See the article on the McAlester office of the Oklahoma State Bureau of Investigation.

Although there are a few ISP companies that offer a web interface to subpoena data (Sprint is one of them), there is no excitement in the ISP world for setting up a national system to handle this type of data.  There are too many security and privacy issues to overcome.  This is exacerbated by a recent Justice Department’s 289 page report that claimed the “FBI obtained Americans’ telephone records by citing nonexistent emergencies and simply asking for the data or writing phone numbers on a sticky note rather than following procedures required by law.”

Maybe a national web interface is not the answer, but a better system needs to be put in place to allow law enforcement to obtain legal and timely information from ISPs and the Social Networks (Facebook, Myspace, etc.) to assist them in solving their cases.

Take a particular homicide case that is currently being tried in Lakeport, CA. The prosecution in this case has presented cell forensic and phone analysis vital in determining who communicated what, where and when.  Much of the cell phone analysis is based on cell phone forensics produced by the Northern California Computer Crimes Task Force (CCTF).

In the case, a detective at the CCTF provided testimony related to information retrieved from the (victim’s) cell phone as well as a cell phone associated with the (main suspect). The testimony provided related to call logs, contact lists and text messages sent and received between the phones.

“The defense voiced objections to taking information within messages allegedly sent between (the victim, the main suspect and a witness) on the grounds of hearsay as the CCTF detective testified that forensic capabilities do not allow for identification of who actually used a specific phone at any specific time.” Fortunately the objection was over ruled in this case.

The missing person’s case that captured the nation’s attention came to an abrupt end thisweek with the confirmation that Morgan Harrington’s body had been found on a farm near Charlotteville, Virginia.  How was Morgan killed and more importantly, who killed her?

The how part of the murder should be know fairly soon with an autopsy.  Hopefully, the Virginia State Police can garner enough DNA evidence to determine some physical evidence of who might have been involved.  It has been over 3 months since that fateful night, 17 october 2009, but DNA forensic experts know that you can determine a lot with very little. One such article I read indicated that, to the examiner’s advantage was the fact that Morgan’s body was perserved in snow for much of the time.  Heat causes faster decompostion, so hopefully the cold winter will play to the investigator’s favor.

Another area that the investigator’s should look into is finding the perps through cell phone analysis.  Cell phone analysis?  What is this guy on, you might ask?  Hear me out.  Per the police timeline/map,Morgan was last seen about 9:20PM walking away from the stadium (Metallica concert).  Obviously someone picked her up sometime after that and took her body approximately 10 miles away onto a farm where her body was found this week.  What if, the perp(s), any of the them, used or received a cell phone call around the time of Morgan’s disapperance at or near the stadium?  Then what if, that same perp or perps, made or recieved a phone call at or near the farm later that evening when Morgan’s body was dropped off?  We would have a way to identify through correlation analysis matching phone numbers from the appropriate cell towers.  Do a cell tower dump the night of 17 October around 9PM near that bridge and another cell tower dump where the body was found.  It is worth a try and possibly a case buster.

In fact, I called the computer forensics department at the University of Central Florida – which is about 45 minutes North of here -  the other day and made some fantastic connections.  You guys know who you are.

Often times, these programs offer valuable resources for local law enforcement.  Faculty often volunteer at the local sheriff’s department to help with data collection and extraction.

More than just getting help on individual cases, though, nearby collegiate forensics programs offer a tremendous resource when it comes to staying on top of the latest techniques and technology.  It is their full-time job to stay on top of the operating systems, software, hardware, networking, data-basing, and other related digital forensics issues.  Although law enforcement often like to think that they are the experts, a dose of humility and an ability to ask the right questions can yields some enlightening ideas.

Another opportunity for local law enforcement – and even state agencies for that matter – to take advantage of in their local university is to provide internship opportunities for students.  Not only does it provide a fantastic chance to get some good PR, but in many case, the students need on-the-job training to earn necessary credits.  Therefore, the students are very incentivised to offer some worthwhile help.

Forensic Focus has made an effort to collect a list of computer forensic degrees – and it seems to be a relatively complete list.  Check it out on their course directory.  This nice, state-by-state list makes it easy to see where your nearest forensics course offerings are located.

The Task: Analyzing Cell Forensics

Sadly, most investigators are just viewing the data on a manual, phone-by-phone basis. This painstaking, manual process is certainly more worthwhile than not analyzing cell phones at all – but it requires the investigator to move back and forth between other data related to the case in order to identify correlations.

In our experience, most investigators dealing with cell forensics end up with multiple phones at once. This is particularly true for narcotics and gang related investigations. When you start dealing with multiple, likely affiliated phones the need for correlating the data becomes increasingly more important. However, because there is so much data to work with, the detective assigned to the case is only able to scratch the service with a manual approach due to time constraints.

