CSI Cell Phone

Article Posted: December 14, 2011

Mobile device forensics forecast: continued oscillation, chance of cloud computing.

Detectives arriving at the scene of a fatal shooting at a Miami night club find a young woman slumped on a couch in the ladies’ room, dead, shot in the head, an open cell phone clutched in her hand. The detectives wonder what clues the phone contains but do not disturb it. Evidence could be altered or destroyed. Cell phones contain histories of text messages, calls made and received, address books, schedules, calendars, images, and GPS waypoints—all potentially useful forensically. The phone is collected and left to be processed by the forensic lab, where any information it contains can be extracted properly, preserving the data and its admissibility in court.

The first issue, though, is whether to turn the phone off or leave it on.

If it’s turned off, forensic technicians later may have to deal with a password/PIN prompt when the phone is restarted. An estimated 60% of phones are password/PIN protected, according to a 2009 study. iPhones can be set so the phone is locked after three unsuccessful PIN tries. Other phones erase data after 10 failed PIN attempts.

“That’s a convincing argument for leaving the device switched on,” said Darren Hayes, a Pace University computer forensic scientist.

If the phone is left on, however, it could receive calls and text messages during transport to the lab, and data could be overwritten or erased. Using an app called Protect, it’s even possible for someone to remotely delete all data from a seized BlackBerry.

“Detectives should treat the cell phone as they would any computer evidence,” said Tod Burke, a professor of criminal justice at Radford University. Burke said it would be unwise for detectives to attempt information retrieval at the crime scene, since this may overlay potential forensic evidence, such as caller ID entries, call logs, and voice mails.

Burke also does not recommend turning the phone off. “Placing the evidence in a Faraday bag is probably the best means of securing the evidence until the information can be retrieved in the lab,” he said. Arson cans may also be used. These shields remove the device from the cell network and prevent someone connected to the crime from hitting the phone with a text or email ‘bomb’ that floods the phone’s memory with messages that crowd out all other previous calls from the log.

But these bags are not foolproof. There’s a danger that placing the phone in such a container can jeopardize location information stored by certain phones, because the phone will continue searching for a signal. Once it fails, it zeros out the register that holds location data. Bagging the phone also tends to drain the battery faster, because the phone will boost its homing mechanism to maximum power. Plus, shield bags aren’t completely impervious to signals, especially within a few yards of a cell phone tower.

Related topics: Digital Forensics Evidence Collection, Digital Forensics Hardware, Digital Forensics Software. December 2011/January 2012.