Product Insight: Mobile Forensics Fights to Stay Ahead
Law enforcement groups are using new data extraction tools to stay ahead of criminals’ ability to conceal information.
Figure 1: The UFED Touch.
Handheld forensic data extraction devices are becoming essential tools for law enforcement agencies that need to obtain data rapidly and reliably from the wide variety of mobile phones and smart devices now available. Detective Dan Morrissey, the Gang Intelligence Supervisor for the Sacramento, California Sheriff’s Dept., was a beta-tester of Cellebrite’s recently introduced handheld UFED Touch and is a long-time UFED user. When this compact mobile device was introduced earlier this year, it was noted for its faster processing, ease of use with a large touch-screen display, larger storage capacity, and the wide range of evidence it was able to process.
One of Det. Morrissey’s favorite successful prosecutions involving the UFED is a juvenile prostitution case. The officers knew the suspect was running several girls, but the District Attorney was having a difficult time proving the suspect was the pimp. When the officers arrested her, they saw that she had pictures on her phone, but it was locked. Using the UFED, the team was able to get through the password and extract a contact list with two other victims, along with incriminating text messages and photos, in just two minutes. This also helped elevate the case from a misdemeanor to a felony.
The editors of DFI News recently asked Det. Morrissey about his use of this device:
DFI News: How have you used this device to solve a particularly complex crime?
Det. Morrissey: We were recently investigating a rather large criminal organization and during the investigation, it was determined that some high-visibility street suppression would be useful in identifying unknown gang members who were known to travel in a specific geographic region. During the operation, one of the subjects was found to have more than five mobile phones on him. Several of the phones had little or no information on them because they were obviously “burner” phones, but two of the devices did. With the phones previously seized, and the phones recovered from this operation, an additional fifteen members were confirmed to have a nexus to the gang.
DFI News: What features of the UFED Touch do you particularly like?
Det. Morrissey: First of all, the device is significantly faster when extracting media content than previous devices we’ve used. This allows for a shorter time on target when completing examinations in the field, and the ability to do more examinations in a laboratory setting as well. The fact that it’s Windows-based also allows for instant examination of the source data in the field. For rapidly evolving criminal investigations, having the ability to both acquire and present the information in the field is also a powerful tool for digital investigations.
Figure 2: The tip kit allows for the examination of a wide range of mobile devices.
DFI News: Are you able to stay ahead of criminals by finding viable evidence? Are they getting smarter in their ability to conceal information?
Det. Morrissey: The criminal’s ability to gain access to technological equipment and use it for nefarious means is a formidable challenge. On January 21, 2010, Apple released its iOS 4 operating system; at 1600 hours that day, a subject was arrested and booked into the jail. He was a street level narcotics trafficker, had no home, and no legitimate source of income. Somehow he was able to gain access to a computer and complete the iPhone software update prior to his arrest.
One theme I have begun to see more of is the deleting of text messages and call logs. I’ve also seen subjects physically breaking their phones in an effort to keep their digital footsteps silent.
When it comes to criminals and digital evidence, criminal skill sets are as wide ranging as their crimes. Some criminals may be more cautious and use prepaid phones they can throw away when they are done using them. Others will password protect their devices or delete as much of their usage as they can before an arrest. Some criminals will utilize a combination of these items and actively seek out ways to make their device useable, without becoming a liability to them.
DFI News: How fast is the technology environment changing/expanding?
Det. Morrissey: Technology is expanding at a tremendous rate. The types and releases of individual software operating systems have seemed to slow down, but the production of new devices seems constant. The fact that Cellebrite also has a retail product used by every provider is one of the most under-acknowledged facts. Retail phone stores could not compete in the current market if they had to wait four to six weeks for a new update each time a new mobile phone is introduced. Nor would customers purchase new products if the devices were going to negatively impact their lives. These same concerns and considerations are felt by mobile phone examiners. Having the ability to acquire phones before they enter the marketplace or shortly thereafter is a key reason we utilize the UFED family of products.
DFI News: What are the most difficult issues you have to contend with in this area?
Det. Morrissey: The two biggest issues we encounter are password-protected phones and supported devices. We keep our handheld extraction devices updated, because we continually come into contact with new phones. It’s not uncommon to find criminals in possession of prepaid devices the day or week they were released. Passwords are not as significant of an obstacle with the UFED Physical Analyzer carving capability. This has allowed us to find many of the swipe pattern locks for Android devices. The Android devices are currently more common, because they exist with providers that do not require credit checks and in a prepaid capacity.
Tim Studt is the Editorial Director of DFI News.