Overcome the Challenges of Digital Evidence
When you have a suspect in hand and have legally seized their phone, the evidence for your case is literally at your fingertips. Now, you need to obtain a search warrant to access the phone’s data. Though verbal or written consent is legal and enough in some states, it must be documented well. For instance, if a suspect provides verbal consent, the investigator should record it on their body cam. However, the majority of the time, the safest step to take is to get a warrant, especially in the event that the incident in question includes a higher charge such as a felony crime.
Ensuring probable cause is in place is another challenge investigators face in order to access the digital data and get the search warrant. Making sure the actual warrant contains the correct language is key to maintaining a strong case and may effect the outcome of the evidence collected. Use words within the text of the search warrant that encompass any type of data that may need to be collected. It is better to already include this in the search warrant, especially if you have probable cause already and not need it than be executing the search warrant and find you need to stop what you are doing and amend it. However, once you have the actual devices, an additional search warrant will need to be drawn up. This one can include the type of information or images you are specifically looking for.
"By enabling the recovery of mobile evidence quickly and completely, without delays, and by facilitating the fast, effective analysis of that data play a vital part in empowering law enforcement and helping them solve more cases, solve cases faster and close the loop with successful prosecutions.”
—Glenn Hickok, President of MSAB Inc.
One of the biggest hang-ups investigators encounter include phones and other digital storage devices that may have added security. Access control software, which monitors who may access a device and who may not, can delay an investigation if the suspect does not cooperate or provide a pass code voluntarily. Tricky pass codes, fingerprint recognition, and other forms of security may be difficult to get around. However, proper training combined with the right software can overcome these interferences.
Though some devices are difficult to access and require an expert, many devices are set up in an easy to use way that detectives and patrol can use. This allows easy, fast, extraction. These devices are particularly helpful in cases such as harassment or stalking. Officers can conveniently dump the phones in order to view those messages. For larger, more in depth cases that involve strict or multiple pass codes or embedded/encrypted information, more advanced techniques must be utilized. In these instances, agencies can sign their evidence over to certified forensic examiners usually housed in state or federal laboratories.
Technology
Forensic software programs can access even the most difficult phones to get into. The majority of these programs are similar and work in a similar way. Mobile forensic kits come equipped with a variety of phone cords and chargers to accommodate a number of phones. One common challenge law enforcement agencies run into is the constant upgrading the world of mobile devices does. This poses a problem when the forensic equipment an agency may have available is not up to date with the latest phones and other devices. Investigators can overcome obstacles and expedite cases with training and up-to-date equipment.
The Data Pilot 10 from Susteen Inc. is a handheld, rugged device equipped with the ability to report in real time and is compatible with the devices and tools investigators may already have. The Data Pilot 10 contains acquisition applications including the ability to extract contact data on phones, images, call history, messages, as well as application information. Each of these may be extracted quickly and in real time. The device is also able to work with both Apple and Android phones. The company’s three applications—Acquire, Optical Screen Capture, and Linked Screen Capture—provide the user with multiple options to extract data quickly. Acquire is able to extract data such as call history, calendar information, messages, and other similar information. Optical Screen Capture may be used on any device and includes a built-in camera. This application is able to collect evidence from phones quickly. Linked Screen Capture is able to mimic or mirror evidence which includes auto scroll and can collect data and evidence in real time.
Sussteen offers several, devices that allow law enforcement to extract digital evidence easily.Susteen Inc.
Data Pilot 10 may be used by any individual in law enforcement including crime scene investigators, patrol, or detectives. Using the device does not require specialized training as it is easy to navigate.
Susteen has also developed software for pulling data off of digital devices. Secure View 4 is able to extract information from numerous phones, computers, and tablets. The SV Probe provides full analytics and allows the user to create a case file for data processing. Also, their SV Strike is able to acquire six digit passcodes in order to get into many phones that may be difficult to get into.
MSAB Inc.’s XRY software utilizes both logical and physical ways of extracting data including log in information that may otherwise be hidden. Glenn Hickok, President of MSAB Inc. says that the software was designed from its inception to be a forensically sound tool for extracting digital evidence from mobile phones and remains unique in that regard. The format of the software ensures that any digital file extracted cannot be altered making the digital evidence. This means the evidence can be presented in court with the highest integrity and confidence, he explains.
