Archived Webinars

All archived webinars are merely for educational and viewing purposes ONLY. NO CLE CREDIT will be given for watching the archived webinar.

Cellphone Forensics: Applications in Discovery and Investigations

TASA ID: 10136

Program Description:

On May 22, 2018 at 2:00 p.m. (ET), The TASA Group, in conjunction with digital forensics expert Simon Varley, presented a free, one-hour interactive webinar presentation, Cellphone Forensics: Applications in Discovery and Investigations, for all legal professionals.

During this presentation, Mr. Varley discussed:

  • Background
  • Mobile forensics
  • Typical cases
  • The forensic process
  • Privacy issues
  • Digging deeper
  • The future

Cellphone Forensics: Applications in Discovery and Investigations from The TASA Group, Inc. on Vimeo.

About The Presenter:

Simon Varley is a digital forensic examiner at Califorensics in Sacramento, CA which emphasizes in computer forensics, eDiscovery, and fact-finding in support of complex litigation or referral for prosecution. He represents law firms, state and local government, high-tech firms, aircraft manufacturers, financial institutions and school districts. He also has experience in obtaining and analyzing digital forensic evidence with specialist experience in high level training in cellphone and mobile device forensics, cell tower analysis and presentation, digital tape archives restoration and analysis, and website and social media preservation and analysis.


Video Transcription:

Lauren: Good afternoon, and welcome to today's presentation "Cellphone Forensics: Applications in Discovery and Investigation." The information presented by the expert is not to be used as legal advice and does not indicate a working relationship with the expert. All materials obtained from this presentation are merely for educational purposes and should not be used in a court of law sans the expert's consent, i.e., a business relationship where she/he is hired for your particular case.

In today's webinar, Mr. Varley will discuss background, mobile forensics, typical cases, the forensic process, privacy issues, digging deeper, and the future. To give you a little background about our presenter, Simon Varley is a digital forensic examiner at Califorensics in Sacramento, California, which emphasizes in computer forensics, eDiscovery, and fact-finding in support of complex litigation or referral for prosecution. He represents law firms, state and local government, high-tech firms, aircraft manufacturers, financial institutions, and school districts. He also has experience in obtaining and analyzing digital forensic evidence with specialist experience in high-level training, in cellphone and mobile device forensics, cell tower analysis and presentation, digital tape archives restoration and analysis, and website and social media preservation and analysis.

Attendance require a passcode. The word for today is "Cellphone." During the Q&A session, we ask that you enter this passcode into the Q&A widget for CLE reporting purposes. The Q&A is located to the left of your screen. Please remember that if you are applying for CLE credit, you must log on to your computer as yourself and stay for the full 60 minutes. You're also required to complete the survey at the end of the program. Please note that CLE credit cannot be given to those watching together on a single computer. Tomorrow morning we'll send out an email with the link to the archived recording of the webinar. The slides can be downloaded from the Resource List at the widget at the bottom of your screen. Thank you all for attending today, and Simon, the presentation is now turned over to you.

Simon: Okay. Thank you, Lauren. Good morning or afternoon everyone, depending on where you are across the country. This presentation, as she stated, is about "Cellphone Forensics and Applications in Discovery and Investigation." I'm from Califorensics over here in California, and I'm going to first tell you a little bit about myself. I'm English even though my accent is slipping a little bit. I come from an electronics background. I went to work for EDS which was Ross Perot's rival for IBM, embedded with the British Ministry of Defense doing Safety and Security Analysis, and then moved to Prague in the Czech Republic to build forensic search systems for intelligence agencies across Central Europe.

Since coming to the U.S., I worked a little bit in banking with government accounts and fundraising accounts. And since then, been trained by Cellebrite to the top level for analysis of cellphones and mobile forensics. I do a lot of criminal defense cases, a lot of public defender work, involves expert court testimony, as well as we do some largescale civil litigation work as well.

Okay, during this presentation, well, I'll try and cover a little bit about the background, a bit of general knowledge on digital forensics, and then why we might need it, what cases might need it, a little bit about what mobile forensics refers to, when we might need that, some typical cases, some little scenarios and different types of cases that are of interest, then a little about the forensics process, what happens during collection, the importance of preservation. It might get a little technical, but there may be some terminology that may prove useful if you're getting a forensic report from the other side and they mention certain types of extraction that might happen on a cellphone. This will maybe help you know whether a better collection of data was possible and what that means.

We'll go into some location data, some mapping, some cell tower data also, and then issues for privacy, reasons for resistance, and a key case that covers concerns and what it means in a courtroom. We'll go into digging deeper, which will be little the extra services that we can perform, and if we have time we'll go into the future on what we think will happen.

Let's go dig into this. What is digital forensics? Well, a lot of people know what physical forensics refers to. A lot of people watch mystery shows and get to see the process. They're used to seeing people onsite collecting evidence using clean suits so as not to affect the evidence during collection, used to storing it in special containers to preserve the integrity of the evidence, and they used too some sort of analysis which in TV shows, you know, get the DNA of the killer within 20 minutes. But, obviously, the reality is a little bit longer than that.

