Chapter 37. Cell Phones
Information in this chapter:
• The fragile nature of cellular evidence
• Forensic acquisition methods for cellular phones
• Subscriber identity module (SIM) cards
• Cell phone backup files
• Advanced cell phone data analytics
• The future of cell phone forensics
The CIA World Factbook reported that in 2009 there were approximately 286,000,000 cell phone subscriptions in the United States alone. That is getting close to one cell phone for every man, woman, and child in the United States. Cell phones can store more data and perform more functions than ever before. Today’s smart phones can perform functionalities that were only possible with a computer a handful of years ago. Ultimately, this increase in complexity means that people tend to use their cell phones for more and more functions. In turn, the more functions someone can perform with a phone, the more data that phone stores, and that makes cell phones a tremendous source of potential evidence in all kinds of cases.
Keywords
Cell Phones, Smart Phones, Cell Phone Evidence, Cell Phone Analysis
Introduction
The 2010 United States Census reported that the population of the United States was 308,745,538. 1 The CIA World Factbook reported that in 2009 there were approximately 286,000,000 cell phone subscriptions in the United States alone. That is getting close to one cell phone for every man, woman, and child in the United States. The World Factbook also reports that there are over 4.8 billion cell phone subscriptions worldwide. 2 With numbers like these, it is no surprise that cell phones have become a common form of evidence in cases.
In addition to their sheer numbers, cell phones have become progressively more complex with the passage of time. Cell phones can store more data and perform more functions than ever before. Today’s smart phones can perform functionalities that were only possible with a computer a handful of years ago. Ultimately, this increase in complexity means that people tend to use their cell phones for more and more functions. In many ways, the cell phone, once a luxury, is quickly becoming the communications hub and mobile office for people all over the world. In turn, the more functions someone can perform with a phone, the more data that phone stores.
Cell phones are made by numerous manufacturers, and come in thousands of different models. Between the different cables used to connect cell phones to chargers and computers, different file systems, device-specific applications and services, and proprietary operating systems, the forensic examination of cell phones becomes reliant on the use of an entire toolbox of examination methods, forensic software, and forensic hardware. There is no one-size-fits-all method for handling cell phones when it comes to forensic acquisitions and examinations of the data stored on these devices.
37.1. The fragile nature of cellular evidence
It is important to remember that cell phones do not operate in the same way as computers do. When your cell phone is powered on and has service, it is constantly receiving new data. On modern cell phones, there is a constant stream of data such as phone calls, text messages, e-mail, Twitter updates, and Facebook updates, along with pushed data from various other applications the user may have installed on the handset.
Depending on the make and model of the phone and whether or not supplemental storage is installed on the phone, many cell phones can store only a limited amount of information, which means that as new data is received on your phone, the oldest data is being deleted. This is true whenever the phone reaches the limit on a particular storage area. For instance, many phones limit the number of text messages to a fixed amount. If the phone can store a maximum of 100 text messages, when the 101st message comes in, the oldest message is automatically deleted. This works a lot like a conveyor belt that can only hold a limited number of items, as shown in Fig. 37.1.
 |
| Figure 37.1 |
If there is a possibility of data being deleted as new data is coming into the phone, the evidence on that cell phone is not being preserved. This is why the first and most important step in the acquisition and examination of cell phones is to isolate the cell phone from any networks it might connect to. This includes the cellular network, Bluetooth, wireless networks (WiFi), and infrared connections. By isolating the phone from all networks, the cell phone is prevented from receiving any new data that would cause other data to be deleted. This illustrates how the data on cell phones is fragile due to the nature of the way cell phones operate. Even if the cell phone is isolated from the networks correctly, the data can still be damaged or lost through an improper examination of the cell phone. The following section covers how a cell phone is isolated from networks, the different methods of cell phone data acquisition and examination, and some of the ways we have seen acquisitions performed incorrectly.
37.1.1. Protecting cell phone evidence
Like all digital evidence, the data on cell phones must be protected from being changed or destroyed during the examination process that can occur if the cell phone is allowed to connect to a cellular network. To do this, a cell phone must be isolated from all networks to prevent the phone from sending or receiving. This is usually handled by using a Faraday bag to block radio signals to or from the phone. Figure 37.2 shows a phone inside a Faraday bag for isolation during an exam.
