Mobile device data unlocks the critical connections that solve crimes
By: Buddy Tidwell, Vice President of Global Forensic Training, Cellebrite
Guilty or innocent? Today, the verdict increasingly hinges upon mobile device evidence. Critical details from browser history searches, messaging apps, social media posts, call logs, email and GPS location history are some of the most valuable assets investigators have when solving crimes. When used in crime, today’s devices – smarter and more powerful than ever before – can yield a treasure trove of evidence for investigators and prosecutors alike. Police departments across the country are finding success using tools that can legally leverage these emerging sources of evidence.
Making mobile evidence count in Hartford
“Cell phones and mobile device data are now impacting virtually every case,” said Sgt. Andrew Weaver with the Hartford, Conn. Police Department. “With powerful new capabilities, they are really mobile computers and contain important details about what criminals are doing before, during and after a crime is committed. Advanced mobile forensics solutions allow us to tap into that evidence and share it easily with investigators and ultimately prosecutors.”
Since decentralizing mobile forensics from the State Lab in 2009, the department has dramatically increased its efficiency and reduced device backlogs for their agency, as well as others.
One of Hartford’s biggest challenges involves accessing mobile messaging applications, which are constantly changing and evolving. Sgt. Weaver stresses the importance of working with a technology partner that keeps up with these changes, so they don’t become a stumbling block in investigations.
“When we run across a phone that’s difficult to unlock or an application we can’t parse, it’s critical to have a partner that can walk through the steps required to get to the data effectively and securely – even well beyond normal office hours,” he said.
Having the ability to expose every segment of a device’s memory using advanced logical, file system and physical extractions is critical; it enriches case information by accessing both intact and deleted data stored on a device. Sgt. Weaver and his team can search, filter and drill into the mobile data that is most crucial to the investigation at hand.
Maximizing forensic investments
In public safety, budget dollars are thin, says Weaver. “While we compete with others to add to our forensics toolbox, having proven solutions and ongoing support makes investments easier to justify.”
Time is the enemy of criminal investigations. Extracting potential evidence out of mobile devices not only shaves weeks off of the investigative process, but also often leads to suspects pleading out to avoid more severe sentences in court.
“We had a case recently where a guy came in with his tablet, saying his roommate was using it to access child pornography and was worried he could get in trouble for it,” says Weaver. “With his consent, we dumped the tablet data and confronted the roommate with the evidence and he pled no contest to the charges within three weeks. That’s the kind of force multiplier advanced forensics capabilities can have on a case. It simply changes the game.”
Growing mobile forensics demand in Providence
Providence, R.I., Police Detective Teddy Michael has also seen firsthand the power of mobile data in solving all kinds of crimes, both inside Providence County and out – drug deals, juvenile crime, sexual assault, robberies and murder.
“More than half of the cases we see now involve mobile device evidence,” he said. “The ability to access call logs, messaging, social media posts, browsing histories, location information and application data – particularly deleted data – can mean the difference between solving cases…and not.”
Case defining evidence
While there are many cases he can point to where mobile device evidence helped identify and ultimately led to the prosecution of suspects in high profile cases – including a 2014 gang-related homicide – the one that still haunts the entire department was the senseless gang-related shooting death of a 12-year-old girl and three other women at a 2012 graduation party in Hartford Park.
The day after the incident, the suspect came in to the station to report that his van had been stolen. At the time, he had two phones in his possession which were ultimately surrendered – one was inactive before the murder, while the other housed deleted messages that were sent to his girlfriend, as well as Facebook posts suggesting his involvement in the shooting. After obtaining subpoenas for all related subscribers, the agency used Cellebrite UFED technology to access detailed call records and establish critical timelines, and investigators were able to use the data to identify everyone else in the car. All suspects have since pled guilty and are currently behind bars.
“Solving that little girl’s murder was a defining moment in this department’s history,” said Det. Michael. “Finding the connections hiding in the suspects’ mobile device data and on social media gave us everything we needed to bring everyone involved in that horrible crime to justice.”
Gallatin PD taps cloud application data to close tough cases
Jim KempVanEe, formerly a police detective and currently Director of Digital Forensics for LogicForce Consulting, regularly assists the Gallatin, Tenn. Police Force in unlocking mobile device evidence in a wide variety of criminal investigations. As a department reserve officer, he understands firsthand the complexity of gaining quick access to mobile data from cloud data servers, and the red tape involved in obtaining that information from service providers. Offering pro-bono services to the department from the LogicForce lab, KempVanEe has been involved in several recent high-profile cases where accessing data from the cloud quickly made all the difference in the final outcomes.
“The department brought me in on a case that involved a 12-year-old sexual assault victim who was heavily courted, through social media, by an adult male suspect,” said KempVanEe. “The initial evidence we had included the victim’s statements and a single prowler call originating from the girl’s house. We felt that if we could corroborate the victim’s statements and prove our suspicion that the prowler call was the result of our suspect visiting the victim’s home, the prosecutor would feel confident in moving forward with filing felony charges. Understanding the types of private cloud data sources we could obtain, we requested and were granted an additional search warrant for the suspect’s phone that covered the remote collection of social and cloud data. We used the tool to extract a year’s worth of Google Location History in minutes, all while awaiting Google’s response to our original warrant. With the data we extracted, we established that the suspect had been at the victim’s home just prior to the prowler call as well as on several other occasions.”
Location details unlock valuable intelligence
After more in-depth analysis, the Google Location History also revealed the suspect’s path of travel, how long he was near the victim’s house and the path he took after he departed. KempVanEe pointed out that the tool provided a lot more intelligence than they previously had, including information documenting other extended visits the suspect had made to the victim’s home – several of which directly corroborated the victim’s statements.
“Cloud data is challenging to get,” he stressed. “Many times, investigators simply don’t look beyond the evidence that might reside on a phone. Sometimes cloud data may not be sought at all due to the time it takes to write additional warrants and then wait for service providers’ responses. Or, by the time we get the data back from the provider, it may no longer be actionable. The prosecutor was thrilled to have this data, because it provided credibility for the victim’s statements. Up to that point it really came down to a matter of she-said, he-said. The tool gave us the information we needed in minutes instead of weeks or months. In fact, it took Google over a month to respond to our warrant for this same information.”
A critical tipping point
The impact of mobile device data on criminal investigations is difficult to ignore. Today, call logs, social media posts, location data and messaging apps can provide the critical intelligence needed to determine a suspect’s innocence or guilt. Officers, investigators and prosecutors need forensically sound solutions to extract, analyze and act on mobile evidence quickly. The ability to serve and protect effectively now depends on it.
Buddy Tidwell serves as the Director of Global Training for Cellebrite, the world’s leading Mobile Forensic Company. Formerly a Master Forensic Instructor for a major forensic software company, Buddy has served as trainer program manager, Lab Manager and Senior Computer Forensic Examiner at the Joint Computer Forensics Lab for Law Enforcement in Middle Tennessee, as well as an investigator for the District Attorney General’s Office and Dickson County Tennessee Sheriff’s Department where he was the lead investigator in hundreds of Cyber Crime incidents and complex felony investigations. Buddy's 24 years of law enforcement experience includes service as an undercover narcotics agent, vice division manager, and much more. He served as a member and leader of a specialized team of crisis negotiators for more than a decade and has regularly provided training to law enforcement agencies in the investigation of computer-related offenses, and the recovery of digital evidence.