MSAB kiosk serves as a work station for investigators.MSABXRY is able to extract as well as decode the data from mobile devices. From there, an additional analytical tool called XAMN helps investigators view and analyze data quickly. The software can be used on most computers or tablets equipped with Windows. MSAB has also developed a special kiosk, and tablet. Hickok says this is designed to make the extraction process fast and easy for non-expert users in the field, while more complex cases can still be handled by the digital forensic experts in a central lab.
Since mobile technology is constantly changing, the latest version of XRY, the 8.0 edition, is able to automatically recognize most mobile devices. This feature speeds up the extraction process while also simplifying it as well. In addition, XRY is updated at least once if not twice a year making the ability to get into phones and applications within the phones much more efficient. Hickok says their product is able to get into 27,400 devices and app profiles, including most Samsung 7 models.
Recently, MSAB introduced two new services that enable law enforcement agencies to overcome security measures and gain access to the most challenging mobile devices. One of these is the MSAB Access Service— an unlocking and extraction service done by MSAB experts. Hickok says the other new product-service combination offered now is the MSAB Advanced Acquisition Lab. This supplies qualified law enforcement customers with hardware, software and advanced training.
“It’s almost impossible to overstate the critical role of mobile forensic evidence in most investigations today,” he says. “By enabling the recovery of mobile evidence quickly and completely, without delays, and by facilitating the fast, effective analysis of that data play a vital part in empowering law enforcement and helping them solve more cases, solve cases faster and close the loop with successful prosecutions.”
The Cellebrite programs are easy to navigate by plugging in the phone in question into a tablet or work station that gives the investigator multiple options to choose from that include specifics down to the type and model of numerous phones. Buddy Tiddwell, Senior Vice President of Global Training for Cellebrite, says the three main points on the digital evidence checklist include identifying what evidence to preserve, extracting it, and analyzing that data for the final report. However, Cellebrite takes the process deeper, by delving further into the analysis process.
Additionally, the program requires upgrades every few years in order to keep up to date with the latest mobile technology. Tiddwell says the company has been training law enforcement professionals for six years and are now able to offer turn key solutions to law enforcement personnel for quick, easy access to digital data. The Cellebrite Academy offers 23 programs that teach everything from basic digital evidence extraction knowledge to in depth.
Software
In order to obtain evidentiary information quickly, investigators can attend specialized training in order to access devices. Many of these trainings are focused on a particular software program or data extracting device. For instance, Cellebrite holds a variety of trainings for all levels of expertise in both classroom and online settings. They have also partnered with Felician University to create courses that count as college credit towards related degrees.
However, even the most basic training from Cellebrite is detailed enough so that departments can make these extraction tools their go to for investigations without having to take their evidence elsewhere for analysis. Their UFED Cloud Analyzer can help investigators speed up the process of digital evidence extraction.
Recently, Cellebrite designed the cloud analyzer capable of extracting data from clouds. This can also work with social media outlets as well. Their programs and technology are constantly upgrading so investigators can stay ahead of the game. The UFED Premium allows officers to unlock even the most complex devices using specific algorithms that can work with a variety of devices, iOS and Android alike.
Preserving evidence
Equally important as extracting and downloading digital evidence is preserving it. Collecting electronics can be tricky these days due to the fact so many devices are hooked up to a cloud.
In order to maintain any evidence that may be stored on electronic devices, especially phones, investigators should put all phones on Airplane Mode until they may be looked into. This prevents anyone from taking or receiving information that may be on the device. If for some reason the phone cannot be accessed to enable Airplane Mode, the phone can be placed into a Faraday bag or a metal can until it may be processed for information extraction. Both the Faraday bag and the metal can prevent the allowance of signals transmitting or cloud access from an outside source.
With the proper training and equipment, any law enforcement officer can use the software programs used to extract data from phones in order to strengthen a case.
Hilary Rodela
Hilary Rodela is currently a Surveillance Officer, a former Private Investigator, a former Crime Scene Investigator, and Evidence Technician. She worked for the Ruidoso (NM) Police Department as well as the Lubbock (TX) Police Department. She has written for several public safety publications and has extensive law enforcement and forensic training and is pursuing forensic expertise in various disciplines. Hilary is a freelance public safety writer and curriculum developer for the National Investigative Training Academy.