
Mobile Phone Data Capture

Blank Law + Technology P.S.
157 Yesler Way, Floor 3
Seattle, Washington 98104
www.digitallegal.com | 877.387.9377

WINTER 2011 (v.11.01)


Mobile phones are now used more for data (web surfing, social media, texting, emailing) than for phone calls. [4]

Information age trendspotter Jan Chipchase: "three objects were considered essential across all [survey] participants: keys, money and mobile phone." [5]

There were 277 million mobile phone subscribers in America in 2009. Globally, there were 5 billion subscribers by the end of 2010. [2]

In Europe, three quarters of girls and boys aged 9 to 10 have a mobile phone. By age 14, nine out of ten have one. [3]

In 1999, 27% of U.S. households used at least one mobile phone. In 2009, 90% did. [1]

1. CTIA Annual Survey 2010 (www.ctia.org)
2. Id.
3. European Commission for Information Society and Media, Children's Health Survey 2008
4. New York Times, "Cellphones are now used more for data than for calls," May 13, 2010.
5. Future Perfect, 2009 Survey Results.
Thank you for your interest in Blank Law + Technology's Mobile Phone Data Capture services.

This brochure explains the advantages, limitations and opportunities of capturing and recovering data related to mobile phones.

Our Pitch: Sometime soon you will need to hire a forensics expert to examine and report on mobile phone data. You may also need expert assistance in contacting phone service providers and cloud storage companies, and in interpreting the data they provide. Blank Law + Technology provides these services. We support our clients with a decade of experience in computer forensics and a record of hundreds of successful investigations. Many of these projects have included expert testimony at civil or criminal trial.

The reason for this brochure is twofold: first, to help prospective clients understand what we do; and second, to furnish insight that you will find helpful for its own sake. The information presented over the next several pages is condensed from years of experience working with mobile phones and computer forensic assignments.

CAPTURING AND RECOVERING MOBILE PHONE DATA

Today, phones are not just devices for talking. Mobile phones send and receive electronic communications like email, texts, and internet browsing information. They record and transmit pictures, video, and sound. They house diaries, calendars, spreadsheets, purchase histories, and much, much more. Much of this information is unique, and it can be invaluable.

For example, mobile phones broadcast and receive geolocation data that can be used to recreate a history of each phone's movements from time to time, place to place over a period dating back months. Mobile phones are truly mobile only because they are easily transported by users. Since they cannot move on their own, courts have taken the logical step of permitting geolocation data to be introduced as evidence of the movements of the phone's account holder. The evidence is, of course, subject to rebuttal testimony that the phone was not in that person's possession at the time.

Geolocation information, mapped against crime scenes or alleged patterns of activity, provides colorful and sensational evidence that grabs the attention of the jury (see map, page 10). Depending on whether it helps or hurts your case, you must do everything you can to get geolocation evidence in, or to keep it out of sight.

Like other software-driven devices, users' efforts to delete geolocation data and all of the other data described above often can be overcome (or at least detected) by the skillful application of computer forensics tools. Just as with desktop and laptop computer data, "delete" does not mean "delete".


Law enforcement agencies, government agencies, and many employers have long since discovered that mobile phones can contain case-making evidence.

The forensic tools to pull data from mobile phones may be expensive, but in the hands of police detectives and information technology security teams they are effective, efficient, and often devastating. They can also be flawed or incomplete.

The protocols to mandate critical data delivery from mobile phone carriers are in place. Even cloud-based storage areas and phone accessory devices are known, searched for, and examined.

Still, as with any computer forensics application, skill and experience matter. Investigators make mistakes. Phone companies turn over incomplete or erroneous records. Multiple innocuous explanations may exist in parallel to the story of the case that is the favorite of the prosecutor, employer, or agency. The investigator may just miss critical data.