And, similarly, with digital forensics, in the same way we have to collect the digital data from the device without affecting it in any way. People may be aware of something called metadata, which is essentially data about the data. So, if you created a word document, you know that it has a "created date" attached to it and an "edited date." So even looking at a file can change some of this data. So the purpose of digital forensics is to collect that without changing the evidence in any way. Just like physical forensics, we have a way of storing it and maintaining the integrity in a provable way so that if a case comes to court two years after that collection, we can show that the evidence hasn't changed in any way. And, similarly, with the analysis, there's a lot of data on computers, and especially the larger hard drives, so analysis can take a little bit longer than you might think even if it's a simple case.

Why do we need it? Okay, different reasons. Cases and people need digital forensics, in general, is evidence preservation, the need to preserve things. If litigation is expected, this can be very important, not just because of sanctions, which we'll touch on a little bit but a great deal of dates can be lost if it's not collected in time. So we're talking, let's say, large organizations have policies of retention regarding email that need to be noted. Obviously, cellphones could damage...people will delete items. We go in there to preserve the data as early as possible so we have it saved, and to maintain the integrity of evidence. So, we preserve it, we have a copy, and then if the litigation takes, you know, two, three years, it's still there. It's still stored in the same state as it was collected.

Detailed analysis, we can be hired to find user activity. People still copy files off their computer to take to their new employer and call the USB drive "My Stolen Files." People still do those sort of things. So, we can see that activity. We can see what was printed. We can see what was browsed. And that's a large part of what we do. We can recover deleted files when people try and cover things up. But search for relevant evidence can be anything. We've done reviews, especially of cellphones, to show frame of mind. So, it can be whatever an attorney, whatever narrative he wants to present in court, we can try and find evidence to back that up, however circumstantial. And, obviously, a cellphone is important in that because it covers a lot of day-to-day activity that can be used to show, not definitively, but it can help back up a narrative about someone as very minor if they were happy or scared, or what have you.

Production of results. A lot of times, civil litigations or strongly powerful written forensic report may be enough to push for a settlement. The forensic results that we provide are meant to reproducible and definitive so that if they hire an expert too and they read the report, there shouldn't be too many points to contest and can be enough to move to a settlement. Court testimony, we do a lot of that, especially criminal cases. And that can even be just explaining complex concepts to the court, like Snapchat. Obviously, that, to some people, might not be a complex concept, but depending on maybe age and sophistication of the judge, it could be, or especially if it's a jury, not everyone will understand how different systems work. I was recently in a family court explaining the "Find My iPhone" feature of the iCloud. So, that's part of what we do as well.

Okay, moving into mobile forensics. What do we mean by mobile forensics? Well, it's forensics on mobile technology and that covers cellphones, obviously, so that's Smartphones which most people have now and not so smart phones. We do have a term that we use for people that use not so smart phones, and that term is "criminal," which I feel bad about. I think some people still like the simplicity of it, but a lot of people that wanna hide their activity use not so smart phones. They're cheap, they don't carry a lot of incriminating data on them, you know, and they can be thrown away at a pinch.

So, tablets. Tablets work exactly the same way as a cellphone. The market was booming in tablets for a while when Smartphones were trying to get smaller. There was definitely a market for a bigger thing. But now cellphones are now getting bigger. But we still deal with a lot of those in terms of test of IP and criminal activity. Wearables as well come onto that. The Smartwatches. I don't know about Google glasses. They haven't flooded the country as they were promised to do at some point, but it's still something that we can see as a source of data to be analyzed.

Moving on to the next slide, we see something else that moves on from the smart devices into what's called "The Internet of Things," which you may or may not have heard of. And this covers devices that connect into a sort of a smart home network. This has come to the fore because of the rise of Alexa and Amazon's Smart Home devices and, of course, now Google and Apple have jumped on that bandwagon. And all manufacturers of products now are trying desperately to find a way or a reason to make their devices a smart device. Increased cost, but sometimes it's genuine functionality that's added there, but these can all be sources of data that we can use. That's obviously cropped up, from the weird and the wonderful.

Actually, door locks, there was an issue initially when they released smart door locks, that people would find, especially one story houses, criminals would go to the back of the house to what they believed was the bedroom window and shout through the window, "Alexa, open the front door." And it would unlock the front door. So they had to quickly issue modifications to it to prevent the unlock feature. So you could lock your door through Alexa but you can unlock it. I think that's now changed though. I don't know what security they've added to that. But, yeah, in a little bit we'll talk about the future at the end. We'll go into that, what implications that could have in investigations.

When do we need mobile forensics? Well, it really depends. Now cellphone ownership is well about 95% of adults in America. There's that strong possibility that any legal case that you have, a cellphone will be involved in some way, whether it's relevant or a need of an expert. But it will be involved in some sense in a case. And with the percentage of that being Smartphones on the increase too, mainly due to drops in price, greater functionality, it's a lot easier to do business on a Smartphone now, so people are seeing more value in getting Smartphones. So, it's on the increase, and, of course, the types of data it stores, it's more likely also that your case is gonna involve a cellphone.

