Mobile forensics or cell forensics information acquired from cell phones are increasing as more and more as agencies incorporate tools like the Cellebrite UFED, XRY, SecureView and THREADS into their investigative process. As the need for this type of investigative analysis has increased, so has the debate about warrantless searches has escalated.

“Most police across the country are given wide latitude to search persons incident to an arrest based on the premise of officer safety. Now the nation’s states are beginning to grapple with the warrantless searches of mobile phones done at the time of an arrest.” Let’s hope for law enforcement’s case that Gov. Brown’s veto sets a precedent of where this thing is heading.

In addition, they have analyzed Mr. Coleman’s cell phone records and determined that one of his calls hit a certain cell tower on his way home from the gym the morning of the murders.  The article continues ” Coleman has contended he rushed home from the gym the morning of the murders because he tried calling, but couldn’t reach his family. Monday afternoon an AT&T Network Director testified about the calls made by Coleman that morning. James Kientzy said one of Coleman’s calls on his return home hit a cell tower North on I-255, which suggests he passed up Rt. 3 to give police extra time to get to the scene. It took him 15 minutes to get home after a call placed on the JB Bridge, a drive that should only take 5 minutes.” 

Finally, there are some damning computer forensics acquired from Mr. Coleman’s emails.  The defense is contending that someone else wrote these emails, but the forensic expert has stated that they originated form Mr. Coleman’s Dell laptop. Again the article states “The defense tried to argue that someone else could have logged on remotely and sent the emails. They provided no evidence and the technician said it was unlikely since no program can remotely power on a computer that requires a wireless card to connect to the internet.”

Interesting evidence.  Glad they got him!

This problem has caused the correctional industry to look hard at cell jamming and finder techniques to limit the infiltration of the cell phone contraband.  Realizing that this is really a huge problem, it can be an opportunity as well.  An opportunity – you say – how does that make any sense? 

Trying to think outside of the box, lets look at some of the advantages of a cell phone in an inmate’s hand.  A contraband cell phone gives law enforcement something that they are not afforded (as readily) through the inmate use of a “secret” cell phone.  An inmate with a cell phone is  now “free” to make calls and speak freely.  They are more apt to contact individuals that would not normally contact to facilitate activities that they would not dare do on the recorded prison calls.  When a phone is then confiscated, and the cell forensics data is retrieved through the use of a Cellebrite UFED or SecureView device, we now have a full and open profile of the inmate.  We can not a only see who he talked to and text-messaged, we can bounce that against other inmates to look for collaborations on the outside and common contacts. 

Analysis of this type can be readily done using techniques in Excel – looking for correlations or other software products on the market such as THREADS - that specifically analyzes inmate phone CDRs (call detail records) and cell forensics to provide calls and callers of interest.

Take a particular homicide case that is currently being tried in Lakeport, CA. The prosecution in this case has presented cell forensic and phone analysis vital in determining who communicated what, where and when.  Much of the cell phone analysis is based on cell phone forensics produced by the Northern California Computer Crimes Task Force (CCTF).

In the case, a detective at the CCTF provided testimony related to information retrieved from the (victim’s) cell phone as well as a cell phone associated with the (main suspect). The testimony provided related to call logs, contact lists and text messages sent and received between the phones.

“The defense voiced objections to taking information within messages allegedly sent between (the victim, the main suspect and a witness) on the grounds of hearsay as the CCTF detective testified that forensic capabilities do not allow for identification of who actually used a specific phone at any specific time.” Fortunately the objection was over ruled in this case.

The Task: Analyzing Cell Forensics

Sadly, most investigators are just viewing the data on a manual, phone-by-phone basis. This painstaking, manual process is certainly more worthwhile than not analyzing cell phones at all – but it requires the investigator to move back and forth between other data related to the case in order to identify correlations.

In our experience, most investigators dealing with cell forensics end up with multiple phones at once. This is particularly true for narcotics and gang related investigations. When you start dealing with multiple, likely affiliated phones the need for correlating the data becomes increasingly more important. However, because there is so much data to work with, the detective assigned to the case is only able to scratch the service with a manual approach due to time constraints.

Here in the USA, we are behind other countries – like the UK fore example – who have been on the mobile forensics analysis scene for a long time; but the reality is that even for the pros, the process from acquisition to extraction to analysis to correlation to lead generation is very manual. When we considered the fact that systems like the Cellebrite UFED, Secureview, and XRY already export to a standardized format, we recognized serious need for an analytical software tool that imports from these existing systems to for correlation. What do investigators need to be able to do? Here is a partial list.

The Requirements: Software Capabilities for Cell Forensic Analysis

1. Automatically import from most common cell forensic extraction hardware
2. Case management database with names, numbers, events, and whatever else is related to the case
3. Automatically match subject names & aliases, phone numbers, emails, calls, and other data to existing data already in the case management system – with manual override as needed
4. Produce graphical linkage reports based on individuals and groups of individuals connected by calls, text messages, email, calendar events, and especially phone books
5. Upon identifying numbers or names of interest, the ability to attach additional subpoenaed records to the names, images, and aliases found on the mobile phones
6. Cell tower import and mapping for subpoenaed records with lat / long data
7. The ability to maintain and export source files in an organized manner for use in court

You may be able to generate some link charts in I2 Analyst’s Notebook, but it is certainly a VERY manual process. The goal here is to make everything happen at the push of a button; that way, even if you are not a technical forensic analyst, you can still get the job done quickly. This is especially crucial for investigators; they need something that generates leads in the office so they can follow up in the field. Software systems exist for extracting the data and running a few rudimentary reports; but nothing comes close to meeting the 7 expectations listed above.

