CSi: Crime Scene iPhones Yield Forensic Evidence, Confusion About Data Handling

During the trial of Dr. Conrad Murray concerning the death of pop icon Michael Jackson, prosecutors used Dr. Murray's iPhone to collect forensic evidence.

The evidence, which included a recording of Jackson speaking in a slurred manner, was gathered by DEA computer forensics examiner Stephen Marx. It helped prosecutors make the case that Murray veered significantly from acceptable medical practice. Through the iPhone, Marx found digital medical charts thought to be non-existent, as well as emails Murray sent hours before Jackson died on June 25, 2009.

And yet, according to several high-tech forensic experts, there is plenty of confusion among those who work in law enforcement in terms of what smartphone and tablet data can be captured and analyzed, how to do that correctly, and how reliable the information is--particularly GPS location data. 

Mark McLaughlin of Los Angeles-based Computer Forensics International, who has 14 years of experience as a computer forensics examiner, says few understand that "digital evidence is very fragile." During the past 18 months, while working on many criminal defense cases, he has seen law enforcement use flawed procedures. "They are collecting data in an invasive manner," he says, "which means they're changing the original piece of evidence." They don't have extensive training or experience, according to McLaughlin, "and they can just go out and buy software and call themselves 'examiners.'" In court he has proven that some have unwittingly altered data when copying it from a smartphone. "It all starts with a good forensic copy," he says, "and if you don't have that, everything you do after is suspect."

Furthermore, attorneys and judges are generally unaware of the extent to which experts can recover such evidence, McLaughlin says. "I teach continuing legal education courses for them so they can understand computer forensics and get up to speed, so they know when something goes awry," he says. "We try to explain in very simple terms. Most are clueless, but not in a bad way. They just don't know." 

A professor of math and computer science at the John Jay College of Criminal Justice at the City University of New York, Ping Ji, says the state of the art of smartphone forensics today is "in its infancy." Evidence sometimes is hard to seize, and procedures for acquiring it from smartphones are quite different from getting evidence from a computer, she notes. For example? "[Investigators] shouldn't shut down right away or remove the battery, because [they] may lose some evidence."

Surprisingly, John Jay's Masters Program on Forensics Computing does not yet cover smartphones and tablets. Because today's mobile devices are smart enough to let users access the Internet through network providers as well as wireless systems, like Wi-Fi, Ji is considering proposing a course on wireless network forensics or wireless network security, which would have a component on smartphone systems.

Lee Reiber, Director of Mobile Forensics at Access Data, in Lindon, UT--providers of digital investigations and litigation support tech and services--can see two extremes among the law enforcement officers he trains. Some bypass gathering data because it's too hard and they don't have the training. "It's bizarre that right now this is so brand new to law enforcement people, which sometimes is a little scary," he says. "It's crazy because the smoking gun might be in that device."

To the other extreme, students already trained in computer forensics mistakenly assume their training applies to smartphones. "That mindset hurts the examination," says Reiber. "How you process smartphones and attack data on a computer are far, far different. Overcoming that is hard. Starting from square one is frustrating for them."

One difference between computer and smartphone forensics is that it is impossible to copy data from smartphones that are turned off, whereas disk drives just sit there. Examiners therefore isolate the phones in a Faraday Box (a.k.a. Faraday cage or shield), which blocks network access and inhibits signals. Alternatively, examiners can remove the portable memory chip known as the Subscriber Identity Module, or SIM card.

But the biggest challenge is time, Reiber says. "You have to have lots of patience with a mobile device," he says. "Examiners can just extract phonebook contacts, calendars, text messages, multi-media mobile messages, and pictures. But if they choose to dig in, they can find far more information, like geo tags, passwords, where the owner surfed, Google searches, and what type of information they were looking for...But law enforcement is typically only getting the low-hanging fruit, asking 'What can I get right now based upon the time I'm given to do it?' [That's] push-button forensics."

Reiber estimates that law enforcement professionals acquire only 10% of the data that is relevant and available on iPhones, iPads, and similar devices, failing to harvest other important digital artifacts. He also acknowledges, sympathetically, that in this economic climate, officers often have trouble getting funds for equipment, software, and training.

Some companies sell forensic software tools for $5,000 to $8,000 and require yearly payments of 50% of the original cost, he says. With training, that's very costly for a small agency.

There are federal and state grants and training programs available from the likes of the National Computer Forensics Institute (NCFI) in Hoover, Ala., which is part of the U.S. Secret Service, and the Federal Law Enforcement Training Center (FLETC) in Brunswick, GA, which is part of Homeland Security. But they can be hard to obtain, and the federal agencies that govern them must recommend the students. 

Is the usefulness and nature of smartphone data over-rated?

A suspect's past locations can be determined by downloading photos they took with their iPhone onto mapping software, Reiber says. Coupled with geo-tags embedded in the picture, this gives examiners the latitude and longitude to tell where the shot was taken, he says. That's a "fantastic piece of evidence," Reiber says. But as a counterpoint, see last April's IEEE Spectrum piece by Purdue University Professor of Cyber Forensics Richard Mislan. In it, he argues that iPhone location data are designed to improve location identification, not to track it.
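The geo-tag workflow Reiber describes comes down to reading the GPS sub-IFD of a photo's EXIF block and converting its degrees/minutes/seconds rationals into the signed decimal latitude and longitude that mapping software expects. The following is an added example, not code from the article or from any vendor it mentions: a dependency-free parser that locates the APP1 Exif segment in a JPEG, walks the TIFF structure to the GPS IFD, and converts the coordinates. The sample JPEG is constructed in the block (it holds no image data, only an Exif segment) and its coordinates are hypothetical.

```python
import struct

# EXIF/TIFF field types used here (TIFF 6.0): ASCII, LONG, RATIONAL, with byte sizes
TYPE_SIZES = {2: 1, 4: 4, 5: 8}
TAG_GPS_INFO = 0x8825            # IFD0 entry pointing to the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004


def tiff_from_jpeg(jpeg):
    """Walk JPEG marker segments; return the TIFF payload of the APP1 'Exif' segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG stream")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            return None
        marker = jpeg[pos + 1]
        if 0xD0 <= marker <= 0xD9:                       # RSTn/SOI/EOI carry no length field
            pos += 2
            continue
        seg_len = struct.unpack_from(">H", jpeg, pos + 2)[0]  # includes its own 2 bytes
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + seg_len]
        if marker == 0xDA:                               # start of scan: no more metadata
            return None
        pos += 2 + seg_len
    return None


def _read_ifd(data, offset, endian):
    """Return {tag: (type, count, raw 4-byte value-or-offset field)} for one IFD."""
    count = struct.unpack_from(endian + "H", data, offset)[0]
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", data, base)
        entries[tag] = (typ, n, data[base + 8:base + 12])
    return entries


def _read_value(data, endian, typ, n, raw):
    """Decode one IFD entry; values longer than 4 bytes live at the offset stored in the entry."""
    size = TYPE_SIZES[typ] * n
    if size <= 4:
        buf = raw[:size]
    else:
        off = struct.unpack(endian + "I", raw)[0]
        buf = data[off:off + size]
    if typ == 2:
        return buf.rstrip(b"\x00").decode("ascii")
    if typ == 4:
        return struct.unpack(endian + "%dI" % n, buf)
    pairs = struct.unpack(endian + "%dI" % (2 * n), buf)
    return [(pairs[i], pairs[i + 1]) for i in range(0, 2 * n, 2)]


def dms_to_decimal(rationals, ref):
    """(deg, min, sec) rationals plus an N/S/E/W reference -> signed decimal degrees."""
    deg, minutes, sec = (num / den for num, den in rationals)
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(tiff):
    """Return (lat, lon) in decimal degrees from a TIFF/EXIF blob, or None if no GPS tags."""
    endian = "<" if tiff[:2] == b"II" else ">"
    magic, ifd0_off = struct.unpack_from(endian + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF header")
    ifd0 = _read_ifd(tiff, ifd0_off, endian)
    if TAG_GPS_INFO not in ifd0:
        return None
    gps_off = _read_value(tiff, endian, *ifd0[TAG_GPS_INFO])[0]
    gps = _read_ifd(tiff, gps_off, endian)
    needed = (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)
    if any(t not in gps for t in needed):
        return None
    ref_lat, lat, ref_lon, lon = (_read_value(tiff, endian, *gps[t]) for t in needed)
    return dms_to_decimal(lat, ref_lat), dms_to_decimal(lon, ref_lon)


def build_sample_jpeg():
    """Constructed sample, not a real photo: an Exif-only JPEG shell holding the
    hypothetical position 40 deg 26' 46.00\" N, 79 deg 58' 56.00\" W."""
    header = b"II" + struct.pack("<HI", 42, 8)                      # bytes 0-7
    ifd0 = (struct.pack("<H", 1)                                     # bytes 8-25
            + struct.pack("<HHII", TAG_GPS_INFO, 4, 1, 26)
            + struct.pack("<I", 0))
    gps_ifd = (struct.pack("<H", 4)                                  # bytes 26-79
               + struct.pack("<HHI", TAG_LAT_REF, 2, 2) + b"N\x00\x00\x00"
               + struct.pack("<HHII", TAG_LAT, 5, 3, 80)
               + struct.pack("<HHI", TAG_LON_REF, 2, 2) + b"W\x00\x00\x00"
               + struct.pack("<HHII", TAG_LON, 5, 3, 104)
               + struct.pack("<I", 0))
    lat = struct.pack("<6I", 40, 1, 26, 1, 4600, 100)               # bytes 80-103
    lon = struct.pack("<6I", 79, 1, 58, 1, 5600, 100)               # bytes 104-127
    app1 = b"Exif\x00\x00" + header + ifd0 + gps_ifd + lat + lon
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", 2 + len(app1)) + app1 + b"\xff\xd9"


def sample_location():
    """Run the whole pipeline on the constructed sample."""
    return extract_gps(tiff_from_jpeg(build_sample_jpeg()))


if __name__ == "__main__":
    print(sample_location())
```

Running the block on the constructed sample yields roughly (40.4461, -79.9822). Two practitioner caveats follow from the piece itself: the parser should be run against a verified forensic copy rather than the device, and the coordinate is only what the phone recorded at capture time, so it corroborates other sources rather than standing alone.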

The iPhone "relies on multiple technologies to determine its location--satellites, Wi-Fi hotspots, and cell towers combined depending on their availability," Mislan wrote. "This hybrid method is very inaccurate in rural areas, though is usually slightly better in urban areas. And while someone analyzing the collected data can often identify a basic route, it's usually only accurate to within five to ten miles." Mislan concluded that "Law enforcement agencies will continue to use the iPhone location data and other related intelligence for corroborating information about where phone users have been originally obtained from other sources, but...relying on the iPhone data as evidence itself may be a crime."

Looking at only one piece of electronic evidence is insufficient, admits Reiber. He recommends examining suspects' smartphones as well as their personal computers, in case they synched their phone with their computer or sent text messages and pictures to their computer from their phone. "Together, the case is complete and I have enough information to put people in jail forever because I collectively took data from all these different pieces. If I look at them separately, I can't put anything together. Together, I have the crime."

[Image: Flickr User Wackystuff]

Follow @KarenAFrenkel and @FastCompany, too.

1 Comment

  • Louann Oravec

    I agree "[Investigators] shouldn't shut down right away or remove the battery, because [they] may lose some evidence." Some people have their phones set up to delete messages when they are shut down. Also it may lock the phone. Some phones have backup assistance so the data can be changed on a computer, then when the phone is booted, data may change.