Here in the USA, we are behind other countries – like the UK fore example – who have been on the mobile forensics analysis scene for a long time; but the reality is that even for the pros, the process from acquisition to extraction to analysis to correlation to lead generation is very manual. When we considered the fact that systems like the Cellebrite UFED, Secureview, and XRY already export to a standardized format, we recognized serious need for an analytical software tool that imports from these existing systems to for correlation. What do investigators need to be able to do? Here is a partial list.

The Requirements: Software Capabilities for Cell Forensic Analysis

1. Automatically import from most common cell forensic extraction hardware
2. Case management database with names, numbers, events, and whatever else is related to the case
3. Automatically match subject names & aliases, phone numbers, emails, calls, and other data to existing data already in the case management system – with manual override as needed
4. Produce graphical linkage reports based on individuals and groups of individuals connected by calls, text messages, email, calendar events, and especially phone books
5. Upon identifying numbers or names of interest, the ability to attach additional subpoenaed records to the names, images, and aliases found on the mobile phones
6. Cell tower import and mapping for subpoenaed records with lat / long data
7. The ability to maintain and export source files in an organized manner for use in court

You may be able to generate some link charts in I2 Analyst’s Notebook, but it is certainly a VERY manual process. The goal here is to make everything happen at the push of a button; that way, even if you are not a technical forensic analyst, you can still get the job done quickly. This is especially crucial for investigators; they need something that generates leads in the office so they can follow up in the field. Software systems exist for extracting the data and running a few rudimentary reports; but nothing comes close to meeting the 7 expectations listed above.

The Only Solution: THREADS™ Crime Analysis Software

The core capability of THREADS™ is criminal communication analysis, especially when it comes to call detail records. Its analysis is backed by a robust case management system that allows the analysis to link back into the records themselves, and to correlate with existing data in the case. In it’s 1.4 release which is coming out this January, THREADS™ is adding cell forensic import from the Cellebrite UFED, the Secureview, the Blackberry IPD, and soon the XRY.

Analysis inside THREADS™ investigation software yields focused leads for investigations involving cell forensics because it correlates the calls, address books, subject names (and nicknames), and more with other data relevant to the case. Existing case data can be brought into the system, and on import, everything gets matched up. There is no redundancy in the data; the more you bring in, the more rich your analysis becomes. As the system points you to new leads, you can proceed to subpoena their call detail records (CDRs) and bring those in as well. And yet, the reports inside THREADS™ are easily filtered to exclude irrelevant or distracting links.

Some Reports that THREADS™ Generates from Cell Forensics:

Subjects can be correlated to see who knows who – this chart was automatically generated inside THREADS™ based on two cell phones; one from a Cellebrite UFED, and another from a Susteen / Datapilot Secureview:

When is a subject hot and heavy on the phone? Run a timeline report to correlate events and see if communications are causal, operational, or reactionary:

Subjects (suspects) can be automatically correlated based on their communications, activities, enterprises, and virtually any sort of connection that an investigator would encounter:

Here in the near future, we will post some case studies here of real-life scenarios where cell forensics are being correlated with case data inside of THREADS™ to generate valuable leads for law enforcement. Feel free to contact us at Direct Hit Systems to Request a Demo of THREADS™.

What was once a very challenging forensic task has become easier with the development of push-button cell forensic extraction devices. We will recommend several of these cell forensic extraction devices – some that cost, but also many that are free.

Manual Data Extraction

The manual extraction of cell forensic data is a tedious, time consuming process. There is very little training available. In addition, the amount of customized hardware and tools required present challenges for even the most seasoned professional technicians.

Over in the UK, analysts are disassembling the phones and pulling data directly off of the data boards themselves; so, we know the manual approach can work. But I would submit that in light of rapidly advancing extraction toolset available, manual analysis is no longer yields the best time to results ratio.

Automated Extraction Tools (free)

There are sites on the web that offer free tools for an investigator to use to perform cell forensics. Many times, these tools are limited and focused a small set of phones – but can be useful nonetheless. One tool is Bitpim. BitPim is a program that allows you to view and manipulate data on many CDMA phones from LG, Samsung, Sanyo and other manufacturers.

Another free tool focused on Blackberry devices can be found BlackBerry.com. The user can download the Blackberry Device Manager and back-up any Blackberry device. The back-up file is in a proprietary format (IPD) and extracts some very useful forensic data including call records, SMS, emails (including all content) and calendar events. An IPD file can be converted to a useable format by using another tool – ABC Amber Blackberry Converter. It is not free, but only costs $19.95 for the tool.