I've left off criminal in there. So I'll use some examples of the activity we do in criminal cases, but most common types of mobile forensics case we're getting at the moment are inappropriate use of work devices, which covers a lot of evil, as you can imagine. Sexual harassment in the workplace, obviously, a very worrying series of cases, and theft of intellectual property. So we're gonna go through a little bit of these scenarios and how we help, essentially.

So starting off with inappropriate use of work devices. That can be Internet gaming. We have a lot of cases with that. School district recently, IT director was playing multiplayer, you know, one of those broad online games. We were brought in to track the time of his use and it was literally all day. He actually got to work at 7:30 in the morning and he was already online and gaming at 7:45. So we produced quite a detailed report on that so that supervisors could know what was going on there.

Pornography, as you can imagine, large problem, large reason for calling us in to investigate. We look into viewing it, whether you're looking at a website, whether you're downloading it. The amount of it on work devices, where it was stored, how much time was it taken up at their work or school day. And the content can be important, not just because if it was criminal or not being child pornography, but even just inappropriate. One example is a school teacher. I was recently testifying at a teacher credentialing administrative hearing essentially because a teacher was looking at teen content, although legal, had some worrying titles of videos and things that were inappropriate even if they weren't illegal. So that's a lot of what we do there.

And, of course, child pornography plays an unfortunately large amount of our time in terms of investigating. We tend to search for known CP images, child pornography images, and I'll tell you in a second how we do that. We check the hash values. Again, I'll tell that in a moment. We search how it was viewed, if they used an external drive so we can provide that for a search, and these always result in law enforcement being brought in, even if it's a side effect of an employment law case, you know, civil litigation. We find child pornography in any way, we bring in law enforcement.

But just to explain how people know that the images is known child pornography and a little bit about what we do, this is a slide that explains, well, it doesn't quite explain yet, what a hash value is. And now this doesn't look like it, but this is the most important part of digital forensics as a whole.

So, a hash value. Hashing is a process whereby all the ones and zeros of either a file or a drive are put through a complex algorithm to come out with a long, complex number at the end of it. You look at the MD5, one there. These are two different protocols, two different algorithms, essentially, two different equations that generate unique answers or semi-unique answers. And so, this is an answer essentially to what is this file, the contents of the file. It doesn't affect the name of the file or the metadata, as I previously mentioned, but it's the actual content. And if anything changes on that content, it comes out with a different answer.

So, these are the hash values of this presentation. So, I could rename this presentation whatever I wanted. I could change the author of it, you know, that's listed in the file properties [SP]. But if I input a blank space next to the uniquely identified data part of this, it will come out with a different number. And this is how digital forensics preserves that integrity of the evidence, too. So, when we take the forensic collection, the forensic software or the tools will hash the entire drive of the computer, or cellphone sometimes, before it copies the data over. So, it will have a hash value for the drive itself.

Then after the extraction or the copying of the data, it will scan and hash the forensic image and make sure it comes up with the exact same number, or hexadecimal number. It's actually in BASIC string [SP] in hexadecimal. So that's how we know it's an exact copy. That's also how we know whether anything's changed or corrupted. It's also how antiviruses work, especially the older ones. They have a series of these known virus files and they have the hash values, and they hash your machine and they look for matches. So it doesn't matter what the file is called, whether it's pretending to be a word document. It can identify them. So that's what it's used for.

And in child pornography, when law enforcement identifies a victim that's shown in an image, they will save these hashes and we can download these hash values to search our data. So that's a part of what we do in our investigation. We can see whether there are any matches to this database of these identifiers. And that's part of what we do for child pornography cases.

Sexual harassment in the workplace. Now this, I would say a large portion of our investigations into this seem to be valid allegations, and the evidence we find, a large portion of the time, back up the claim. But this is a specific incident of a false claim that happens all the time, and it keeps coming back to it. It's an interesting one that's why I included it in this. It's actually a case where a supervisor, Person 1, and a subordinate are having a relationship with one of them or both of them being married. It's this common scenario, very consensual, they have a conversation via text.

Normally, it is a little bit more...the example I have up here is a little bit Sesame Street, so I apologize, but the ones I normally see do make me blush a little bit. But for the purpose of this demonstration, I've done quite a normal one. A conversation that seems innocuous. We're gonna have a copy of this entire conversation that's gonna be on the supervisor's cellphone as well as the exact same on the subordinate. So, what happens is they get on very well, they have their relationship, and then it comes to an end.

The Person 1 may be married or just feeling bad because he's a supervisor. "Please let's just delete all our communications, you know. This was wrong, we shouldn't do this." So, Person 1 deletes the entire conversation. But Person 2 doesn't. They keep it. They don't delete the messages, and then at some point in time in the future, they're reprimanded or even let go by the company that they file a sexual harassment claim. And then they produce this evidence, a selection of messages that doesn't necessarily show the whole picture.

So, again, forgive this crude example but you can see how you can twist, by choosing which messages you provide, you can change, essentially, the narrative of the case. So, we get a lot of these. It's a surprisingly common issue. And then we have to try and recover. Most of the time, we won't recover all the messages, but just enough to counter the sworn testimony by Person 2 on the case just to challenge that narrative. And I'll show a little bit of evidence later on of a case like that where I managed to find a message that countered a sworn testimony. So I've included that. It's a very common one and it goes to show what we get asked to do quite a bit in terms of recovery of text messages.

