Mobile Phone Data Capture: WINTER 2011
Blank Law + Technology P.S.
157 Yesler Way, Floor 3
Seattle, Washington 98104
www.digitallegal.com | 877.387.9377
WINTER 2011 (v.11.01)
Mobile phones are now used more for data (web surfing, social media, texting, emailing) than for phone calls. [4]
Information age trendspotter Jan Chipchase: "three objects were considered essential across all [survey] participants: keys, money and mobile phone." [5]
There were 277 million mobile phone subscribers in America in 2009. Globally, there were 5 billion subscribers by the end of 2010. [2]
In Europe, three quarters of girls and boys aged 9 to 10 have a mobile phone. By age 14, nine out of ten have one. [3]
In 1999, 27% of U.S. households used at least one mobile phone. In 2009, 90% did. [1]
1. CTIA Annual Survey 2010 (www.ctia.org)
2. Id.
3. European Commission for Information Society and Media, Children's Health Survey 2008
4. New York Times, "Cellphones are now used more for data than for calls," May 13, 2010.
5. Future Perfect, 2009 Survey Results.
Thank you for your interest in Blank Law + Technology's Mobile Phone Data Capture services.
This brochure explains the advantages, limitations and opportunities of capturing and recovering data related to mobile phones.
Our Pitch: Sometime soon you will need to hire a forensics expert to examine and report on mobile phone data. You may also need expert assistance in contacting phone service providers and cloud storage companies, and in interpreting the data they provide. Blank Law + Technology provides these services. We support our clients with a decade of experience in computer forensics and a record of hundreds of successful investigations. Many of these projects have included expert testimony at civil or criminal trial.
The reason for this brochure is twofold: first, to help prospective clients understand what we do; and second, to furnish insight that you will find helpful for its own sake. The information presented over the next several pages is condensed from years of experience working with mobile phones and computer forensic assignments.
CAPTURING AND RECOVERING MOBILE PHONE DATA
Geolocation information, mapped against crime scenes or alleged patterns of activity, provides colorful and sensational evidence that grabs the attention of the jury (see map, page 10). Depending on whether it helps or hurts your case, you must do everything you can to get geolocation evidence in, or to keep it out of sight.
Like other software-driven devices, users' efforts to delete geolocation data and all of the other data described above often can be overcome (or at least detected) by the skillful application of computer forensics tools. Just as with desktop and laptop computer data, "delete" does not mean "delete."
Law enforcement agencies, government agencies, and many employers have long since discovered that mobile phones can contain case-making evidence.
The protocols to mandate critical data delivery from mobile phone carriers are in place. Even cloud-based storage areas and phone accessory devices are known, searched for, and examined.
Still, as with any computer forensics application, skill and experience matter. Investigators make mistakes. Phone companies turn over incomplete or erroneous records. Multiple innocuous explanations may exist in parallel to the story of the case that is the favorite of the prosecutor, employer, or agency. The investigator may just miss critical data.
If your client is on the other side of a criminal or sophisticated civil investigation, you cannot afford to ignore mobile phone records. You also cannot rely on what the other side chooses to disclose of its findings. You may be looking at less than the full picture. The analysis may be flawed. The records may be wrong. You need to undertake your own investigation.
Here are Seven Tips for Success to help with your investigation into mobile phone data.
Tip 1. Get Authorization
A mobile phone may be personal or company/government property. Do you have the right to have the phone forensically examined? If it is your client's personal phone, the answer is almost always yes. Otherwise, you may need to obtain the owner's permission, or a court order.
It is a mistake to shortcut the permission process just because your client can get his hands on someone else's phone. We see this most commonly in domestic cases, and also in cases where the employer desires to examine a phone that is owned by an individual (and not by the company).
Tip 2. Check the Physical Condition of the Phone
Look the phone over the way you are supposed to with a rental car before you get behind the wheel. Not only will spotting damage give you a better idea of whether or not the phone is suitable for extraction; it also gives you an opportunity to write down the phone's condition on receipt so that you are not blamed later.
If the phone will not take at least a minimal charge, or if the phone has no means to send or receive data (the data port, for example, is bent or missing), we may not be able to extract data from the phone. It is possible, in cases where the stakes justify the expense, to attempt physical repairs prior to data extraction. These can be expensive, they often void warranties, and success is uncertain. In our experience it is unusual to attempt any but the simplest physical repairs.
[Photo: Despite damaged appearance, data retrievable by forensic processes.]
[Photo: Data irretrievable due to extremely high temperatures. Do not throw away: may be spoliation evidence!]
