Friday, May 11, 2007

Phone Forensics: Cell/Mobile Phone Forensics Recognized for What It Is

Wired has an article on Cell Phone ("Mobile Phone" for those unfamiliar with US English) Forensics that comes across as critical in tone, but, in my humble opinion, simply conveys the message that there is nothing magic about cell phone forensics - it is evidence and should be treated as such. That means establishing the chain of custody to preserve it and protect it from intentional and unintentional tampering.

The article makes a point about some software tools not having tamper protection built in. I know that this is a current issue regarding evidence, particularly digital evidence. However, the drive to ideally preserve evidence can be taken too far - real world practicalities must also be acknowledged and accommodated or else the evidential system, and therefore justice, will suffer in the end.
Aside: Please do not mistake my point - I am not against establishing standard operating procedures and best practices for preserving evidence, performing examinations, and the like. What I am against is establishing overly idealistic expectations that are not achievable in the real world across the myriad law enforcement and justice agencies. Put another way, I am for a reasonable balance that is biased toward continually improving the system over time.

The Wired article, at least to my reading, gives the impression that if a tool does not have built-in digital signature protection, it is somehow completely suspect. I don't think that is the case. There are ways to adjust operating procedures to accommodate this, such as MD5 hash generation software routines and proper (in the British sense of the word) evidence handling procedures. I think it is a good idea to have protection built in, but it is likewise a bad idea to automatically assume that, if a tool used in an investigation doesn't have digital signature features built in, the evidence was likely tampered with. That sounds blindingly obvious when approached in this manner, but may not be so obvious to a jury or the general public.
To return to the main thrust of this post, cell phone data is not just any run-of-the-mill evidence; it is "scientific evidence", so someone acting as an examiner needs to recover and analyze the data and then present the results. The article helpfully provides a link to a draft NIST (the National Institute of Standards and Technology, a US government agency) recommendation titled Guidelines on Cell Phone Forensics.
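The "hash generation routine" mentioned above, as an added example that is not part of the original post or of any tool it discusses: the examiner hashes the acquired image immediately after acquisition, records the digests in a manifest alongside the examiner's name and a note, and re-verifies before analysis or presentation. MD5 (the post's example) is kept for compatibility with existing procedures, and SHA-256 is recorded beside it because MD5 collisions are practical; the manifest format, file names and sample image contents are constructed for this illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# MD5 as in the post, plus SHA-256 since MD5 is collision-weak (assumption: record both).
ALGORITHMS = ("md5", "sha256")


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a file, read in chunks so large images fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(image_path, manifest_path, examiner, note):
    """Record the acquisition digests with who made them and why (hypothetical manifest layout)."""
    record = {"image": Path(image_path).name, "examiner": examiner,
              "note": note, "digests": hash_file(image_path)}
    Path(manifest_path).write_text(json.dumps(record, indent=2))
    return record


def verify_manifest(image_path, manifest_path):
    """Re-hash the image and compare against the manifest; return (ok, list of mismatching algorithms)."""
    record = json.loads(Path(manifest_path).read_text())
    current = hash_file(image_path, tuple(record["digests"]))
    mismatches = sorted(n for n, d in record["digests"].items() if current[n] != d)
    return len(mismatches) == 0, mismatches


def demo():
    """Constructed walkthrough: verify passes right after acquisition, fails after a one-byte change."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "handset_acquisition.bin"  # constructed stand-in for a phone image
        manifest = Path(tmp) / "handset_acquisition.manifest.json"
        image.write_bytes(b"CONSTRUCTED SAMPLE: contacts.db\x00sms.db\x00" * 64)
        write_manifest(image, manifest, "EXAMINER-PLACEHOLDER", "acquisition complete, handset isolated")
        before = verify_manifest(image, manifest)
        with open(image, "r+b") as fh:  # simulate a later, undocumented modification
            fh.seek(10)
            fh.write(b"X")
        after = verify_manifest(image, manifest)
    return before, after


if __name__ == "__main__":
    print(demo())
```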

Phone forensics is a helpful tool and can provide valuable clues that would not be otherwise available. But like all scientific evidence, it must be handled, analyzed, and presented properly, and then taken into account along with other evidence, to be of use to investigators and the court.

3 comments:

Anonymous said...

Very interesting post. Thanks Keith.
Diverse issues considered, in particular those relating to UK judiciary.
AJF.

Anonymous said...

Well, unfortunately, your cell phone isn't exactly like a computer. Establishing a chain of custody, as it pertains to current forensics, really isn't possible in most modern cell phones. The cell phone, when powered on at all, can change the state of what is stored there, connected to a network or not. You are dealing with a system, not a simple hard drive. Even forensics on a thumb drive could be questionable by current forensic standards.

And none of this really leads to questions that no one is asking right now: How do you know *I* put the data on that phone. If I bought my phone from e-bay, and I get my phone and don't question who sold it to me, I could be going to jail. Especially if I get mixed up in some investigation in which the OLD data from the phone seems relevant, but I have nothing to do with putting it there. Another possibility is someone else using my phone. I have a friend, he commits a crime, takes pictures with my phone that he's borrowed, deletes them after transmitting them to his buddies... I didn't do anything, but when I get my phone back, I'm left literally holding the bag.

So all of this "evidence" is pretty much circumstantial unless someone can prove the phone was in my hands at the time of the crime.

All of this doesn't mean that mobile phone forensics isn't useful, but it should certainly be questioned if it is the only evidence.