In the world of digital forensics, mobile phone investigations are growing exponentially. The number of cell phones investigated each year has increased nearly tenfold over the past decade. Courtrooms are relying more and more on the information inside a cell phone as vital evidence in cases of all types. Despite that, the practice of mobile phone forensics is still in its relative infancy. Many digital investigators are new to the field and are in search of a “Phone Forensics for Dummies.” Unfortunately, that book isn’t available yet, so investigators have to look elsewhere for information on how to best tackle cell phone analysis. This article should by no means serve as an academic guide. However, it can be used as a first step to gain understanding in the area.
The History of Phone Forensics
First, it’s important to understand how we got to where we are today. In 2005, there were two billion cell phones worldwide. Today, there are over 5 billion, and that number is expected to grow by nearly another billion by 2012. This means that nearly every human being on Earth carries a cell phone. These phones are not just a way to make and receive calls, but rather a resource to store all information in one’s life. When a cell phone is obtained as part of a criminal investigation, an investigator is able to tell a significant amount about the owner. In many ways, the information found inside a phone is more important than a fingerprint in that it provides much more than identification. Using forensic software, digital investigators are able to see the call list, text messages, pictures, videos, and much more, all of which can serve as evidence either convicting or vindicating the suspect.
The Step By Step Investigation Process
Lee Reiber, lead instructor and owner of Mobile Forensics Inc., breaks up the investigation into three parts—seizure, isolation, and documentation. The seizure component primarily involves the legal ramifications. “If you do not have a legal right to examine the device or its contents then you are likely to have all the evidence suppressed no matter how hard you have worked,” says Reiber. The isolation component is the most important “because the cellular phone's data can be changed, altered, and deleted over the air (OTA). Not only is the carrier capable of doing this, but the user can employ applications to remotely ‘wipe’ the data from the device.” The documentation process involves photographing the phone at the time of seizure. Reiber says the photos should show time settings, state of device, and characteristics.
After the phone is taken to the digital forensics investigator, the device should be examined with a professional tool. Investigating phones manually is a last resort and should only be used if no tool on the market is able to support the device. Modern cell phones are like miniature computers that require sophisticated software programs for comprehensive analysis.
When examining a cell phone, it is important to protect it from remote access and network signals. As cell phone jammers are illegal in the United States and most of Europe, Reiber recommends “using a metallic mesh to wrap the device securely and then placing the phone into standby mode or airplane mode for transportation, photographing, and then placing the phone in a state to be examined.”

