In the ever-evolving landscape of litigation, the role of cell phone evidence has become increasingly prominent. The pervasiveness of smartphones means that crucial information is often in our hands, or at least in the hands of the phone’s user, waiting to be uncovered through meticulous digital forensics. There are two main sources of cell phone evidence: the records from the cell phone company and the data extracted from the cell phone device itself. This guide focuses on the evidence that can be extracted from the cell phone devices, shedding light on techniques, types of extractions, and the intricate analysis that follows. Intended not as a step-by-step tutorial but as a broad exploration, this guide aims to equip you with a nuanced understanding of the processes involved in a cell phone examination. In this post we will cover:
- Forensically Extracting Evidence
- Types of Extractions
- Analysis of Extractions
- Deep Dive
Before delving into the complexities of extracting evidence, it’s crucial to set the stage. Imagine a scenario where legal prerequisites have been met — preservation letters dispatched, court orders or consent obtained, and examination protocols established and agreed upon. Now, the focus shifts to extracting a forensic image from the memory of a cell phone. Generally speaking, the examiner must have physical possession of the phone to perform the extraction. There are options for remote extractions of cell phones, but the results are usually limited. So, the phone must go to the examiner, or the examiner must go to the phone. Shipping the phone to the examiner can cause some inconvenience to the user of the phone, but the usual turnaround is about three days. In instances where time is of the essence, or other factors prevent the phone from being shipped, the examiner can travel to the phone for the extraction. When considering travel time, airfare, and lodging, this option can be extremely expensive, but appropriate in the right cases.
Forensic tools play a pivotal role in this process. Notable players in this arena include Cellebrite Universal Forensic Extraction Device (UFED), Oxygen Forensic Detective, Magnet Axiom, MSAB XRY, and Susteen Secure View. For the sake of illustration, we’ll spotlight Cellebrite UFED. These toolsets usually have two parts: one tool for the extraction and another tool for the analysis. The extraction tool obtains the data from the device and the analysis tool makes sense of the data.
The process kicks off with meticulous preparation of the phone. Ideally the phone has been preserved since the incident, or at least since the preservation letter. Preservation means turning the phone off and not using it at all. For information on how evidence can be lost see my post at https://braveinvestigations.com/cell-phone-evidence-preservation-spoliation-demystifying-wear-leveling-garbage-collection/. Preparation includes ensuring the phone is fully charged — a seemingly simple yet pivotal step, as some phones won’t undergo forensic extraction unless the battery is at 100%. Further preparations are contingent on the phone type; for instance, adjusting screen auto-lock settings on iPhones.
Obtaining all account passwords, beyond the phone’s passcode, is ideal. Many personal cell phones are now used for business as well as personal purposes. If an employer offers reimbursement for the cost of the phone, the company will likely require the user to install a Mobile Device Management (MDM) application on the phone that helps secure the company’s data. MDM applications can require different passwords and logins than the rest of the phone and can cause problems with a forensic extraction. Having the login credentials for all the accounts on the phone will help ensure successful data extraction.
While it is possible to unlock most locked phones, such as a phone belonging to a deceased driver, the unlocking process is expensive and time consuming. Unlocking a locked phone usually involves sending the phone to a specialized lab.
Once prepared, the phone is connected to a computer running the forensic tool. Depending on the phone model, specific modes like Recovery or Device Firmware Upgrade (DFU) might be necessary. The forensic tool takes the reins, initiating the extraction process that can span from a few minutes to several hours, contingent on factors like extraction type, memory size, and data volume.
Understanding the types of extractions is crucial in navigating the digital maze. There are three primary extraction types: Logical, File System, and Physical. We can obtain a logical extraction on most phones, but file system and physical extractions are available on fewer phones. It seems the more sophisticated and higher-end the phone, the less intrusive the available extractions become. Until recently, logical extractions were the only available extractions for iPhones without jailbreaking the phone. We can obtain file system extractions on most high-end Androids, but physical extractions may not be available.
Logical Extractions: A Glimpse into User-Accessible Data
Logical extractions are the quickest, easiest, and least intrusive. They retrieve data readily accessible to the user: call logs, text messages, email messages, photos, videos, audio files, calendar entries, memos, and more. However, they generally miss deleted items and do not reach into the underlying application databases.
Some forensic tools offer an extraction called an advanced logical extraction. An advanced logical extraction will recover everything available in a standard logical extraction along with some system files and databases. At the most, it would extract everything that would be stored with an Android or iTunes backup. It’s not quite to the level of a file system extraction, but it does recover more valuable data and some deleted data.
File System Extractions: Unveiling the Operating System
File system extractions go a step further, recovering operating system files and some deleted data. This comprehensive view includes application databases and logs from specific apps such as Snapchat or Instagram.
Physical Extractions: Delving into Every Bit of Memory
Physical extractions are the most time-consuming and intrusive. They copy every bit of data, every 1 and 0, from the phone’s memory, recovering deleted data that has not yet been overwritten. While exhaustive, this method is also the most invasive. With encryption becoming more common on cell phones, physical extractions are not practical on most modern cell phones, especially higher-end models like iPhones and Samsung Galaxies.
Once the extraction is complete, the next phase involves analysis. The analysis tool is separate from the extraction tool. For example, if the Cellebrite UFED was used to perform the extraction, then the UFED Physical Examiner would be used to perform the analysis. There is some cross compatibility. Magnet’s Axiom can be used to analyze an extraction taken using UFED, but not all tools are compatible.
Opening the extraction in the analysis tool allows for searches for case-relevant information. Keywords like “crash” or “accident” become pivotal, revealing details that could be crucial in a motor vehicle crash case. The timeline feature aids in identifying activities on the phone during specific periods such as the time around the crash.
Reports can be generated, offering a concise overview of valuable information for legal proceedings. However, the scope of searches is limited to what the forensic software can find, varying between forensic tools and phones.
While forensic tools offer a comprehensive view, they might miss details residing in application-specific databases. A manual search of these databases becomes imperative for a more nuanced understanding. For instance, exploring the data usage database can unveil which applications accessed the internet at specific times.
Internet usage alone doesn’t necessarily indicate active use of the phone. We may find internet access by applications like Google Maps or Waze around the time of the crash; more than likely, this indicates the user was running a navigation application, which wouldn’t indicate active use. We may also find internet access by applications such as Instagram or Snapchat around the time of the crash. Again, the network traffic by itself doesn’t prove active use, but we can manually search the Instagram or Snapchat databases to see if messages were sent or received around the time of the crash, which would indicate active use. This kind of usage would not be recovered by a standard search using the forensic analysis tool.
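As an added illustration (not part of the original post, and not the schema of any real forensic tool or app database), the script below shows the manual database search described above: it loads two constructed, simplified tables standing in for a data usage database and a messaging app’s message store, pulls everything within a time window around a constructed crash timestamp, and flags active use only when a message was sent or received, treating network traffic by itself as context rather than proof.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed, simplified stand-ins for two databases pulled from a file system
# extraction. Real schemas (e.g. iOS DataUsage.sqlite, a messenger's message
# store) differ; the window-query technique is the same.
NETWORK_ROWS = [  # (app bundle, unix timestamp, bytes transferred)
    ("com.google.Maps",   1700000000, 48213),
    ("com.instagram.app", 1700000120, 9120),
    ("com.apple.weather", 1700004000, 1200),
]
MESSAGE_ROWS = [  # (app bundle, unix timestamp, direction)
    ("com.instagram.app", 1700000110, "sent"),
    ("com.instagram.app", 1700000140, "received"),
    ("com.instagram.app", 1700008000, "sent"),
]


def build_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE network(app TEXT, ts INTEGER, bytes INTEGER)")
    con.execute("CREATE TABLE messages(app TEXT, ts INTEGER, direction TEXT)")
    con.executemany("INSERT INTO network VALUES (?, ?, ?)", NETWORK_ROWS)
    con.executemany("INSERT INTO messages VALUES (?, ?, ?)", MESSAGE_ROWS)
    return con


def activity_window(con: sqlite3.Connection, crash_ts: int, minutes: int = 5) -> dict:
    """Return network and message rows within +/- minutes of crash_ts.

    'active_use' is True only if a message was sent or received in the window;
    network traffic alone (navigation, background refresh) is not treated as
    evidence of hands-on use, matching the reasoning in the text above.
    """
    lo, hi = crash_ts - minutes * 60, crash_ts + minutes * 60
    net = con.execute(
        "SELECT app, ts, bytes FROM network WHERE ts BETWEEN ? AND ? ORDER BY ts",
        (lo, hi)).fetchall()
    msgs = con.execute(
        "SELECT app, ts, direction FROM messages WHERE ts BETWEEN ? AND ? ORDER BY ts",
        (lo, hi)).fetchall()
    return {"network": net, "messages": msgs, "active_use": bool(msgs)}


if __name__ == "__main__":
    crash = 1700000100  # constructed crash time, seconds since the Unix epoch
    result = activity_window(build_db(), crash)
    for app, ts, direction in result["messages"]:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        print(f"{when} {app} {direction}")
    print("active use indicated:", result["active_use"])
```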
This guide has only scratched the surface of the intricate world of cell phone forensics. From extraction methods to the depths of data analysis, digital forensics is a multidimensional field that demands expertise.
In today’s legal landscape, where digital evidence can make or break a case, understanding the intricacies of cell phone forensics is not a luxury but a necessity. As you embark on this journey, remember, each case is unique, and the landscape of digital forensics is ever-evolving. For questions, guidance, or further exploration, don’t hesitate to reach out. You can contact me through the contact box on this page. The digital frontier awaits, and navigating it requires a blend of expertise, innovation, and a keen eye for detail.