Friday, July 11, 2008

Cell Phones Anyone?

Now that cell phone forensics is becoming more accessible, I thought I would talk a little about it, both from a technical standpoint and regarding the unique issues these devices present from a discovery and privacy standpoint.

A quick overview:

Cell phone forensics is in its infancy and is becoming a popular topic, especially among private investigators and divorce attorneys.

Considering the size of the potential market for cell phone forensics, I can see why it is generating a lot of interest among those who want to get in the business.

CTIA, a wireless industry association, reported that as of December 2007 there were 255.4 million cell phone subscribers in the US, or 84% of households.


Cell phones present some hairy issues when it comes to privacy and consent to search. I am sure that these issues will be addressed in the courts as time goes on. But, currently, let me outline some of the things that are, in my mind, issues that should be considered before you attempt to get information from a cell phone:

1. Who owns it?

This can be a little difficult to figure out because of the nature of these little beasties. Does community property law apply to consent issues?

How do you establish ownership?

Probably the only way to really establish ownership of the phone is to see a recent phone bill showing the activity for that cell phone number.

Why is this such an issue? Suppose that a spouse brings you a cell phone to examine. How do you know whether it is a personal cell phone or one supplied by the subject's company? Can the spouse give permission to search a company-owned cell phone? I wouldn't do it.

If the cell phone bill has only the subject's name on the account, even though it is paid from a joint account, does that give the spouse whose name is not on the bill the right to consent to a search?

Sticky, sticky issues.

2. Technical stuff you should be aware of.

You can't get a forensically sound copy of a cell phone, at least not in the sense the term is used in computer forensics. The reason is that you have to talk to the phone to get the data from it. Even though you are not deliberately modifying the phone in any way, it is not like making a forensically sound copy of a hard drive, where you never talk to the computer at all.

A big deal in computer forensics is something called an MD5 hash. This is a long alphanumeric string calculated from the contents of a hard drive or other media to create a fingerprint for the copy.

This makes it possible to prove at a later date that the copy is exactly the same as the original.

Cell phones don't work like that. While you can create such a fingerprint when data is copied from the phone, and some cell phone forensics packages do, it is not reproducible. Cell phones have an internal clock that cannot be turned off, and it slightly changes the data between reads.

So if you re-acquire a cell phone, the hash value will be different.
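As an added illustration (not from the original post), the reproducibility problem in Python: two constructed acquisitions of the same handset differ only in the device clock, so a hash of the whole export differs while a hash over the artifacts the phone does not rewrite on its own stays constant. The field names and the list of volatile fields are assumptions, not the output of any real tool.

```python
import hashlib
import json

# Constructed sample acquisitions (not real phone data): the same handset
# read twice, a few minutes apart. Only the device clock differs.
ACQUISITION_1 = {
    "device_clock": "2008-07-11T09:14:02",
    "call_log": [{"number": "555-0100", "dir": "out", "at": "2008-07-10T18:02"}],
    "contacts": [{"name": "A. Example", "number": "555-0100"}],
    "sms": [{"from": "555-0100", "text": "running late"}],
}
ACQUISITION_2 = dict(ACQUISITION_1, device_clock="2008-07-11T09:21:47")

# Fields the phone itself rewrites between reads. Hypothetical list: the real
# set depends on the handset and on what the acquisition tool exports.
VOLATILE_FIELDS = {"device_clock"}


def canonical_bytes(record) -> bytes:
    """Serialise deterministically so equal content always gives equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def whole_dump_md5(acq: dict) -> str:
    """Fingerprint of the entire export, clock included: how a naive tool hashes it."""
    return hashlib.md5(canonical_bytes(acq)).hexdigest()


def stable_content_md5(acq: dict, volatile=VOLATILE_FIELDS) -> str:
    """Fingerprint over only the artifacts the phone does not rewrite by itself."""
    stable = {k: v for k, v in acq.items() if k not in volatile}
    return hashlib.md5(canonical_bytes(stable)).hexdigest()


def per_artifact_md5(acq: dict, volatile=VOLATILE_FIELDS) -> dict:
    """One hash per artifact, so a later re-read shows exactly which artifact changed."""
    return {k: hashlib.md5(canonical_bytes(v)).hexdigest()
            for k, v in acq.items() if k not in volatile}


if __name__ == "__main__":
    print("whole dump :", whole_dump_md5(ACQUISITION_1), whole_dump_md5(ACQUISITION_2))
    print("stable only:", stable_content_md5(ACQUISITION_1), stable_content_md5(ACQUISITION_2))
```

Recording both values in the examination notes lets a second examiner re-read the phone later and still show that the call log, contacts and messages are unchanged even though the whole-dump hash will never match.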

3. What can you get from a cell phone?

The exact answer is, it depends. Every cell phone model is different. Also, every piece of software available for getting information from cell phones varies widely in its ability to do so.

So while one piece of software may be able to only get the recent call list from a phone, another package may be able to get the text messages and contact list as well.

In some cases, no software can get anything from a particular phone.

As of this writing, to get information from a Nextel phone, you have to use the phone tools provided by Nextel. None of the forensic software suites I am aware of can talk to a Nextel.

For all us super-geeks, this just makes it a more interesting challenge.

There is no doubt that cell phone forensics will continue to play an increasingly vital role in criminal and civil cases.

At this point there is nowhere to go but up.


1 comment:

  1. Love your blog. By the way, Paraben's Device Seizure product can pull information from Motorola iDEN phones (typically used on the Nextel network).


I have moderated my comments due to spam.