Important Considerations for Cell Phone Forensics
When it comes to the expanding field of cellular phone forensics, there are many misconceptions. Some clients are shocked to learn that specialized software is necessary for their particular investigation, or that not all phones run similar operating system code. Of the literally thousands of cellular phone models, many run "one-off" code or archaic, obsolete and unique software. Clients must recognize that the particular device being reviewed largely dictates the forensic tool used to complete the examination.
Our experts can glean a great deal of information about any target device before the phone is even powered up. Per governmental and industry regulations, much of this information is housed within the battery cavity of each cellular phone. The manufacturer's label gives the make and model number of the phone as well as unique identifiers like the Federal Communications Commission Identification Number (FCC ID), which is found on all cell phones sold in the U.S.
For GSM (Global System for Mobile Communications) devices, which require SIM (Subscriber Identification Module) or USIM (Universal Subscriber Identification Module) cards, the (U)SIM is usually located underneath the battery and is imprinted with a unique identifier called the Integrated Circuit Card Identification number (ICCID), which is also stored within the SIM.
The ICCID is composed of 2 fixed digits that represent the Major Industry Identifier, a Country Code of 1 to 3 digits, and the Issuer Identifier of 1 to 4 digits.
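As an added illustration (not code from the original article or from any forensic tool), the Python below decodes an ICCID from the nibble-swapped BCD form in which the card holds it in its EF_ICCID file, checks the trailing Luhn check digit, and compares the result with the number printed on the card. The function names, the small country-code table, and the sample label and card bytes are assumptions constructed for this example.

```python
# Added example. The sample label and card bytes are constructed, not from a real SIM.
# Assumption: a small illustrative subset of ITU-T E.164 country codes.
COUNTRY_CODES = {"1": "NANP (US/Canada)", "44": "United Kingdom", "49": "Germany"}

def decode_ef_iccid(raw: bytes) -> str:
    """Decode the card's stored form: BCD with swapped nibbles, 0xF padding at the end."""
    swapped = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw)
    digits = swapped.rstrip("f")
    if not digits.isdigit():
        raise ValueError(f"unexpected non-decimal content in ICCID: {swapped}")
    return digits

def luhn_valid(number: str) -> bool:
    """Luhn check over the whole number, the final digit being the check digit."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_iccid(iccid: str) -> dict:
    """Split off the fields that can be identified without an issuer table."""
    if not iccid.isdigit() or len(iccid) > 20:
        raise ValueError("ICCID must be at most 20 decimal digits")
    rest = iccid[2:]
    country = next((rest[:n] for n in (3, 2, 1) if rest[:n] in COUNTRY_CODES), None)
    return {
        "iccid": iccid,
        "mii": iccid[:2],         # Major Industry Identifier; 89 = telecommunications
        "country_code": country,  # None if not in the subset table above
        "luhn_ok": luhn_valid(iccid),
    }

def compare_label_to_card(label: str, raw: bytes) -> dict:
    """Report whether the printed ICCID agrees with the value read from the card."""
    report = parse_iccid(decode_ef_iccid(raw))
    printed = "".join(ch for ch in label if ch.isdigit())
    report["label_matches"] = printed == report["iccid"]  # record a mismatch as found
    return report

if __name__ == "__main__":
    card = bytes.fromhex("984401103254769810f5")  # constructed EF_ICCID content
    print(compare_label_to_card("8944 1001 2345 6789 015", card))
```

The issuer identifier is not split out because its length varies and cannot be determined without the issuer's own numbering table.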
One other issue of key importance is determining a particular device’s memory structure. Phone memory can be partitioned into set areas for certain data (such as fixed areas to house contacts, call logs, text messages or calendar entries), or assigned common space from a shared pool of memory. Because memory can house deleted data, our experts are careful to proceed only after discerning whether a specific software or hardware solution is required for memory acquisition.
This is not an area for amateurs; attempting to retrieve data without handling it properly can permanently spoil significant records, leaving them unusable in any venue subject to third-party review.
Data Transfer and Synchronization
Many of our clients are of the opinion that synchronizing a device before examining it is a good idea, as the data on the phone will then be the most up-to-date and complete. However, our goal is often to preserve the data on the device as-is, without modifying it in any way whatsoever.
Thus, isolating the phone from other devices used for data synchronization is of key importance prior to retrieval of information, to prevent contamination of existing evidentiary data and the possible overwriting of deleted, but sometimes even more critical, evidence. In addition, it is of great importance to isolate the phone from its radio network, thus avoiding incoming messages and data that can overwrite existing data.
When in doubt, call upon qualified experts before attempting the retrieval of evidence from digital media, including cellular phones.