MENU
SEARCHWith people now relying on technology, increasingly investigators can uncover a wealth of possible evidence through forensic analysis of electronic devices, including cellphones.
Artifacts on cellphones can provide key evidence.
PHOTO: St. Joseph County Prosecutor's Office Cyber Crimes Unit
With people now relying on technology, increasingly investigators can uncover a wealth of possible evidence through forensic analysis of electronic devices, including cellphones. In today’s society, those phones accompany most of us throughout our daily lives and stockpile a treasure trove of data.
Police, in the course of an investigation, now potentially can uncover leads and discover and document evidence by having a forensics lab process cellphones to collect key data.
Caroline Torie, co-director of the St. Joseph County Prosecutor's Office Cyber Crimes Unit, helps lead the digital forensics lab in assisting with criminal investigations in northern Indiana and southern Michigan. The cyber crimes unit is located on the campus of Notre Dame University in South Bend, IN, and is staffed by several full-time professionals and 20 students who each work 10 hours a week. The students are trained and work on real investigations.
The St. Joseph County Prosecutor's Office Cyber Crimes Unit performs forensic analysis on iPhones, Android devices, computers, laptops, micro SD cards, USB drives, and other items based on the nature of the cases. Because of the success of this program, the state approved $3 million to establish nine similar cyber crimes units across the state. Those operate under the Indiana Prosecuting Attorneys Council.
“Just about every person we know has a cellphone and we really document and record a lot of our lives with them. Modern phones increasingly can store a lot of information related to how a person lives, their pattern of life, places they go, people that they communicate with, things they buy, plans they make, pictures they take,” Torie explains. “This information is so valuable in just piecing together what led up to a crime and it could give insight into the motive. Cellphone data is truly important because it helps investigators get closer to the truth.”
Torie was recently talking with Mitch Kajzer, executive director of the cyber crimes unit, about just how many artifacts can be on a single phone. She says he estimated that an average iPhone has about 800,000 artifacts stored. But, in some cases, there could be a million or more artifacts and Torie points to one case where a phone had more than a million text messages, plus other artifacts.
“The more data it is, obviously, the longer it will take for us to process it and for the investigator to review it. Most phones don't have that much, but they probably take up to maybe 24 investigative hours to complete the exam from start to finish,” Torie adds.
Not all phones are in pristine condition when taken in by police as evidence. Some have been submerged in water, burned in a fire, or damaged in various ways. Torie even recalls a phone in one case had been damaged by a bullet. The goal at the end is to be able to get the phone to power on so data can be acquired, says Torie. When a phone has been submerged in water, Torie suggests the officer dry it off with a cloth and leave it to let the charge port breathe and dry out. In any such cases of damage, she suggests police get the phone to a forensics lab as soon as possible.
Of course, much of this country is still comprised of small towns and rural police and sheriff’s departments that do not have a forensics person capable of extracting data from phones and devices. In the case where an agency has not already established a working relationship with a digital forensic lab, Torie suggests they simply reach out to their state police or investigations agency, which in turn should have resources.
“If they believe that digital evidence is involved in a case, the sooner the phone gets to a forensics lab the better because if there's a delay in getting that to the forensics lab, that could mean potential data loss from the phone,” says Torie. “Time is really of the essence when it comes to digital evidence.”
Given police now have the ability to contact a digital forensics lab and seek out possible evidence to be used in criminal investigations, just what are the key types of evidence that can be recovered?
Location data can provide the answers to a variety of major questions. Was a suspect’s cellphone at the scene of a crime when the crime occurred? Where did the phone go before and after the crime? How fast was the suspect’s vehicle traveling at the time of the impact of a crash? Plus, location data can be very accurate.
Media, such as pictures and video can also be a crucial key during an investigation. Were the images taken by the phone, saved to the phone's camera roll, or sent to others? Or did the phone receive the images from others?
Communication data can reveal a lot about the suspect’s actions. Was the suspect messaging others about the crime? Were any of the messages deleted? What applications were they using to message people?
What is the suspect’s web history. Could a suspect have viewed news stories related to a crime that occurred? Did they search ways to carry out or get away with a crime?
So, when an investigator is planning to take possession of a cell phone and use it to find digital forensic evidence, what do they need to know? Torie has some advice, and provides the tips below:
Obtain proper search authorization for the device and ensure that your search authority is not too broad. In accordance with the 4th Amendment, your warrant should be specific in describing what you are searching for, the timeframe that you are searching, and why you have probable cause to believe that the evidence is present. Your affidavit should also contain detailed facts related to the investigation and explain where that phone was found or who had possession of it at the time of seizure. These types of specifics decrease the possibility of evidence being suppressed.
Whenever possible, obtain the passcode for a phone.
PHOTO: St. Joseph County Prosecutor's Office Cyber Crimes Unit
Get the passcode to the phone if possible. Having a passcode ensures that the maximum amount of data is acquired from the phone.
Maintain the power state of the phone when it was seized. If it was powered off, leave it powered off and do not plug it into a charger. If it was powered on, make sure you find a charger and keep it powered on. A phone that has not lost power ensures that the maximum amount of data is acquired from the phone.
Remove the phone from the network. This can be accomplished by placing the phone into airplane mode or by storing it in a Faraday bag. Both will preserve evidence on the phone.
Understand that technology is continually changing, and forensics techniques continue to evolve. Capabilities change daily. Search online and read about new technology, but also reach out to other investigators, departments, and forensics labs to stay on top of technological advances.
In the relentless heat of summer and even early fall in some parts of the country, officers face the important task of protecting their K-9 partners while working in sweltering temperatures. Recognizing changes in a dog’s behavior is the key.
Read More →
ILEETA is a complete resource for trainers to address trainers' needs. Its mission is to enhance the skills and safety of criminal justice practitioners while fostering stronger and safer communities.
Read More →
Technologies for improving law enforcement training and training management were some of the highlights at this year's show.
Read More →
The 2024 pursuit-rated vehicles--all pickup trucks or SUVs, including two battery electric models the Chevrolet Blazer EV AWD and Ford Mustang Mach-E--were put through their paces.
Read More →
As more alternative-fuel and hybrid vehicles hit the road, police and other first responders need to understand that they are no more dangerous than conventional vehicles. However, there are certain safety considerations every cop should know.
Read More →
Garmont Tactical has found wide acceptance by military boot buyers, but now the company is trying to better respond to the needs of police officers. Many cops now are not fans of 8-inch boots, so Garmont is adapting.
Read More →
Through our magazine and website and our Police Technology eXchange event, we promise to provide you with information and access to resources to help you do your job safer and better.
Read More →
The Harris County Sheriff's Office is a model for other agencies that want to learn about crisis intervention and mental health crisis response. Sgt. Jose Gomez shares the story of their programs and provides 10 tips for mental health crisis call response
Read More →
Mike Barham, of Galco Holsters, shares five important considerations to keep in mind when you buy off-duty concealed or plain-clothes carry holsters.
Read More →
While the burden of accurately reporting use-of-force situations is on an individual deputy or officer, the person reviewing those reports shares in the responsibility of making sure the reporting is done properly, with clear details included.
Read More →