Introduction
In our fast-paced digital era, cell phones have become an integral part of our daily lives, and their significance extends beyond personal communication. With a staggering 95% of Americans and 100% of individuals aged 18 to 29 owning cell phones (Pew Research Center), it’s safe to assume that most accidents involve at least one cell phone. Cell phones play a vital role in collecting evidence for many cases, including motor vehicle crashes.
Since we have our cell phones with us all the time, it’s reasonable to believe there’s at least one cell phone present in a car at the time of a crash. During daylight hours, about 481,000 drivers are actively using their cell phones while driving their vehicles (NHTSA, 2016). The information contained in a cell phone can have a significant impact on our cases.
However, preserving this crucial evidence is more complex than merely issuing a preservation letter. Normally, we would send the opposition a preservation letter. We would include language like “Preserve the cell phone,” or “Preserve Electronically Stored Information (ESI).” Is that enough? Probably not. To avoid spoliation, or argue spoliation after the fact, we need to understand how cell phones store information. Cell phones employ sophisticated technologies to store information, such as NAND flash memory. Understanding the intricacies of NAND, particularly wear leveling and garbage collection, is essential to safeguarding potential evidence and avoiding unintentional spoliation. Cell phones commonly perform wear leveling and garbage collection, two functions that can destroy evidence without any input by the user.
In this post we will delve into the world of cell phone evidence preservation, explore the mechanisms behind wear leveling and garbage collection, and offer actionable guidelines to ensure data integrity during investigations. By the end of this article, you’ll be equipped with the knowledge to tackle evidence preservation challenges effectively.
Understanding Cell Phone Memory and NAND Technology
It is pretty common knowledge that electronic information is stored in the form of 1’s and 0’s on the memory chip of the device. But not all memory is created equally. Most cell phones use a type of flash memory chip called NAND. NAND flash memory is a non-volatile storage technology, meaning it retains data even when the power is turned off. Compared with traditional hard drives, NAND memory is more resilient and better suited to the portability demands of modern devices.
NAND refers to the logical formula Not AND, which the technology uses to determine if a certain gate on the memory card shows a 1 or a 0. Going deeper into NAND technology is not the focus of this article. To simplify, we can think of each gate on the chip as a light switch. If the switch is on, it shows a 1. If it is off, it shows a 0. These switches are organized into pages and blocks on the chip to help the device’s operating system find the information. In the image, the blue areas represent blocks, and the green areas represent pages.
Wear Leveling: The Balancing Act
Wear leveling is a crucial technique employed by NAND memory manufacturers to extend the life of the memory chip. While NAND memory is highly durable, each memory cell has a finite number of read/write cycles before it fails. Wear leveling ensures that memory cells are used evenly across the device, preventing any one area from wearing out prematurely.
Imagine a heavily used block of memory containing frequently accessed data, like text messages. Without wear leveling, this block would wear out much faster than other areas, compromising the overall longevity of the cell phone’s storage. By distributing the wear evenly across the memory, wear leveling maximizes the lifespan of the NAND chip. In the image, the green pages represent erased pages, and the other colors represent pages with data.
Once wear leveling has moved the data to a new block, the original copy remains physically in the old block, but the operating system considers the old block unused. In this image, the old pages are represented in gray.
Garbage Collection: Managing Data Erasure
In NAND memory, data can only be written to an erased page. This means that before new data can be stored in a used area, the old data must be erased from it. However, NAND memory cannot erase individual pages within a block; the entire block must be erased at once. Erasing blocks of stale data ahead of time, so that erased pages are ready when they are needed, is the process known as garbage collection. If a block were erased only at the moment new data had to be written, every write on the phone would be slowed down.
As wear leveling redistributes data, the garbage collection process identifies blocks whose pages now hold only superseded copies. The data in these pages is marked as stale and is eligible for erasure. Once enough stale data accumulates, the garbage collection process triggers an erase operation, freeing up space for new data to be written. Until that erase happens, the stale copies are still physically on the chip; after it, they are gone.
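To make the wear leveling and garbage collection mechanics above concrete, here is a small toy model of a NAND chip (added example, not from the article or any real controller firmware). Pages are written once between erases, a delete only marks a copy stale, and a background erase runs whenever the phone is in use; the sample text message and cache entries are constructed, and the block sizes and thresholds are arbitrary assumptions.

```python
class Page:
    def __init__(self):
        self.data = None    # None = erased page (the article's green pages)
        self.stale = False  # True = superseded copy the OS treats as unused (gray)

class NandChip:
    def __init__(self, nblocks, pages_per_block=4, gc_threshold=2):
        self.blocks = [[Page() for _ in range(pages_per_block)] for _ in range(nblocks)]
        self.erases = [0] * nblocks       # per-block erase counts drive wear leveling
        self.gc_threshold = gc_threshold  # stale pages in a block that trigger an erase
    def write(self, data):
        self.garbage_collect()  # housekeeping runs in the background while the phone is in use
        for i in sorted(range(len(self.blocks)), key=self.erases.__getitem__):
            for p in self.blocks[i]:
                if p.data is None:
                    p.data = data
                    return
        raise RuntimeError("chip full")
    def delete(self, data):  # a "delete" only marks copies stale; the bytes stay on the chip
        for p in [p for blk in self.blocks for p in blk if p.data == data]:
            p.stale = True
    def garbage_collect(self):
        # enough stale pages in a block: relocate its live pages elsewhere, then erase
        # the whole block (NAND cannot erase single pages); stale copies are gone for good
        for i, blk in enumerate(self.blocks):
            if sum(p.stale for p in blk) < self.gc_threshold:
                continue
            live = [p.data for p in blk if p.data is not None and not p.stale]
            free = [p for j, b in enumerate(self.blocks) if j != i for p in b if p.data is None]
            if len(free) < len(live):
                continue  # nowhere to relocate the live pages yet
            for p, data in zip(free, live):
                p.data = data
            for p in blk:
                p.data, p.stale = None, False
            self.erases[i] += 1
    def recoverable(self, data):
        # what an examiner could still find on the chip: any page still holding the bytes
        return any(p.data == data for blk in self.blocks for p in blk)

def demo():
    chip = NandChip(nblocks=2)
    msg = "SMS 14:02 'on my way, driving'"  # constructed sample message
    chip.write(msg)
    chip.delete(msg)                        # the user or an auto-delete setting removes it
    after_delete = chip.recoverable(msg)    # True: logically gone, physically present
    for i in range(3):                      # phone stays in service; apps keep churning
        chip.write(f"cache {i}")
        chip.delete(f"cache {i}")
    return after_delete, chip.recoverable(msg)
```

The demo returns (True, False): the message survives its own deletion but is destroyed by ordinary use of the phone afterwards, with no further action by the user.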
Impact on Evidence Preservation
The complex nature of wear leveling and garbage collection poses challenges for evidence preservation. When sending a preservation letter, it’s important to consider that data may have already been moved due to wear leveling or erased through garbage collection if the phone remained in service, even if the opposing party complies with the preservation request.
Additionally, certain applications on cell phones, such as text messaging apps, may have automatic data deletion settings to optimize performance and free up memory. For example, both Android and iPhone offer settings to delete old text messages automatically. Thus, critical evidence can be unintentionally deleted before a preservation letter is even issued. I was curious as to the default settings on a phone, so I checked my iPhone. I had never adjusted the settings and found that the text messages were set to delete in one year even though Apple says the default setting is to retain all text messages forever.
This is one example of an application that will automatically delete old data after a period of time. Many applications can automatically delete data to free up space in the phone’s memory. If the user continues to use a target phone, a significant amount of data, potentially evidence, can be lost without the user intentionally deleting the data.
Guidelines for Effective Evidence Preservation
As digital forensics experts, we believe in proactive preservation strategies to ensure data integrity. We recommend educating both clients and opposing parties about the challenges posed by wear leveling and garbage collection. Providing clear and comprehensive guidelines can enhance the chances of good-faith preservation. Here are some recommendations:
Issuing a Preservation Letter: Start by sending a preservation letter to the opposing party, emphasizing the importance of preserving all relevant electronic evidence, including cell phone data.
Educating the Opposition: Include information about wear leveling and garbage collection in the preservation letter. Stress the significance of adhering to preservation guidelines to avoid unintentional data loss.
Airplane Mode & Power Removal: Advise the opposition to place the cell phone in Airplane Mode and turn it off to prevent any potential wear leveling or garbage collection during transportation and storage. Remove the battery if it is user removable and do not attempt to charge the phone. Be sure to preserve the battery, SIM card, power cord, and all components of the phone.
Radio Isolation: Instruct the opposition to remove the SIM card and place the cell phone in a Faraday bag or wrap it in aluminum foil. This prevents any accidental connections to Wi-Fi networks or data networks that might trigger garbage collection, remote deletion, or data corruption.
Forensic Examination Timeline: Emphasize that the cell phone should not be turned on until it can be examined forensically. This minimizes the risk of wear leveling, garbage collection, or other data corruption during the power-up process.
Password & Account Preservation: Request that the opposition record and preserve all passwords, passcodes, or patterns used to unlock the phone, along with user IDs and passwords for all accounts and profiles on the phone.
Placing the phone in Airplane Mode will ensure the phone is not able to connect to the internet when the forensic examiner turns the phone on for the examination. The examiner should already have removed the SIM card before turning it on, and the phone should not be close enough to connect to a known WiFi network, so Airplane Mode adds an extra layer of protection.
We don’t want a phone to connect to the internet when it is turned on for the forensic examination because both Android and iPhone users can remotely lock or delete their phones through the Google or iCloud accounts. Also, if the user stops using the target phone, but gets a new phone using the same Google or Apple account, when the target phone is turned on it will try to update with the current account. This could result in the deletion of old data, and the addition of data after the phone was preserved.
Turning the phone off will ensure no wear leveling or garbage collection will occur between the time the phone is powered off and the time the examiner powers it on for the examination. Certainly, some will occur during the power-up cycle, but there is less risk of significant loss of data. This matters less in a criminal case, where an examiner can typically examine the phone at the scene or within a few hours. In civil cases, it could be months or years before the phone can be examined. If the target phone was left on when collected, wear leveling and garbage collection could continue until the battery died, even if the phone were radio isolated.
Removing the battery will ensure the target phone can’t accidentally be powered on. iPhones and some high-end Androids don’t have removable batteries. Care should be taken that they aren’t accidentally powered on. The phones should not be connected to a charger until the examiner is ready to perform the examination. Many phones, including iPhones, will automatically power on when connected to a power source.
The phone should not be allowed to connect to the internet. As stated earlier, an internet connection could allow a phone to add or delete files or be locked or wiped remotely. Removing the SIM card will ensure the phone can’t connect to the carrier’s cellular data network, but a phone without a SIM card can still connect to a known WiFi router. Putting the phone in a Faraday bag, or wrapping it in aluminum foil, will ensure the phone can’t connect to a known WiFi network. A Faraday bag is a purpose-built bag that doesn’t allow radio waves to penetrate it, so the phone can’t connect to the internet.
If the phone previously used WiFi at a Starbucks, and the WiFi is set to connect automatically, the phone could connect with a Starbucks WiFi if it was on and close enough to a Starbucks to receive the connection, even if the SIM card was removed.
If we provide instructions in the preservation letter, we give the recipient the opportunity for good-faith preservation of the data. If the recipient doesn’t follow the instructions, once we can examine the phone, we will know whether the instructions were followed based on activity on the phone after the preservation letter, and we will have a good argument for spoliation.
These instructions should also motivate the opposition to produce the phone promptly, so the user can resume using it without having to get another phone.
Proactive Approach for Our Clients
For our clients who receive preservation letters, we recommend taking a proactive approach to preserve their data while continuing to use their phones. Encourage clients to have their cell phones forensically examined and create a forensic image that retains all relevant data. Once the legal demand for the phone is presented, the forensic image can be produced, ensuring the preservation of vital evidence.
Clients can also set their phones to automatically back up to the cloud when a case is imminent, and no preservation letter has been received. If a preservation letter is subsequently issued, clients can obtain a new phone of the same type and restore it from the cloud, ensuring minimal disruption to their daily routines.
Conclusion
In conclusion, the effective preservation of cell phone evidence requires a thorough understanding of wear leveling and garbage collection. By educating ourselves and others, issuing preservation letters, and providing comprehensive guidelines, we can increase the chances of preserving valuable evidence. Emphasizing a proactive approach, both for clients and the opposition, can significantly enhance data integrity during investigations.
Brave Investigations to offer our clients the best possible service. By demystifying complex concepts like wear leveling and garbage collection, we empower our clients and partners with the knowledge needed to navigate the challenges of evidence preservation successfully.
Resources
Distracted Driving, National Highway Traffic Safety Administration. Retrieved from https://www.nhtsa.gov/risky-driving/distracted-driving.
How to Automatically Delete Old Text Messages on iPhone, Android (January 23, 2015), Gadgets 360. Retrieved from https://gadgets.ndtv.com/apps/features/how-to-automatically-delete-old-text-messages-on-iphone-android-652850.
Mobile Fact Sheet (February 5, 2008), Pew Research Center. Retrieved from http://www.pewinternet.org/fact-sheet/mobile/.
Nuncic, M. (January 24, 2019). How does wear leveling make your SSD live longer? Retrieved from https://www.ontrack.com/blog/2019/01/24/how-does-wear-leveling-make-your-ssd-live-longer/.