One of the hardest things for us as humans to do is to give up the ability to communicate with others. We use our phones to talk, email, text, take pictures and videos, as well as find directions to the hottest restaurant in a different part of town. A growing percentage of people do not even have a landline to fall back on if their cellphone is broken.
One of the questions I most often receive from attorneys who call and are looking for help is, “What do I do about this client’s cellphone and the data on it?”
Counsel will receive evidence at varying stages of the case. Initially, they might receive a retainer along with a single cellphone, only to find out a few weeks later there is a second phone as well as an online presence that the defendant forgot to mention. Many times, panic sets in and thoughts of “Is the data still there?” or “The client said they deleted this item, can it be retrieved?” present themselves.
These questions can be difficult to answer, and most certainly involve a number of issues. Has the phone been in use since the incident in question? If it hasn’t been in use, what was done with it? Does law enforcement currently have the device?
The answers to these questions are fairly simple and easy to implement from the attorneys’ and investigators’ standpoint, but not so much for the owner of the device that needs to be reviewed/imaged.
When I am consulted or retained on these matters, I ask about the phone, the model, where it currently is, how much storage it has, if there is a micro SD card in the phone, if the person is a heavy user of data, and so on.
The first and best thing you can do to any phone that you believe to be a piece of evidence in a case is to take the phone out of service. Putting this idea into practice will present a plethora of issues from your client. You will hear things like, “I have to have this phone on,” “I have no internet at home,” “I can’t be without it,” or “It’s my work phone.”
To some degree, the client believes that this will be intrusive and cause them problems. As I mentioned to a recent client, “You have to weigh you wanting to get on social media versus the chance that you will overwrite, delete (accidentally, through system updates, space restrictions, or by another person) data that will win your monetary case, or prove your innocence in a criminal matter.”
Phones have a mode called airplane mode, which prevents the phone from seeking out communication with cell towers and helps maintain the integrity of the data that remains on the phone.
If you are able to convince your client to put the phone into airplane mode, then you must ask if the phone is encrypted and if they know the password. A large number of people do not know if their phones are encrypted. If it is their phone and they do not know if it is encrypted, then the overwhelming answer will be it is not.
Once the phone is found to be unencrypted, the next step is to ask them to unlock it, thus verifying that they know the password for any future investigative efforts. I cannot tell you the number of cases I have had where the client was given the phone by someone else and did not know the password to the phone, or there was a lock on the SIM card. Please note that the password to the phone and a password to the SIM card are two very different things. Not many people use the lock SIM card feature; however, having that feature enabled and not knowing the password to it puts the defendant, counsel and the investigator in a position of having to use the PUK or “Personal Unlock Key.”
The last — and most difficult — issue to sell to the client is for them to allow you to keep that phone, and for them to get a “loaner” phone from their carrier. This type of phone typically is a cheaper phone with fewer bells and whistles, but is still capable of allowing them to text, email, and access social media.
If I am hired on a case to image a cellphone, I’m typically asked, “How long will I be without my phone?” The answer to that question is as varied as the number of cellphones on the open market. More time with the phone (to a point) typically yields the best results. If the client will only part with the phone for a few hours, then the best job that can be done is likely an examination with one piece of software. If the phone can be examined for a few days, then the investigator is able to validate their findings with multiple pieces of software/hardware and speak from a position of power as opposed to a position of ignorance.
No one wants to be without his or her phone for any length of time. Talk to your clients and explain the benefits of allowing you to have the phone for an extended period of time, versus a one-time go at the phone with the chances of invalidated information, which you and your expert will likely be grilled about in court.
Darren R. Miller (firstname.lastname@example.org) is a computer forensic examiner at Strategic Forensic Partners LLC in Fishers. He handles computer-based investigations as well as cellphone examinations. Miller has 16 years of experience and has testified as an expert in state and federal courts and works on criminal and civil cases. The opinions expressed are those of the author.