Mobile device forensics forecast: continued oscillation, chance of cloud computing.
Detectives arriving at the scene of a fatal shooting at a Miami night club find a young woman slumped on a couch in the ladies’ room, dead, shot in the head, an open cell phone clutched in her hand. The detectives wonder what clues the phone contains but do not disturb it. Evidence could be altered or destroyed. Cell phones contain histories of text messages, calls made and received, address books, schedules, calendars, images, and GPS waypoints—all potentially useful forensically. The phone is collected and left to be processed by the forensic lab, where any information it contains can be extracted properly, preserving the data and its admissibility in court.
The first issue, though, is whether to turn the phone off or leave it on.
If it’s turned off, forensic technicians later may have to deal with a password/PIN prompt when the phone is restarted. An estimated 60% of phones are password/PIN protected, according to a 2009 study. iPhones can be set so the phone is locked after three unsuccessful PIN tries. Other phones erase data after 10 failed PIN attempts.
“That’s a convincing argument for leaving the device switched on,” said Darren Hayes, a Pace University computer forensic scientist.
If the phone is left on, however, it could receive calls and text messages during transport to the lab, and data could be overwritten or erased. Using an app called Protect, it’s even possible for someone to remotely delete all data from a seized BlackBerry.
“Detectives should treat the cell phone as they would any computer evidence,” said Tod Burke, a professor of criminal justice at Radford University. Burke said it would be unwise for detectives to attempt information retrieval at the crime scene, since this may overlay potential forensic evidence, such as caller ID entries, call logs, and voice mails.
Burke also does not recommend turning the phone off. “Placing the evidence in a Faraday bag is probably the best means of securing the evidence until the information can be retrieved in the lab,” he said. Arson cans may also be used. These shields remove the device from the cell network and prevent someone connected to the crime from hitting the phone with a text or email ‘bomb’ that floods the phone’s memory with messages that crowd out all other previous calls from the log.
But these bags are not foolproof. There’s a danger that placing the phone in such a container can jeopardize location information stored by certain phones, because the phone will continue searching for a signal. Once it fails, it zeros out the register that holds location data. Bagging the phone also tends to drain the battery faster, because the phone will boost its signal search to maximum transmit power. Plus, shield bags aren’t completely impervious to signals, especially within a few yards of a cell phone tower.
For Whom the Cell Tolls
Forensic issues with imaging cell phone contents don’t end at the crime scene. Indeed, one question is whether police have a right to perform warrantless searches of cell phones or whether the extensive amount of digital information on these devices gives owners an expectation of privacy. Until the U.S. Supreme Court rules on the question, the answer depends on which state you are in. California’s Supreme Court this year held in People v. Diaz that a warrantless search of text messages on a suspected drug dealer’s cell phone was constitutional. In 2009, however, the Ohio high court held in Ohio v. Smith that unless an officer’s safety is at stake or there’s an emergency, the Fourth Amendment prohibits warrantless searches of cell phones seized during lawful arrests.
Once the phone is in the lab, forensic examiners must contend with a bewildering number of makes and models. Charging cables and adapters necessary to access phone contents are not standardized. As staggering as the task may be, forensic experts have no option but to try to keep pace. Mobile phone sales in the first quarter of 2010 alone were 314.7 million units, according to Gartner. Smartphones are proliferating three times faster than babies, meaning about 700 smartphones are activated every minute. Nearly all crimes have a digital component, so all of those devices contain data that may be forensically valuable.
Unlike personal computers, however, where analysts generally deal only with Windows, Macintosh, and Linux operating systems, cell phones have a multitude of operating systems: Windows, Android, Mac OS X, RIM OS, Palm OS, and Linux, plus all the proprietary operating systems that currently exist.
A number of commercial packages are available to help examiners image mobile device data, including XRY (Micro Systemation), Universal Forensic Extraction Device (Cellebrite), MobileEdit Forensic (Compelson Laboratories), Aceso (Radio Tactics), and Device Seizure (Paraben). These systems can cost as much as $1,800.
“The costs tend to be high because vendors have to supply new cables every quarter for new phones,” Hayes said. On average, a new cell phone model appears on the market every three days.
Forensic labs without adequate budgets may find free tools useful. Mac Marshal’s Mac OS X forensic imaging tool is available free to law enforcement (http://macmarshal.atc-nycorp.com/), as is Oxygen Software’s Forensic Suite (http://www.oxygen-forensic.com/en/). Scientist and hacker Jonathan Zdziarski provides an iPhone imaging procedure free to police investigators (http://www.iphoneinsecurity.com). Other free resources include investigator Ryan Kubasiak’s Web site (http://AppleExaminer.com), which offers a variety of useful Mac tools for evidence collection. SANS (http://www.sans.org) and DFI News (http://www.DFInews.com) are helpful resources for mobile forensics news, tips, and trends.
Thinking outside the box helps. Hayes said iPhones are frequently synchronized to computers. “There is typically more historical evidence found on a synced computer than on the mobile device itself,” he said.
There are indications that within five years cloud computing will add a new twist to mobile device forensics. A system called CloneCloud uses a smartphone’s high-speed Internet connection to communicate with a clone that lives in a cloud-computing environment on remote servers, enabling more intensive processing than the local device allows. How much local data will also reside in the cloud remains to be seen, but device imaging is sure to change again.
Meanwhile, the Miami night club detectives may soon have an on-scene cell phone triage tool so they won’t have to risk transporting the device or wait for forensics to finish imaging—whether the data is in the hand or in the cloud.
One solution is already emerging at Purdue University.
Researchers in the Cyber Forensic Lab there have developed a universal forensic tool for mobile devices, called Purdue Phone Phorensics, or P3. This system, currently being field tested, provides immediate on-scene analytics for nearly all phones. P3 literally takes the confusion and guesswork out of imaging mobile devices. Even if you don’t know what hardware and software to use, P3 can guide you.
“P3 is first responder friendly,” said one of the developers, Richard Mislan, a Purdue cyber forensics professor and a member of the FBI’s Indianapolis Cyber Crimes Task Force. Users merely have to enter the brand and model. P3 then provides all the details needed to examine the device. If the device brand and model are unknown (many model names are hidden under the battery), P3 has a ‘Phone Phinder’ feature that helps identify the unit in question.
Douglas Page writes about forensic science and medicine from Pine Mountain, California. He can be reached at firstname.lastname@example.org.