Theft of intellectual property, often huge civil cases. A lot of problems there. Now, Stroz Friedberg did quite a broad survey that had some quite startling results. Seventy-one percent of the respondents admitted to frequently or occasionally sending materials to a personal email account, or uploading materials to a personal cloud account, Google Drive, things like that. Most cited reason, close to 40%, was they preferred their personal computer over their work computer. They were asked to, you know, work at home. Some of you may have done that. Can be quite a natural thing. "Oh, I'm just gonna, you know, send this to my Gmail account so I can just work on it at home."

And that can be a huge, huge issue in terms of trying to deal with that when they move to a competitor. The 51% of senior management admit to taking job-related emails, files, and materials with them when they have left past employers. That is a lot more worrying because, obviously, they have access to a lot more sensitive and propriety information than the people below them. The HR best practice we say is there should be forensic imaging of devices, especially key personnel, leaving the company. That is very difficult to fight for from a cost and logistics standpoint but, you know, the problem that we encounter a lot is when they only find out that, even with sexual harassment crimes, the HR departments only find out after the person's left, and probably a couple of months after a lot of the time that something's happened, or, you know, the clients are getting called from this new company. And by then, the devices have probably been reallocated. They used computers, sent it to someone else, they've wiped it, they've reset the phones.

And so, that is the ideal, especially for key personnel, to keep that preserved forensic image, snapshot the exact set of data from that device. And then once it's been forensically imaged, it can be reallocated, reused, it doesn't matter. We have a court-approved exact copy of that data.

Let's go through a little bit the forensic process here. What steps should you take upon receiving evidence? It may or may not happen that you yourself receive evidence. A lot of times that may happen with a cellphone because if you become aware that it might be relevant and clients may drop it off for collection, if the device is off, leave it off. Or if it's on, don't turn it off. Just keep it on and place it into airplane mode. That will help prevent any updates, any operating system updates, app updates that may alter the evidence, and it prevents someone doing a remote wipe, which is a huge issue now.

Find my iPhone is a feature on the iCloud that you can go in from another Apple device with the same Apple ID and remote wipe your phone. So that could happen. So to prevent that, we need to get it into airplane mode. And that little picture is what's called a Faraday bank, named after Michael Faraday. It blocks all signals to the outside, either Wi-Fi or a cell network. I'm actually a user of T-Mobile cellphone, so there's lots of places around Sacramento that could be described as a Faraday device because I can't get any signal in a lot of those places. But whenever we get a cellphone in, we'll put it inside one of these Faraday devices and it will still sense your touch on the screen so we can power it up without it connecting through a network and then place it into airplane mode.

Law enforcement has a huge issue with this, with people handing over their powered down cellphones to law enforcement. They then go back. The officer takes that, logs in evidence, keeps it there, a week later comes to say, "I'm gonna extract all that data, find out what happened." And the suspect has gone on to a computer and remote-wiped it. And if it powers on, and it will hit that network or your Wi-Fi before you can get to airplane mode, then it will be wiped. All the evidence will be gone. So, it's a need and a precaution to use these kind of devices, these blocking devices.

Make sure we get passcode, password information. That can be a problem if you're compelling devices from the other side. We need to make sure we have that updated information and that we can test it and make sure it works as soon as possible so that we're not chasing them down later in the day trying to get the right backup passwords and passcodes.

And step four, really bring it in as early as you can, or if you're anybody with forensic training, as soon as you can to even help consult on how to deal with these devices because improperly collected can cause damage and data loss. Speaking of data loss, mobile technology is very volatile. The most volatile, really, of digital data can be lost by user selective deletion. Like we said, messages and images, people, when they take their cellphone in to be introduced into a case, either to the opposing council or to their attorney, will often go in and try and delete messages they're embarrassed about, or doesn't make them look good, or they think will be misinterpreted.

So that can be a huge issue. But even things like app updates can damage it. Snapchat has some bad publicity a little while back because it got out into the public mindset that Snapchat left forensic artifacts for people like us to find, and it was very damaging to what Snapchat was trying to market their app as. So, they've worked pretty tirelessly to update that. And the updates delete any forensic artifacts that were there from the previous version and now prevent there being any real artifacts left via the Snapchat.

Constant OS updates. Similar things, there can be logs and data that are overwritten as the OS, the operating system, changes. So that can be something where if you leave the phone too long, data can be lost. Factory reset, simple and effective, can be an easy way to... We do get a lot of people that accidentally drop their phone on their way to bring it in for collection, but a lot of times sometimes they just reset it. And as we mentioned, remote wipe can be a problem.

Deleted data, now, if people do delete things, you might say, "Well, you can recover deleted items." There's some reasons that it might not be recoverable. Main one is security on the device. To get at the deepest level of data, we have to use imperfections in the code, unknown vulnerability, some problems with the coding. And the security team for Apple and other devices are constantly working to fix those and keep us out. We're essentially hacking into the devices' memory to get all the data we can. And so, it's a constant battle. So, if there was a security update on the phone that's done, it can be the same model of phone, if one just got a newer security update, we may not be able to get as much data as we should or we need. So that can be a huge problem.

