Sign In
    Wisconsin Lawyer
    April 13, 2022

    Mobile Device Forensics for Criminal Defense Lawyers

    To better represent clients, criminal defense lawyers should learn about the types of digital evidence that may reside on clients' mobile technology devices and how the evidence can be accessed and preserved.

    Sharon D. Nelson, John W. Simek & Michael C. Maschke

    smarphone data

    According to a 2008 United States Computer Emergency Readiness Team publication, computer forensics is defined “as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.”

    Computer forensics, more commonly referred to as digital forensics these days, includes more than laptop and desktop computers. Think CSI with computers and other electronic devices. Digital forensics is the acquisition, authentication, analysis, and presentation of electronic evidence. It is deeply rooted in the scientific process and generally accepted practices of the digital forensic community. From a legal perspective, it is crucial that the digital forensic process and the presented evidence be replicable using various tools and that the outcome is accepted as reliable.1

    With the exponential growth in the use of mobile devices (smartphones, tablets, and so on), digital forensics examiners typically analyze more mobile devices than laptops and desktops – which are often the primary source of evidence sought by law enforcement in criminal investigations.

    Forensic Software for Mobile Devices

    The examination of a mobile device requires specialized forensic software to extract and analyze “artifacts” such as text messages and communications, application data, and user-generated information. There are many different vendors of mobile forensic software, each having different price points and features. Many are widely used by both law enforcement agencies and private consultants (for example, Cellebrite and Oxygen), with a few available solely for law enforcement use (for example, GrayKey).

    Sharon D. NelsonSharon D. Nelson is a practicing attorney and the president of Sensei Enterprises Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association, and the Fairfax Law Foundation. She is a coauthor of 18 books published by the ABA.

    John W. Simek John W. Simek is vice president of Sensei Enterprises Inc. He is a Certified Information Systems Security Professional, a Certified Ethical Hacker, and a nationally known expert in the area of digital forensics. He and Sharon Nelson provide legal technology, cybersecurity, and digital forensics services from their Fairfax, Virginia firm.

    Michael C. Maschke Michael C. Maschke is the CEO and director of cybersecurity and digital forensics of Sensei Enterprises Inc. He is an EnCase Certified Examiner, a Certified Computer Examiner (CCE #744). a Certified Ethical Hacker, and an AccessData Certified Examiner. He is also a Certified Information Systems Security Professional.

    Get to know the authors: Check out Q&A below.

    Cellebrite’s Universal Forensic Extraction Device. Arguably the leading tool for mobile device forensics is the Universal Forensic Extraction Device (UFED) Touch2 by Cellebrite.2 Cellebrite has the advantage of working with many different cell phone manufacturers and models because Cellebrite constructs the data transfer devices that the cellular carrier technicians use to move messages, address books, and so on, when customers upgrade their phone. This means Cellebrite has “inside” knowledge about how a phone stores its data and how to communicate with the device. Its products are used by law enforcement and other governmental agencies, military agencies, and private companies worldwide.

    Examiners load mobile device extractions into Cellebrite Physical Analyzer software, which allows them to search and analyze the extracted data. Base price for the UFED Touch2 is around $6,000, and annual maintenance and licensing fees are also required, which makes the Cellebrite device somewhat expensive. But given that the cost includes all the necessary cables for the many different types of mobile devices and that the UFED Touch2 is one of the best tools for analyzing mobile devices on the market, we believe it is well worth the yearly cost.

    Oxygen Forensic® Detective. Another popular mobile forensics software is Oxygen Forensic Detective.3 Oxygen tends to retrieve slightly different data from mobile devices than Cellebrite does and is better at extracting information for specific mobile applications. As an example, it does very well at extracting information from the Kik messaging app. It also includes a useful SQLite database viewer and reader, allowing examiners to parse and interpret application databases that might not be “supported” by the forensic software. Both Cellebrite and Oxygen products integrate artificial intelligence into their products: they include automated picture-detection processes to locate images of guns and drugs, screenshots, and depictions of child erotica or endangerment. Of course, a human being must still review the images to determine whether the automatic process has accurately tagged them.

    Grayshift’s GrayKey. This product is only available to law enforcement agencies. According to its website, GrayKey can bypass the lock code for the latest iOS devices in less than one hour.4 One version, which costs $15,000, allows for the unlocking of 300 phones, and the device must be connected to the internet to work. A $30,000 version has an unlimited unlocking capacity and doesn’t need to be connected to the internet.

