chips soldered to the phone's board (not RAM, whose contents are lost when the power goes). This internal memory holds the user's contacts, call history, text messages, images, videos, e-mail, and cached Web pages, as well as the basic information the phone needs to connect to the network. Phones may also have removable memory cards, usually in the MicroSD format. Most forensic tools pull the card's contents as part of the same extraction; the card can also be removed from the phone later and read as if it were a flash-based hard drive. For some phones, that's where the story ends. But phones built to the Global System for Mobile Communications (GSM) standard have an additional storage area: a removable smart card known as the subscriber identity module (SIM). GSM is the most common phone standard outside the United States and is also used by AT&T and T-Mobile USA inside the country. The SIM holds the subscriber identity and phone number, along with the authentication keys and other security information that let the phone connect to the network. It also acts as secondary storage for contacts, text messages, call history, and other information the user might want to carry to another phone; on many phones it's up to the user whether such data is saved to the built-in memory or to the SIM.
The SIM can be a great place to look for evidence, because deleting a text message or contact from the SIM doesn't necessarily destroy the data. The SIM stores each message in a fixed-size record whose first byte is a status flag; deleting the message merely clears that flag so the phone treats the slot as free, while the message body stays in the record, invisible to the phone's user interface. The text actually disappears only when the phone writes a new message into that slot. Since the SIM's message store holds only about 20 or 40 messages, slots do get reused, but a deleted message frequently survives long enough for an examiner to read it straight out of the record.
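Recovering those flagged-but-not-erased messages, as an added example that is not code from the article or from any forensic product. It assumes the examiner already has a dump of the SIM's EF_SMS file (file ID 6F3C), which holds one 176-byte record per message with the status byte first; the example builds a three-slot sample image itself (a read message, a "deleted" one with status 0x00 but its body intact, and a never-used slot full of 0xFF) using the SMS-DELIVER layout from 3GPP TS 23.040, then walks it and reports every slot that still contains data. The text decoder handles only the ASCII subset of the GSM 7-bit alphabet; the sample numbers, timestamp and message texts are constructed.

```python
from typing import Dict, List

REC_LEN = 176                       # EF_SMS record length fixed by 3GPP TS 51.011
STATUS = {0x01: "read", 0x03: "unread", 0x05: "sent", 0x07: "to be sent"}

def pack7(text: str) -> bytes:
    """GSM 7-bit packing; ASCII subset of the 03.38 default alphabet only."""
    acc, bits, out = 0, 0, bytearray()
    for ch in text:
        acc |= (ord(ch) & 0x7F) << bits
        bits += 7
        while bits >= 8:
            out.append(acc & 0xFF); acc >>= 8; bits -= 8
    if bits:
        out.append(acc & 0xFF)
    return bytes(out)

def unpack7(data: bytes, septets: int) -> str:
    acc, bits, out = 0, 0, []
    for b in data:
        acc |= b << bits
        bits += 8
        while bits >= 7 and len(out) < septets:
            out.append(chr(acc & 0x7F)); acc >>= 7; bits -= 7
    return "".join(out)

def bcd_swapped(digits: str) -> bytes:
    """Phone-number digits as nibble-swapped BCD, padded with F when odd."""
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))

def decode_number(field: bytes) -> str:
    """field = type-of-address byte followed by swapped BCD digits."""
    digits = "".join(f"{b & 0xF:X}{b >> 4:X}" for b in field[1:]).rstrip("F")
    return ("+" if field[0] & 0x70 == 0x10 else "") + digits   # 0x1x = international

def decode_scts(ts: bytes) -> str:
    yy, mo, dd, hh, mi, ss = (int(f"{b & 0xF}{b >> 4}") for b in ts[:6])
    q = int(f"{ts[6] & 0x7}{ts[6] >> 4}")          # zone in quarter hours, sign in bit 3
    sign = "-" if ts[6] & 0x08 else "+"
    return f"20{yy:02d}-{mo:02d}-{dd:02d}T{hh:02d}:{mi:02d}:{ss:02d}{sign}{q // 4:02d}:{q % 4 * 15:02d}"

def build_deliver(status: int, smsc: str, sender: str, scts: bytes, text: str) -> bytes:
    """Constructed SMS-DELIVER record in TS 23.040 layout, used only to build the sample."""
    sc = b"\x91" + bcd_swapped(smsc)
    tpdu = bytes([len(sc)]) + sc + b"\x04"                 # MTI = DELIVER, no more messages
    tpdu += bytes([len(sender), 0x91]) + bcd_swapped(sender)
    tpdu += b"\x00\x00" + scts + bytes([len(text)]) + pack7(text)   # PID, DCS = 7-bit
    rec = bytes([status]) + tpdu
    return rec + b"\xFF" * (REC_LEN - len(rec))

def parse_deliver(rec: bytes) -> Dict[str, object]:
    body = rec[1:]                                   # everything after the status byte
    pos = 1 + body[0]
    smsc = decode_number(body[1:pos])
    mti = body[pos] & 0x03; pos += 1
    if mti != 0:
        return {"smsc": smsc, "note": "not SMS-DELIVER; SUBMIT parsing not implemented"}
    n = (body[pos] + 1) // 2; pos += 1               # originator: digit count -> bytes
    sender = decode_number(body[pos:pos + 1 + n]); pos += 1 + n
    dcs = body[pos + 1]; pos += 2                    # skip PID, read DCS
    when = decode_scts(body[pos:pos + 7]); pos += 7
    udl = body[pos]; pos += 1
    text = unpack7(body[pos:pos + (udl * 7 + 7) // 8], udl) if dcs == 0 else None
    return {"smsc": smsc, "sender": sender, "scts": when, "text": text}

def walk_ef_sms(image: bytes) -> List[Dict[str, object]]:
    """Return every slot that holds data, including ones flagged free (deleted)."""
    found = []
    for slot, off in enumerate(range(0, len(image), REC_LEN), start=1):
        rec = image[off:off + REC_LEN]
        if rec[1:] == b"\xFF" * (REC_LEN - 1):
            continue                                 # never written: nothing to recover
        msg = parse_deliver(rec)
        msg["slot"] = slot
        if rec[0] & 0x01:                            # bit 0 set = slot in use
            msg["state"] = STATUS.get(rec[0], f"used, status 0x{rec[0]:02x}")
        else:
            msg["state"] = "deleted: flagged free but body still present"
        found.append(msg)
    return found

TS = bytes.fromhex("0140203214700a")          # 2010-04-02 23:41:07 UTC-5, swapped BCD
SAMPLE_EF_SMS = (                              # constructed three-slot image
    build_deliver(0x01, "13125550001", "13125550199", TS, "Call me. Now.")
    + build_deliver(0x00, "13125550001", "13125550199", TS, "Meet me in the alley at 11.")
    + b"\xFF" * REC_LEN
)

if __name__ == "__main__":
    for m in walk_ef_sms(SAMPLE_EF_SMS):
        print(m)
```

A phone's own menus would show only slot 1; slot 2 is what the article calls a hidden message. On a real card the image comes from a smart-card reader issuing SELECT and READ RECORD commands for each slot, and the whole dump should be hashed before any parsing, for the reasons given above.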
Extracting these hidden messages from the SIM sometimes requires even more software tools. Ideally, a forensic lab would have enough different tools on hand to cover all the cellphone carriers and models sold in its region. But the typical forensics lab can afford only a small proportion of these tools; they’re just too expensive, with prices often in the tens of thousands of dollars. To make the situation even worse, these tools can handle only certain specific sets of data. For any one type of phone, the lab must purchase one piece of software to pull the contacts, call history, and text messages and a second software tool to pull the images, videos, and ringtones. And as a final blow to the lab budget, the tools must be updated frequently to handle new phone models, new versions of phone operating systems, and other technologies.
Let’s say McKenna’s lab currently has 12 different software and hardware tools, each using a variety of communication protocols specific to various device manufacturers. These protocols, such as BREW, OBEX, FBUS, and SyncML, to name a few, allow the forensic hardware and software tools to communicate with the various phones and access their data on both the SIM card and the main memory.
The next step is to move the phone data to a computer that’s set up to preserve the evidence in a legally acceptable way. Cellphone data is obviously different from blood spatters in the back of a car, but for either to be used as evidence in a court of law, it must be gathered according to standard methods acceptable to that court.
Now that McKenna has selected software tools and connected the cable, she waits—and hopes—for the tool to connect to the phone. The tool may try several different communication protocols to do this. Finally, after several attempts, the software starts transferring data from the phone to the computer. Depending on the memory capacity and the processor speed of the phone, this could take anywhere from 5 minutes to 3 hours.
Unfortunately for the beleaguered McKenna, this is a smartphone with a memory packed with more than 750 contacts, at least 1000 text messages, and more than 2000 e-mails, along with scores of images and videos. She’s in for a long night.
Getting data from a mobile phone is not like backing up a hard drive—it’s more like surfing the Internet. The software pulls the data from the phone in context, starting with the contents of the various phone books, its own number, and contacts, as well as missed, dialed, and received calls. Then it moves on to the message stores, including the draft, in-box, and out-box files, before wrapping up with the music, images and videos, and so on.
And that's the reason matching the software to the phone is so critical. For example, Motorola, Nokia, Samsung, and Sony Ericsson phones all accept a common set of commands beginning with the characters "AT," which call the device to "attention." The convention is a holdover from the command set of Hayes modems of the early 1980s; the GSM-specific extensions (AT+CPBR to read phonebook entries, AT+CMGL to list stored messages, and so on) were standardized by ETSI and are now maintained as 3GPP TS 27.007 and TS 27.005. Other phone manufacturers rely on proprietary communication protocols, and smartphone makers put their own twists on phone communications: Apple, for example, talks to the phone through its iTunes software, and RIM through its own BlackBerry Desktop Manager.
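The "in context" pull described in the two paragraphs above, as an added example that is not code from the article or from any forensic product. A stand-in modem answers with a constructed transcript of standard AT+ responses (IMEI, IMSI, a SIM phonebook, a dialled-calls store the phone does not offer, and two messages in text mode); the IMEI, IMSI, numbers and texts are invented, and the exact order of requests is this example's choice. It shows both sides of the exchange, how an ERROR on one store is recorded rather than fatal, and where a PDU-only phone would force the examiner onto a different decoder.

```python
import re
from typing import Dict, List, Optional

# Constructed transcript of what a GSM phone speaking the standard AT+ command
# set (3GPP TS 27.007 / 27.005) might answer. Not a capture from a real device.
CANNED: Dict[str, str] = {
    "AT": "OK",
    "AT+CGSN": "004999010640000\r\nOK",            # IMEI (constructed value)
    "AT+CIMI": "310410123456789\r\nOK",            # IMSI (constructed value)
    'AT+CPBS="SM"': "OK",                          # select the SIM phonebook
    "AT+CPBR=1,3": ('+CPBR: 1,"+13125550199",145,"Danny"\r\n'
                    '+CPBR: 3,"3125550142",129,"Mom"\r\nOK'),
    'AT+CPBS="DC"': "ERROR",                       # no dialled-calls list over AT
    "AT+CMGF=1": "OK",                             # text mode accepted
    'AT+CMGL="ALL"': ('+CMGL: 1,"REC READ","+13125550199",,"10/04/02,23:41:07-20"\r\n'
                      "You'll be sorry.\r\n"
                      '+CMGL: 2,"STO SENT","+13125550142",,\r\n'
                      "Home by midnight.\r\nOK"),
}

class FakeModem:
    """Stands in for the serial port; every exchange is logged for the case file."""
    def __init__(self, table: Dict[str, str]) -> None:
        self.table = table
        self.log: List[tuple] = []
    def send(self, cmd: str) -> List[str]:
        resp = self.table.get(cmd, "ERROR")      # unknown command: a modem says ERROR
        self.log.append((cmd, resp))
        return resp.split("\r\n")

CPBR_RE = re.compile(r'^\+CPBR: (\d+),"([^"]*)",(\d+),"([^"]*)"$')
CMGL_RE = re.compile(r'^\+CMGL: (\d+),"([^"]*)","([^"]*)",(?:"([^"]*)")?,(?:"([^"]*)")?')

def ok(lines: List[str]) -> bool:
    return lines[-1] == "OK"

def read_phonebook(modem: FakeModem, storage: str, first: int, last: int) -> Optional[List[dict]]:
    """Select a phonebook store ("SM" = SIM, "DC" = dialled calls, ...) and read it."""
    if not ok(modem.send(f'AT+CPBS="{storage}"')):
        return None                              # this phone does not offer that store
    entries = []
    for line in modem.send(f"AT+CPBR={first},{last}"):
        m = CPBR_RE.match(line)
        if m:
            idx, number, toa, name = m.groups()
            if int(toa) == 145 and not number.startswith("+"):
                number = "+" + number            # 145 = international type of address
            entries.append({"index": int(idx), "number": number, "name": name})
    return entries

def read_messages(modem: FakeModem) -> Optional[List[dict]]:
    if not ok(modem.send("AT+CMGF=1")):
        return None        # PDU-only phone: caller must fall back to a TPDU decoder
    lines = modem.send('AT+CMGL="ALL"')
    msgs, i = [], 0
    while i < len(lines):
        m = CMGL_RE.match(lines[i])
        if m:                                    # header line; the body is the next line
            idx, stat, addr, _alpha, scts = m.groups()
            body = lines[i + 1] if i + 1 < len(lines) else ""
            msgs.append({"index": int(idx), "status": stat, "address": addr,
                         "time": scts, "text": body})
            i += 2
        else:
            i += 1
    return msgs

def acquire(modem: FakeModem) -> dict:
    """Pull data in the order the article describes: identity, phonebooks, then messages."""
    if not ok(modem.send("AT")):
        raise RuntimeError("no AT response: try another protocol or cable")
    return {
        "imei": modem.send("AT+CGSN")[0],
        "imsi": modem.send("AT+CIMI")[0],
        "sim_phonebook": read_phonebook(modem, "SM", 1, 3),
        "dialled_calls": read_phonebook(modem, "DC", 1, 10),
        "messages": read_messages(modem),
        "transcript": list(modem.log),           # both sides, for the report
    }

if __name__ == "__main__":
    for key, value in acquire(FakeModem(CANNED)).items():
        print(key, value)
```

One caveat a real examiner has to document: TS 27.005 notes that listing a message stored as "REC UNREAD" can change its stored status to "REC READ," so even this read-only looking exchange can alter the phone, which is one more reason the raw transcript and the hashes of what came back belong in the report.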
The best case is a physical acquisition: some tools copy the phone's memory bit by bit into a duplicate image on the examiner's hard drive, deleted and unallocated areas included. On many phones that requires a special cable that connects to the circuit board through tiny test contacts, typically hidden under the battery. In the worst case, no software at all is available for the specific phone in front of the examiner.
For Fasano, there is hope. An Android phone stores information much as a hard drive does, as a set of files within nested folders. Several of the available tools can pull those files onto the computer, either bit by bit, creating an exact copy of the phone's storage on the computer's hard disk, or as a tree of files and folders that preserves the original nesting. Were this an ordinary feature phone, the software would instead sort the data into simple sets of related information: contacts, text messages, images, and so on.
After about 2 hours, the forensic software finishes transferring the files to the computer and analyzing them, categorizing the different types of information. The software then generates a 192-page report detailing the recovered evidence. Finally, McKenna goes through the screens by hand, spot-checking the information to make sure that the software did a complete and accurate job; she may later have to testify to this fact in court.
After saving the report and respective e-mail, image, and video files to a DVD, McKenna calls Fasano. She has good news for him. She explains that in those 192 pages there are close to 2000 text messages, which may shed light on at least 100 different conversations the victim had over the last year and a half with people among the 750 names found in her phone’s contacts list. Besides all that, Fasano will also get access to other important pieces of evidence from the phone, such as the call history, received and sent e-mails, Internet browsing history, and the browser cache.
Meanwhile, across town, several local, state, and federal agencies are conducting a drug bust. Jay Webb, the lead narcotics agent, is using a one-of-a-kind tool kit developed out of the Cyber Forensics Lab at Purdue University. (Full disclosure: Besides consulting for law enforcement agencies, I am a Purdue professor associated with that lab.) During the bust, Webb and his men capture 13 different phones from a group of men who were processing crack cocaine until...well, very shortly before the raid began. Right at the scene, moments after the bust, Webb connects each of those phones to its corresponding cable and to his laptop computer to quickly get the most important evidence: contacts, call history, text messages, specific images, and videos. The software requires no forensic training or even knowledge of the model of the phone he’s dealing with. It can detect enough information about the phone to decide for itself what protocols to use. Within minutes Webb is tracking down other buyers and sellers based on information retrieved from the first of the 13 drug dealers’ phones.
It’s a basic scene that’s playing out with increasing frequency all over the world, but not always with the happy result that Webb achieves. Forensic labs everywhere are being slammed with an influx of mobile phones found at crime scenes—hundreds of thousands annually in the United States alone. So there’s a real need for investigators in the field to be able to triage the key evidence before having to take it to a lab for a full forensic exam. The problem is so acute that some ambitious detectives are taking training courses and purchasing forensic tools in an attempt to get a jump on their own labs. Sadly, the time and energy expended in this effort are often wasted. The initial software costs of up to US $25 000 and ongoing costs of up to $5000 annually (for licenses and updates) are high, and many times the tools sold to these detectives are too advanced for their on-the-spot intelligence needs.
Often a first responder just needs quick information from these devices, such as the call history, the contacts, or the text messages. This information is immensely useful in helping the on-scene investigator determine the next steps in his investigation. The contact lists represent a useful group of suspects, allies, and family members; the call history tells who was most recently in communication with the victim or suspect; and the text messages reveal those quick and easy private conversations that often give specific details of what was going on perhaps moments before a murder or a raid. Images and videos further fill out the portrait that the information on the phone has started to sketch about the owner (or former owner).
These new on-the-scene forensic tools are slowly making their way into the hands of law enforcement officials. However, with each new phone come new services, new features and, sometimes, new operating systems. The manufacturers struggle to keep their tools up to date. So most detectives, like Fasano, still have to wait for lab results.
Fasano’s story ends badly. When he returns to the lab several hours later, he picks up the report. As he sorts through its 192 pages, he realizes that many of the text messages came from one contact distraught over the end of a relationship; one message reads, “You’ll be sorry.” Fasano grabs for his cellphone to call the county prosecutor to get an arrest warrant, but by the time the detective arrives at the suspect’s apartment, the place is empty, showing signs of a hurried departure. After several fruitless months, he drops the investigation.
Fast-forward five years. Fasano’s department, having recognized the importance of cellphone evidence, now has the latest tools, and a similar story of crime will end this time in punishment.
In a narrow alley on the west side of Chicago, a dead woman is slumped inside her Mercedes, clutching her mobile phone to her head. Rain pours through the broken car window, blown out by the bullet that went through the woman’s temple. Chicago PD detective Nick Fasano arrives on the scene, snakes a cable through the window, and connects the phone to a handheld computer. Fasano scrolls through the torrent of information to zero in on a series of agitated text messages that grow increasingly threatening. He notes the number of the sender and forwards it to police headquarters, where detectives finger the owner of the number and send a squad car to his apartment to pick him up, just as he arrives, spattered in blood. The suspect confesses, and Fasano marks the case closed.