Automated Extraction Tools (cost)

• The Cellebrite UFED (Universal Forensic Extraction Device) automatically extracts and parses data from over 2,000 different cell phones, including CDMA phones (like the ones that run on Verizon and Sprint) and GSM phones (AT&T & most international carriers). That is 95% of all phones in existence. Their new UFED Physical Pro model also allows investigators to access deleted content.
• Another significant tool widely used is the Micro Systemation’s XRY/XACT. Touting support for almost 1000 phones including the new Android, this cell forensic tool is becoming a must for investigators.
• Susteen / Data Pilot’s Secure View is a unique hand-held computer that allows the user to both extract forensic data and do basic analysis

But in the next article on analysis, we will move beyond extraction.  We will look at some cutting-edge investigation software that imports and analyzes the call records, phone books, text messages, emails, and more with the push of a button.

Point number one on Kelly’s plan outlines the need to update crime labs throughout California; both DNA and tech labs, in his opinion, need to be implementing better technology and standards accompanied by better training. The second point on Kelly’s criminal investigations technology plan is to create a “standardized crime mapping system across California”.  This would allow agencies to collaborate on geo-crime data for incidents, suspects, and even live tracking.  The other points are rather vague or somewhat irrelevant for the content on this blog  – so we will focus on these two.

We at Solid Forensics think that Mr. Kelly’s plan to improve lab technology and provide cross-agency mapping sounds great – but the “devil is in the details” as they say.  He claims that implementing new technology will reduce costs for an economically struggling California budget.  But in our opinion, which is based on extensive experience in actually providing this technology to law enforcement, their are plenty of systems out there that will not save anyone money.  Why?  Because they are developed and selected by government bureaucrats.

Kelly’s plan that is missing is the partnership with the private sector to needed accomplish these developments. Kelly mentioned “improving the DNA labs” across the state.   Good luck with that.  You may be able to speed up the processing of DNA samples from high-profile crimes, but you will never reach the level of effectiveness that is possible with a local partnership with a private firm.

Take the Palm Bay, FL successful implementation of a Local DNA Indexing System, for example.  They have managed to reduce their crime by 20% by partnering with DNA:SI labs to develop a LODIS system for use throughout their department.  We will write more on this development in the future, but the point here is that they saved residents millions of dollars in lost assets with a minor investment in a small firm to provide a service that – like the local PDs in California – is also provided by the state.

But the state – just because of it’s size – will NEVER be able to handle the volumes of DNA collection, identification, and analysis required to reduce crime like Palm Bay did.  It takes collaboration with private firms on the local level.  Any state-wide programs will be inhibited by red tape, lack of support for the systems, and sheer sluggishness due to size.

So, although Chris Kelly may have the right intentions, his state-wide, government-based solutions will ultimately end up costing taxpayers even more dollars that in our opinion, will never produce the return on investment that simply promoting local crime-fighting partnerships would generate.

And yet, it is hardly acceptable to just call these devices phones;  they would more appropriately be dubbed as “mini computers” with a whole host of valuable information for investigators.

Sadly, though, many local law enforcement agencies seem to think that analyzing cell forensics is “out of their league”.  Nothing could be further from the truth.  In fact, Europe, and especially the UK, are leaps and bounds ahead of us when it comes to taking advantage of mobile forensics – not because cell forensics are all that difficult, but because they recognize the value of the intelligence. In this article, we discuss the importance of cell forensics. In the next article, we will point out our favorite tools for extraction and analysis.

What are cell forensics?

This may seem like a stupid question, but I can think of at least a couple PDs that would give me a blank stare at the mention of “cell forensics”.  So here is my definition:

The extraction and analysis of data present on seized cell phones.

These phones are most often on an arrested suspect or are obtained through a warranted search.  I will not be going into details on how to legally obtain these devices; I have to assume a certain level of criminal justice knowledge here.  However, know that the entire process from acquisition to conclusions needs to be documented if you plan to use the data in court.  Consult your DA and make sure you acquire the devices correctly.

The data acquired from these phones includes:

• Numbers called and numbers calling in (aka Call Detail Records or CDRs)
• Address books
• Text Messages
• Pictures (sometimes with geographical location data!)
• Emails

Why are cell forensics so important?

If applied correctly, they can lead you to the next step of your investigation.

You get to see who has been called recently by your suspect, who is important enough to make it in his phone book, and in the case of a growing number of devices, you get to see who he is emailing.

However, cell forensics only have value if you have a system for analyzing them.  I have heard digital forensic acquisition professionals rant on and on about how they can get thousands of files off a phone.  This “feat” is completely pointless unless you have a plan for actually analyzing the data from the phones in the context of the case you are working.

In the next article, we will look at the hardware necessary to extract information along with the only software system in existence today that is actually performing analysis on cell forensics in the context of the rest of an investigator’s case.

If you have any questions, feel free to send us an email using the “contact us” tab at the top of this page.