The other is slightly less exciting sounding, wear-leveling of NAND technology. So, forgive me and be patient with this, but it is important problem because with the older technology of computer disks and the way it stored data on hard drives, it would essentially stay there, marked as deleted until it was written over. And that could be a relatively long period of time. With the newer technology, they'd use what's called a NAND chip. Now this covers Solid State Drives. You may have heard of USB flash drives and cellphones and mobile technology, they all use the same type of memory chips.

And what happened initially when this technology was developed, they did it for these flash drives, the USB drives that you have, and they were designed to basically work for about 10 years' rough use. And, initially, they found out that they were failing in under a year because...that's the crude little graph at the bottom, it kind of shows. The same little part of their memory were being written too constantly and the rest was relatively unused. So, they realized they had to put in a little bit of a controller attached to it essentially that would move data about and make sure things are written equally to all parts, and to spread it to a level, the wear and tear of the memory. That constant moving about and making sure the entire bit of the chip is used is obviously going to overwrite deleted data a lot quicker because of that.

So that's a big problem. We do have a quite limited timeframe for recovery of deleted data, you know, can be, you know, two to three months, can be a lot shorter, can, in some cases, be a lot longer. It really depends on how much use is on the phone since the point of deletion. That can be an issue. If it's a teenager that's using all kinds of apps and doing things, it's probably gonna be a very short lifespan of that deleted artifact. But, yeah, that's one of the problems that we see.

And in terms of preservation, I've included this, the federal rule of civil procedure which governs possibility of sanctions based on loss of evidence which should have been preserved. It's been loosened a little bit now as to intentional loss rather than just negligent loss. They've tried to be a little bit more flexible now than when it first was issued, but it covers the loss or destruction of relevant cellphone texts. I've included it for that reason here, but it basically says that the electronically stored information or ESI should be preserved. So, the court can issue sanctions if these four conditions that I listed there are met. So, basically, it should have been preserved in anticipation or conduct of litigation, that it's now gone, and the loss is due to one of the parties' failure to take reasonable steps to preserve it.

And the last one is a little bit of a savior for some cases because sanctions will only happen if there is actually a detrimental effect to one of the sides' cases because of it. So, if like a text message was sent by one person to another party, the sent text message was no longer there but they were able to get the message from the recipient, then sanctions can be avoided. But it's a key issue, especially with the volatility of the data on there. And I apologize for the novel of a slide I have here but just to go through this key case, and definitely look up this case and read about it, it's an interesting one, sexual harassment lawsuit was brought basically a wrongful dismissal. The plaintiff wrote essentially a log. And this happens quite often in sexual harassment cases that we see. They kind of journal the incidents and inappropriate acts that have happened in some sort of a computer file.

In this case, she wrote it on notes and then she wrote it up into a log file on her computer she had every night. There were audio recordings and text messages that she wanted included. Now, the problem happened was the fact that the notes that she made were thrown away after she copied them into the computer file. But then she threw away the computer, so she no longer had that as part of the case. She created a log from memory which, as you can imagine, of course, has some problems. But what didn't help actually was that when asked about the disposal of the computer, she said, well, she got a new computer, this one was old. And she was asked whether the change of computer happened before the start of litigation. She said it was but they kind of pushed and compelled credit card records and proved that it was after initiating the litigation.

So that damaged the case a little bit. The other side brought sanctions, applied for sanctions against the loss of the computer, the log of harassment. She had text messages, but they were screenshots and printed out. She disposed of the cellphone so they didn't have that, but that was part of the sanctions that were applied for. And so, the judge said that this was [inaudible 00:37:31] granted adverse inference instruction to the jury as to the plaintiff's computer, the log of harassment that was gone, because she didn't copy it off to another...she didn't put it on a USB file before getting rid of the computer. It was gone. The cellphones, obviously because a screenshot printed out of the text message doesn't have any other data about the time stamps. It can be altered by, you know, a simple Photoshop if need be.

And she had audio recordings but they didn't really have any dates. And there were other recordings that have since been deleted as well. Now there was an adverse inference instruction there, what's not allowed is to introduce the screenshots or the text messages or the audio recordings and, of course, she had to then pay all the fees of the other side, the defendant's fees for challenging this motion for spoliation. There was another motion to compel that came out of it based on email.

But, yeah, so it's an interesting case about...interesting because of the importance of preserving the evidence. It's important because they determined that her duty to preserve the evidence started with her starting that log of sexual harassment, which is very interesting. So, if you have a client or there is a case of sexual harassment where a log was kept, that has to be preserved. Once you start that, that's when the duty to preserve begins. So that was an important one. And it's important because of the prevention of introducing the screenshots of text messages. That's very important. Even in family law, the sophistication of the courts is getting to the level where they're starting to reject that kind of collection of digital data because they know there is a better way and an easily accessible way to get that data for review. But it's an interesting case. I definitely recommend you look at that for relevance. And I think we're ready for our first session of questions. Miss Lauren, go on.

Lauren: Thank you. We're now in the part of Q&A. Just enter the passcode now. The passcode is Cellphone. The first question that we have is, "How long does a cellphone company store GPS data on a phone?"