If your client is on the other side of a criminal or sophisticated civil investigation, you cannot afford to ignore mobile phone records. You also cannot rely on what the other side chooses to disclose of its findings. You may be looking at less than the full picture. The analysis may be flawed. The records may be wrong. You need to undertake your own investigation.

Here are Seven Tips for Success to help with your investigation into mobile phone data.

Tip 1. Get Authorization

A mobile phone may be personal or company/government property. Do you have the right to have the phone forensically examined? If it is your client's personal phone, the answer is almost always yes. Otherwise, you may need to obtain the owner's permission, or a court order.

It is a mistake to shortcut the permission process just because your client can get his hands on someone else's phone. We see this most commonly in domestic cases, and also in cases where the employer desires to examine a phone that is owned by an individual (and not by the company).

Tip 2. Check the Physical Condition of the Phone

Is the phone physically damaged? Does it turn on? Is the battery missing?

Look the phone over the way you are supposed to with a rental car before you get behind the wheel. Not only will spotting damage give you a better idea of whether or not the phone is suitable for extraction; it also gives you an opportunity to write down the phone's condition on receipt so that you are not blamed later.

Actually, you may be surprised to learn that it is common to recover data, including deleted data, from phones that have suffered a great deal of physical damage. These include phones with smashed screens, keys that do not register, frozen screens, jammed trackballs, bent (or missing) antennae, cracked and chipped housings, and damaged flips. Missing batteries and power cords are also common and are easily overcome.

If the phone will not take at least a minimal charge, or if the phone has no means to send or receive data (the data port, for example, is bent or missing), we may not be able to extract data from the phone. It is possible, in cases where the stakes justify the expense, to attempt physical repairs prior to data extraction. These can be expensive, they often void warranties, and success is uncertain. In our experience it is unusual to attempt any but the simplest physical repairs.

[Photo caption] Despite damaged appearance, data retrievable by forensic processes.
[Photo caption] Data irretrievable due to extremely high temperatures. Do not throw away: may be spoliation evidence!
Tip 3. Understand the Electronic Characteristics of the Phone

It is possible to recover data from hundreds of makes and models of phones. We use leading technology from Cellebrite™ and Paraben™ to forensically recover data from phones; this is the same technology used by law enforcement. The good news is: if the other side can recover data, so can we. The bad news is: sometimes no one can recover any data at all. Sometimes we can recover only live files, and not deleted or excised data.

Mobile phones may be password-protected. If the phone has a workaround, passwords may pose no obstacle to our forensic team. Or, we may be utterly stumped. Brute-force password cracking for mobile phones, like for other computer systems, is time-consuming, expensive, and rarely justifiable. (In civil cases, the password can be demanded in discovery. Parties who conveniently forget their passwords, which we see not infrequently, lose a great deal of credibility with the court and jury.)

Mobile phones may also resist complete data extraction unless they are unlocked, rooted, or jailbroken; the term depends on the phone model. Unlocking phones often requires several hours of work, but is not nearly as expensive as physical repair or password cracking. However, unlocking phones involves tinkering with the lowest-level operating systems. For many manufacturers, unlocking voids all warranties. As with all direct-application computer forensics, there is always a possibility of irretrievable data loss. These risks must be considered carefully before proceeding.

We are normally asked to unlock a phone when it has been provided to us by the owner. We do not normally receive authorization to unlock a phone when we are working on a third party's phone through the authority of an agreement or court order.

Finally, mobile phones may have suffered electronic damage that is not visible during physical inspection. Like all computer systems, phones are susceptible to environmental extremes (heat, moisture) and electrical surges. Many phones have indicators that alert technicians to these issues, and that can be used to establish how the phone suffered irretrievable data loss.

Actually, data can often be recovered forensically from drowned or bricked phones, so they should not be discarded without a technical examination. Deliberate damage may be evidence of spoliation, and useful in its own right. It may be just as important to show that the damage was accidental.

