Mobile device evidence: What are you missing?

The use of mobile devices has increased dramatically in recent years. Their value in investigations may, however, still not be fully recognised. Bruce Keeble and Sterl Greenhalgh, members of Grant Thornton’s Forensic & Investigations Services Team, discuss the importance of mobile devices to modern investigations.

The rise of the mobile device

In May 2013, the two defendants responsible for the murder of Fusilier Lee Rigby remained at the crime scene and asked passers-by to film their explanations for the murder. Mobile phones and tablet computers were used to video record and photograph the suspects, while nearby pedestrians used social media such as Facebook or Twitter to comment as events unravelled. The evidential value of electronic data in this form, both during and after the event, was crucial to the recent police investigation and criminal trial, highlighting the importance and ubiquitous nature of mobile devices in an investigation.

Whether we like to admit it or not, mobile devices such as our trusted iPhone, BlackBerry and iPad have become intertwined with our everyday lives and are indispensable for both social and work activities. We find new applications for these devices all the time; we now use them for editing work documents during our daily commute, identifying addresses on our device's satellite navigation systems, taking photographs of our families on holiday, for online shopping and for sending Tweets and Facebook updates. Mobile devices now share almost all facets of our working, social and personal lives and the ascent of the mobile device looks like it is set to continue. Just last year, more mobile devices than PCs were sold. Currently, in the USA and Japan, smartphone users with Near Field Communication (NFC) technology in their devices purchase tickets for travel on public transport and pay for their lunch in their local café by wirelessly swiping their mobile phone at a sales point. Such applications are likely to spread and with the advent of wearable technology such as mobile phone watches and Google Glass, mobile devices will be sharing every facet of our life.

What type of information is stored on mobile devices?

When conducting a forensic investigation involving the collection of information, electronic information stored on mobile devices is often overlooked. However, the way that we use our devices and the information stored on them can prove a rich source of evidence.

The range of information stored on mobile devices is vast and can be fertile grounds for investigation, eg call records, text messages, multimedia messages, email, voicemails, documents, spreadsheets, calendar entries, internet history, photos, recorded audio and video, Wi-Fi, Bluetooth connection information and GPS data, to name a few.

Think also of the types of information that a mobile device could potentially contain, eg:

• apps such as LinkedIn, Skype, Facebook and Hotmail, among others, are used for messaging. However, this information is outside of the corporate email system and would be overlooked if mobile devices were not reviewed

• mobile phone SIM cards can reveal useful information such as contact details, call logs and text messages. Forensic software can recover deleted text messages that were routed towards the SIM card memory storage

• GPS information—where collusion between two parties is being investigated, GPS information stored on these devices (and information from cell tower masts) can be used to place a device at a meeting location

As with laptops and desktops, mobile devices use a variety of operating systems and, as a result, the information that can be forensically recovered varies. In early generation iPhones, every time the home screen button was pressed, an internal screenshot of the application being used at that moment was stored in the memory of the handset. This screenshot is hidden from the user, but can be viewed by forensic software, providing further potential evidence.

Due to the frequency of digital forensics being dramatised on television programmes, many people are increasingly aware of it and this informs their computer usage. Many people are conscious that deleted data can still reside on a computer hard drive, even if the recycle bin is emptied. The opposite is true with mobile devices; there is currently a lack of awareness of the evidential data they contain and so this information is more likely to remain and prove fruitful for investigations.

Further, even when users believe that they have protected their information, eg when a device has a password or when the information has been deleted, forensic software can often still retrieve the data.

In some instances, the absence of a smartphone or tablet device does not necessarily mean data is unavailable, as some devices are backed up to the user's computer. This backed-up data can be analysed to provide information on how the device has been used. If a device user has not been forthcoming in providing their mobile device for examination, their computer may provide an alternative method of accessing the data required.

Cloud data will also, in general, reside on servers completely separate from the mobile device. However, it is possible that a proportion of the data is duplicated on the device (internal or external memory), or on a computer as part of a back-up of the mobile device made by the user. Therefore, consideration must be given to other likely areas of stored data in an investigation.

When is 'mobile' information sought and used?

Litigation is increasingly cost-conscious and a review of information on mobile devices is not always appropriate. However, in addition to laptops, desktops and corporate networks, if appropriately examined by a recognised digital forensic practitioner, mobile devices place a fruitful source of evidence at a litigator's disposal and they should be considered at the outset of any action.

As a forensic scientist working on both criminal and civil digital forensic investigations, I have encountered a range of cases demonstrating how beneficial mobile device examination and analysis can be, as long as recognised digital forensic procedures and methods have been followed to ensure the information is admissible. Such evidence has often been the smoking gun that opens up a case or that, at the very least, provides a host of lines of further inquiry.

As this type of investigation can give an insight into a device holder's life, including where they have been, who they have contacted and what they have been doing over a period of time, the range of cases where forensic review of mobile devices is useful is broad. By way of example, cases I have been involved in over the years have ranged from corporate fraud, corporate litigation, intellectual property theft, money laundering, asset tracing, HR matters to criminal matters including counter-terrorism, homicide, violent crime, paedophile rings, harassment, sexual crime, drug distribution, firearms offenses and matrimonial cases.

A criminal case I worked on a few years ago involved allegations of a multi-million pound money laundering and financial fraud, whereby several mobile phones and computers were seized. Forensic analysis of the computers did not recover any intelligence or incriminating activity. However, when I examined the mobile devices, one in particular was beneficial in terms of intelligence and evidential value. I was able to bypass the password to the handset and recover a wealth of evidential information such as:

• photos of the passports of numerous individuals

• details of fake passports of the suspect with a variety of names

• photos of money (with the suspect posing on a bed full of £50 notes)

• text messages (including previously unknown linked individuals) with over 100 bank accounts, names, addresses and transferred amounts

• spreadsheets (a crib sheet of money movement and assets that he had abroad including homes in Jamaica)

• emails to his personal accounts containing bank account information and instant messaging applications with messages detailing agreements of exchanging huge sums of money

• identities of other potential unknown suspects as evidence of collusion

The handset had exceptional evidential value, more so as the suspect believed his data was safe and unattainable on his password-protected mobile.

How is information in potential or actual litigation protected?

Mobile devices should be examined using forensic software under recognised procedures to preserve the integrity of the device as a potential exhibit and to prevent the adulteration or contamination of data that may render evidence inadmissible in court.

As with all digital evidence, even before a mobile device can be examined, it is necessary to obtain the correct legal permission granting access to the data on the device by the legal owner, whether it is a company under investigation or an individual. In company civil litigation, the IT policy and employee handbook should be reviewed in relation to the designated use of IT equipment. The Regulation of Investigatory Powers Act (RIPA) 2000 and the Data Protection Act 2003 prohibit unauthorised access to data and therefore appropriate authorisation must be obtained. However, RIPA laws detailing the interception of communications are more relevant to criminal law. Recent high-profile cases such as the News International 'phone hacking' and the Leveson inquiry into unauthorised access to celebrity voicemails highlighted the issue of unauthorised access to data by a non-recipient.

Investigation work relating to electronic data must also be proportionate. It would not be reasonable to examine all mobile devices, computers, servers, back-up data and memory sticks for a listed company with many staff over multiple international locations; a targeted approach must be tailored for the allegations or for the investigation's aim. For example, if a whistleblower indicated a single employee from the UK was taking intellectual property from his employer, a covert approach for intelligence purposes at first may be performed to determine if there was any truth to the allegations. It would not be proportionate to forensically examine data relating to the employee and all employees working in their office building.

The actual securing of the device must also be planned. If a suspect in a case is aware of any potential review of his mobile device, he may attempt to destroy evidence. Some devices have a facility by which instructions to wipe all data can be sent to the device through its network provider. Even turning on a phone could allow such a process to start, thereby overwriting crucial evidence; by taking appropriate advice, this can be avoided.

The information stored on mobile devices is volatile and potential evidence can easily be made inadmissible or data lost/overwritten due to incorrect handling, leaving evidence open to subsequent allegations of tampering. Smartphones are mini-computers and the best practice for the forensic capture of computer data is the Association of Chief Police Officers (ACPO) digital forensic guidelines. These principles should be followed for all mobile devices.

Expert advice should be sought to preserve the integrity of the original device and the data stored within it. A forensic copy of the information on the device (known as an 'image'), which does not alter the original evidence in any way, should be taken. Further, documenting a chain of custody for the item, showing who has handled the item and when, ensures the admissibility of future evidence.
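
As an added illustration (not part of the original article and not the authors' tooling), the Python sketch below shows how an image can be hashed at acquisition and each hand-over recorded in a custody log whose entries are chained together, so that a later change to the image or to an earlier record is detectable. The function names, examiner names, timestamps and image bytes are all constructed for the example.

```python
import hashlib, json

FIELDS = ("handler", "action", "when", "image_sha256", "prev")

def sha256_stream(chunks):
    """Hash an image block by block so a large acquisition never sits in memory."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()

def entry_digest(entry):
    """Digest over the custody fields only, in a fixed key order."""
    body = {k: entry[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(log, handler, action, when, image_sha256):
    """Append who handled the exhibit and when, chained to the previous entry."""
    entry = {"handler": handler, "action": action, "when": when,
             "image_sha256": image_sha256,
             "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return log

def verify(log, image_chunks):
    """Return a list of problems; an empty list means image and log agree."""
    problems, prev = [], "0" * 64
    current = sha256_stream(image_chunks)
    for i, e in enumerate(log):
        if e["prev"] != prev or e["entry_hash"] != entry_digest(e):
            problems.append(f"entry {i}: custody record altered or out of sequence")
        if e["image_sha256"] != current:
            problems.append(f"entry {i}: image no longer matches recorded hash")
        prev = e["entry_hash"]
    return problems

# Constructed sample data: stand-in image blocks and hypothetical examiners.
IMAGE = [b"constructed-image-block-1", b"constructed-image-block-2"]

def demo_log():
    digest = sha256_stream(IMAGE)
    log = add_entry([], "Examiner A", "acquired image", "2014-01-10T09:30Z", digest)
    return add_entry(log, "Examiner B", "received for analysis", "2014-01-11T14:00Z", digest)

if __name__ == "__main__":
    print(verify(demo_log(), IMAGE))  # image and log as recorded at acquisition
```

A chained log only detects edits if the final entry hash is also recorded somewhere the handlers cannot rewrite, such as signed contemporaneous notes.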

As such, it is recommended that lawyers should always contact a recognised digital forensic practitioner with the appropriate training, experience and qualifications for advice in the event of potential litigation where digital data may need to be forensically captured; these matters tend to be confidential by nature. Advice from a digital forensic practitioner at a very early stage, even without specific details on the case, can be crucial to ensure material is seized, preserved and forensically captured in an evidentially sound manner.

What if I receive disclosed digital forensic information from a mobile device?

Where a lawyer is at the responding end of disclosed digital forensic evidence, a digital forensic practitioner can advise on areas of challenge, potentially identifying procedural shortcomings in the way that the information was acquired. In addition, any conclusions reached can be reviewed in light of a second examination and image of the original mobile device by a digital forensic practitioner under the respondent's instruction.

An added complication—Bring Your Own Device (BYOD)

Small or medium-sized companies are increasingly adopting a Bring Your Own Device (BYOD) scheme, whereby employees can use their own personal mobile devices (or those which their employer has paid for in part) for work use. This is new territory and will present challenges in relation to what constitutes 'company data' and 'personal data' when both are held on a device owned in whole, or in part, by the device user. Note that where a company's IT policy is unclear on this topic, the risk is that access to the device may not be allowed legally. A digital forensic practitioner can assist with interpretation (or drafting) of IT policies in this regard.

Sterl Greenhalgh (Partner) and Bruce Keeble (Assistant Manager) are former members of the Forensic & Investigation Services team for Grant Thornton.

This article was first published on Lexis®PSL Arbitration on 6 February 2014.