A Faraday bag blocks any signals that a cell phone might pick up by blocking electrical fields and radio frequencies. A microwave uses this same technology, utilizing a Faraday cage to contain the radio frequency generated by the magnetron within the cooking chamber. A cell phone can also be isolated from any networks by wrapping the phone in radio frequency shielding cloth and placing the phone into Airplane mode. These are the most common methods of isolating a cell phone from any networks it might connect to. There are others, but whatever methods are used to block the cell phone’s signal, they need to comply with best forensic practices and be recognized as a viable solution by the digital forensics community.
37.2. Forensic acquisition methods for cellular phones
There are three types of forensic acquisition or collection methods for cellular phones: logical, physical, and/or manual. Depending on the type of acquisition performed on a cell phone, the amount and type of evidence that can be collected will vary due to the limitations that may be imposed by the method being used.
37.2.1. Logical acquisitions
Logical acquisitions of cell phones are performed using cell phone forensic software. A logical acquisition typically only recovers data on a cell phone that is not deleted. Depending on the phone and the forensic tools used, some or all of the data might be able to be acquired. For instance, where only some of the data can be acquired, this means that the text messages, contact list, and call history might be acquirable using the cell phone forensics tools, but the images and ringtones are not. Even if only existing data can be captured from a cell phone, there are good reasons for performing a logical acquisition instead of simply taking pictures of the information on the phone from the device itself. When a logical acquisition is performed, the data can be preserved in stasis and the phone returned to the custodian to which it belongs. You would then have a snapshot in time of the cell phone evidence as it existed when the acquisition was performed, which preserves that evidence and also allows for verification. Some cell phone forensic tools allow multiple phones to be added to one case, which allows the data from multiple phones to be compared using graphs and diagrams. Examples of this are included later in this chapter. If a logical acquisition is not performed, then the possibility of performing these analysis functions is off the table.
Although it is uncommon, it is possible to get deleted data when performing a logical acquisition. This only applies to phones where the unallocated space on the phone can be acquired as if it were a logical file. This allows an examiner to carve out information from the unallocated space that might be of interest in a case.
37.2.2. Physical acquisitions
Physical acquisitions of cell phones are also performed using cell phone forensic software. A physical acquisition of a cell phone is the acquisition of the data at the hardware level. In other words, a physical acquisition is able to acquire all of the data present on a device, regardless of the file system, operating system, or other factors that act as limitations when performing a logical acquisition. If a physical acquisition is possible, this is almost always the best option when acquiring cell phone evidence. Physical acquisitions are able, in almost every situation, to get all the types of data from a cell phone, and also the unallocated space. An examiner can then carve out deleted information from the unallocated space. An example of this is shown in Fig. 37.3. For more information on unallocated space and deleted data carving, see Chapter 29.
37.2.3. Manual examinations
With cell phones, a physical acquisition is usually the best option, and logical acquisitions are the second best option. Manual examinations should be the last option when performing a forensic acquisition of a cell phone. A manual examination introduces a greater degree of risk than the previous acquisition methods in the form of human error. With physical and logical acquisitions, the manipulation of the actual cell phone from the keypad and menu on the device is minimal. With a manual acquisition, the entire process must be performed using the keypad and menu to navigate through the cell phone.
When you get a new cell phone, it can be difficult to operate at first since there is a learning curve associated with getting familiar with the keypad, menu, and other ways to manipulate the controls of the phone. The chance of you accidentally creating evidence, such as accidentally hitting a speed dial button and creating a call attempt, is greater. The chance of deleting evidence is also greater; for example, you might accidentally delete a text message instead of just viewing the next one as you intended.
A correctly performed manual examination will reduce the risks of modifying the original evidence. With correct procedures and thorough documentation, a manual examination is a viable option when acquiring cell phone evidence. The quality of a manual cell phone examination really depends on the competency of the examiner; if correct procedures and thorough documentation are not part of the manual examination, it can call into question whether or not the evidence was actually preserved, or if any tampering, intended or otherwise, occurred during the examination of the cell phone.
A manual examination of a cell phone typically involves an examiner manipulating the cell phone to the different areas of information, such as text messages or call history, and taking pictures of the screen with a camera. While this is viewed as acceptable by some members of the digital forensics community, to others this is not enough.
Pictures only tell part of the story; what could have happened during the time between the individual pictures being taken? Pictures alone do not provide any real verification that the phone evidence has not been modified or tampered with. The only way to make a truly verifiable manual examination of a cell phone is to also record the process using a digital video camera running continuously throughout the process with no breaks, pauses, or edits. The video should begin before the phone is taken out of the secure evidence container and should be powered on in view of the camera. At the end of the examination, the phone should be powered down in view of the camera and placed back into a secure evidence container.
