Introduction to the challenging world of the mobile phone forensic analyst, from one who provides digital media analysis to defence lawyers
Romeo is in court on a charge of rape. He’d had a relationship with Juliet for some months before they parted acrimoniously. Some months later, Juliet brought a charge alleging sexual assault at a date around the end of their relationship and claimed that she was now deeply traumatised. Romeo denies the charge vigorously
It’s her word against his. Or is it?
There’s only one way he can verify his innocence – and Romeo’s luck is in. A mutual friend, Bianca, doesn’t think Juliet’s actions are fair. She’s been on a wild night out with Juliet recently and took photographs on her mobile phone on the evening. Unfortunately, she had deleted them.
Enter the world of forensic analysis. Using sophisticated software, Bianca’s images were recovered from the phone and showed Juliet having a very good night out indeed, with no visible signs of trauma. The expert witness wrote a report on the images, which were used by the defence as an indication of the girl’s true character and state of mind.
The case was dismissed.
It’s not always as easy as this. The vital point about mobile phones as a source of evidence – and I can’t emphasise this enough – is that they must be disconnected from the network as soon as possible and retained. A modern mobile phone may carry data equivalent to 12 Encyclopedia Britannicas on a chip the size of a fingernail, but because of the way the information is organised, some items are overwritten very quickly.
Take a similar case: Malvolio met a girl, Titania, in a public house. On the way home they had sex. Titania said nothing for some weeks, then reported a rape. Malvolio insisted that sex was consensual and that he had had cordial messages and calls from Titania on his mobile after the alleged incident.
Ill-starred, Malvolio was not as lucky as Romeo; he had been using his mobile during the weeks before Titania’s allegations and any calls or texts from her had been overwritten. Although her name was in the contacts list, it was not enough to provide useful evidence for the defence.
While the capacity for data is large, most phones only record the last 40 calls or thereabouts. After this time, older entries may be overwritten. For average users, phone call logs can start to wrap around in a week or so and text message stores will fill every few weeks. Technology-savvy criminals are getting wise to this and may start to bombard an impounded phone with calls and messages to ensure that relevant data is driven beyond the capacity for storage.
The most vital point to stress to solicitors seeking to preserve mobile phone evidence is to ensure that the mobile in question is taken off the network as quickly as possible.
By 2006, 91% of adults in the United Kingdom owned or used a mobile phone – more than double the number of landline connections. Indeed, more households now rely solely on a mobile phone (9%) than just on a landline (7%). What’s more, they are using their mobile for much more than just making phone calls. The phone acts as a digital camera, can give internet access and provide entertainment in the shape of radio broadcasts or games. Texting has overtaken mobile calls: 16 to 24-year-olds made an average of 27 calls and 70 texts a week in 2006. If a phone is used to take photographs or access the world wide web, this will be recorded – and much of what is recorded about our activities is still present in the chip even after it has been “deleted”.
For the forensic expert, mobile phone analysis is an expensive, time-consuming and challenging business. Unlike PCs, which generally run on variants of either Windows or Unix and where there is a lot of knowledge about what is located where, every phone is potentially different. There are hundreds of different types, the layout of the information is proprietary to the manufacturer, and they are under no obligation to tell anyone what that is. Furthermore, the memory is generally only accessible via the phone itself, so what it doesn’t want to tell you can be very inaccessible indeed. Purchasing and keeping the necessary acquisition and analysis software up-to-date is very expensive – but vital. The analyst for the defence has to keep pace with the sophisticated tools available to police forensic units, and ideally build constructive relationships in order to discuss software advances with them.
Older and budget phones may have no shortcuts to acquiring the data, which must be punched up on the phone screen by screen, each screen being photographed by way of documentation. Modern phones are generally more yielding. The most popular tools for interrogating phones are XRY, CellDEK, PhoneBase, Paraben Cell Seizure and MobilEdit! Forensic. They all have advantages and disadvantages, and it is often necessary to analyse the phone using two or more applications, as well as check the phone manually to ensure nothing was missed. And, of course, there is the risk of revealing facts that the defence solicitor would rather not discover!
