3 Questions About Mobile Device Evidence
Are you in the habit of asking for “everything on the phone” from the forensic examiners you work with? Seizing all the mobile devices you encounter when serving a search warrant or processing a crime scene? Requesting full exams of every device you encounter on every case, whether felony or misdemeanor?
Examining a mobile device is more complex than testing bloodstains or gunshot residue on a sweatshirt. Accessing all the data in a single smartphone can be as painstaking as processing thousands of fingerprints at a crime scene, but instead of letting you isolate the prints you know from those you don’t, thousands of irrelevant text messages or call logs can simply muddy the waters of an investigation.
1. Is this evidence?
Whether you are dealing with a suspect or a victim, your initial interview should include details on whether there are text messages, instant messaging or chat, images or video, and other mobile phone data that show evidence of the crime. Both victims’ and suspects’ devices may include this type of evidence, so be sure to ask:
-- Whether communication passed between victim and suspect, and in what form.
-- Dates and times of the communications (approximate or definite).
-- Whether the device is password protected or user locked, and what the password, passcode or user lock is.
Also keep in mind that any given investigation is likely to involve more than one mobile device. Suspects, victims, and the people who live and work around them could each have one or more phones, a tablet, a GPS device, and so on.
It might be tempting to seize every one of those devices, but unless you are working a homicide and the devices are part of the active crime scene, it probably isn’t necessary to seize all of them -- especially if you find an obsolete, years-old device in a toy box or buried in a closet.
Work with victims and suspects to determine which devices are relevant. Isolate these devices from the network, property-tag them and log their chain of custody, and follow any other procedures your lab has for evidence requests.
It may be an inconvenience for a subject to be without their mobile device, but remind them that you need the evidence to move their case forward. If possible, supply them with a temporary device, especially if you suspect they may be in danger and need a “lifeline” device.
2. Do I have the legal authority to search this device?
Unless you already have a search warrant in hand for the device, one of several exceptions to the Fourth Amendment needs to apply: consent, plain view, abandoned property, exigent circumstances, incident to arrest, or automobile exception.
Consent should be written and signed. Make sure subjects understand what you are searching for and why you need it. Document this information, as well as any passwords you need for the device and/or the data on it.
A plain-view search is unlikely to apply with a mobile device. Unless the evidence you need is visible without your having to manipulate the device -- enter a password, thumb an icon, scroll through a list -- it is not a plain-view search.
Exigent circumstances, search incident to arrest, and the automobile exception all still require you to have probable cause to perform the search. However, they can be tricky, depending on the laws in your state. Work with your prosecutor to stay up to date on current case law and what it means for these exceptions.
Even if you do have a search warrant, remember that if you find evidence that’s unrelated to the crime you’re investigating, you (or the examiner you’re working with) must stop and get a new search warrant for the new evidence.
3. What evidence do I need?
“Everything on the phone” is often an overbroad request to forensic examiners, who have other cases and priorities. Help them out by determining what’s most relevant to the case you’re trying to build. Interview suspects and victims to learn what data -- text messages, email, images, app data, or other material -- helps you pinpoint a suspect. Also narrow down the data by date and time.
Although in some cases it may be important to compare data from around the time of the incident to “normal” data, generally it’s the most serious homicide, sexual assault or organized crime cases (or prosecutors) that require this level of investigation.
If you’re experiencing delays in getting mobile evidence returned to you, it’s time to think about ways to make forensic exams easier on the examiners. Help them understand exactly what you need and why you need it. While it still may take time for them to return your evidence to you, the data you get will help you build a stronger case in less time.
Christa M. Miller
Christa M. Miller is Director of Mobile Forensics Marketing for Cellebrite USA. Christa has worked for more than 10 years as a journalist, specializing in digital forensics and other high tech topics for public safety trade magazines including Law Enforcement Technology and Officer.com. Christa is based in South Carolina.