    Very little is known publicly about the technical operation of GrayKey; one theory is that some form of brute-force attack is used. We have personally seen GrayKey being used at law enforcement facilities while a long line of officers waited to have seized phones unlocked. GrayKey devices do work. A client’s inability to recall a device’s passcode might not keep a law enforcement officer out of the device for long.

    Blocking Unlocking. Apple executives were concerned that Grayshift was making money gaining access to users’ iPhone data. Apple released an update to iOS that contained a feature called USB restricted mode. There are several reports that the USB restricted mode has successfully blocked the GrayKey from bypassing lock codes. Another alternative to bypassing lock codes is the advanced-unlocking service from Cellebrite. Cellebrite does the work and does not have an actual piece of hardware to sell to the end user. Cellebrite states that it can “determine or disable the PIN, pattern or passcode screen lock on the latest Apple iOS and Android devices including Alcatel, Google Nexus, HTC, Huawei, LG, Motorola, Samsung, and ZTE.”5

    Data Extraction and Preservation Procedures

    Data from criminal clients’ mobile devices is likely to be used by the prosecution if it might help them establish guilt. Thus, criminal defense attorneys should seek this data once it has been obtained by a law enforcement agency. If a client’s mobile device was seized and analyzed by a law enforcement agency, a copy of the forensic acquisition or data extraction should be provided to the defense’s expert for independent review. Depending on the type of case and the nature of the evidence found, the review might have to be conducted at a law enforcement or governmental facility, especially if contraband is involved. In other cases, the law enforcement agency should be willing to provide a copy for the defense’s expert to review offsite at their convenience, which likely will save the client money.

    Most analysis packages provide a method of data extraction. As an example, Cellebrite provides a custom hardware and software solution to capture data from mobile devices. Of the currently available products, Cellebrite supports the largest number of mobile devices, meaning that it can extract the most data from the largest variety of devices. Depending on the version of Cellebrite, it might be possible to extract logical data (data that a user can normally access) or perform a physical extraction, which is a complete image of the memory from a client’s mobile device (including any deleted data). It’s worth noting that a logical data extraction may also include deleted data as well, often found stored in the SQLite databases used by applications, including messaging. Most attorneys will hire an expert who has the right tools and software to extract data.

    However, a forensic examination of the device might not be necessary. In some cases, preservation of the relevant information might require nothing more than taking a screenshot of relevant text messages. Another way to preserve data from a mobile device with little cost or effort is by using a tool such as iMazing.6 IMazing costs $59.99 per year and allows users to capture and produce messages from an Apple iPhone in a variety of formats, including Acrobat PDF and Microsoft Excel. For Android devices, Dr.Fone does the trick as well. Dr.Fone Android Toolkit costs $79.95 per year, or if you want both Android and iOS recover support, the Full Toolkit costs $139.95 per year.

    If a lawyer is not acquiring data from a client’s mobile device using forensic tools, the most common way to preserve data is via a device backup. iPhone users should be using iTunes as a backup because it contains more data than an iCloud backup. Android users can use many of the various backup products that are available. It is even an option to connect the phone to the computer and copy the files directly to the hard drive or some other external storage device.

    In most criminal cases, self-collecting data from a mobile device rather than hiring an expert to collect the data should be done only after careful consideration, given what is at stake for the client.

    Types of Data on Mobile Devices

    Several types of data, many or all of which might be useful to the prosecution or the defense in a criminal matter, can be recovered from a mobile device.

    Emails and Text Messages. Probably the most sought-after type of data is communications. That includes email, but text messages (iMessages on iOS devices) are the most used method for communications among mobile device users. It is not difficult to extract messages in a format that is easily reviewed in a spreadsheet. It is important to keep the threaded messages together because there may be multiple conversations with various people.

    Message attachments should also be extracted and associated with a specific message. It is also crucial to preserve any emojis associated with a message. This means that the exported data file must be encoded to Unicode UTF-8 to preserve the emojis. The challenge is how to deal with other messaging apps such as Signal, WhatsApp, Facebook Messenger, and even Slack. The data might be encrypted and stored in the cloud with the vendor and not on the local device.

    If a message is viewable on a device, but not contained within the extraction, typically it is possible to take a screenshot to preserve the message.