Forensic analysis doesn’t always mean simply retrieving information from the depths of the handset. Sometimes it can be important to look at peripheral information too. For example, there are only two classes of people who routinely carry handfuls of SIM cards with them – drug dealers and mobile phone forensic specialists. Drug dealers live on their mobiles and generally have an extensive network of suppliers and customers. Documented evidence of this network can form a valuable record for the prosecution, especially where police may wish to demonstrate that the phone traffic in the network reached a peak during the run-up to a drugs deal and that a conspiracy was involved. In such circumstances, the defence may wish to demonstrate that the calls were just routine chat between acquaintances.
The answer may lie in the itemised phone bills. Phone companies are obliged to retain billing information for an extended period under the Regulation of Investigatory Powers Act (RIP), and this can be obtained if due cause can be demonstrated. If we can get these records as a computer file, searching through them is easy, but when the records are in paper form, they may fill several boxes.
There are many other challenges also. Text messages are often sent in the form of shorthand – “wht u doin 2 nite?” This can become really strange when combined with a dialect such as Scots Doric, where this message would become “fit a doin a nicht?” Suddenly, the expert witness needs not just a broad understanding of digital technology, an ability to write clearly, some understanding of how to handle evidence and a logical approach to it (and a credible presence in court) – but a degree in Scots dialect/text messaging language as well.
John Butler and his wife Helena run Geode Forensics, an Edinburgh-based company specialising in recovering evidence from digital media such as computers, mobile telephones, cameras, voice recorders and data sticks. For further information see “Forensic Analysis of Mobile Phones”, on www.geodeforensics.com . t: 0131 445 3705
SECURING MOBILE PHONE EVIDENCE
Secure mobile phone evidence at the first opportunity.
- If you are sure you know the PIN, then ensure that the phone is switched off and remains off until it can be examined under controlled conditions.
- If there is any doubt about having the PIN, leave the phone on, wrap it in a couple of layers of tinfoil, then send it immediately to a forensic specialist.
- Establish who is the registered owner if there is one.
- Establish the recent history of the phone and whether SIMs have been swapped between phones.
- Consider whether additional evidence is required from the service provider or other phones and arrange to obtain this where possible.
- When dispatching the phone for analysis, pack it securely so that it cannot be turned on or off accidentally in transit.
- Record details of custody of the phone on a form that accompanies the phone. Though this may be unnecessary, it may help forestall some issues about admissibility of evidence.
PHONE FORENSICS UNCOVERED
Mobile phone forensic procedures vary in detail but basically involve three steps:
1 Preparing the phone and isolating it from the cellular network
The phone needs to be charged and details noted. It can be isolated by placing it in a screened box, or by replacing the SIM with a forensic copy SIM that has had certain data removed so it cannot connect to any network.
2 Reading the data
A number of highly specialised forensic tools exist that can read some or all of the phone’s data by cable, Bluetooth or Infra-Red.
3 Selecting and reporting on what was recovered
The contents of a modern phone can require a 60 page report to describe, and significant editing may be needed to make sense of it.
All being well the phone will boot up nicely and read like a dream. The world being what it is, on a depressingly large number of occasions:
- The battery is dead and won’t charge.
- The infra-red port is dead.
- The phone is of a type unknown to the forensic application.
- The phone is essentially broken.
- The PIN was reported incorrectly.
- The phone is of an obsolete type with no data port.
- It just won’t read for no obvious reason.
The phone contains a lifetime’s collection of ringtones, music tracks and video clips that take an afternoon to read.
This inevitably happens miles from home, in an evidence store and with an audience. The forensic specialist then has the chance to explore his or her reserves of ingenuity, technical expertise or failing which, prayer.