Decentralized Mobile Forensics
Written by Christa Miller & Lee Papathanasiou

There is little doubt that mobile devices are pervasive in American culture. According to a recent study conducted by the Pew Research Center, as of January 2014, 90 percent of American adults owned cell phones, 58 percent owned smartphones, and a little less than half of those surveyed owned tablets.
What’s more, as cell phones have given way to smartphones and tablets, the volume of data being stored and transferred has grown increasingly sophisticated. From text messages and images to call logs, email, and Internet search histories, mobile devices are no longer just phones. They are, as the Supreme Court recently acknowledged, repositories of vital information about human behavior and interaction.

Not surprisingly, the use of mobile evidence in criminal investigations has increased exponentially in recent years. As mobile forensic examinations have become more prevalent, however, so have significant backlogs at forensic labs. Forensic specialists are bogged down with workloads that can prevent them from focusing on the technical and complex cases that demand their attention, while investigators often confront long wait times for urgent and time-sensitive information.

As a result, some law enforcement agencies are turning to a process of decentralization in which data collection and analysis are no longer restricted to the lab. However, this means that an increasing number of non-specialist staff are conducting mobile data extractions in the field. For this model to work, proper training and education are more important than ever before.

In this article, we break down the benefits of decentralization and examine the specific ways organizations can prepare themselves to ensure that all mobile evidence is preserved and extracted in a forensically sound and legally defensible manner.

Understanding the Move Toward Decentralization

The standard procedure for mobile evidence collection typically looks something like this: the first responder secures evidence at the scene. Then, either that individual or an investigator seizes the evidence, bagging it and tagging it and securing the legal authority to search before sending it off to the lab. Once at the lab, the forensic examiner then performs extraction and analysis on the device, collecting evidence relevant to the investigation in question.

This process, however, is beset by a number of problems. To begin, many labs lack the funding, staff, or tools necessary to handle the high volume of mobile devices submitted for examination by law enforcement professionals and first responders.

Consequently, many are forced to focus on tasks related to basic evidence collection, and don’t always have the time necessary to concentrate on deeper, more complex examinations that may yield vital deleted or hidden information. In addition, lab limitations also contribute to delays in evidentiary extraction and analysis for investigators in need of information critical to their cases.

Restricting the practice of mobile forensics to the lab can also mean that actionable evidence is not available to first responders and law enforcement professionals in real-time. In cases ranging from active shooters and abductions to bomb threats, investigators in the field may need immediate access to information stored in mobile devices.

Even in less time-sensitive situations, such as the investigation of traffic collisions, drug or human trafficking, stalking, or similar cases, investigators often don’t have the luxury to wait days or weeks to obtain the evidence they need. They need to be able to extract data immediately upon receiving the legal authority to do so, which could take from just a couple of hours for a warrant to as little as a few minutes for consent.

Field personnel and investigators need to be better equipped to make decisions regarding evidence that can and should be extracted immediately. When the evidence does require deeper forensic analysis, first responders need second-tier support, ensuring that devices sent back to the lab receive full attention.

Making Decentralized Mobile Forensics Effective

The move toward decentralization is specifically designed to facilitate a more effective, efficient way for investigators and forensic examiners to work together. Under a decentralized system, investigators and first responders can use their knowledge of the case to make urgent decisions regarding mobile device evidence.

Armed with the proper technology and tools, investigators in the field can perform simple extractions at the scene and in real-time. This can free up forensic professionals to move beyond basic evidence collection in order to focus on more complex analytical work.

A multi-tiered and decentralized system, however, requires bringing more people into the forensics process. How, then, can law enforcement and forensics professionals ensure that the proper determinations are made regarding mobile evidence? The answer is three-fold: the right technology, effective training, and sound enforcement policies.

Step 1: Technology

Effective decentralization requires mobile forensics hardware and software that is flexible and easy to use. Because of the broad range of devices and operating systems investigators come in contact with in the field, the software needs to support extraction from a large variety of mobile devices, operating systems, and apps in order to be effective.

The workflow for this process, however, needs to be intuitive enough for non-specialist investigators to implement in as little time as possible following legal authorization. The tool’s interface should be clear and simple, requiring minimal interaction from the user to obtain the evidence.

