Why Access to Digital Evidence is Tougher than Ever, And What You Can Do About It


co-authored by Dan Embury, Technical & Services Development Director, Cellebrite Advanced Services

If you’re in the early days of your career in law enforcement, you’ve no doubt learned about the processes for lawfully entering a location such as a residence in order to gather evidence. You might assume that gaining access to digital devices works much the same way, and that eventually, your colleagues in the digital forensics lab can access any phone or computer.

Unfortunately, lawfully obtaining data from smartphones and other electronic devices is nowhere near as easy as getting into a residence or office, even when you have reason to believe the phone holds key evidence. The difficulties of gaining access to digital evidence mean that law enforcement agencies must equip themselves with sophisticated technology for collecting and analyzing digital data.

The bottom line is that there are ways to get the evidence you need from digital devices – but it’s nowhere near as easy as you may think it is or should be.

The difference between places and phones

In the time before mobile phones, here’s how law enforcement officers searched a location like a residence for evidence: the officers wrote the investigation plan, got a search warrant signed, and then had lawful authority to enter that residence and search it.

In many ways, the law hasn’t evolved very much since the pre-smartphone era. Hence the same investigative process is being applied to the devices that sit in everyone’s pocket all the time. Since the law hasn’t evolved to describe a phone as something other than a “place,” officers must have a search warrant to gain legal entry into the phone.

But unlike doing a knock-and-talk and asking a person to let you into their house, most phones are not as open as a typical house might be. There’s still a parallel with traditional police work of the past: if the resident wasn’t home, officers would have to defeat a mechanical lock or, as times have evolved, a more sophisticated, high-tech lock. Ultimately, there’s technology out there for special entry when officers need to get into a house, and if all else fails, they can smash a window or break down a door. The bottom line is that they’ll get in the house eventually.

And that’s where mobile phones and computers are completely different. Phones are extremely secure and protected pieces of technology. Billions of dollars have been invested in making them secure, giving military-grade encryption to the average consumer, whether it’s a 12-year-old kid getting a smartphone for their birthday or a 50-year-old Hells Angels biker trying to protect all their secret communications.

The barriers of encryption and privacy

At this point, you may be asking yourself, “If I have the legal authority to get into this phone, why isn’t there a special way to just plug it in and make it happen? Why can’t I go to Apple or Samsung or Google and get assistance to perform this lawful investigation?” One word: privacy.

Technology companies have added unprecedented layers of encryption to devices, in response to consumer demand for better privacy. The social media companies are also highly protective of users’ privacy. Law enforcement agencies can subpoena tech device makers and social media companies, but the process is slow.

Forensic examiners can try “brute force” methods to guess passcodes and gain access to device data, assuming they have the technology to do this. But given the complexity of passwords and the delays that tech companies have built into operating systems to protect user passwords, the brute-force approach is lengthy and often unsuccessful.

Best practices for dealing with digital devices

So with these barriers to obtaining evidence, what can frontline officers do to assist their digital forensic labs in gathering available evidence from digital devices?

Bag and tag: The first and most helpful step: Bag and tag devices carefully, as you would with any physical evidence you might seize from a crime scene.

Shield the device from Wi-Fi or cellular connections: Use a Faraday bag, which will block such connections. If you can connect the device to a USB battery charger that does not turn off at 100% charge (to help keep the device on as long as possible), that’s even better.

Keep it on if it’s on: In the case of a digital device like a phone or tablet, the best practice is to keep the phone on if it’s already powered on, since examiners have a chance to obtain more data, even with encryption protections. Do not power off a device!

The goal is to keep the device in what’s called an “After-First-Unlock” (AFU) hot state. This means that the device has been kept “alive” after someone has entered a passcode, and since that time, it hasn’t been restarted or had its battery run out of power.

In an AFU state, digital forensic examiners with the right solutions can bypass the passcode and lawfully collect data from the device. The amount and type of data will vary by the phone’s model and operating system. For Apple devices running on the iOS operating system, AFU provides most of the data, but not emails, corporate calendars, or system logs. For Android devices, AFU provides essentially all of the data.
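To make the AFU distinction concrete, here is an added example (not code from the original column, from Cellebrite, or from any phone vendor) that models a passcode-gated key hierarchy in plain Python. The protection-class names, the file names and the sample contents are constructed for this model, and the HMAC-based keystream is a dependency-free toy, not a recommended cipher. What it shows is the mechanism behind the advice above: a class key that is evicted on screen lock makes its files unreadable as soon as the phone locks, a class key that stays resident after the first unlock keeps its files readable until the device reboots or loses power, and after a reboot nothing is readable without the passcode again.

```python
"""Toy model of passcode-gated file keys: why an AFU device yields more than a rebooted one."""
import hashlib
import hmac
import os
import secrets

# Hypothetical protection classes for this model (names are assumptions, not any vendor's API).
CLASS_COMPLETE = "complete"            # key held in RAM only while the device is unlocked
CLASS_AFTER_FIRST_UNLOCK = "afu"       # key stays in RAM from first unlock until reboot/power loss


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy construction to stay dependency-free)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class ModelDevice:
    def __init__(self, passcode: str):
        self.salt = os.urandom(16)
        kek = self._passcode_key(passcode)
        # Each class key is random; at rest it exists only wrapped under the passcode-derived key.
        self.wrapped = {}
        for cls in (CLASS_COMPLETE, CLASS_AFTER_FIRST_UNLOCK):
            class_key = secrets.token_bytes(32)
            self.wrapped[cls] = _xor(class_key, _keystream(kek, cls.encode(), 32))
        self.verifier = hmac.new(kek, b"passcode-check", "sha256").digest()
        self.ram_keys = {}      # class keys currently unwrapped in memory (empty = before first unlock)
        self.files = {}         # name -> (class, nonce, ciphertext)

    def _passcode_key(self, passcode: str) -> bytes:
        # A slow KDF models the per-guess cost that makes brute force lengthy.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 50_000)

    def unlock(self, passcode: str) -> bool:
        kek = self._passcode_key(passcode)
        check = hmac.new(kek, b"passcode-check", "sha256").digest()
        if not hmac.compare_digest(check, self.verifier):
            return False
        for cls, wrapped in self.wrapped.items():
            self.ram_keys[cls] = _xor(wrapped, _keystream(kek, cls.encode(), 32))
        return True

    def lock(self) -> None:
        # Screen lock: the complete-protection key is evicted, the AFU key is retained ("hot" AFU state).
        self.ram_keys.pop(CLASS_COMPLETE, None)

    def reboot(self) -> None:
        # Restart or battery death: every unwrapped key is gone (BFU state).
        self.ram_keys.clear()

    def write(self, name: str, cls: str, plaintext: bytes) -> None:
        key = self.ram_keys[cls]  # KeyError if that class key is not available right now
        nonce = os.urandom(12)
        self.files[name] = (cls, nonce, _xor(plaintext, _keystream(key, nonce, len(plaintext))))

    def read(self, name: str) -> bytes:
        cls, nonce, ciphertext = self.files[name]
        key = self.ram_keys[cls]  # KeyError when the class key is not resident
        return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))

    def readable(self) -> dict:
        """Which stored files could be decrypted in the device's current state."""
        return {name: cls in self.ram_keys for name, (cls, _, _) in self.files.items()}


def walkthrough(passcode: str = "2468") -> dict:
    """Unlocked -> locked (AFU) -> rebooted (BFU), recording what is readable at each step."""
    device = ModelDevice(passcode)
    if not device.unlock(passcode):
        raise RuntimeError("model passcode should unlock the model device")
    device.write("mail.db", CLASS_COMPLETE, b"constructed sample: inbox contents")
    device.write("photos.db", CLASS_AFTER_FIRST_UNLOCK, b"constructed sample: camera roll")
    states = {"unlocked": device.readable()}
    device.lock()
    states["afu_locked"] = device.readable()
    device.reboot()
    states["bfu_after_reboot"] = device.readable()
    return states


if __name__ == "__main__":
    for state, files in walkthrough().items():
        print(state, files)
```

The `afu_locked` row of the walkthrough is the state the column asks officers to preserve: the locked-but-never-rebooted device still holds the AFU class key, so the files in that class remain recoverable, while the complete-protection file (the model's stand-in for the email and similar data the column says iOS withholds in AFU) is not. Powering the device off collapses to the last row.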

Investigating beyond the device

There are other ways to help your forensic examiners gain access to devices, and these methods rely on standard investigative police work and thinking outside the box.

For example, a suspect with the latest-model smartphone, with all of its encryption and privacy protections, might have previous models around the house or at an office – devices that do not have such protections. Investigators may find it easier to obtain a password from an older smartphone, then attempt that password on the newer device.

Or perhaps there’s CCTV footage that shows the suspect entering their passcode. Careful analysis of the footage could uncover that password. Or perhaps other evidence could yield birthdays or addresses, information that’s commonly used in passwords. This is why the front-line officer’s job doesn’t end when the device is turned in: Keep your eyes and ears open for any information that can help the digital forensics team unlock access to vital evidence.

Forensic's monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high-profile cases from child exploitation to Osama Bin Laden’s digital media. Check back monthly for more digital intelligence as Mahalik takes on managing and sharing data, testing and validation, highly encrypted phones and more.