The Only Solution: THREADS™ Crime Analysis Software

The core capability of THREADS™ is criminal communication analysis, especially when it comes to call detail records. Its analysis is backed by a robust case management system that allows the analysis to link back into the records themselves, and to correlate with existing data in the case. In it’s 1.4 release which is coming out this January, THREADS™ is adding cell forensic import from the Cellebrite UFED, the Secureview, the Blackberry IPD, and soon the XRY.

Analysis inside THREADS™ investigation software yields focused leads for investigations involving cell forensics because it correlates the calls, address books, subject names (and nicknames), and more with other data relevant to the case. Existing case data can be brought into the system, and on import, everything gets matched up. There is no redundancy in the data; the more you bring in, the more rich your analysis becomes. As the system points you to new leads, you can proceed to subpoena their call detail records (CDRs) and bring those in as well. And yet, the reports inside THREADS™ are easily filtered to exclude irrelevant or distracting links.

Some Reports that THREADS™ Generates from Cell Forensics:

Subjects can be correlated to see who knows who – this chart was automatically generated inside THREADS™ based on two cell phones; one from a Cellebrite UFED, and another from a Susteen / Datapilot Secureview:

When is a subject hot and heavy on the phone? Run a timeline report to correlate events and see if communications are causal, operational, or reactionary:

Subjects (suspects) can be automatically correlated based on their communications, activities, enterprises, and virtually any sort of connection that an investigator would encounter:

Here in the near future, we will post some case studies here of real-life scenarios where cell forensics are being correlated with case data inside of THREADS™ to generate valuable leads for law enforcement. Feel free to contact us at Direct Hit Systems to Request a Demo of THREADS™.

See the article on the McAlester office of the Oklahoma State Bureau of Investigation.

Although there are a few ISP companies that offer a web interface to subpoena data (Sprint is one of them), there is no excitement in the ISP world for setting up a national system to handle this type of data.  There are too many security and privacy issues to overcome.  This is exacerbated by a recent Justice Department’s 289 page report that claimed the “FBI obtained Americans’ telephone records by citing nonexistent emergencies and simply asking for the data or writing phone numbers on a sticky note rather than following procedures required by law.”

Maybe a national web interface is not the answer, but a better system needs to be put in place to allow law enforcement to obtain legal and timely information from ISPs and the Social Networks (Facebook, Myspace, etc.) to assist them in solving their cases.

The missing person’s case that captured the nation’s attention came to an abrupt end thisweek with the confirmation that Morgan Harrington’s body had been found on a farm near Charlotteville, Virginia.  How was Morgan killed and more importantly, who killed her?

The how part of the murder should be know fairly soon with an autopsy.  Hopefully, the Virginia State Police can garner enough DNA evidence to determine some physical evidence of who might have been involved.  It has been over 3 months since that fateful night, 17 october 2009, but DNA forensic experts know that you can determine a lot with very little. One such article I read indicated that, to the examiner’s advantage was the fact that Morgan’s body was perserved in snow for much of the time.  Heat causes faster decompostion, so hopefully the cold winter will play to the investigator’s favor.

Another area that the investigator’s should look into is finding the perps through cell phone analysis.  Cell phone analysis?  What is this guy on, you might ask?  Hear me out.  Per the police timeline/map,Morgan was last seen about 9:20PM walking away from the stadium (Metallica concert).  Obviously someone picked her up sometime after that and took her body approximately 10 miles away onto a farm where her body was found this week.  What if, the perp(s), any of the them, used or received a cell phone call around the time of Morgan’s disapperance at or near the stadium?  Then what if, that same perp or perps, made or recieved a phone call at or near the farm later that evening when Morgan’s body was dropped off?  We would have a way to identify through correlation analysis matching phone numbers from the appropriate cell towers.  Do a cell tower dump the night of 17 October around 9PM near that bridge and another cell tower dump where the body was found.  It is worth a try and possibly a case buster.

In fact, I called the computer forensics department at the University of Central Florida – which is about 45 minutes North of here -  the other day and made some fantastic connections.  You guys know who you are.

Often times, these programs offer valuable resources for local law enforcement.  Faculty often volunteer at the local sheriff’s department to help with data collection and extraction.

More than just getting help on individual cases, though, nearby collegiate forensics programs offer a tremendous resource when it comes to staying on top of the latest techniques and technology.  It is their full-time job to stay on top of the operating systems, software, hardware, networking, data-basing, and other related digital forensics issues.  Although law enforcement often like to think that they are the experts, a dose of humility and an ability to ask the right questions can yields some enlightening ideas.

Another opportunity for local law enforcement – and even state agencies for that matter – to take advantage of in their local university is to provide internship opportunities for students.  Not only does it provide a fantastic chance to get some good PR, but in many case, the students need on-the-job training to earn necessary credits.  Therefore, the students are very incentivised to offer some worthwhile help.

Forensic Focus has made an effort to collect a list of computer forensic degrees – and it seems to be a relatively complete list.  Check it out on their course directory.  This nice, state-by-state list makes it easy to see where your nearest forensics course offerings are located.