Cell Phones And Handheld Devices Provide Discovery Opportunities
The expanded power and intensive use of mobile devices mean that they often contain evidence that may not be anywhere else. But mobile devices provide challenges that do not exist for traditional computers.
The cost and complexity of forensics on handheld devices has caused this field to lag behind computer forensics. However, the valuable information contained on these mobile devices deserves increased attention by skilled civil lawyers and criminal investigators.
-Why Care about Mobile Devices?
Generally, mobile computing devices provide all the discovery opportunities of a standard computer. Because mobile devices can be used intensively for a broader range of uses, mobile devices have the added possibility of providing evidence that may not be anywhere else.
An increasing number of professional services companies purchase Blackberries, Personal Digital Assistants (PDAs), or cell phones for their employees, and pay the monthly usage fees. When this occurs, there is invariably a mixture of personal and business usage of this equipment. Depending upon the employer’s communications with its employees regarding the employees’ privacy expectations, employers may have a right to review the information contained on these devices. When litigation arises, parties have a responsibility to preserve certain electronic information which likely resides on a Blackberry or other PDA. In these circumstances, employers may be forced to address the contents of mobile devices.
Mobile devices often contain communications and other evidence that the employee would otherwise be careful to keep out of their company-based e-mail. For example, in a typical civil theft of trade secrets case, a memory-laden mobile device provides email, documents, and often evidence of the theft itself.
Law enforcement officers often seize cell phones and other electronic devices when executing search warrants. A cell phone obtained from a suspect during an arrest, found at a crime scene, or otherwise part of an investigation can provide a wealth of information, including contact lists, text messages, and phone calls made, received and missed – and maybe even pictures and video involving the incident itself.
In both civil and criminal contexts, mobile device forensics can be used to preserve e-mail and other files in a way that (i) maximizes recovery of information, and (ii) eliminates issues regarding the authenticity of the evidence.
-It Wouldn’t Hurt to Take a Peek
With so much information literally at an investigator’s fingertips, the temptation is great to start poking around to see what is there. However, just as with a personal computer, every second spent doing this increases the risk of an allegation that the information on the device has been altered in the process. As with computers, controlled, repeatable, and verifiable extraction of the information is key to making the related evidence unassailable in court.
-A Maze of Providers and Standards
Stationary and laptop computers are simple when compared to handheld devices. A computer forensics technician about to work on a desktop or laptop computer knows in advance that the machine will have a hard disk with either a Serial ATA (SATA) or Parallel ATA (PATA) interface, probably connectible through a Universal Serial Bus (USB) connection. In contrast, cell phones and other handheld devices have a dizzying array of interfaces, and these interfaces are changing rapidly. For example:
1. The FCC is approving hundreds of new cell phone models each year. While some of these new phones are variations of a prior model, sometimes there are major internal revisions with no apparent external changes.
2. There is no requirement to standardize connectors. Instead, many of the dozens of phone manufacturers see an unusual connector as a means of selling higher priced accessories.
The challenge with cables and connectors is only the start. There are two primary (CDMA and GSM) and one secondary (iDEN) technologies involved with mobile phone voice signals. There is often no external difference between the phones using each. The techniques a field technician should use with each of them are often exactly the opposite.
-Don’t Turn it On! … Unless You’re Not Supposed to Turn it Off
When faced with an unfamiliar phone and/or provider, the quickest way to see if it is a GSM or CDMA phone would be to open it up and take out the battery. This allows one to see the presence of the SIM card used in GSM. However, in many cases that is exactly what you don’t want to do with a GSM phone, but exactly what you do want to do with a CDMA phone. Here is why.
The service provider for a CDMA phone can send a signal to a subscribing phone to clear all the information in memory. This is desirable as a means of protecting customer private information when the phone is reported as stolen or lost. But, in a law enforcement situation, a phone seized at a crime scene or during an arrest could have its entire contents remotely erased by reporting the phone as being lost. To avoid this possibility, CDMA phones should remain off to keep the phone from hearing the transmission tower signal.
GSM phones have a different means of protecting user information. Depending on the service provider, GSM phones either allow or require a Personal Information Number (PIN) when the phone is turned on. Only three incorrect PIN entries in a row are usually allowed, after which a PIN Unlocking Code (PUK) must be obtained from the service provider. So, unless the suspect with a GSM phone provides an accurate PIN, it may be wisest to leave the phone turned on.
-FCC Design Standards Would Help
This situation could be readily improved by the FCC, which already approves every telecommunications device for sale in the U.S. Standardization in mobile device design would pay off in improved and simplified cell phone forensics in a relatively short time.
Specifically, the FCC should require standardized connections and communication protocols that would not significantly add to the existing standards. The mini-USB ports already found on the vast majority of digital cameras, music players and other devices are a logical and fine choice for this standardization. Mini-USB ports are small, durable, and universally supported by computer makers. A great many current phones already have USB ports.
Among other purposes, a standardized connector could be used to obtain the unique identification of the phone. With this number, an authorized person (e.g., the registered owner or law enforcement officer) could obtain from the phone manufacturer an unlocking code that would permit a read-only data dump of any or all of the physical memory. The need to get the unlocking code from the phone manufacturer would generally require a warrant or agreement from the owner if accessing the device’s content was not already legally justified.
Between accidental damage, technology leaps, and offers of a free or upgraded phone with renewal, handheld devices have one of the shortest life cycles of any consumer technology product. Experts with experience in mobile device forensics can provide the expertise necessary to preserve and extract information from these devices.
Fulcrum Inquiry assists with electronic discovery, including computer forensics.
ABOUT THE AUTHOR: David Nolte
Mr. Nolte has 30 years experience in financial and economic consulting. He has served as an expert witness in over 100 trials. He has also regularly served as an arbitrator. Mr. Nolte has achieved the following credentials, CPA, MBA, CMA and ASA.
Copyright Fulcrum Inquiry