
Mobile Forensics in Transition

One reason why there is so much demand to move the preliminary forensic analysis of mobile devices out of the lab is that agencies are realizing the value of knowing what is on a suspect's or even a victim's smartphone during an investigation.

David Griffith

Photo: Cellebrite

Criminals and their victims use smartphones, tablets, GPS systems, and other mobile digital devices as much as just about anyone else in contemporary America. Which means that mobile forensics is one of the fastest growing fields of law enforcement technical expertise. And it also means that the labs that perform analysis on mobile devices have been overwhelmed with a huge backlog of work.

One way that many experts believe this backlog will be reduced is by moving some mobile forensic expertise and tasks downstream in the process. The benefits of criminal investigators learning how to conduct at least preliminary mobile forensic analysis are many. But the most important one is that it will help them develop leads from digital evidence faster and potentially prevent crimes that might be committed while waiting on mobile forensic analysis of devices by regional, county, and state labs.

"Our solution set has evolved quite a bit over the years and that has made the process of extracting data from mobile devices easier," says Jeremy Nazarian, vice president of marketing for Cellebrite, a global mobile technology company that produces one of the most commonly used tools in mobile forensics, the Universal Forensic Extraction Device (UFED).

Nazarian says today most UFED users are lab technologists who have been trained and certified in mobile forensics examination. But he believes that is changing. "Mobile forensics is currently a specialized skill set. However, I would say that it's not going to continue to be," Nazarian explains. "We see tremendous demand for use of mobile forensics outside of the lab and in the field."

One reason why there is so much demand to move the preliminary forensic analysis of mobile devices out of the lab is that agencies are realizing the value of knowing what is on a suspect's or even a victim's smartphone during an investigation. This information has been the key in closing a wide variety of criminal cases in the last few years, including murder, stalking, child exploitation, and even domestic abuse. The data on smartphones has also led investigators to broaden the scopes of their suspect and victim lists.

Nazarian says investigators are now looking at patterns of interaction between subjects in mobile forensic data in a way that was hardly considered in the past. Which is another reason that field officers need quicker access to mobile forensic data and therefore need to be involved in the collection of that data.

Cellebrite has developed tools to help investigators find patterns of contact in mobile forensic data. "A couple of years ago we realized in addition to getting data from various devices and the various applications that run on devices we needed to do more to make that data actionable in both the formative stages of an investigation as well as the pre-trial stages," Nazarian says. "To that end we introduced a link analysis product, which takes data from multiple devices and shows in a visual way the connections between different entities and people who might be relevant to the case."

Of course in order to make use of this information, the investigators need to have someone pull the data off of the device—a process known in the mobile forensics field as "offloading"—in a timely manner. Which isn't possible at some overworked labs. This is why agencies are asking some of their detectives to gain the skills. "The backlog is such now across the board that local agencies are realizing they need the competency in house and need to invest in a device and at least have one person go through training in order to have the ability to use it effectively," Nazarian says.

There are a variety of ways that an investigator can gain the mobile forensic skills needed to offload the data from a smartphone or other digital device. They can even acquire a UFED and teach themselves, but the problem with that approach is that it doesn't cover key aspects of mobile forensic analysis or how to preserve the chain of evidence that is essential for a successful prosecution.

One of the best options for mobile forensics training is to enroll in Cellebrite's UFED training program. The training can be attended in person or completed online. It consists of three classes: Mobile Forensics Fundamentals, Logical Operator, and Physical Operator. In a final session, students prep for the certification exam and take the exam. Nazarian says the entire program takes five days to complete in the classroom. Of course, online students proceed at their own pace. Many students take the fundamentals course online and attend the Logical Operator and Physical Operator courses in person.

The two main courses, Logical Operator and Physical Operator, teach the two primary methods for extracting data from a mobile device.

Logical extraction is basically a way of looking at all of the active information on a device in a much faster and much more organized way than if you were to just turn on the phone and start rifling through all the e-mails, texts, search histories, and apps.

Physical extraction is a little more involved. It's a bit-by-bit copy of the device's storage, akin to imaging a hard drive, and a way of recovering deleted files, photos, texts, and other data from a subject's smartphone or other mobile device.

Nazarian says Cellebrite's mobile forensic training is well suited to training criminal investigators to offload data in the field because it was developed by people with backgrounds in both law enforcement and forensics. "All of our instructors have a blended background," he explains. "So in addition to providing the tools and technology to help mobile forensics practitioners extract and analyze data from mobile devices, we are also providing a formal certification to ensure that they not only know how to use the tools properly but understand the best practices for evidence collection for preservation and issues related to chain of custody so that the work they do is most apt to stand up in court."

For more information about Cellebrite go to https://cellebrite.com/en/mobile-forensics/

About the Author
David Griffith
Editor