Flasher Boxes: Back to Basics in Mobile Phone Forensics

Article Posted: July 13, 2010

Every Contact Leaves a Trace
The mobile phone in today’s society is without a doubt one of the most impressive revolutions of technology embraced by almost every person throughout the world regardless of race, color, or religion. Edmund Locard (1877-1966), a French criminologist, is regarded as a pioneer in the forensic world with his theory: “every contact leaves a trace,” the Locard exchange principle. At the time he was inspired with this theory, I doubt very much he imagined that it would be as relevant in a modern technological world as it is today.

Simply switching on a mobile device—whether calls are made and received or not—will leave traces of data, not just on the handset but across a telecommunication network. Knowing where to look and understanding what can be retrieved to assist in a successful investigation is key to a case’s swift and reliable conclusion. It is for this reason that the mobile phone has become an integral part of any modern day investigation.

Research by Dr. Jason Beckett in Australia has shown that evidence from cellular devices has increased by 500% in recent years. Is this because mobile phones were ignored and placed in the “too difficult” basket and are now being examined, or because they are indeed being manipulated and used more extensively in the commission of criminal activity? Without a doubt the criminal fraternity is looking at mobile forensic manufacturers’ websites and researching which devices are supported or not, as the case may be, prior to making their purchase. This has been evidenced numerous times in Mexico during investigations into organized crime involving the drug cartels.

So where do we go if big league criminals are taking such evasive action? “Back to Basics.” There is a growing demand to return to the flasher box/hex dumping solution in order to retrieve information from suspect devices not supported by the various mobile phone forensic manufacturers. What are the alternatives? Thumb through the screen, recording data as it appears? Certainly best practice would suggest that this be the first course of action regardless, when all else fails. Tools such as the Fernico ZRT and ZRT2 HD are excellent, easy-to-use products to facilitate this process. I use these tools on every single case, regardless of whether it is a computer or mobile phone investigation, to record a photographic survey of the device prior to and at the end of a forensic analysis. However, what about the latent data? What about damaged phones? What about phones without a SIM card? What about PIN-protected handsets?

When Should You Use a Flasher Box
Let’s be very clear before we go down the flasher box path: there is no replacement or substitute for the automated forensic tools produced by mobile forensic manufacturers such as Cellebrite UFED or Physical Pro, Micro Systemation XRY or XACT, Paraben Device Seizure Kit, Logicube CellDEK, or Susteen Secure-View, to name but a few. Indeed, these types of solutions should always be used as a first response. Unfortunately, with growing consumer demand for newer and more technologically advanced mobile phones, these automated and safe solutions do not meet some investigative requirements.

There is no question that flasher boxes are invasive alternatives, but this is where mobile phone forensics started prior to the commercially available fast copy, and more recently, forensic physical extraction tools. So is it safe to use them? Yes, by those who have been trained or have extensive experience in their use under controlled environments. What are the alternatives? Do you really want to leave evidence behind and just move on if the automated solution has failed you? If your conscience will allow you to leave potential evidence behind when a child predator has abducted a victim or a terrorist attack is imminent and you believe that using a flasher box is against the rules, then so be it.