    Photos and Videos. Many mobile device users constantly use their phones to take pictures (for example, selfies) or videos to share with others. Like messages, pictures or videos are relatively easy to extract from a phone. Photos also can be synchronized with a cloud account to preserve them. Any downloaded or created files are also available to be copied from the phone to some other media type.

    Geolocation Data. Many mobile device applications use geolocation to help improve the user experience. GPS coordinates are used for map applications such as Waze and Google Maps. Shopping apps use geolocation to target ads for a device’s location. In other words, it does no good to display an ad for a store that doesn’t even exist in the area in which a device is being used.

    GPS coordinates, which might be included in the metadata of photos (EXIF data), can be very useful when used as evidence and to provide some level of authentication and determination as to where the device was physically located on a particular date and time. As an example, you could crowdsource Twitter to see who posted photos of a traffic accident at a particular intersection. GPS coordinates would be used to determine photos taken at the intersection during a specific time. The GPS coordinates could also be used to validate a photo as being taken at a particular location.

    It is easy to access GPS data for photos. Merely looking at the photo properties reveals the metadata including such things as GPS coordinates, the date and time the photo was taken, the camera manufacturer and model, camera lens settings, and so on. Typically, it’s harder to get GPS information from other apps, especially if they’re not supported by forensic software. The information may be stored in a database and not specifically attached to individual files. Finally, the user might have turned off location services or the app might not preserve GPS data.

    Location data can be requested from Google, either by the account holder or someone who has the account holder’s credentials, if the phone was set up or configured with a Google Mail account. You might be surprised at how frequently Google is tracking the physical location of the mobile device and how easy it is to download the location history data set if you are the account holder.

    Call History. Another possible source of relevant data is a device’s call history. The call history shows the duration and time of calls (including FaceTime on iOS devices), the phone numbers and contact information if they exist on the device, whether calls were answered or missed, and whether calls were incoming or outgoing. Call history records and even individual entries can be deleted (and potentially recovered) from the mobile device. Requesting the call history from the cellular services carrier is a lot more difficult and will take longer than looking at the history on the device itself. Also, records provided by the carrier might be in a cryptic format and difficult to understand.

    Web Browser History. Forensic examiners often are asked to extract internet history from a mobile device. History can be recovered from all major mobile browsers, including Chrome, Firefox, and Safari. It is unlikely that any history will be stored on mobile devices for the Tor browser. Additional browsing artifacts that may be of interest include files that were downloaded on the mobile device, as well as search terms entered and websites logged into.

    Voicemail. Relevant information associated with voicemail messages might exist on a mobile device. In some situations, it might be possible to export the actual audio file. However, there will be no link between the voicemail activity and the actual message file, so it’s important to document which message file goes with which underlying information. A little-known fact is that it’s also possible to retrieve a voicemail message after it has been deleted. This is particularly true if visual voicemail is used. The file is downloaded from the carrier to be played back visually. Deleting the file from the carrier doesn’t necessarily delete the file from the device, so a forensic expert might be able to recover the file.

    App Data. The methods for extracting and preserving data from apps are varied and so these processes are probably best left to a forensic examiner. Despite this, it might be possible to find a specific piece of software that is designed to target the data from a particular mobile phone app.

    More and more app developers are storing data in databases as opposed to discrete files. Apps may use PLIST, JSON, or SQLite file types to store information and records. The database of choice for many apps is SQLite, which is a “mini” version of SQL. Many forensic software tools can analyze and decode the contents of the SQLite database for a particular app and report on its contents in a usable and understandable format. If the specific app is not supported, then the examiner must perform a manual process of testing and querying the database with SQL commands. This is a slow and tedious process and can be expensive. If usage of a particular app is significant in a client’s case, it may pay to run through the manual process to extract the relevant evidence. Many times artifacts stored within third-party viewers have been able to show how many times a file was viewed or played on a mobile device, including when that activity took place.

    Conclusion

    It is impossible to know all the data available for preservation and extraction from mobile devices. Apps are constantly being updated, which compounds the problem. For instance, there may be a software tool to extract data from version 2 of the app, but not if the app is upgraded to version 3. As legal counsel, you know what questions need to be answered – and the mobile device may hold the key. No matter which types of data you may be after, working with a digital forensics expert to examine a mobile device will help you be prepared for trial and can be beneficial to a client’s defense. It can also bring a quick resolution to the matter. Either way, justice prevails.

