What are some specific challenges that investigators face with mobile technology?

In 1973, when Motorola employees John F. Mitchell and Dr. Martin Cooper showed off the first hand-held mobile phone, the DynaTAC 8000x, no one could have dreamed of the power of today’s mobile devices. Today, there are over 7 billion mobile phones in use—more than one for every human being on earth. Many of us have multiple phones, while using a myriad of other connected gadgets. According to Business Insider, by 2017 we will each have 5 internet devices!

The USA began developing a mobile telephone network in the early 1980s. Phone development went through several phases, from the flip phone to the Blackberry. In 2007, Steve Jobs famously introduced the Apple iPhone, a “smartphone,” which revolutionized cell phones and likely society as a whole. With the creation of the smartphone came the ability to do more things with our phones: listen to music, play games, and most important—the use of mobile applications. Other smart gadgets continue to be developed, including Google Glass, tablets (iPad), and wearable technology like smartwatches. As a result of this new technology, the phone carriers continue to develop increasingly advanced networks to handle the massive user traffic.

The list of countries by number of mobile phones in use include:

• China: 1.2 billion
• India: 905 million
• USA: 327 million

Cell phones have gone from being a luxury to a necessity in the business world. With people and companies becoming increasingly connected, cell phones allow employees to perform job duties whenever and wherever they might find themselves. Almost every cell phone today has the capability of performing the same tasks that your computer can. You can access the Internet, write emails and send documents just like you were sitting at your computer. As cell phones have continued to get smarter and become a part of everyday work life, so has the use of mobile applications. Every 60 seconds:

• Google receives over 4,000,000 search queries
• Email users send over 200,000,000 messages
• Facebook users post over 2,000,000 pieces of content
• Amazon makes $83,000 in online sales

Since cell phone use has become ubiquitous in the work place, they now play a critical role in the theft of corporate intellectual property and other crimes. This has made it necessary for companies to include them when they receive court orders to produce evidence. While computer forensics has almost become commonplace, cell phone forensics presents several challenges for digital forensic examiners. Some of these challenges include the difficulty of acquiring cell phones, cell phone carrier location services tracking, and cell tower tracking technology.

Mobile Device Forensics vs. Computer Forensics

Mobile device forensics and computer forensics both attempt to accurately capture and analyze a device’s data. The intent is the same, but the challenges are quite different. In computer forensics, the major operating systems (OSs), such as Windows, Mac OS, and Linux, rarely change. With mobile forensics, the OSs are frequently updated and require vigilance to stay up to date. Mobile devices are designed to roam and are thus constantly communicating with the outside world. Because of this, proper evidence handling is extremely important to prevent the contamination of data stored. For instance, cell phones can be remotely commanded to wipe all of the data contained on the phone. Without proper isolation of the phone from wireless signals, mobile device examiners could lose everything!

Cell Phone Acquisition and Analysis Challenges

Cell Phone Acquisition

Today’s smartphones are essentially handheld computers, containing a treasure trove of information. Due to the differences in cell phone designs, some acquisitions will yield more than others. The following data types can possibly be acquired from mobile devices:

• Contacts
• Call history
• Text messages
• Photos and videos
• Audio (voicemail, music, etc.)
• GPS location
• Email
• Memos (notes)
• Calendar
• Documents
• Web history
• Applications (social media, user behavior, etc.)

Due to the challenges in supporting the constant flow of new phones and changing technologies that come with them, there is no one-size-fits-all solution to acquire cell phones. Cell phone acquisition falls into four main categories:

• Screen captures: A camera is used to take pictures of what’s on the cell phone screen. Sometimes this is the only way preserve cell phone data.
• Logical analysis: The practice of extracting the cell phone data that you see and can access on the device. This is the standard methodology used today.
• Physical analysis: The practice of extracting data from the physical memory of the device and removable memory.
• Chip level analysis: The practice of analyzing the storage chips in the phone by removing them from the device and probing them for data.

In most instances, it is sound forensic practice to attempt to acquire both a logical and physical acquisition. The logical image allows the examiner to access call logs, text messages, and email. The physical image allows the examiner to access deleted information and attempt to recover it. Chip level analysis is a relatively new science that is gaining traction within the cell phone forensics community. However, cell phone chip removal techniques and forensic digital device data recovery represent a very complicated science.

Case Study – Riley V. California

In 2009, David Leon Riley was arrested at a traffic stop. While in custody, the police searched Riley’s cell phone. Using information found on his phone, the police charged Riley with crimes unrelated to his initial arrest. A June 2014 Supreme Court decision made it mandatory for police to obtain a warrant before searching the cell phones of people they arrest.

Location Tracking – Where Is your Cell Phone?

Did you know that when you take a picture with a mobile phone, your location (measured in longitude and latitude) is typically embedded within it? Or when you use a mapping program for directions, this locational data is recorded? This location tracking methodology can be used by investigators to geographically track your activities.

Case Study – Russia v. Ukraine

In June 2014, during the ongoing Russia and Ukraine conflict, Russian tank commander Alexander Sotkin posted two photos of himself to his Instagram account from within the Ukraine. Up until that point, the Russian army had staunchly denied that its troops had crossed the Ukrainian border.