Simon: Oh, okay. I'm actually gonna get to that. I do have a slide in a moment that breaks it down. AT&T is the best. It keeps them for seven years. It ranges from a year to 23 months through to 7 years. I have it broken down on the slide in a little while. Yeah, it came from a question from a public defender's office because often they get a case and it's already a year after the event, so they very much have to move very quickly to try and get that. But, yeah, I have a slide. It varies quite a lot, and I also have it... Oh, and GPS data. So, they have a timeline for three different types of data. One, subscriber data, which is relatively quite short. It's the cell tower call records which is what number was called and the location.

The GPS data itself tends to be six months and it is only, as I'll touch on in a little bit, is protected. So it has to have a search warrant essentially to get that access to the GPS data.

Lauren: Great. We have time for one more question. "Can we get data from phones that are broken, touchscreen not working, or when it is involuntary phone locked?"

Simon: Okay. Yes, can do, depending on the phone. There can be ways we can... In the "Digging Deeper" section, we can go through and sometimes take the memory chip off, the NAND chip off. We can put it into a similar phone. If it's just the screen, we can do some replacement work there. The memory chip, we can take off and have a look in a reader. Depending on what it is, the newer Apple phones have encryption on the chip itself so we take the chip off, it doesn't matter. We can't really get access to it.

Phone locked, we can bypass the passcode on certain cellphones. Obviously, the new Grey-Key device will bypass all the newer iPhone apps, but, in general, up until about the iPhone 4, we can do it here. Anything newer than that, we can send it away and get access to that data. The reason we send it away, a lot of companies will hide the technique because if Apple finds out about the technique, they will fix the vulnerability that allows it and then, you know, the party will be over, as it were. But, yeah, we can bypass a lot of security. It really depends on the make and model and how new it is. So, definitely ask your forensic provider, you know. Just say, "Can you bypass passcode on this Galaxy S6?" etc.

Lauren: Thank you. That was all the time we have for questions right now. You can continue on with your presentation.

Simon: Okay. Thank you. So I'm going to move through a little bit quickly here. This is just some of the terminology that you might encounter. Types of extraction we get, logical extraction. That just gets the active files on the device, no deleted data. Basically, ask the cellphone, "What text messages do you have? What images do you have?" Especially what the user sees. And that's the easiest one to get. File system extraction is very similar but it gets some of the system files in there that may prove useful, some logs, etc. We generally do a combination of those two.

The iPhone has...it's called an advanced logical extraction. It essentially is an iPhone backup. It asks the operating system for all its information, but it's a very helpful operating system. We get a lot of deleted data and there's a lot we can do with that, so it's quite a good extraction. And that's the most common one, because we get a lot of iPhones.

Our goal is the physical extraction. This is all ones and zeros on the memory chip, a lot of deleted data, more likely on an Android, iPhone 4 and earlier, as I said. To get there, we bypass all the security on the device. So it bypasses a passcode. So if we can get past the passcode, we can get all the data on the chip because we're bypassing essentially the security of the phone. But the physical extraction's the best extraction that we can get. So that's just some of the terminology you might see on a report or from your forensic specialist.

Data types, this is an example screenshot of how mobile forensic software parses out the data, read through all the ones and zeros and that groups them all together for us here. The number in parenthesis in white is the total count of these items. The one in red is how many of that is deleted and been recovered. You can see there's quite a lot of deleted data. I think this is an LG phone that's used as an example. Chats, contacts, device locations, users. Passwords sometimes give us a key. And then, normally, what's saved on the phone is very, frivolous is the word I keep thinking of, saved passwords, so it won't be anything severe like online banking or anything that's saved on the phone unencrypted, but it may be some sort of app or a mailing list, you know, registration.

But what we can look at is if the person keeps using the same password, then it may be that that password was used for a backup or a login to a GroupMe text app that we can maybe access. So, you can see a broad range of data there. If you expand it out a little bit, you'll see chats. We'll get some Facebook message chats. Now, Snapchat, this was an older version of Snapchat, and we weren't able to recover pictures directly through this. So if you use Snapchat, your secrets are safe. But we did get some information regarding handle IDs which we used in a recent case, this home invasion case, and the defendant said it was actually a drug deal gone wrong.

So, obviously, not an angel but we were tasked to looked through these handle IDs to try to find the handle ID of the alleged victim of the home invasion to prove that they knew each other prior to the incident. Contacts, we can break out all the weird and wonderful chat applications that are changing daily. It's a constant battle to try and find out what people are using now. And it's not obviously something I can just search for. I really don't want to have to Google "how are teens talking online," you know. That's not something I want in my Google search history. But we do have to know about all of these apps that we may recover from a device.

Locations, lots of sources of locations there that we can use, but I wanna move on so we can get to some of the more useful ones. Instant messages, we can pull out Twitter messages. Searched items still trips people up. People still search like, "How to steal from my boss," you know, "How to hire a hit man." People still do it and we can recover those, all types of different searches.

