Cyber Space

How to maintain the chain of custody for mobile forensic evidence

Evidence on mobile devices is not just limited to photos, videos, text messages and the call log. Increasingly, investigators are reliant on evidence collected from a suspect’s cell phone or other mobile device, creating a specialty area within the investigatory universe called mobile data forensics.

Because all evidence brought to trial must be done under forensically sound conditions with a solid chain of custody, new challenges are presented when dealing with evidence mined from a device that is inherently connected to a large network such as a Wi-Fi connection or the cellular telephone provider network.

Focus on Data, Not the Device
One of the things people forget is that the evidence is the data on the device and not the device itself. Investigators are usually diligent in ensuring the chain of custody for the device and make sure they have the device secured, but they might forget to have the same level of attention to detail for the chain of custody for the data stored on that device – how that data is preserved and accessed during the investigation.

The most glaring example of this is the time during which a phone is initially seized and taken into custody. At this time, it should be immediately put into a Faraday bag, which can block cellular and Wi-Fi signals, preventing anyone from remotely accessing the phone and sending text messages and phone calls to it.

Joe LeFevre, a coordinator for forensic science training and police recruit fitness at the Fox Valley Technical College Public Safety Training Center, says that evidence from a cell phone can be easily compromised if not properly and quickly secured in a Faraday bag.

“If I’m trying to say no data on this phone has been changed since the time I took it as evidence, and I took it as evidence at 5:14 on Thursday afternoon and it is getting text messages repeatedly over the next three days until the battery dies, have I really kept that phone from receiving more data? Have I really kept that evidence pristine to this point from the time that I collected it?” LeFevre asks.

The short answer is probably ‘no’ and that can cause problems down the line. This one issue underscores the supreme importance of the Faraday bag; however, LeFevre thinks that a significant number of agencies don’t even have Faraday bags, much less use them properly.

“One of the problems is that when you actually click on any of the buttons on the phone or swipe on the phone to bring up the screen, you’re altering the data on the phone again because you are initiating information into the operating systems log files saying the phone was shut down by a power switch or via the touch screen at this time on this date. So again, I altered the data. We used to be able to just pull the batteries out of the phones, which was an easy fix. But now Androids and iPhones may have a sealed case where you can’t access the battery anymore.”

Download, Copy, Kill
One possible solution would be to download everything off the phone as quickly as possible and then kill the phone. With some of the different technologies available, officers and investigators in the field can download all the data right there. This is perhaps the easiest way to ensure the chain of custody is maintained. The copied data is then copied again, and it is the second copy which is analyzed during the investigation. This way, there is always going to be a pristine copy of the original set of data from the phone.

Log the Chain of E.vidence
After the copy is made from the pristine original download, investigators simply log the chain of evidence from the data as they would any other evidence. Any person who interacts with the data is logged, and the investigation proceeds. As long as proven chain-of-evidence procedures are followed, any incriminating data discovered on the device should be admissible at trial.

LeFevre pointed out that doing that mobile download in the field is also beneficial when dealing with a victim. “We don’t have to take the victim’s phone. We can just go to the victim’s house, download their phone and let them move on with life, and we can have those unwanted text messages, photos or whatever they’re the victim of,” he said.

Evidence comes in many different Forms
It’s important to remember that the evidence that can now be found on mobile devices is no longer limited to photos, videos, text messages and the call log. With cloud-based services and databases, people can pull up spreadsheets or word processing documents that are on Google Docs, for example.

“You can prove that somebody’s got a spreadsheet for anything from illegal gambling, loan sharking or drug dealers keeping track of who owes them money. With prostitution, you would have text messages between clients and the working folk, potentially photos there too – maybe even a contact log of regular customers,” LeFevre said.

Conclusion
Although mobile forensics is a relatively new science, it is evolving very rapidly. It has to as the pace at which mobile phone technology improves appears mind-boggling at times.
Ten years ago mobile devices had relatively little memory capacity, and were significantly easier to examine. Think of it this way: Ten years ago (spring of 2007) saw the introduction of the very first iPhone. The Android OS had not even been developed. Flip phones were commonplace.

Today, the sheer volume of data saved to a mobile device presents challenges to investigators. Even getting the phone unlocked for examination proves to be a daunting task.

Leave a Comment