Posts Tagged ‘cell phone forensics’

Cell phones, the Internet and common evidence issues

Wednesday, July 6th, 2011

Our free webinar last week was on cell phones and the common apps used to connect them with the Internet. Mike Harrington of Teel Technologies talked about some of the items of evidence which those apps leave, both on the phones and on the Internet sites the apps lead to.

Todd has been talking for some time about how the normal crime scene has been changing over time and that investigators, both civil and criminal, need to be thinking of where there evidence is outside of the physical location they are at. The Internet, and the ability of most modern cell phones to connect to it, have greatly expanded our possible locations for evidence to be found – far beyond the physical crime scene. With this increase means of course more work. But with the additional locations for evidence, investigators can obtain a clearer picture of what occurred.

This means that evidence will be located at a minimum in the following places:

  1. The cell phone itself (forensic data extraction)
  2. The social media site (accessed from the web and properly documented). Depending on the number of apps on the phone this could be numerous sites.

Because we don’t generally let the cell phone access the web during data extraction (to prevent syncing and therefore data change), what is on the cell phone will undoubtedly be different then what is on the social media site.

This is particularly true if the user accesses the sites from places other than his cell phone, or his friends make posts to his wall (as themselves or even posing as him). So, to corroborate what they find on the phone, investigators should also plan to collect additional items through legal service (civil or criminal subpoena or search warrant):

  1. Cell phone/tower records from the provider
  2. Social media site records from the social media site. Again, depending on the number of apps on the phone, this could be numerous sites.

Each of these records contains a piece of the puzzle. Compiling all of them can give the investigator a more accurate picture of what occurred and when, but it all needs to be documented properly.

The investigator must also be prepared to investigate further when the two are inconsistent, and if necessary, explain the inconsistencies in court. For example, if phone artifacts have date/time stamps and content that are different from those found on social networking sites, investigators must question why. Likewise when a cell service provider’s records differ from phone or Internet evidence.

In short: none of this evidence – data on the cell phone, the social networking site, or in the cell or Internet service provider’s records – should be considered “nice to have.” With courts paying more attention to the authenticity and verifiability of digital evidence, gathering as much information as possible from as many sources as possible is a requirement to ensuring that victims and suspects alike get the due process they deserve.