Defending Mobile Device Evidence in Court
Written by Christa M. Miller   

Few people dispute the value of mobile-device evidence in criminal investigations. The images and videos, text messages, call logs, and other types of data have proven their worth, often showing undisputed proof of a suspect’s involvement in a homicide, sexual assault, child exploitation, arson, theft, fraud, or a myriad of other crimes.


Mobile data, though, can be multi-layered and complex. Because mobile forensics is a forensic discipline, the methodologies used to extract and analyze the evidence must be shown to rest on scientific principles. The evidence's validity and authenticity must be established before it can be used in a court of law. And even apart from its use as evidence, mobile data can help investigators be proactive, not just reactive, as they build a case.

Preparing to extract forensically sound mobile evidence

Forensic soundness begins before the investigation. Mobile forensic extraction, analysis tools, and methodologies should, to begin with, be generally accepted within the investigative community.

To know what those tools and methodologies are, as well as how to perform them within best-practice guidelines, mobile examiners should be trained and certified. Because the field of mobile forensics is in constant flux, examiners should ideally refresh their training and any certifications every two years.

Good training helps examiners to understand how mobile device technology—operating systems, storage, usage trends, and so on—evolves, and how these changes influence mobile forensics tools and techniques, particularly the ones they use from day to day. Training helps examiners to understand and explain what is on the device and where it is located, and how their forensic solutions helped them to preserve and analyze the evidence.

It is also important for examiners to stay up to date with licensing and with all new releases. Examiners should expect attorneys to ask whether they used the most current versions of hardware and software available at the time each extraction and analysis was performed.

Regularly updating forensic software therefore does two things: it keeps up with new devices and operating system versions, and it picks up fixes for bugs and other issues in the tool itself. The examiner's employer should maintain standard operating procedures and policies around logging and reporting. Careful documentation is what makes the process repeatable and reproducible.

Validation is an important part of good digital forensics practice. It is likewise beneficial for the examiner to keep a non-evidentiary test device with known artifacts on hand, and to extract it each time a new mobile forensics software release comes out. Loss of expected artifacts alerts the examiner to a problem with the new release; the examiner should then roll back to the previous release and notify the vendor. Because no single tool recovers and interprets every artifact correctly, mobile-device examiners often employ more than one tool to interpret the data.

It is also advisable for forensic examiners to be familiar with any independent testing or peer review of mobile forensics tools. The outcomes of tests such as the National Institute of Standards and Technology (NIST) Computer Forensic Tool Testing (CFTT) Project can show whether a tool generally performs as expected.

Finally, a search of a mobile device requires either a well-defined search warrant or an appropriate exception: consent, plain view, exigent circumstances, search incident to arrest, or another recognized exception. Because the procedures these require differ from state to state, it is best to work with prosecutors in advance to define specifics around exigency, search incident to arrest, plain view, and so on.


Best practices during an investigation

Forensically sound extraction and analysis of mobile evidence begins as soon as an investigator starts looking into an incident or complaint. Even when the owner consents to a search of the device, the evidence should be preserved as if it will end up in court.


It may not be necessary, or even advisable, to seize a device indefinitely. Yet an investigator or first responder should be prepared to isolate the device from the network and to image its data. Imaging can be done at the scene on a device for which the investigator has signed written consent or other legal authority, together with any user lock codes.

If data has been deleted, or the interview reveals that location data or other metadata could be important evidence, the device may need to go back to the lab for processing: physical extractions, especially of smartphones, can take several hours to complete.

After isolating the device from the network, the investigator should properly bag and tag it, and document its chain of custody. Evidence of a new crime on a mobile device requires new consent or a search warrant, as does any mobile device not covered in the scope of an original warrant.

In addition to validating that their tools work properly, examiners should authenticate their evidence, either independently or in collaboration with case investigators, using the guidelines in Rule 901(b) of the United States Federal Rules of Evidence or equivalent in their own country. Other tools and resources used to authenticate mobile evidence may include carrier call detail records, manual examination of existing (non-deleted) data, and witness interviews.

It can also be useful to corroborate device data with cell-tower data by serving the mobile service provider with a subpoena or court order. The 1.3 million records requests served in 2011 by U.S. law enforcement may have seemed like overkill, but such requests can be important due diligence in showing whether a device was stationary or on the move during a certain time frame.

In addition to routine validation practices, it can also be wise to validate mobile forensic tools using a test version of the device(s) relevant to the examiner’s case. Make, model, and operating system version should all be consistent, along with any pertinent apps. The examiner should also understand and be prepared to explain differences between device models, operating system versions, and app versions.
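The release-validation routine described above (extract a known test device with each new tool release and look for lost or altered artifacts) can be reduced to a comparison against a recorded baseline. The script below is an added example, not code from the article or from any vendor's tool: the `Artifact` records, the category and key names, and the two extraction outputs are constructed for illustration, and the "canonical export" each record holds stands in for whatever the examiner's tool actually writes out.

```python
"""Regression check for a new mobile forensics tool release (added example).

The examiner keeps a non-evidentiary test device whose artifacts are known,
runs each new tool release against it, and compares what the new release
recovers with a baseline recorded from a previously validated release.
The artifact lists below are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    category: str   # e.g. "sms", "call_log", "image"
    key: str        # stable identifier within the category (row id, file path)
    content: bytes  # the record as exported by the tool, in a canonical form


def _fingerprint(artifact: Artifact) -> str:
    return hashlib.sha256(artifact.content).hexdigest()


def build_baseline(artifacts) -> dict:
    """Map "category/key" -> SHA-256 of content, as recovered by a trusted release."""
    return {f"{a.category}/{a.key}": _fingerprint(a) for a in artifacts}


def compare_release(baseline: dict, extracted) -> dict:
    """Compare a candidate release's output with the baseline.

    missing    : known artifacts the candidate did not recover at all
    changed    : artifacts recovered with different content (for example a
                 timestamp or duration now interpreted differently)
    unexpected : artifacts the baseline does not know about; these need a
                 manual look rather than automatic acceptance
    """
    observed = {f"{a.category}/{a.key}": _fingerprint(a) for a in extracted}
    missing = sorted(k for k in baseline if k not in observed)
    changed = sorted(k for k in baseline if k in observed and observed[k] != baseline[k])
    unexpected = sorted(k for k in observed if k not in baseline)
    return {
        "missing": missing,
        "changed": changed,
        "unexpected": unexpected,
        "passed": not missing and not changed,
    }


# Constructed test-device artifacts: what the validated release recovers.
KNOWN_ARTIFACTS = [
    Artifact("sms", "0001", b"2011-06-14T21:58:00Z|+15550100|in|see you at 10"),
    Artifact("sms", "0007-deleted", b"2011-06-13T08:12:00Z|+15550177|out|delete this"),
    Artifact("call_log", "0042", b"2011-06-14T22:03:10Z|+15550100|out|00:01:35"),
    Artifact("image", "DCIM/IMG_0099.JPG", b"\xff\xd8...constructed-image-bytes..."),
]

# Constructed output of a candidate release: the deleted SMS is gone and the
# call-log duration is now reported in seconds instead of hh:mm:ss.
CANDIDATE_OUTPUT = [
    Artifact("sms", "0001", b"2011-06-14T21:58:00Z|+15550100|in|see you at 10"),
    Artifact("call_log", "0042", b"2011-06-14T22:03:10Z|+15550100|out|95"),
    Artifact("image", "DCIM/IMG_0099.JPG", b"\xff\xd8...constructed-image-bytes..."),
    Artifact("image", "DCIM/.thumbnails/0099.jpg", b"thumb"),
]


def validate_candidate() -> dict:
    """Run the comparison on the constructed data."""
    baseline = build_baseline(KNOWN_ARTIFACTS)
    return compare_release(baseline, CANDIDATE_OUTPUT)


if __name__ == "__main__":
    # A failed check means: roll back to the previous release, file the
    # report with the validation records, and notify the vendor.
    print(json.dumps(validate_candidate(), indent=2))
```

A "changed" hit is not automatically a defect: the new release may simply format a field differently. The point of the check is that every difference is seen and explained before the release touches evidence, and the report itself becomes part of the validation record an examiner can point to in court.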


Mobile data as evidence

Mobile forensics can move an investigation forward by helping to narrow down what can be thousands of data points—text messages, contacts, call logs, images, videos, geolocation, and much more—to only those that are most relevant to a case.

These data points can help establish the timelines, locations, and other patterns of life that can proactively assist investigators in finding leads, as well as in developing questions for interviews and interrogations.


Facts around a suspect’s or victim’s communications and locations can fill in blanks left by missing evidence, statements, or memories. Determining the most important people in the subject’s life, as well as out-of-the-ordinary communications (for instance, those taking place at an unusual time of day or those that are much more frequent than other contacts), can come down to call and text-messaging logs, social media conversations, instant messaging, and emails.

Messages can also uncover conspiracies or intent to commit or cover up a crime. Likewise, establishing who the key people in a subject's social circle are can refute claims that a suspect didn't know a victim (or vice versa).

Data analytics, which are available as part of the feature set in most commercial mobile forensics tools, can help establish these patterns in highly visual ways: graphs and charts, maps, and timelines. These tools automate the process of pinpointing which people a subject is talking to most, the methods they are using to do it, and the locations they frequent. The automated process replaces the time-consuming and error-prone process of manually creating associations in a spreadsheet.

Timelines are another key piece of any investigation that can benefit from mobile device data. Mobile evidence can help investigators to reconstruct timelines from the last hours, days, and even weeks before an incident. It can be important to discern a victim’s or suspect’s normal patterns, as well as any deviations from those patterns.

Mobile data timelines do more than just help to establish subjects’ movements or add communicative context to other timeline evidence. They can also help to corroborate a statement—when it matches a subject’s narrative—or disprove an alibi, which may become key in the interview process.

Combining timelines with location data can show both normal and anomalous travel patterns. Routines—and significant departures from them—might provide important insights. Location data can come not just from GPS devices or smartphone apps, but also from the geotags within images and social-media posts.

These can help narrow down location specifics, whether stationary points or travel paths. In turn, this may lead to additional sources of information, such as witnesses to interview or surveillance video to process.

Although location data can be useful in showing that a suspect was definitely at the scene of a crime, not all location data is created equal. The GPS coordinates hidden within an image's or social media post's metadata are not the same as a Wi-Fi access point record. The first shows that the device was at a particular place at a particular time, provided the metadata has not been edited or stripped and the device clock was correct; the second shows only that the device was within range of a particular network and connected, or attempted to connect, to it. Cell-site records, likewise, place a device only somewhere within a tower's coverage area.
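To show what "GPS coordinates hidden within an image's metadata" actually look like on disk, the following is an added example, not code from the article: it reads the Exif APP1 segment of a JPEG, follows the GPS IFD pointer, and converts the degrees/minutes/seconds rationals into signed decimal degrees. Both sample images are constructed in memory (the coordinates and date are made up), and the second one has its GPS IFD stripped, as happens when an image is re-saved or passed through a sharing platform, to show that the absence of a geotag is an ordinary outcome rather than an error.

```python
"""Read GPS coordinates from a JPEG's Exif metadata (added example).

Exif lives in a JPEG APP1 segment as a small TIFF structure: IFD0 points
(tag 0x8825) to a GPS IFD, and latitude/longitude are stored as three
RATIONAL values (degrees, minutes, seconds) plus an N/S or E/W reference.
The sample JPEGs are constructed in memory so the code runs offline.
"""
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # BYTE, ASCII, SHORT, LONG, RATIONAL
GPS_IFD_POINTER, LAT_REF, LAT, LON_REF, LON, DATE = 0x8825, 1, 2, 3, 4, 0x1D


def _read_ifd(tiff: bytes, offset: int, bo: str) -> dict:
    """Decode one IFD into {tag: value}; values over 4 bytes live at an offset."""
    (n,) = struct.unpack_from(bo + "H", tiff, offset)
    tags = {}
    for i in range(n):
        tag, typ, count, raw = struct.unpack_from(bo + "HHI4s", tiff, offset + 2 + 12 * i)
        size = TYPE_SIZE[typ] * count
        data = raw[:size] if size <= 4 else tiff[struct.unpack(bo + "I", raw)[0]:][:size]
        if typ == 2:
            tags[tag] = data.split(b"\0", 1)[0].decode("ascii")
        elif typ == 5:
            words = struct.unpack(bo + "%dI" % (2 * count), data)
            tags[tag] = [(words[2 * j], words[2 * j + 1]) for j in range(count)]
        else:
            fmt = {1: "B", 3: "H", 4: "I"}[typ]
            tags[tag] = list(struct.unpack(bo + "%d%s" % (count, fmt), data))
    return tags


def dms_to_decimal(dms, ref: str) -> float:
    """(deg, min, sec) rationals plus 'N'/'S'/'E'/'W' -> signed decimal degrees."""
    if any(den == 0 for _, den in dms):
        raise ValueError("zero denominator in GPS rational")
    deg, minutes, sec = (num / den for num, den in dms)
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in ("S", "W") else value


def exif_gps(jpeg: bytes):
    """Return (lat, lon, datestamp) or None when the image carries no GPS IFD."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFDA:                       # start of scan: metadata is over
            break
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            tiff = jpeg[pos + 10:pos + 2 + length]
            bo = {b"II": "<", b"MM": ">"}[tiff[:2]]   # byte order declared by the file
            magic, ifd0 = struct.unpack_from(bo + "HI", tiff, 2)
            assert magic == 42
            gps_off = _read_ifd(tiff, ifd0, bo).get(GPS_IFD_POINTER)
            if gps_off is None:
                return None
            gps = _read_ifd(tiff, gps_off[0], bo)
            return (dms_to_decimal(gps[LAT], gps[LAT_REF]),
                    dms_to_decimal(gps[LON], gps[LON_REF]),
                    gps.get(DATE))
        pos += 2 + length
    return None


# --- constructed sample images (little-endian TIFF inside Exif APP1) -----------
def _ifd(entries, ifd_offset):
    """Build an IFD from (tag, type, count, value_bytes) entries; long values go after it."""
    data_start = ifd_offset + 2 + 12 * len(entries) + 4
    body, extra = b"", b""
    for tag, typ, count, value in entries:
        if len(value) <= 4:
            field = value.ljust(4, b"\0")
        else:
            field = struct.pack("<I", data_start + len(extra))
            extra += value + (b"\0" if len(value) % 2 else b"")   # keep offsets even
        body += struct.pack("<HHI", tag, typ, count) + field
    return struct.pack("<H", len(entries)) + body + struct.pack("<I", 0) + extra


def _rationals(*pairs):
    return b"".join(struct.pack("<II", n, d) for n, d in pairs)


def _jpeg(tiff_body: bytes) -> bytes:
    payload = b"Exif\0\0" + b"II" + struct.pack("<HI", 42, 8) + tiff_body
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


GPS_IFD_OFFSET = 8 + 2 + 12 + 4   # IFD0 holds a single entry, the GPS pointer
# 40 deg 30' 9.0" N, 73 deg 15' 0" W on 2011:06:14 (constructed, not a real photo)
WITH_GPS = _jpeg(
    _ifd([(GPS_IFD_POINTER, 4, 1, struct.pack("<I", GPS_IFD_OFFSET))], 8)
    + _ifd([(LAT_REF, 2, 2, b"N\0"),
            (LAT, 5, 3, _rationals((40, 1), (30, 1), (90, 10))),
            (LON_REF, 2, 2, b"W\0"),
            (LON, 5, 3, _rationals((73, 1), (15, 1), (0, 1))),
            (DATE, 2, 11, b"2011:06:14\0")], GPS_IFD_OFFSET))
# Same image with the GPS IFD stripped, as a sharing platform might do.
WITHOUT_GPS = _jpeg(_ifd([(0x0110, 2, 6, b"Phone\0")], 8))

if __name__ == "__main__":
    print(exif_gps(WITH_GPS))      # (40.5025, -73.25, '2011:06:14')
    print(exif_gps(WITHOUT_GPS))   # None
```

Two practical notes: the GPSDateStamp and GPSTimeStamp tags record the receiver's time, not the file system time, so a geotag should be compared with the device's own clock and with other timeline sources before it is treated as fixing a time; and because Exif is plain data, the same parser reads both genuine and edited tags, which is why the article's advice to authenticate with independent records (carrier data, witnesses) still applies.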

Aside from authenticating mobile data, tower dumps can come in handy when police have no other leads in serial crimes and need to cross-reference data from towers in the vicinity of multiple crime scenes. Later, these records can be compared with data from suspects’ mobile devices.
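The cross-referencing described here is set arithmetic over time windows. The script below is an added example, not code from the article or any carrier's product: it takes tower-dump records (timestamp, subscriber, cell ID), defines each scene by its incident time and the cells that cover it, and ranks subscribers by how many scenes they appeared at. The scenes, cell IDs, subscriber numbers and the 45-minute window are all constructed.

```python
"""Cross-reference tower dumps from several crime scenes (added example).

A tower dump lists every subscriber a cell site served during a period.
For a series of crimes, subscribers that show up near more than one scene
at the relevant times are leads worth checking against suspects' devices.
Records and scenes below are constructed; real dumps arrive as carrier CSV.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class TowerRecord:
    ts: datetime
    subscriber: str   # IMSI or phone number, as delivered by the carrier
    cell_id: str      # cell/sector identifier


@dataclass(frozen=True)
class Scene:
    name: str
    when: datetime
    cells: frozenset                             # cells whose coverage includes the scene
    window: timedelta = timedelta(minutes=45)    # tolerance around the incident time


def subscribers_near(scene: Scene, records) -> set:
    """Subscribers served by any of the scene's cells within the time window."""
    lo, hi = scene.when - scene.window, scene.when + scene.window
    return {r.subscriber for r in records
            if r.cell_id in scene.cells and lo <= r.ts <= hi}


def scene_hits(scenes, records) -> dict:
    """Map subscriber -> sorted list of scene names where it appeared."""
    hits = defaultdict(set)
    for scene in scenes:
        for sub in subscribers_near(scene, records):
            hits[sub].add(scene.name)
    return {sub: sorted(names) for sub, names in hits.items()}


def rank_leads(scenes, records, min_scenes=2):
    """Subscribers present at >= min_scenes scenes, most scenes first.

    A subscriber near every scene is a lead, not proof: a tower dump includes
    everyone in the area, and a phone only shows the cell it happened to use.
    """
    hits = scene_hits(scenes, records)
    ranked = [(sub, names) for sub, names in hits.items() if len(names) >= min_scenes]
    return sorted(ranked, key=lambda item: (-len(item[1]), item[0]))


# Constructed scenes and dumps.
T = datetime(2011, 6, 14, 22, 0)
SCENES = [
    Scene("burglary-1", T, frozenset({"cell-101", "cell-102"})),
    Scene("burglary-2", T + timedelta(days=3), frozenset({"cell-230"})),
    Scene("burglary-3", T + timedelta(days=9), frozenset({"cell-377", "cell-378"})),
]
DUMPS = [
    TowerRecord(T + timedelta(minutes=-10), "+15550001", "cell-101"),
    TowerRecord(T + timedelta(minutes=5), "+15550002", "cell-102"),
    TowerRecord(T + timedelta(minutes=12), "+15550003", "cell-101"),
    TowerRecord(T + timedelta(hours=3), "+15550004", "cell-101"),   # outside the window
    TowerRecord(SCENES[1].when + timedelta(minutes=20), "+15550001", "cell-230"),
    TowerRecord(SCENES[1].when + timedelta(minutes=-30), "+15550002", "cell-230"),
    TowerRecord(SCENES[1].when, "+15550005", "cell-230"),
    TowerRecord(SCENES[2].when + timedelta(minutes=2), "+15550001", "cell-378"),
    TowerRecord(SCENES[2].when + timedelta(minutes=40), "+15550006", "cell-377"),
]

if __name__ == "__main__":
    for sub, names in rank_leads(SCENES, DUMPS):
        print(sub, names)
```

Using "at least two of three scenes" rather than a strict intersection matters in practice: a handset can camp on a neighbouring cell that is not in the scene's list, so a serial offender may be missing from one dump. The window width and cell lists should be chosen with the carrier's coverage information, and the ranked output is the starting point for the comparison with suspects' own devices, not a conclusion.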

Communications are not the only useful forms of mobile device evidence. Mobile browser activity, banking app transactions, travel and productivity app information, and data from other apps can all provide additional insights.

For investigators working very complex cases with multiple suspects or victims, or for investigators who need intelligence rather than evidence, mobile data link analysis can take visual analytics further. Comparing devices from multiple suspects or victims can show overlapping communication, location, and timeline patterns, which can show connections between people and locations before, during, and after an incident.

Comparing multiple mobile devices—smartphones, tablets, GPS devices, and so on—from a single subject can provide important insights about their usage habits, whether they only take one device with them on the road, use another to communicate exclusively with certain people, or other patterns.

Case investigators who do not perform their own forensic examinations should be prepared to help examiners understand the general facts of the case, what data they’re looking for, from what timeframes, and any keywords or other relevant data needed to move forward.

Information gleaned from interviews and the data itself can help to develop a “watch list” of keywords, names, or phrases that the investigator or forensic examiner can use to filter new evidence from mobile devices, computers, and other digital sources—even interviews.

Finally, mobile data can eliminate suspects. Using an examination of all existing and deleted data to show that a suspect didn’t know a victim, or was never at the scene of a crime, can be as important as finding a culprit. Any exculpatory data must be disclosed in an examiner’s report, even if other data seems to support the case the investigator is trying to build against a particular subject.

The same applies when an investigator executing a search warrant outside the lab combines a quick logical extraction with interviews to eliminate devices from the inquiry. (Even so, investigators must still be able to place the suspect device in the suspect's hands, an important part of data authentication.)

Well thought out and prepared for in advance, digital evidence from mobile devices can make all the difference to criminal and civil cases. To save time and improve the cases they build, investigators should work with forensic examiners and prosecutors in advance to determine standard operating procedures and best practices around obtaining the evidence.

About the Author

Christa M. Miller is the Director of Mobile Forensics Marketing at Cellebrite. She has worked for more than ten years as a journalist, specializing in digital forensics and other high-tech topics for public safety trade magazines. Miller has a B.A. in Economics from the Whittemore School of Business and Economics at the University of New Hampshire, and is based in South Carolina.