Tip 4. Remember Collateral Devices

Many mobile phones have add-on data storage capabilities that may be used in tandem with onboard storage. It is not uncommon for phones to carry SIM cards, memory sticks, and other collateral devices. All of these should be searched as part of the mobile phone forensic investigation.

If you have control of the phone and are communicating with its owner, ask about SIM cards and memory devices. When working with an adverse party's phone, remember that it is not unusual for add-on devices to be swapped out of the target phone in exchange for new or innocuous devices. We can usually detect when this has happened.

Tip 5. Understand and Use Mobile Phone Data

The amount and quality of data that can be extracted from mobile phones is impressive. The volume is huge. Moreover, much of the data consists of either unfiltered communications (text and email messages); or information that is kept by the phone, sometimes without the user's knowledge (geolocation records; map and routing history; deleted voicemail files).

Whether and which records are important varies from case to case. This is why it is important to understand the breadth of information that can be recovered, and how it may affect your case.

[Figure: Geolocation map plotting possible phone locations (yellow highlight) against Crime Scene A.]
Here is a list of the most common mobile phone data (remember, all of this data may be either active or may have been deleted by the user and then recovered by forensic means):

- SMS content
- Phone call logs
- Calendar data
- Email
- Photos
- Video
- Contacts
- Voicemail
- Website browsing histories
- Website cookies
- Geolocation data
- Map and routing history
- Office-type documents
- IM chat logs
- User-loaded applications, which may reveal banking, credit cards, data theft capabilities, payment histories, etc.

[Image captions] Mobile picture with time stamp. Text message activity logs.
Tip 6. Assess the Service Provider

Some records are available only through the mobile phone service provider. These providers do not see a business advantage to cooperating with anyone other than law enforcement. They will often claim that they do not have any information, or that the information that they do have is extremely limited.

In reality, carriers have an enormous amount of information about their service subscribers. They have phone call and geolocation records going back months or years. They may have additional information important to your case. Do not let the carrier off the hook with one phone call. They have a civic duty to cooperate in the judicial process just like any other individual or company.

Time is of the essence when dealing with carriers. So is patience. We have worked with all of the major providers and can help you get the answers that you need.

Tip 7. Understand the Cloud

Today, many mobile phone subscribers keep data and records in the cloud, further blurring the distinction between a mobile phone and a portable computer. Internet-based storage services are inexpensive (often free) and ubiquitous. Some carriers even offer cloud-based backup as part of phone plans.

In our experience the most commonly cloud-stored data from mobile phones include photos, video, email, chat logs, contacts, voicemail messages, and office-type documents. These can be extremely valuable, and are often overlooked by other investigators.

The forensic investigation of the phone may reveal the identity of a cloud storage network. The owner may also volunteer this information if asked.

If you choose to engage Blank Law + Technology, here is an overview of our pricing and responsiveness.

Our mobile data capture services start at $500 per phone. Complete analysis and reporting normally totals $1250 per phone, which includes the forensic recovery services. Testimony and additional expert reporting as desired are billed at our hourly rates, which range from $250 to $395.

As with any project, the more lead time our technical team has, the better. Our normal turnaround time is three business days from the date of receipt. If a phone is missing unique data cables, chargers or batteries, and we do not already have them in stock (we have many hundreds), it may take us several days to get new parts in before we can begin work.

We do not charge for consultations and evaluations.

We are happy to provide references.

Thank you for your interest in our Mobile Phone Data Capture services. We look forward to working with you!

Please feel free to inquire about our other computer forensics and e-discovery services.

Eric P. Blank, Esq.
Jonathan Yeh, Esq.
www.digitallegal.com
info@digitallegal.com
Blank Law + Technology P.S.
157 Yesler Way, Floor 3
Seattle, Washington 98104
Office | 206.256.9699
Toll Free | 877.387.9377

7. Understand the cloud
6. Assess the service provider
5. Understand and use cell phone data
4. Remember collateral devices
3. Understand the electronic characteristics of the phone
2. Check physical condition of phone
1. Get authorization
