Most computer users are generally aware that a computer’s hard drive contains more information and data than just the files that they create or download. The same awareness cannot be attributed to most cell phone users, yet cell phones can and do store data that the user may not be aware of. It was not too long ago that most phones had limited functionality, primarily being used to make phone calls and store the user’s phone book and call history. In recent years all that has changed. Many of today’s cell phones are also hand-held computers: applications allow a user to access the Internet, take photos and videos, receive and send sophisticated multimedia files, use integrated GPS functionality to find their location and nearby businesses, and so forth. It should come as no surprise that all this increased functionality can provide a tremendous amount of potential probative information (evidence) to investigators. Indeed, over the past several years, law enforcement digital forensics examiners have experienced phenomenal growth in the number of requests for cell phone forensics. That said, the forensic examination of cell phones and the extraction of any stored data they may contain presents some unique challenges.
Data That Could Be In a Cell Phone
There is an enormous variety of cell phones currently available, many of which use proprietary operating systems, embedded file systems, and manufacturer-specific applications, services, and peripherals. When new models are introduced, manufacturers often change or modify the phone’s functionality from their previous models. For investigative purposes, this makes it difficult to know just what functionality a particular phone contains or supports. The question often asked by investigators is “What potential probative information can be forensically extracted from a cell phone?” Although the specific answer depends upon the manufacturer, make, and model, the following list represents some of the data that can typically be extracted:
- Installed Applications
- Phone Book/Contacts
- Recently Dialed Numbers
- Call Logs
- Text (SMS) Messages
- MMS (Multimedia) Messages
- Browsing History
- Audio and Video Recordings
- Appointment Calendar Entries
- GPS Data (locations the phone has been)
- Location of Photos Taken
- Hot List
- Pin Data
- SIM Card Data
- Data Stored on Internal and Removable Memory
- Service Provider
- Spyware Artifacts
- Other Hidden Data
Depending upon a phone’s technology and access scheme (CDMA, GSM, etc.), data may be stored in three primary locations: in the handset, on the phone’s SIM, or on its memory card (if either is present). GSM handsets carry a SIM; most CDMA handsets of this era do not, so on those phones everything resides in the handset or on a memory card. To complicate matters, some types of data may be stored in more than one location. For instance, contacts can be located in the handset and on a SIM, and the two copies need not agree. Likewise, multimedia files may be found on a memory card or in the handset.
Some Forensic Issues
Initially, three forensic dilemmas confront an investigator or forensic examiner when faced with seizing and analyzing cell phones:
1. Cell phone is powered on:
While powered on, a cell phone will continue to do what it was designed to do, namely communicate with the phone network. It may also continue to communicate with other devices and networks via Bluetooth, WiFi, or infrared. Incoming phone calls, SMS text messages, multimedia, and so forth will continue to be received. Although some of this incoming information could be probative, it may also overwrite existing or deleted information; many handsets keep only a fixed number of call-log or message entries, so each new entry pushes out the oldest. Thus it becomes critical to preserve the data already on the phone by isolating it from all surrounding networks. One way to accomplish this is to place it in a Faraday bag, which should block radio signals to and from any network. A bag only isolates as well as its seal, however, so close it properly and, if the bag has a window, confirm that the handset shows no signal. Isolation also has a cost: the phone will probably raise its transmit power to the maximum as it tries unsuccessfully to find a network, which drains the battery much faster than normal. After failing to connect, some phones may clear or reset network data, causing potentially useful information to be lost. And if the battery were to run down, any user data residing in battery-dependent volatile memory would be lost (analogous to the loss of a computer’s RAM contents when the computer is turned off). Attempts should therefore be made to maintain the battery level, for example by connecting a portable power source inside the shielded enclosure, until the phone can be analyzed.
If the cell phone has an “Airplane Mode” (flight mode) function, enabling it should stop the phone from connecting to the cellular network, and it typically disables WiFi and Bluetooth as well, although on some handsets those can be turned back on independently. However, since all phones are different, knowing whether a given handset has such a mode, and finding it in the menus if it does, may not be realistic at the scene. Enabling it also requires physically interacting with the handset’s keypad or power button, which alters the state of the evidence and, if the phone is locked, may not be possible without the unlock code. This is a potentially risky procedure, particularly if the power button has to be pressed to reach the function, since holding it too long may power the phone off. Whatever is done to the handset, every keypress and the time it was made should be recorded.
2. The power to the Cell Phone has to be turned off:
Several reasons could lead to this conclusion: the interval between seizing the phone and its forensic analysis may be too long for the phone to remain powered on; the phone’s charger or cradle may not be available; the battery level may already be low; or an alternate power source cannot be supplied to keep it on. If the phone has to be turned off, the reason(s) need to be documented along with the current status of the phone (battery level, isolation method, what is visible on the screen) and the date and time of the shutdown. A common way to turn off the phone’s power is to remove its battery, which avoids the handset running any shutdown routine, although an abrupt power cut can lose data the phone had not yet written to non-volatile storage. Either way, turning off a cell phone has inherent forensic risks. When it is next powered on, the phone may demand its authentication codes (e.g. the SIM PIN, handset security or lock codes). These codes are generally going to be needed to analyze and extract data from the phone; if they are not readily available, the examination and analysis are going to be delayed or may not be possible. Guessing a SIM PIN is unwise: after a small number of wrong entries (typically three) the SIM blocks itself and can only be unblocked with the carrier’s PUK code.
3. Cell Phone is already powered off:
Initially, this may not appear to be a problem. However, the handset does have to be powered on to obtain the information or data that it may contain. When power is restored, the phone will attempt to connect to its provider network. Once connected, any missed calls, SMS text messages, and voicemail notifications that were queued while the phone was off will immediately be received. Additionally, the service provider may update roaming settings and other system files or software when the connection is made. All this new data can easily overwrite existing or deleted data, thereby causing its loss. Measures must be taken to ensure that this does not occur: power the phone on only inside a shielded enclosure or room, or with the original SIM replaced by a forensic SIM (network isolation card) that the handset accepts but that cannot register with the network, and confirm the handset reports no signal before any data is extracted.
John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Forensic Evidence” published by Humana Press. He can be reached at firstname.lastname@example.org.