37.3. Subscriber identity module (SIM) cards
Some phones have Subscriber Identity Module (SIM) cards in them. SIM cards can contain a significant amount of data, such as text messages and contact lists, as well as the last numbers dialed on the cell phone. A SIM card should be examined using a SIM card reader that meets forensic standards in conjunction with forensics software that is capable of acquiring data from a SIM card. Figure 37.4 is a view of a SIM card.
37.3.1. Media cards (removable storage cards)
Many cell phones today have expansion slots in them designed to accommodate a Secure Digital card (SD Card) as shown in Fig. 37.5. Usually they accommodate a small version of a SD card, called a microSD card. Users would purchase one of these cards and place it in their phones if they wanted to be able to store additional data. SD cards can be examined as if they were a tiny hard drive. They need to be write-protected just like a hard drive during the acquisition process for evidence preservation. If an SD card is present, it is possible to recover any form of deleted data that might have been saved to the SD card. Media cards are formatted and act just like computer hard drives when storing data. The presence of a media card almost guarantees that some level of deleted data recovery is possible. Figure 37.5 shows some of the different types of storage cards available.
37.4. Cell phone backup files
Many cell phones can interface with a computer in order to transfer data and create backup files. Backup files can be an excellent source of evidence. For instance, backup files for a Blackberry or iPhone can contain almost all of the data that exists on the phone. With an iPhone, if you have the proper tools to analyze the backup file, you can actually see more information than you would from just the phone itself.
An iPhone backup can also contain both deleted and existing text messages and e-mails. The backup file even contains the voicemails from the iPhone. The amount of data stored in the backup files of many phones today can provide a significant amount of data relating to almost everything a user does with their phone.
37.5. Advanced cell phone data analytics
Sometimes all you need in a case is the information contained on one phone. However, incidents involving cell phones usually do not happen in isolation. Since the purpose of cell phones is to communicate with others, it can be worthwhile to see how multiple phones interacted with one another as it relates to a particular case.
Cell phone forensic software has the capability of saving the collected cell phone data in a file that can be later imported into cell phone forensic analysis software. For instance, one of the tools used for this chapter, Susteen’s svProbe, can import cell phone data files collected from multiple cell phone forensic software tools.
This capability allows examiners to bring cell phone data from multiple users into a single case for advanced analysis of call traffic, timeline analysis, and call activity between two or more cell phones.
For example, imagine you had a client accused of running a drug ring because he was supposed to be the controller of the street dealers. Being able to visually see the call history activity between your client and the people he was communicating with could be very useful. Analysis of the cell phones in the case to show who was calling whom, and how frequently calls were made and for what duration, could support the argument that your client was not the controller at all. Figure 37.6 and Figure 37.7 are example screenshots of advanced cell phone analysis using Susteen’s svProbe software.
37.6. The future of cell phone forensics
Cell phone capability is expanding not only in response to consumer dependency for more powerful and multifunctional phones but also due to pressure placed on the market by Apple and Google with their iOS and Android operating systems.
Consumers have proven that they want a miniature computer in their pocket by voting with their pocketbooks.
As cell phones continue to progress in capability and complexity, the recoverable data from a cell phone is expanding almost on a monthly basis. Cell phones today contain not only the information you would expect to get such as call history, contact lists, and pictures, but also may contain office documents, social media data, voice mail, recorded conversations, recorded voice notes, and the list goes on.
The future of evidence recovery from cell phones will only grow as phones begin to replace computers. This will help the forensic examiner as the number of unique operating systems on phones today begins to consolidate into fewer standardized operating systems. Much like the computer industry, which has settled on three primary operating systems, Windows, Mac OS, and Linux/UNIX, the day is coming when cell phones will be in the same place and the vast majority of phones will be running the Apple iOS, Google Android, or Windows Mobile operating systems.
A smaller number of operating systems will allow forensic tool vendors to create ever more powerful extraction tools that can get more information from more phones on a consistent basis. The major cell phone forensic tools are covered in Chapter 5.
Summary
In this chapter we looked at the methods for handling and preserving cell phone evidence and some of the issues with improper preservation of cell phones. We also discussed the types of evidence that can be recovered from a cell phone along with some of the different types of storage options available for cell phones that enhance the ability to recover deleted information. We looked at the advantages of getting cell phone backup files and the evidence those files can contain. We also looked at advanced cell phone analytics and learned how this technology can allow multiple phones to be connected into a single overview of multiple caller activity.
References
[1]
[2]
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.