These little file structure I included because in a case, it was very important. Somebody had downloaded an app that save Snapchat photos. They were sent a lot of very personal images from ladies, and he downloaded an app that saved it but he didn't realize that it automatically saved photos he'd sent to his best friend, his most common snapped friend. And there was actually a murder case and it was 10 minutes before the start of the murder timeframe, it saved a Snapchat photo he'd sent of him pointing the gun at the camera that was used in the crime. So, it can catch people out. So we do a bit of in-depth poking around there to see what kind of apps people have added in there. But this is kind of the data that we'll get off a cellphone.

SMS, you'll see the little X's if it's been deleted. It'll show us that. Chat, as you can imagine... Oh, I don't see what happened there. There we go. It'll break down in a little conversation format. We can see there on the middle message there's a little icon there that shows we got a location for that person. So that can be used. And we break that down in our reports to show what the conversation looks like and its content. Email and Snapchat, limited content. Our phones don't do very well with email. Essentially, you're logging into a server like Gmail. So there's better ways to get the email data. It requires a username or a password, we can collect that. We can use [inaudible 00:49:39] triangle agreement which I'll talk about in a moment to protect privileged and non-relevant data. But, yeah, don't expect email from the cellphone per se. There's other ways we collect that.

Images, it used to have a lot of metadata on images, and you can see here, even on the right there, it says MD5, has the number there. It's got the hash of that image. Don't have any location data nowadays by default. Social media strips off metadata and location data to protect privacy. And so, cellphones tend to be going towards not even saving that. But most people use their camera for uploading to social media, so not the source of information it once was. However, we still do get information where it gives a longitude and latitude there, type of phone it was taken on, resolution.

We still do get some cases where that's actually available to us and we can track locations that way. Other way to do it would be power data on the device. This was the old cell network. The CDMA, Code Division Multiple Access network that is now defunked. If we get in a cellphone where this data is stored on there, maybe it's an old case, there's still databases we can go to and sort of map out these cell towers. But I'm gonna skip over that to get to what happens actually nowadays, which is with the GSM communications. The cell network stores call records and SMS data, records location whenever there's incoming, outgoing calls or SMS messages or whether someone's using their data to connect to the Internet. There can be a location there. Can be obtained via subpoena. It's not protected data.

And this is an example here, United States versus Davis. It said there was no violation of Fourth Amendment right against a reasonable search and seizure, even if records placed the defendant's cellphone near a crime scene. So, there's no expectation of privacy if you're dialing in a number and sending those numbers to a third party as long as the content isn't shown. Content is protected but the numbers to and from and the location are not protected. Verizon, I've got the dates here for you for subscriber info, 10 months to a year with Verizon, 18 months with Sprint, 7 years with AT&T. So we like AT&T. So we deal with their compliance department quite often in getting records and asking to explain certain aspects of it.

So, yeah, definitely download the presentation to keep that slide if it's pertinent to your type of cases. What we get with the call data, we'll get the connection date and time, the number to and from, the IMEI number, which is the equipment ID, the handset, essentially, the cellphone handset, and then the IMSI which is the subscriber ID which essentially is the sim card. So, you can have different IMSI numbers with the same IMEI number if you've switched out sim cards, but it's a good way to identify the actual phone itself. Description and the example underneath is SMS terminating, so the example here was an incoming SMS message, make and model of the phone and then the cell location data. Now, this has an identifier for the cell tower along with the longitude and latitude coordinate and what's called an azimuth and beamwidth.

And if we go to the next slide, we'll show how we map that. So, obviously, we locate the tower using the longitude and latitude. The azimuth is the angle from north round to the center of the beam essentially, that either transmits the SMS or the call or receives it. And then the beamwidth will then give you the arc, essentially. So, we know in that record that the cellphone was somewhere within that slice of the pie, that the message or the call hit that side of the tower. So, we can use that to plot, with the series of these calls and activity, we can go on to plot paths and disprove alibis. Sometimes we've done that before, saying he couldn't have been further north on the road than this point at that time because it hit this side of the tower. So, we do quite a lot of mapping that way. It's quite long and laborious but it's very useful.

The GPS data, as mentioned before, we normally get that. AT&T calls it Historical Precision Location Information. You'll get a time-longitude and latitude and the degree of accuracy. It can be 10,000 meters, it can be 5,000 meters. Not great for pointing out exactly where they are, but can help back up a narrative of the path, like in this case there was a road that was being driven along there in that accident. That is protected content and is available for about six months, but you need a search warrant. So criminal defense people normally get it as part of discovery from law enforcement if they're lucky enough. So, we have seen that before.

Privacy issues. I wanna move on to this real quick to make sure we fit this in. Resistance to extraction, large majority of the time, it's because that hold images around the phone. Unfortunately, that's a key part of what people store on their cellphones sometimes. Private conversations, especially at litigation when dealing with employment. And so mistrust, of giving too much information, dating apps, and things that could be used as character assassination. Collective extraction, not always possible. I'll try and speed up because I know we're pressed with time here. More often than not, on an Android, very rare on an iPhone, and you don't get deleted items. So, it's not the best idea. Triangle agreement basically means that we will act as a third party, view all the dates around just applied search terms that have been agreed by the two parties, and have both parties agree to the data produced, essentially. And that's something 80% of the time we have.