Tip 3. Understand the Electronic Characteristics of the Phone
Mobile phones may be password protected. If the phone has a workaround, passwords may pose no obstacle to our forensic team. Or, we may be utterly stumped. Brute-force password cracking for mobile phones, like for other computer systems, is time-consuming, expensive, and rarely justifiable. (In civil cases, the password can be demanded in discovery. Parties who conveniently forget their passwords, which we see not infrequently, lose a great deal of credibility with the court and jury.)
Mobile phones may also resist complete data extraction unless they are unlocked, rooted, or jailbroken (the term depends on the phone model). Unlocking phones often requires several hours of work, but is not nearly as expensive as physical repair or password cracking. However, unlocking phones involves tinkering with the lowest-level operating systems. For many manufacturers, unlocking voids all warranties. As with all direct-application computer forensics, there is always a possibility of irretrievable data loss. These risks must be considered carefully before proceeding.
Finally, mobile phones may have suffered electronic damage that is not visible during physical inspection. Like all computer systems, phones are susceptible to environmental extremes (heat, moisture) and electrical surges. Many phones have indicators that alert technicians to these issues, and that can be used to establish how the phone suffered irretrievable data loss.
Actually, data can often be recovered forensically from drowned or bricked phones, so they should not be discarded without a technical examination. Deliberate damage may be evidence of spoliation, and useful in its own right. It may be just as important to show that the damage was accidental.
Tip 4. Remember Collateral Devices
Many mobile phones have add-on data storage capabilities that may be used in tandem with onboard storage. It is not uncommon for phones to carry SIM cards, memory sticks, and other collateral devices. All of these should be searched as part of the mobile phone forensic investigation.
If you have control of the phone and are communicating with its owner, ask about SIM cards and memory devices. When working with an adverse party's phone, remember that it is not unusual for add-on devices to be swapped out of the target phone in exchange for new or innocuous devices. We can usually detect when this has happened.
Tip 5. Understand and Use Mobile Phone Data
The amount and quality of data that can be extracted from mobile phones is impressive. The volume is huge. Moreover, much of the data consists of either unfiltered communications (text and email messages); or information that is kept by the phone, sometimes without the user's knowledge (geolocation records; map and routing history; deleted voicemail files).
Whether and which records are important varies from case to case. This is why it is important to understand the breadth of information that can be recovered, and how it may affect your case.
[Map: Geolocation map plotting possible phone locations (yellow highlight) against Crime Scene A.]
Here is a list of the most common mobile phone data (remember, all of this data may be either active or may have been deleted by the user and then recovered by forensic means):
- SMS content
- Phone call logs
- Calendar data
- Email
- Photos
- Video
- Contacts
- Voicemail
- Website browsing histories
- Website cookies
- Geolocation data
- Map and routing history
- Office-type documents
- IM chat logs
- User-loaded applications, which may reveal banking, credit cards, data theft capabilities, payment histories, etc.
[Image: Mobile picture with timestamp.]
[Image: Text message activity logs.]
Tip 6. Assess the Service Provider
Some records are available only through the mobile phone service provider. These providers do not see a business advantage to cooperating with anyone other than law enforcement. They will often claim that they do not have any information, or that the information that they do have is extremely limited.
In reality, carriers have an enormous amount of information about their service subscribers. They have phone call and geolocation records going back months or years. They may have additional information important to your case. Do not let the carrier off the hook with one phone call. They have a civic duty to cooperate in the judicial process just like any other individual or company.
Time is of the essence when dealing with carriers. So is patience. We have worked with all of the major providers and can help you get the answers that you need.
Tip 7. Understand the Cloud
The forensic investigation of the phone may reveal the identity of a cloud storage network. The owner may also volunteer this information if asked.
If you choose to engage Blank Law + Technology, here is an overview of our pricing and responsiveness.
As with any project, the more lead time our technical team has, the better. Our normal turnaround time is three business days from the date of receipt. If a phone is missing unique data cables, chargers or batteries, and we do not already have them in stock (we have many hundreds), it may take us several days to get new parts in before we can begin work.
We are happy to provide references.
Thank you for your interest in our Mobile Phone Data Capture services.
We look forward to working with you!
Please feel free to inquire about our other computer forensics and e-discovery services.
Eric P. Blank, Esq.
Jonathan Yeh, Esq.
www.digitallegal.com
info@digitallegal.com
Blank Law + Technology P.S.
157 Yesler Way, Floor 3
Seattle, Washington 98104
Office | 206.256.9699
Toll Free | 877.387.9377
7. Understand the cloud
6. Assess the service provider
5. Understand and use cell phone data
4. Remember collateral devices
3. Understand the electronic characteristics of the phone
2. Check physical condition of phone
1. Get authorization