How to Access Digital Evidence that Doesn’t Demand Decryption

co-authored by Stephanie Kurtz, Digital Intelligence Advisor, Cellebrite

It’s no secret that strong encryption has made life much harder for the digital forensics examiners who want to help solve crimes and keep citizens safe. Much of the data that examiners and investigators want to access and analyze, such as images, messages, and emails, can remain inaccessible without the device passcode or sophisticated tooling that can lawfully bypass or break the encryption.

And even when data can be obtained from the device, it may not give the full forensic picture that investigators need for prosecutors to build a convincing case.

However, there is data available that does not require defeating device encryption at all, and that can corroborate evidence obtained through other methods, as outlined below.

Warrant returns

Because much of the data in a suspect’s or witness’s social media applications lives in the cloud rather than on the handset, investigators can obtain warrants from a court and serve them on cloud service providers such as Google and on social media companies such as Facebook and Twitter.

Just as with a warrant to search a home or place of business in the course of a criminal investigation, the warrant application must make the case for obtaining the cloud data, including the probable cause behind the request and the requestor’s legal authority to access it. The “warrant return” is the data the provider hands back once the warrant has been served.

The advantage of warrant returns is that investigators can obtain cloud data without decrypting the phone. The disadvantage is that they may have to wait a long time, if they ever get the data at all. The major Silicon Valley tech companies are notoriously reluctant to hand user data to law enforcement agencies, citing their users’ right to privacy of their information, and such delays can stall investigations for which the data is critical.

When a return does arrive, it often comes in the provider’s own bulk-export layout rather than in a form a forensic tool parses directly, which makes it more time-consuming to analyze than data taken straight from a phone and lengthens processing and analysis time for digital forensics teams.

Call detail records and text messages

The records of calls to and from a device should be considered the “low-hanging fruit” of investigations. Call detail records, or CDRs, list the phone numbers involved together with the date, time and duration of each call, and carrier returns commonly include the cell site that handled it.

CDRs are held by wireless carriers, not by cloud and app providers such as Google or Facebook. Generally speaking, this kind of account data is much easier to obtain from a carrier than highly personal social media data is from a platform. Law enforcement agencies have been requesting such records from carriers since the advent of mobile phones, so it is a routine “ask.”

Investigators can also request text message records from wireless carriers, provided the phone and its user send and receive messages with the device’s “native” SMS/MMS capability rather than through an app such as iMessage or WhatsApp, whose traffic the carrier never sees in readable form. Carriers also retain message content for far shorter periods than they keep call and message metadata, so a request for content should be made promptly.

Tower pings

A cell phone “ping” is the record created when a phone registers with a cell tower. Devices “report” to the network periodically and whenever they place or receive calls, texts, or data, so that the carrier knows the device is reachable, and the carrier logs which cell site (and usually which sector of it) served each event. A related technique, loosely called “triangulation,” combines records from several towers with signal timing and strength measurements to estimate where a phone was at a given time. It is not GPS: the result is an area the size of a cell sector, from a city block in dense urban coverage to several kilometres across in rural areas, rather than a point.

Cell phone pings and triangulation data are held by wireless carriers. Ping and triangulation data can also be matched against other data obtained from the device itself, or via warrant returns from cloud or social media companies. For example, if the ping data agrees with mapping data or turn-by-turn directions found in the phone’s apps, investigators can give prosecutors corroborating evidence that strengthens their case.
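The kind of cross-check described above, as an added example that is not part of the original column and not Cellebrite’s tooling: a carrier call-detail return (with the serving cell site for each call) is lined up against the call log pulled from the handset. The CSV layouts, column names, phone numbers and cell-site identifiers are all constructed for the illustration, and the device is assumed to have been set to UTC-5; no real carrier export format is reproduced.

```python
"""Line up carrier call-detail records against a device-side call log.

Added example; it is not Cellebrite's or the column's own tooling. The
CSV layouts, column names and every record below are constructed for
illustration and do not reproduce any real carrier's export format.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed carrier CDR return: start times in UTC, plus the serving
# cell site and sector for each call.
CARRIER_CDR = """\
start_utc,direction,other_number,duration_s,cell_site,sector
2023-03-04T19:02:11Z,MO,+15555550123,184,CS-4471,2
2023-03-04T19:40:57Z,MT,+15555550199,12,CS-4471,1
2023-03-04T20:05:30Z,MT,+15555550123,40,CS-4471,2
2023-03-04T21:15:03Z,MO,+15555550123,65,CS-1902,3
"""

# Constructed device call log as a handset extraction might list it:
# local time with no zone marker, so the examiner must supply the zone.
DEVICE_CALLS = """\
local_time,type,number,seconds
2023-03-04 14:02:10,outgoing,555-555-0123,185
2023-03-04 14:40:58,incoming,555-555-0199,12
2023-03-04 16:14:59,outgoing,555-555-0123,64
2023-03-04 18:30:00,outgoing,555-555-0777,30
"""

# Assumption for the example: the handset was set to US Eastern Standard Time.
DEVICE_TZ = timezone(timedelta(hours=-5))


def normalize_number(raw):
    """Keep only digits, and only the last ten, so '+1 555-555-0123'
    and '555-555-0123' compare equal."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    return digits[-10:]


def parse_cdr(text):
    """Parse the carrier CSV into dicts with timezone-aware UTC timestamps."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(r["start_utc"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
        rows.append({"ts": ts, "dir": r["direction"],
                     "num": normalize_number(r["other_number"]),
                     "dur": int(r["duration_s"]),
                     "site": f'{r["cell_site"]}/{r["sector"]}'})
    return rows


def parse_device(text, tz):
    """Parse the device CSV, attach the device's zone and convert to UTC.
    Supplying the wrong zone is the classic way a correlation silently fails."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(r["local_time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        rows.append({"ts": ts.astimezone(UTC),
                     "dir": "MO" if r["type"] == "outgoing" else "MT",
                     "num": normalize_number(r["number"]),
                     "dur": int(r["seconds"])})
    return rows


def correlate(cdr, device, window=timedelta(seconds=5)):
    """Pair each carrier record with a device record for the same party and
    direction whose start time lies within `window` (clock-skew tolerance).
    Returns (matched pairs, carrier-only records, device-only records)."""
    matched, carrier_only, used = [], [], set()
    for c in cdr:
        hit = None
        for i, d in enumerate(device):
            if i in used:
                continue
            if d["num"] == c["num"] and d["dir"] == c["dir"] and abs(d["ts"] - c["ts"]) <= window:
                hit = i
                break
        if hit is None:
            carrier_only.append(c)            # on the network, not on the phone
        else:
            used.add(hit)
            matched.append((c, device[hit]))  # the pair carries the cell site
    device_only = [d for i, d in enumerate(device) if i not in used]
    return matched, carrier_only, device_only


if __name__ == "__main__":
    m, c_only, d_only = correlate(parse_cdr(CARRIER_CDR), parse_device(DEVICE_CALLS, DEVICE_TZ))
    for c, d in m:
        print(f"{c['ts'].isoformat()} {c['dir']} {c['num']} served by {c['site']}  device={d['ts'].isoformat()}")
    print("carrier-only:", [(c["ts"].isoformat(), c["num"]) for c in c_only])
    print("device-only:", [(d["ts"].isoformat(), d["num"]) for d in d_only])
```

The carrier-only record (a 40-second incoming call at 20:05 UTC with no device counterpart) is what a deleted call-log entry looks like from the carrier side; the device-only record is a call the carrier never saw, which is typical of app-based calling. Each matched pair carries the serving cell site, which is the hook for comparing against mapping or navigation data from the phone. Running parse_device with the wrong zone (for instance UTC) produces no matches at all, which is why confirming the handset’s time zone setting belongs at the start of the comparison, and the five-second window is a judgement call that should be widened if the device clock is known to drift.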

Best practices for obtaining and using digital data from other sources

In general, the more specific the request, the better the chances you will receive data. The advice below applies to requests for cloud data, pings, or call and text records.

1. Stress the specific data needed for the investigation. A fishing expedition, such as asking for “all account data,” will not go over well with corporate attorneys who are already inclined to decline your request. Articulate what you need, which accounts and date ranges it covers, and why you need it.

2. Establish the legal authority to obtain the data. Grounds to suspect a person, or even to arrest them, do not by themselves authorize a search of that person’s data: an officer may have the legal authority to arrest someone for robbing a grocery store but still needs a warrant to search the suspect’s home, and the suspect’s accounts are no different. Cite the warrant, court order or subpoena in the request so the provider’s counsel can see the authority at a glance.

3. Match the data with what investigators have already obtained from the device. Carrier and cloud records share identifiers with the device extraction (phone numbers, account names, timestamps), which is what makes correlation possible. Check time zones before comparing timestamps, since carrier records are commonly in UTC while device records may be in local time. Your forensic lab’s digital evidence solution may be able to ingest data from cloud providers or wireless carriers without adding a good deal of manual work for examiners.

4. Strengthen knowledge of data management. Examiners need to know what data is stored on devices and what is stored in the cloud, and how it is stored. Basic knowledge is enough: no one needs to be a software engineer to grasp the essential rules of data storage, but it does help to understand what types of data can be requested from a wireless carrier versus a cloud provider.

5. Protect digital data just as you would any other type of evidence. Data from wireless carriers or cloud providers can arrive in many forms: most likely as a digital file, but also on a hard drive or optical disc. However it arrives, the chain of custody must be maintained and carefully logged. Compute and record a cryptographic hash of each file on receipt, along with the date and the person handling it, so that integrity can be demonstrated later. If the data arrives on a disk drive, for example, there should be a permissions policy covering who may handle the disk, who may copy data off it, and so on.
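What the intake and custody logging in the last point looks like in practice, as an added example that is not part of the original column and not Cellebrite’s procedure: every file in a return is hashed on receipt, the manifest is recorded, and each custody event is appended to a log in which every entry carries the hash of the entry before it, so that later edits to either the data or the log are detectable. File names, handler names, the case number and the log layout are assumed for the illustration, and the sample return is constructed in a temporary folder when demo() runs.

```python
"""Intake a carrier or cloud return: hash every file, write a manifest and keep
an append-only, hash-chained custody log that can be re-verified later.

Added example, not Cellebrite's or the column's own procedure. File names,
handler names, case number and log layout are assumed for illustration; the
sample files are constructed in a temporary folder when demo() runs.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous line" hash recorded by the first custody entry

def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large returns never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def intake(root, handler, case_id):
    """Walk the return exactly as received; record path, size and hash of every file."""
    files = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            files.append({"path": os.path.relpath(p, root),
                          "size": os.path.getsize(p), "sha256": sha256_file(p)})
    files.sort(key=lambda e: e["path"])
    return {"case": case_id, "handler": handler,
            "received_utc": datetime.now(timezone.utc).isoformat(), "files": files}

def append_custody(log_path, event, handler, manifest):
    """Append one custody event. Each line stores the hash of the previous line,
    so editing or dropping an earlier entry breaks the chain."""
    prev = GENESIS
    if os.path.exists(log_path):
        with open(log_path, "rb") as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    # one hash over the sorted file list identifies the whole return
    digest = hashlib.sha256(json.dumps(manifest["files"], sort_keys=True).encode()).hexdigest()
    record = {"event": event, "handler": handler, "prev": prev, "manifest_sha256": digest,
              "at_utc": datetime.now(timezone.utc).isoformat()}
    with open(log_path, "ab") as f:
        f.write(json.dumps(record, sort_keys=True).encode() + b"\n")
    return record

def verify_files(root, manifest):
    """Re-hash the return; list files that are missing or differ from intake."""
    return [e["path"] for e in manifest["files"]
            if not os.path.exists(os.path.join(root, e["path"]))
            or sha256_file(os.path.join(root, e["path"])) != e["sha256"]]

def verify_log(log_path):
    """Confirm every custody entry chains to the one before it."""
    prev = GENESIS
    with open(log_path, "rb") as f:
        for line in f.read().splitlines():
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line).hexdigest()
    return True

def demo():
    """Construct a small return, intake it, then show both kinds of tampering being caught."""
    root, logdir = tempfile.mkdtemp(), tempfile.mkdtemp()
    with open(os.path.join(root, "subscriber.txt"), "w") as f:
        f.write("constructed subscriber record\n")
    cdr_path = os.path.join(root, "cdr_2023-03.csv")
    with open(cdr_path, "w") as f:
        f.write("start_utc,direction,other_number\n2023-03-04T19:02:11Z,MO,+15555550123\n")
    log = os.path.join(logdir, "custody.log")
    manifest = intake(root, "examiner A", "CASE-0001")
    append_custody(log, "received from carrier on optical disc", "examiner A", manifest)
    append_custody(log, "copied to analysis workstation", "examiner B", manifest)
    result = {"clean": verify_files(root, manifest), "log_ok": verify_log(log)}
    # A data file is altered after intake: the re-hash names exactly that file.
    with open(cdr_path, "a") as f:
        f.write("2023-03-04T22:00:00Z,MO,+15555550999\n")
    result["changed"] = verify_files(root, manifest)
    # The first log entry is rewritten: the second entry's stored hash no longer matches.
    with open(log, "rb") as f:
        lines = f.read().splitlines()
    first = json.loads(lines[0])
    first["handler"] = "examiner C"
    lines[0] = json.dumps(first, sort_keys=True).encode()
    with open(log, "wb") as f:
        f.write(b"\n".join(lines) + b"\n")
    result["log_ok_after_edit"] = verify_log(log)
    return result

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is what gets cited in reports and handed to the next examiner; verify_files answers “is this still the return we received” and verify_log answers “has anyone quietly rewritten who handled it.” The hash chain only detects tampering, it does not prevent it, so the log itself still needs the same access controls the point above asks for on the physical media.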

Forensic's monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high profile cases from child exploitation to Osama Bin Laden’s digital media. Check every month for more digital intelligence as Mahalik takes on managing and sharing data, testing and validation, highly encrypted phones and more.

 
