June 16, 2016
Holistic Mobile & Cellular Investigations
I’ve been attending a lot of training lately. Because my training and experience originated in law enforcement and in computer forensics, and because the field of mobile device forensics has expanded so much, I have been catching up on newer methods & tools for computer analysis and getting additional formal training, education and experience in the field of mobile device forensics. Two of the courses I’ve completed in the past couple of months are the IACIS Mobile Device Forensics (MDF) course and the Smartphone Forensics and Cellular Technology (+SMART) course offered by PATCTech and Lead Instructor Glenn Bard.

To be clear, many of the ideas in this blog were not originally my own, but I also haven’t seen them compiled in one place (i.e., I’ve been to multiple trainings to glean this information), so I wanted to put them forth in a concise blog entry for consideration by the greater digital forensic & investigative community.
What Does “Holistic” Mean in Mobile Forensic Investigations?
The Scientific Working Group on Digital Evidence (SWGDE) states in their document entitled Best Practices for Mobile Phone Forensics that “Various tools at multiple levels of analysis may be required to provide a holistic view of the data contained within the mobile phone, identity module, or associated storage media.” This notion of a “holistic view of the data” is repeated in different terms in publications by NIST and other digital forensic governing bodies.
But what does “holistic” mean with regard to mobile forensics? It means attempting to gain as complete a picture of the evidence as possible, in every investigation. This is generally understood to mean that we should invest in, validate and use multiple forensic tools in order to ensure we have all of the evidence and information we can get. In mobile device forensics this is particularly important because mobile devices run the gamut of software versions, hardware manufacturers, network providers, natively supported and unsupported apps and so on. Obtaining a holistic view of the data becomes especially pertinent when the search may involve deleted items such as text messages, web(kit) history, app communications and other important evidence stored in the multitude of SQLite database tables.
But the SWGDE document doesn’t address other areas of evidence, like wireless (wifi) routers, call detail records (CDRs) and IP connection logs. As Glenn Bard reiterates in the +SMART course, each of these valuable sources of data, when combined with the mobile forensic examination of the device itself, can help put the pieces of the digital puzzle together to tell us virtually the entire story. For instance, if you seize the mobile device of a suspect accused of illicit communication with a minor, they may have been using a mobile app such as Yahoo! Messenger to facilitate this communication. When they’re communicating away from home or work, the call detail records and data logs will help corroborate the data usage and possible location at the time of communication, and will provide data to compare against the Yahoo! Messenger chat logs recovered through your mobile forensic examination. If the device is seized at a known location (such as home or office), the wifi router can be interrogated to see when the device was connected, and that can be compared to the gaps in cellular data connectivity. The router will also display the external IP address, which can be compared to search warrant or court-ordered connection logs received from Yahoo! (and yes, I know that no kids use Yahoo! Messenger anymore, but just go with it). When you put all of these pieces together, it becomes clearer what is meant by a holistic mobile forensic investigation. Furthermore, when you research the suspect through online databases and background checks, even more information lends itself to the investigation. The amount of data we can obtain in order to prove or disprove the case is staggering.
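As an added illustration (not code from the original post), the Python sketch below lines up the four sources just described: the chat log recovered from the handset, the carrier’s call detail records, the home router’s association log and the chat provider’s connection log. All records are constructed samples; the script reports, per message, which independent sources corroborate it and whether the router’s external IP agrees with the IP the provider logged, so a mismatch can be flagged for follow-up.

```python
from datetime import datetime, timedelta
T = datetime.fromisoformat  # "YYYY-MM-DD HH:MM:SS" -> datetime
# All records below are constructed samples, not real case data.
# Chat messages recovered from the handset's app database (time, direction, text).
CHAT_LOG = [
    (T("2016-06-01 12:10:00"), "sent", "msg 1"),
    (T("2016-06-01 19:05:00"), "sent", "msg 2"),
    (T("2016-06-01 19:50:00"), "recv", "msg 3"),
    (T("2016-06-01 21:30:00"), "recv", "msg 4"),
]
# Carrier call detail records (start, end, record type, serving cell site).
CDRS = [
    (T("2016-06-01 12:00:00"), T("2016-06-01 12:30:00"), "DATA", "site 2241"),
    (T("2016-06-01 13:00:00"), T("2016-06-01 13:02:00"), "VOICE", "site 2241"),
]
# Home router association log (client MAC, connect, disconnect, router's external IP).
ROUTER_LOG = [
    ("aa:bb:cc:dd:ee:ff", T("2016-06-01 18:40:00"), T("2016-06-01 20:15:00"), "203.0.113.7"),
]
# Chat provider's connection log (time, client source IP as seen by the provider).
PROVIDER_LOG = [
    (T("2016-06-01 12:10:30"), "198.51.100.23"),
    (T("2016-06-01 19:05:10"), "203.0.113.7"),
    (T("2016-06-01 19:50:05"), "192.0.2.44"),
]

def corroborate(ts, tolerance=timedelta(minutes=5)):
    # Collect every independent source that places the device online at ts.
    sources = {}
    for start, end, kind, site in CDRS:
        if kind == "DATA" and start - tolerance <= ts <= end + tolerance:
            sources["cellular"] = site       # carrier data session on this cell site
    for _mac, conn, disc, ext_ip in ROUTER_LOG:
        if conn <= ts <= disc:
            sources["wifi"] = ext_ip         # handset associated to the home router
    for seen, ip in PROVIDER_LOG:
        if abs(seen - ts) <= tolerance:
            sources["provider_ip"] = ip      # provider saw the account from this IP
    return sources

def build_timeline(chat_log=CHAT_LOG):
    # One row per message: corroborating sources, and whether router and provider IPs agree.
    rows = []
    for ts, direction, text in sorted(chat_log):
        s = corroborate(ts)
        ip_match = (s["wifi"] == s["provider_ip"]) if "wifi" in s and "provider_ip" in s else None
        rows.append({"time": ts, "direction": direction, "text": text, "sources": s,
                     "corroborated": bool(s), "ip_match": ip_match})  # ip_match False => follow up
    return rows
```

In the sample data, "msg 3" is sent while the handset is on the home router but the provider logged a different source IP; that row comes back with ip_match False and is the one an examiner would chase down (another device, a VPN, or a record-keeping error).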
Other Cases Investigated Holistically
Criminal cases oftentimes bear the most available evidence because the stakes can be very high, but the hunt by no means ends there. Consider these brief examples of where putting all of these data sets together can help paint a clear picture for the judge & jury when representing clients in other types of cases as well:
Missing Persons
Whether the search is for a missing adult, an endangered person or a child who, like many children in the modern era, has a smartphone, there is information available to help find them through call detail records, mobile device backups stored on computer systems and cloud data. The key, however, is to look in ALL available areas and to keep the attempts at communication with the mobile device ongoing as long as possible. When we consider that the mobile device the missing person has in their possession has the capability to tell us where they are or were last known to be, the power of that data in the hands of the right person to help bring them home or find them is undeniable. A case-specific example of this is located here.
Personal Injury
Insurance companies and law firms working large-claim personal injury cases can use mobile data to help prove or disprove the claim through an independent digital forensic analyst. Even if you can’t get the claimant’s cell phone (which you should be able to), the call detail records can often put the claimant in a certain location during the time of the incident, or away from the incident location. Are they claiming a nebulous neck or back injury that can’t be effectively diagnosed? Do you have doubts about the veracity of their claim? A court order to turn over all cellular connection detail records before, during and after the time of the incident can help prove or disprove the claim. Even the lack of usage as compared to normal usage can be useful information when dealing with a potentially false claim.
On the plaintiff’s side, obtaining a court order to present the defendant’s mobile device for analysis is always a good idea. Going further and getting their call detail records in cases such as texting-while-driving claims, negligence, malfeasance or civil claims arising from criminal charges or an investigation could help prove the case as well.
Divorce & Child Custody
It’s a fact that many divorce claims originate from alleged infidelity on the part of one or more parties, but how do you prove it? Time & location. We routinely work cases where one party in a divorce has filed a Motion to Compel the opposing party to produce their mobile device, which is generally great evidence. But by also obtaining a court order for call detail records and tower location data, we can map out a timeline of locations based upon the data. Put that information together with the known or suspected location(s) of other involved parties and it paints a pretty damning picture. As I tell groups all the time, affairs are conducted on mobile devices. Plain & simple.
If the claim involves child custody and one party believes the other is engaged in some inappropriate, unwanted or even illicit behavior, these same records can help prove or disprove that as well. It’s all about the data and the ability to put it all together for presentation to a judge or jury, which is an intangible asset that every forensic examiner must have.
Fraudulent Insurance Claims
I’m sure by now the point is becoming clear, but it bears pointing out that when an insurance company is presented with a high-dollar claim of damage to property or loss, all of this mobile device & cellular data can be immensely helpful. Most Special Investigative Unit (SIU) investigators probably don’t know what is available, but simply consider that there are more mobile devices on planet earth than there are people. That means that virtually everyone has at least one, and with only 5 basic cell providers in the US, the search for the data you need to help prove whether or not the claim is fraudulent becomes a bit more narrowed. Questions that can be answered include:
- Where was the claimant (or their device) before, after or at the time of the incident?
- What was the level of usage before, during and after the incident?
- To whom did the claimant send text messages, picture messages, calls, etc. around the time of the incident?
- Were there any data connections before, during or at the time of the incident, and from where?
- If the mobile device can be analyzed, does the information contained in the above-cited records mesh with what is present on the mobile device?
- Is spoofing involved in the claim? If so, call detail records can help identify the originating number(s) and/or locations.
Conclusions
Hopefully by now, law enforcement, civil attorneys and investigators can start to see the impact this mobile device data and analysis can have on their cases. Does this take a lot of time and analysis? Absolutely! But anything worth doing is worth doing right, and in mobile digital investigations, the right way is the holistic way – leaving no stone unturned and getting all of the available information into the hands of the people who know what to do with it.

Some tips that can increase the likelihood of finding the evidence you need in the cited examples include:
- If looking to use call detail and cell tower records to find someone, keep calling the phone, even if it goes to voicemail. Cell tower location effectiveness depends on the device having communication with the towers, so even if the call doesn’t go through, it will keep the breadcrumb trail going until the device is discarded and/or the battery dies.
- Know the limitations of record keeping in its various forms by cell providers and submit a preservation letter as soon as practicable when cell records may be a factor in your case. Records aren’t kept forever and different carriers keep different data sets different amounts of time.
- Don’t forget about the not-so-obvious places evidence might be stored such as computer backup files, discarded devices from a recent upgrade and even cloud data. All of this can help a properly trained examiner and investigator get a more holistic view of the case.
We don’t use one tool. We never look at the data from just one perspective, and we discourage clients who want us to do so. Is every piece of information always going to be available in every case? No. But the more information we have during the investigation, the better equipped we are to help prove or disprove the theory of the case and paint the best picture possible for the judge and/or jury.
Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally
We Find the Truth for a Living!
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history. A graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and various online investigation schools (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations.