Securing Compromised Mobile Device Evidence
In a previous column, “9 Questions About LE Use of Cell Phone Videos,” I compared a mobile device to a crime scene, stating that a mobile phone that has passed through multiple hands before yours is not unlike an unsecured crime scene that civilians have trampled all over.
This scenario is likely in two cases: when a cell phone has been lost and its finder has made an effort to determine its owner by scrolling through its contents; and/or when it is “searched” by one or more third parties because they suspect it contains evidence.
By the time it gets to you, the possibility is very real that volatile digital evidence has been, at least to some extent, compromised. How can you preserve what’s left so that forensic examiners have a shot at building a good case?
The lost cell phone
Lost cell phones are commonplace. They’re small, lightweight and easy to misplace when they slip out of a jacket pocket or bag, get left on a messy restaurant table or seat back pocket, or even in a shopping cart.
And, they’re not like other pieces of lost property. You can’t simply bag and tag them and bring them to the property room. They’re expensive and contain personal data, so finding their owner becomes important.
So what do you do when the personal data turns out to be evidence of criminal activity? In one Fort Lauderdale (Florida) case, officers found child pornography images on a Samsung cell phone that had been found on a public bus and turned in to the Broward County Sheriff’s Office.
They turned it over to the Internet Crimes Against Children task force for forensic processing. That examination recovered not just the full extent of pornographic images, but also the name of the phone’s owner, whom detectives then tracked down through mobile subscriber data.
From a legal standpoint, scrolling through a lost phone’s contents cannot be considered a “search” because there is no expectation of privacy attached to abandoned property—at least, until evidence of a crime is located, at which point the search must stop and a search warrant obtained.
Either way, it is important to preserve the evidence. Don’t risk deleting personal data or evidence, or leaving an unshielded device powered on. This leaves it vulnerable to being remote-wiped, or having new data added.
The third-party “search”
In a similar found-phone story from Fargo (North Dakota), the phone was turned in to a Sprint store instead of to police. As in Broward County, the store employee found child pornography when he went through the phone; then he called police.
But a third-party “search” may come into play even when a device isn’t lost. Police may receive calls from parents or school officials who have searched a minor’s cell phone because they suspect the child is involved in some type of criminal activity -- drug dealing, for example, or contact with a sex offender.
In this case, the phone may pass through multiple hands: more than one parent, school official, first responder, or even the suspect.
What to do with lost or compromised evidence devices
Basic steps to take are the same as for other types of cell phone seizures:
- Isolate the phone from the cellular network. Use a Faraday bag or other shielding device to prevent signals from going in or out. This will prevent potential remote wipe and/or other changes to evidence. If no Faraday device is available, place the device in Airplane Mode or remove its battery.
- Photograph the device and document its condition. If it’s damaged, describe the damage in your report.
- If the device is off, remove its battery and photograph the inside of the phone. Document the device information found underneath the battery.
- If the device is on and evidence is in plain view on the screen, photograph the image, text-message or other evidence—and stop your search there until you obtain a search warrant.
- If you suspect evidence has been deleted -- for instance, incriminating content deleted by a juvenile suspect -- document that so that the forensic examiner knows to conduct a physical search.
In addition, document the lost device’s chain of custody as far back as you can trace it. Ask the wireless store employee, parent, school official or other civilian to recall as precisely as possible what they did and how they did it. Ask who else has had access to the device and what they did. Interview them if possible, and also obtain a written witness statement. Put this in your report, as you would after interviewing anyone who entered an unsecured crime scene.
Ideally, preserve evidence on the phone by capturing a forensic image. With the right mobile forensics tool, this is a simple procedure that requires minimal technical expertise; the officer need only provide the image -- together with the device -- to a forensics lab for analysis.
In turn, an in-depth forensic examination will show when criminal evidence was downloaded to or generated on a phone, so the issue would not be whether police will be accused of planting evidence.
Just as for any other piece of evidence, procedural matters such as proper preservation and chain of custody will be the issue. Have an SOP in place, both for typical and less typical seizures. Remember that there is no such thing as too much documentation in cases like these.
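The chain-of-custody record and the forensic image described above can be tied together so that later tampering with either is detectable. The following Python script is an added example, not code from the column or from any forensics vendor: it hashes the acquired image with SHA-256, records each hand-off (including the civilian handling reconstructed from witness statements, which carries no image hash), links each entry to the digest of the previous one, and re-verifies the whole log against the image at intake. The handler names, badge number, timestamps and the image bytes are constructed placeholders.

```python
import hashlib
import json
from typing import Optional

# Constructed stand-in for the bytes of a forensic image; not a real image.
SAMPLE_IMAGE = b"constructed-forensic-image-bytes-" * 64


def hash_image(image: bytes) -> str:
    """SHA-256 of the image, recorded at acquisition and re-checked at every hand-off."""
    return hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """True only if the image is byte-for-byte what was acquired."""
    return hash_image(image) == acquisition_hash


def _entry_digest(entry: dict) -> str:
    # Canonical JSON so the digest does not depend on key order.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def append_entry(log: list, handler: str, action: str, when: str,
                 image: Optional[bytes] = None) -> dict:
    """Append one custody record. Entries before imaging (civilian handling
    reconstructed from witness statements) carry no image hash; entries from
    acquisition onward record it. Each entry also stores the digest of the
    previous entry, so a later edit to any earlier record breaks the chain."""
    entry = {
        "handler": handler,
        "action": action,
        "timestamp": when,
        "image_sha256": hash_image(image) if image is not None else None,
        "prev_entry_sha256": _entry_digest(log[-1]) if log else None,
    }
    log.append(entry)
    return entry


def verify_log(log: list, image: bytes) -> list:
    """Return the problems found; an empty list means log and image are consistent.
    Detects a broken link between entries and a recorded image hash that no
    longer matches the image presented for verification."""
    problems = []
    current = hash_image(image)
    for i, entry in enumerate(log):
        expected_prev = _entry_digest(log[i - 1]) if i > 0 else None
        if entry["prev_entry_sha256"] != expected_prev:
            problems.append(f"entry {i}: link to previous entry broken")
        if entry["image_sha256"] is not None and entry["image_sha256"] != current:
            problems.append(f"entry {i}: recorded image hash differs from current image")
    return problems


def build_sample_log() -> list:
    """Constructed chain for a found phone: civilian handling, seizure, imaging,
    lab intake. Names, badge number and times are placeholders."""
    log = []
    append_entry(log, "store employee (civilian, per written statement)",
                 "found phone on counter, scrolled photos, called police",
                 "2024-03-01T09:15")
    append_entry(log, "responding officer (placeholder badge 0000)",
                 "took possession, placed in Faraday bag, photographed device",
                 "2024-03-01T10:02")
    append_entry(log, "responding officer (placeholder badge 0000)",
                 "acquired forensic image, recorded hash",
                 "2024-03-01T11:30", SAMPLE_IMAGE)
    append_entry(log, "forensic lab intake (placeholder)",
                 "received device and image, hash re-verified",
                 "2024-03-02T08:45", SAMPLE_IMAGE)
    return log


if __name__ == "__main__":
    custody_log = build_sample_log()
    print(json.dumps(custody_log, indent=2))
    print("problems:", verify_log(custody_log, SAMPLE_IMAGE))
```

Running the script prints the four-entry log and an empty problem list. Changing a single byte of the image makes every post-acquisition entry report a hash mismatch, and editing any earlier entry's text breaks the link recorded by the entry that follows it, which is the property that lets the lab show the record was not altered after the fact.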
Christa M. Miller
Christa M. Miller is Director of Mobile Forensics Marketing for Cellebrite USA. Christa has worked for more than 10 years as a journalist, specializing in digital forensics and other high tech topics for public safety trade magazines including Law Enforcement Technology and Officer.com. Christa is based in South Carolina.