Best Practices in Mobile Phone Investigations
Written by Evan Dixon



The field of mobile phone investigation has grown exponentially in recent years. The number of cell phones investigated each year has increased nearly tenfold over the past decade. Courtrooms are relying more on the information inside a cell phone as vital evidence in cases of all types.

Despite that, the practice of mobile phone forensics is still in its relative infancy. Many digital investigators are new to the field and are in search of a simple book that could be titled Phone Forensics for Dummies.

Unfortunately, that book is not available yet—so investigators need to look elsewhere for information on how to best tackle cell phone analysis. This article can help—although by no means should it serve as an academic guide. It can, however, be used as a first step to help an investigator gain a basic understanding in the area.

The History of Phone Forensics

First, it’s important to understand how we got to where we are today. In 2005, there were two billion cell phones worldwide. Today, there are more than five billion, and that number is expected to grow by nearly another billion by 2012. Translated, there is a cell phone for nearly every human being on Earth.

These phones are not just a way to make and receive calls, but they are also a resource for storing all information in one’s life. When a cell phone is obtained as part of a criminal investigation, an investigator is able to learn a significant amount of information about the owner.

In many ways, the information found inside a phone can be more important than a fingerprint in that it provides much more than identification. Using forensic software, digital investigators are able to see the call list, text messages, pictures, videos, and much more—all to serve as evidence in either convicting or vindicating the suspect.

The Step-by-Step Investigation Process

Lee Reiber, lead instructor and owner of Mobile Forensics Inc., breaks up the investigation into three parts—seizure, isolation, and documentation. The seizure component primarily involves the legal ramifications. “If you do not have a legal right to examine the device or its contents, then you are likely to have all the evidence suppressed no matter how hard you have worked,” says Reiber.

The isolation component is the most important, Reiber continued, “because the cellular phone's data can be changed, altered, and deleted over the air (OTA). Not only is the carrier capable of doing this, but the user can employ applications to remotely ‘wipe’ the data from the device.”

The documentation process involves photographing the phone at the time of seizure. Reiber says the photos should show time settings, state of the device, and characteristics.

After the phone is taken to the digital forensics investigator, the device should be examined with a forensic acquisition and analysis tool. Manual investigation of phones should be an absolute last resort. Utilize manual investigation only if no tool on the market supports the device. Modern cell phones are very much like miniature computers that require a sophisticated software program for comprehensive analysis.

When examining a cell phone, it is important to protect it from remote access and a network signal. As cell-phone jammers are illegal in the United States and most of Europe, Reiber recommends using “a metallic mesh to wrap the device securely and then placing the phone into standby mode or airplane mode, photographing the phone, and then placing the phone in a state to be examined.”

Steve Bunting, Senior Forensic Consultant at Forward Discovery, laid out the process flow:

1) Achieve and maintain network isolation using a Faraday bag, RF-shielded box, and/or RF-shielded room.

2) Document the device thoroughly, noting all information available. Use photography to support this written documentation.

3) If a SIM card is in place, remove it and then read and image the SIM card. Note: If there is no SIM card in place, skip to Step 6.

4) Clone the SIM card.

5) With the cloned SIM card installed, do a logical extraction of the cell device with a forensic extraction and analysis tool.

6) Note: If this is a non-SIM device, start here. Examine the extracted data from the logical examination.

7) If supported by both the model and the tool, do a physical extraction of the cell device.

8) View parsed data from physical extraction; this will vary greatly depending on the make and model of cell phone and the tool being used.

9) Carve a raw image for various file types or strings of data.

10) Report your findings.
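Step 9 above, carving a raw image for file types and strings, is what a small header/footer carver does. The following is an added example written for this article, not code from the author or from any tool named here; the raw image is a constructed byte string (filler with one JPEG, one PNG and one ASCII string embedded), not a real phone dump.

```python
import hashlib
import re

# Constructed sample "raw image": filler bytes around a minimal JPEG, a
# minimal PNG and one ASCII string. Not a real extraction.
JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x11" * 20 + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 12 + b"IEND\xaeB`\x82"
RAW_IMAGE = (b"\x00" * 64 + JPEG + b"\xff" * 32
             + b"Call +1-555-0100 tonight" + b"\x00" * 16 + PNG + b"\x00" * 32)

# (type, header magic, footer magic). The footer marks where the object ends.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]


def carve_files(image: bytes):
    """Return (type, offset, length, sha256) for every header/footer pair.

    A header with no matching footer is a truncated object and is skipped,
    so a partial file is never reported as a complete one. The hash lets the
    carved object be re-verified later and cross-checked against another tool.
    """
    found = []
    for ftype, header, footer in SIGNATURES:
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header))
            if end == -1:
                break  # header without footer: nothing reliable to carve
            end += len(footer)
            blob = image[start:end]
            found.append((ftype, start, len(blob), hashlib.sha256(blob).hexdigest()))
            start = image.find(header, end)
    return sorted(found, key=lambda f: f[1])


def carve_strings(image: bytes, min_len: int = 6):
    """Return (offset, text) for every printable ASCII run of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, image)]


if __name__ == "__main__":
    for ftype, offset, length, digest in carve_files(RAW_IMAGE):
        print(f"{ftype} at offset {offset}, {length} bytes, sha256 {digest}")
    for offset, text in carve_strings(RAW_IMAGE):
        print(f"string at offset {offset}: {text!r}")
```

Real carvers also handle fragmented objects and file types without a fixed footer; the offsets and hashes recorded here are what goes into the report and the cross-validation described later in the article.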

Credibility on the Stand

There are two things an investigator can do to gain credibility in the courtroom. One is cross-validation of the tools used. It is important that investigators do not rely on only one tool when investigating a cell phone. Both Reiber and Bunting recommend using multiple tools for cross-validation purposes.

“By crosschecking data between tools, one may validate one tool using the other,” said Bunting. Doing so adds significant credibility to the evidence.

The second way to add credibility is to make sure the investigator has a solid understanding of the evidence and how it was gathered. Many of the investigation tools are simple to use and require only a couple of clicks to generate a detailed report. Reiber warned against becoming a “point-and-click” investigator now that the tools are so easy to use. If an investigator takes the stand and is unable to speak intelligently about the technology used to gather the evidence, his credibility will be in question.

“The more knowledge one has of the tool’s function and the data structures and functions found in any given cell device, the more credibility one will have as a witness,” said Bunting.

Getting Started

If you have zero experience and suddenly find yourself called upon to handle phone-examination duties for your organization, don’t panic. I speak with individuals on a weekly basis in a similar situation looking for direction. My advice is always the same: Enroll in a training course, become certified, seek the counsel of veterans, engage in online digital forensics communities and forums, and speak with representatives of software companies making investigation tools. By taking these steps, you should be able to go from novice to expert in a short amount of time.

About the Author

Evan Dixon serves as Director of International Operations for Compelson Laboratories, makers of MOBILedit! Forensic. He has over six years of experience in mobile phone forensics examination and training. Dixon holds a BS from the University of Colorado and an MBA from Pepperdine University.

Return to the November 2011 Featured Products & Services Main Page