This could be the name. I'm gonna let you look it up yourself. It's very important. I'll go through it a little bit. It's Garcia versus City of Laredo. It's a case where a dispatcher was having an affair with a police officer at the station. The wife searched the locker, found Garcia's cellphone, looked through the cellphone and found images and text messages. Took it to her supervisor who then conducted an investigation into the cellphone, and then she was fired for sexual activity whilst on duty.

So, she felt that her privacy was invaded, that there was not a valid search. And it's actually a quite interesting case law that govern this. They said that the actual cellphone was in the officer's unlocked locker. That was the key point there. That Garcia was aware of the possibility that the officer's wife may find the cellphone. That was a key point they made. That she was aware of the possibility that the wife would find it but did not lock it with a passcode or keep it within her own locker. So that made that private search admissible. They were allowed to do that. That was not a violation of privacy. Now the supervisor's search, this is a key case that you might want to look into, United States versus Runyan, basically said that the private searcher, because the private searcher had searched the cellphone, it meant that the supervisors could do a more detailed search of that same digital data container which they determined was the cellphone, this one container of data which has been searched privately, then, officially, it can have a more detailed search of the same container without violation to privacy. And that's what they found.

She then challenged it saying that it violated the Stored Communications Act which was an act that was brought in because of Internet service providers and the Fourth Amendment not covering that expectation of privacy when giving...essentially, you hand over your data to a third party and covering that new expectation of privacy that they had. So they brought in the Stored Communications Act to counter that, which is why you need the search warrant for the GPS data. But she argued that her cellphone was covered by that, but it wasn't facility protected by the SCA.

I'll skip through these very quickly. Other things we can do, we can connect directly to the chip in what's called JTAG to bypass it to get the data. We can take the chip off the board. Some risk of damage, so it's not always possible, but it can help us get that extraction. This is what a text message looks like in hexadecimals, so we did a little bit of carving through the raw data and found a text message that said, [inaudible 00:59:40] that relates to the sexual harassment investigation. It was able to find a message that the lady had sent to her supervisor that countered to her testimony. And this is what I was able to break down to prove that it wasn't from the supervisor, it was from the subordinate.

We can look at Snapchat saved pics, all these different areas that we can also look at there. I wanna leave time for some questions. So I'm gonna skip over this very quickly. Just that with this slide, definitely download the slides, have a look at this, filling out the details and maybe, on this slide, with all these smart devices mean that traces are left and a better picture of what happened will be possible. Cloudentity is another trend that will be very damaging to the forensic science because people now pick kind of their tribe, whether it's Google, Apple, Alexa. And pretty soon, nothing will be stored on the device. You will just essentially log in to the servers and all the data will be stored there.

And we see that now, if you look at the Pixels commercials out there at the moment, they're saying, "Never see the screen again, unlimited storage," that's because they're already starting to store all the data up there on Google Drive. So, that's a worrying trend because soon there'll be no actual artifacts on the devices, these mobile devices, for us to find if it keeps going that way.

Okay. So, I apologize for skipping over a few at the end there but I think we've gotten the most important ones in there, and I wanna leave time for some questions.

Lauren: Thank you. We're entering the final Q&A. Please enter the passcode now. The passcode is Cellphone. Unfortunately, we only have time for one more question which is, "Is Apple the most secure of devices in terms of trying to hack into?"

Simon: Yes. They are problematic in many ways to us. Yeah, very difficult because the operating system is not made public, and the Android operating system is available. Anyone can see how it works, how it functions and therein write codes to get into it and to exploit and bypass security. But it's not public, the Apple operating system, so it's very hard for us to bypass it and hack into it to get the forensic data. They're very thorough. If you do a reset of the Apple device, that's pretty much all the data gone. It's very thorough. And then, you know, there's nothing we can do. So, yeah, Apple is definitely the most secure.

Lauren: Thank you. Any unanswered questions will be forwarded to Simon and he will answer them directly. Please remember that if you are applying for a CLE credit, you must have attended for the full 60 minutes of the presentation. You're also required to complete the survey at the end of the program. Please note, you will be receiving your certificates via email in 24 to 48 hours after the presentation.

In addition of being your best source for test finding and consulting experts for more than 60 years, TASA also offers free interactive webinars, expert written articles, research reports on expert witnesses including the Challenge History Report 2.0, and Expert Profile 360. I wanna take this opportunity to thank everyone for attending and most especially Simon Varley for his time and effort in creating this presentation. If you would like to speak with Simon, or if you would like to speak with a TASA representative regarding an expert witness for a case that you're working on, please contact TASA, 1-800-523-2319.

One of my colleagues will be following up with you regarding your feedback on today's presentation. This concludes our program for today.

Previous Article Abdominal Emergencies
Next Article Identifying High Risk Employees
Tasa ID10136

Documents to download

Theme picker

  • Let Us Find Your Expert

  • Note: This form is to be completed by legal and insurance professionals ONLY. If you are a party in a case that requires an expert witness, please have your attorney contact TASA at 800-523-2319.

Search Experts

TASA provides a variety of quality, independent experts who meet your case criteria. Search our extensive list of experts now.

Search Experts