Which other methodologies can be used to find you?

• GPS: Satellites are used to pinpoint the location of the phone.

[Note -- FCC E911 regulations require wireless carriers to be able to track 911 callers.]

• Triangulation: Three cell phone towers are used to approximate the location of the phone.
• Wi-Fi Networks: Even with the GPS off, a phone can record Wi-Fi network connections. The network location can then be traced.
• Ping: Service provider asks the central switch the following question: “Where is the hardware associated with this phone number and billing record?”
• Rogue tower (Stingray): These are devices that impersonate cell towers, tricking phones into thinking you are the service provider. Originally designed for military and intelligence agencies, they have recently gotten into the hands of state and local law enforcement.

Cell Technology

The space in the air around us seems infinite, but it has limits. Wireless signals are like cars on a highway with a finite number of lanes or frequencies in which they can travel. There are a sufficient amount of lanes when just a few phones are transmitting. However, issues arise when there are hundreds or even thousands of devices trying to communicate within a small area. There simply isn’t enough space in the air for all of this chatter!

Cell phone technology was created to solve the issue of limited frequencies for wireless signals to travel. The solution is to divide the world into smaller sections called “cells.” Cells are visualized as hexagons on a grid, each containing a cell tower that handles calls. This allows the re-use of wireless frequencies in each cell, so that many phones can be used in the same small area. Each cell ranges in size depending on the population density within them, with dense urban areas having smaller cells. Cell phones operate within cells, and they switch to other cells as they move between them.

Mobile carriers operate Mobile Telephone Switching Offices (MTSO) which control the cell towers in its region. The MTSO handles the routing of calls and data through their cell towers and then weaves it into the land-based phone system. Since all cell phones have unique numbers associated with them, the MTSOs can identify the phones placing calls within its service area.

Cell Tower Records

The use of historical records from cell phone companies potentially allows for the tracking of a cell device without physical access to that phone. This is done by reviewing the Call Detail Records (CDR) kept by the phone’s service provider. Phone companies do not save GPS or triangulation data for an individual phone but they do keep logs identifying which cell phones were connected to their cell towers and at what time. Since cell towers and phones are constantly talking to each other, a caller’s general whereabouts and path of travel can be mapped.

The phone company’s logs are comprised of records indicating which cell tower the phone was connecting through, phone numbers involved in the call, call date, call duration and other details. Cell towers typically have 3 sensors, each tracking a 120-degree “pie” shaped area. The phone’s location is calculated from the angle it was facing the tower and the distance of the phone from the tower. So using these cell tower logs, a phone can be typically be placed within one of the 3 pies. Police and prosecutors have used this information to connect a suspect to the location of a crime.

In recent cases, the validity of placing a person at an exact location using CDR has been called into question. With each pie’s area potentially being many square miles, this technique introduces a large margin of error. Unlike highly accurate GPS or triangulation technologies, the only thing that you can say with confidence is that the phone connected to a cell site somewhere within a radius of many miles. To add to the difficulties, when someone places a call, it does not automatically go to the closest tower. It’s routed to the tower that the switching center thinks best, determined by many factors: weather, time of day, types of equipment and technology, and call traffic. Since each tower is designed to accommodate a set number of calls per second, the closest tower might be swamped and unavailable. If the closest tower is overloaded, the MTSO can route you to a farther tower. Because of these factors, the cell tower that receives a call is hard to predict as it could be picked up by a number of different cell towers in the area.

Case study - Lisa Marie Roberts

In 2002, Lisa Marie Roberts was imprisoned for murdering her girlfriend. The prosecution had cell records purportedly showing she used her phone where the body was found. Roberts claimed she was innocent, saying the call was made many miles away while she was driving on a highway. Without having actually seen the evidence, Roberts’ attorney urged her to take a guilty plea. This led to Roberts accepting a 15-year sentence for manslaughter. After years of continuing to assert her innocence, a public defender picked up Lisa’s case. The defense analyzed DNA evidence found on Robert’s girlfriend’s body, discovering that it belonged to a male who had been a suspect. Thorough analysis of the cell records showed that the cell tower her phone connected to was miles away from the murder scene. The defense’s experts used this to illustrate the inherent inaccuracy of relying solely on historic cell tower logs. In 2014, U.S. District Judge Malcolm F. Marsh threw out Roberts’ guilty plea, stating that “the presentation of expert testimony at trial, concerning the variables impacting the reliability of cell tower evidence to pinpoint a caller’s location, likely would have changed the outcome of the trial.” After 12 years, Roberts was released from prison.

Conclusion

Wireless devices are becoming an ever-growing part of our lives. Each time we use them for convenience, they record a part of our day. This data is increasingly being used by companies and law enforcement to create a timeline of our locations and actions that previously would have disappeared. Investigators should be careful to use this information responsibly and interpret it with accuracy. If not, what you thought would lead to digital heaven could send you straight to digital cell.

What are the challenges of mobile forensics?

Why are mobile devices something difficult to investigate in a forensic examination?

What is one of the challenges that forensic investigators face today?

What is the single most difficult issue facing forensic analysts investigating mobile devices?