The interface also needs to support supervision. In addition to empowering non-specialist first responders to obtain mobile evidence that supports their own missions, the solution should also enable them to request assistance from a second tier of specialist support. Specialists should be able, in turn, to administer data extraction capabilities.

Finally, mobile forensic tools need to be rugged enough for use beyond the confines of a laboratory environment. Equipment that can withstand the rigors of field investigations is essential for providing law enforcement professionals with the tools they need to effectively perform on-site extractions.

While the technology exists to support all four requirements, proper training and certification are critical to ensure that these tools are used effectively.

Step 2: Training

The benefits of decentralization depend, at least in part, on the ability of investigators in the field to perform simple extractions and make real-time determinations regarding mobile evidence.

This requires that law enforcement professionals receive training that provides them with a foundation in mobile forensics and the knowledge necessary to understand the core issues surrounding the proper handling, collection, and analysis of mobile evidence.

This basic knowledge, along with vendor-specific certifications, will enable investigators to use different tools and ensure that they are capable of extracting evidence in a forensically sound and legally defensible manner.

Law enforcement professionals need to understand how to collect and analyze evidence without damaging it, as well as how to protect the device from the network so it isn’t wiped remotely or altered in any way, and document each action they take in support of deeper forensic analysis.

Finally, investigators need to be armed with the knowledge of how mobile forensic tools support broader legal requirements. This way, investigators will be able to provide testimony and evidence that meets legal standards and will be admissible in criminal proceedings.

Step 3: Enforcement

In addition to proper tools and training, sound enforcement policies can play an important role in the decentralization process.

First, establishing a policy along with a set of standard operating procedures (SOPs) or guidelines can help prevent abuse and enforce standardized training and methods of evidence collection. This is especially important given the increase in the number of law enforcement personnel using mobile forensic tools.

Second, guidelines for handling mobile evidence should empower investigators to make decisions regarding when to conduct an extraction in the field and when to escalate a device and turn it over to a forensic specialist for further analysis.

Similarly important is the need for all investigators to become familiar with specific legal requirements and policies at the federal, state, and local levels. Guidelines and procedures can put safeguards in place that guarantee that the search, seizure, and extraction of mobile evidence are done in accordance with the law.

Standards developed in consultation with legal authorities can play a critical role in ensuring adherence to the law on multiple levels regarding probable cause, search warrants, and exceptions to the warrant requirement, especially consent and exigent circumstances.

The Future of Decentralized Mobile Forensics

As mobile devices continue to play an increasingly pivotal role in criminal investigations, more and more law enforcement agencies should consider adopting a decentralized approach to the collection and extraction of forensic evidence. Decentralization offers a number of significant benefits, including rapid evidence collection for real-time decision making, a decrease in the quantity of evidence forensic experts have to deal with, and an increase in the overall quality of evidence to aid in criminal investigations.

This is only the beginning. As the trend toward decentralization grows, decision making in the field will only continue to improve. Ultimately, not only will investigators be equipped to collect evidence from a mobile device at the scene, they will also have the capacity to run the data they retrieve against larger databases of criminal information in real time in order to make faster, more informed and more effective decisions.

Because decentralization depends upon the introduction of additional, non-expert staff into the forensics process, the right tools will have to be supported by proper training and sound enforcement policies. It is, however, well worth the effort. Empowering existing personnel will pave the way for a law enforcement workforce that is better equipped to handle the challenges of investigating digital crimes and evidence.

About the Authors

Christa M. Miller is the Director of Mobile Forensics Marketing at Cellebrite. She has worked for more than ten years as a journalist, specializing in digital forensics and other high-tech topics for public safety trade magazines. Miller has a B.A. in Economics from Whittemore School of Business and Economics at the University of New Hampshire, and is based in South Carolina.

As Cellebrite USA’s Forensics Solutions Engineer, Lee Papathanasiou is responsible for interfacing with various law enforcement agencies and enterprise customers to deliver technical information and product expertise. He also is tasked with identifying and articulating customer needs to R&D teams. Lee is approaching his sixth year of employment with Cellebrite and is CCLO, CCPA, and CCME certified.