    Meet Our Contributors

    How do you refresh your batteries? 

    Michael C. MaschkeWork can be 24 hours per day, 7 days per week if you allow it to. I try my best to carve out time in the evenings and over the weekends to recharge and put down the computer or smartphone screen. 

    The problem is that the big screen takes over. Sports have been part of my entire life. It doesn’t matter which sport is on, I’ll watch it instead of other TV shows every time. If I’m not taking kids to ball practice or playing with them in the yard, you can often find me watching football or college basketball. I find baseball extremely boring but will stomach it.

    The kids are excited when I go down to the basement to watch the game on the “big screen” so they can finally play down there without a worry – knowing they are safe from any bad dudes, ghosts, or scary monsters with shooter guns that may be hiding to get them since they now have “dad protection.”

    Michael C. Maschke, Sensei Enterprises Inc., Fairfax, Va

    What was your funniest or oddest experience in a legal or digital forensic context?

    Sharon D. NelsonLong ago, a gentleman visited Sensei Enterprises with a most unusual request. He told me that his wife was pregnant and that he knew the child was not his because they hadn’t had a sexual relationship for some time. When he asked his wife to explain how she got pregnant, she told him that aliens had come through her computer and made her pregnant.

    He had the computer with him and wanted us to search for the presence of aliens, which would support his wife’s explanation of her pregnancy. He was extremely agitated and pleaded with me to accept the computer.

    One of my forensics technologists analyzed it. To no one’s surprise, there was no trace of aliens; however, the computer was a mess in any number of ways. We cleaned things up, updated the computer, and provided some basic cybersecurity. We charged a paltry sum of money.

    When he returned to the office, I told him what we had done to the computer – that was all fine with him, but he became agitated again when I told him that we saw no trace of aliens.

    He was so distraught, asking me repeatedly, “Are you sure?”

    He began crying and I found myself, unaccountably, uttering these words: “We really can’t be sure what happened. It is well known that aliens are very good at hiding traces of their presence.”

    That cheered him right up, he thanked me vigorously, and went home to make peace with his wife.

    Sharon D. Nelson, Sensei Enterprises Inc., Fairfax, Va

    If you could choose a superpower, what would it be?

    John W. SimekI would choose the power of flight. I grew up a military brat as my father was a career Air Force man. He was a crew chief for an F-104 fighter jet. As a child, I would help the crew prep the plane for the air show and even got to sit in the cockpit. Obviously, that would never be allowed today. I had my heart set on going to the Air Force Academy to fly fighter jets.

    During my flight physical, I learned that my vision medically disqualified me. Not to be discouraged, I successfully graduated from a different federal service academy, the United States Merchant Marine Academy. Even though I never got to fly fighter jets, I satisfy my flight desires with sporadic experiences at an iFly skydiving simulator because my wife won’t let me jump out of a perfectly good airplane for real.

    John W. Simek, Sensei Enterprises Inc., Fairfax, Va

    Become a contributor! Are you working on an interesting case? Have a practice tip to share? There are several ways to contribute to Wisconsin Lawyer. To discuss a topic idea, contact Managing Editor Karlé Lester at (800) 444-9404, ext. 6127, or email klester@wisbar.org. Check out our writing and submission guidelines.

    Endnotes

    1 Wis. Stat. § 907.02; Daubert v. Merrell Dow Pharm., Inc., 509 U.S. 579 (1993); Fed. R. Evid. 702.

    2 Cellebrite, Transformation for the Age of Digital Investigations, www.cellebrite.com/en/home (last visited Feb. 4, 2022).

    3 Oxygen Forensic® Detective, https://www.oxygen-forensic.com/en/products/oxygen-forensic-detective (last visited Feb. 4, 2022).

    4 Grayshift, New Expanded Android Device Coverage, https://www.grayshift.com/ (last visited Feb. 4, 2022).

    5 Cellebrite Advanced Unlocking & Extraction Services (Jan. 2018), https://cf-media.cellebrite.com/wp-content/uploads/2017/12/advanced-unlocking-extraction-datasheet-jan2018.pdf.

    6 https://imazing.com (last visited Feb. 4, 2022).

    » Cite this article: 95 Wis. Law. 32-36 (April 2022).


Join the conversation! Log in to comment.

News & Pubs Search

-
Format: MM/DD/YYYY