Searching For Mobile Forensics Gold
29th July 2010
Dan Williams, one of our mobile forensics investigators, recently contributed to an article for the BAPCO Journal.
Mobile forensics is becoming widely established as a vital component of modern policing, with forces across the country embracing the technology and increasingly “doing it for themselves” rather than relying on third-party outsourcing – something that actually makes economic sense. And interestingly, the more complicated mobile phones become, the better a source of potentially incriminating data they are.
Jose Sanchez de Muniain finds out what the fuss is about and uncovers how the latest smart phones are – literally – forensic gold mines.
Dan Williams is a mobile phone forensics investigator at CYFOR, a global computer forensics company that conducts investigations on a broad range of digital media, including computers, PDAs and mobile phones. Williams’ duties involve acquisition of handsets, examination, reports, and witness statements, plus appearances at court as an expert witness if required.
While traditionally CYFOR’s workload would mostly entail law enforcement work, the company has noticed a shift away from this work and now there is a 70-30% split in favour of commercial cases. Such cases may relate, for instance, to the examination of company handsets used by a departing employee (e.g. to check no data has been lifted): “There is a rise in IP theft because the plethora of small devices such as thumb drives means it is much simpler, and therefore perhaps more tempting. But it does leave footprints we can investigate.” Today, explains Williams, the trend in the police is towards “civilianising” many of their units. “Traditionally officers could have served two years in the cyber-crime unit, and then gone back on the street. But they realised that it didn’t make sense to train them up and spend all that money to then do that.”
Williams handles between 10 and 20 devices per week. “Most investigations ask for a logical examination, but often the Defence is more interested in a physical examination in order to get deleted information. Often a client may feel that deleted text messages may turn the case in their favour. Or they may want to get hold of call logs that are no longer viewable on the handset as they may have been deleted.”
So what kind of issues require clarification in court? Williams says most court appearances relate to technical clarification. “With mobile phones, dates and times are often called into question – the log of when a text was sent, for example, may differ from a billing record. That’s often down to date and time changes on a handset, and how that could have happened. If a battery dies the phone may reset the time and date. Also, the only completely accurate times on phones are actually on inbound text messages, because those dates and times are put on by the telephone network – other dates and times are taken from the handset locally. So sometimes the Court needs more detailed explanation.”