What was once a very challenging forensic task has become easier with the development of push-button cell forensic extraction devices. We will recommend several of these cell forensic extraction devices – some that cost, but also many that are free.

Manual Data Extraction

The manual extraction of cell forensic data is a tedious, time consuming process. There is very little training available. In addition, the amount of customized hardware and tools required present challenges for even the most seasoned professional technicians.

Over in the UK, analysts are disassembling the phones and pulling data directly off of the data boards themselves; so, we know the manual approach can work. But I would submit that in light of rapidly advancing extraction toolset available, manual analysis is no longer yields the best time to results ratio.

Automated Extraction Tools (free)

There are sites on the web that offer free tools for an investigator to use to perform cell forensics. Many times, these tools are limited and focused a small set of phones – but can be useful nonetheless. One tool is Bitpim. BitPim is a program that allows you to view and manipulate data on many CDMA phones from LG, Samsung, Sanyo and other manufacturers.

Another free tool focused on Blackberry devices can be found BlackBerry.com. The user can download the Blackberry Device Manager and back-up any Blackberry device. The back-up file is in a proprietary format (IPD) and extracts some very useful forensic data including call records, SMS, emails (including all content) and calendar events. An IPD file can be converted to a useable format by using another tool – ABC Amber Blackberry Converter. It is not free, but only costs $19.95 for the tool.

Automated Extraction Tools (cost)

• The Cellebrite UFED (Universal Forensic Extraction Device) automatically extracts and parses data from over 2,000 different cell phones, including CDMA phones (like the ones that run on Verizon and Sprint) and GSM phones (AT&T & most international carriers). That is 95% of all phones in existence. Their new UFED Physical Pro model also allows investigators to access deleted content.
• Another significant tool widely used is the Micro Systemation’s XRY/XACT. Touting support for almost 1000 phones including the new Android, this cell forensic tool is becoming a must for investigators.
• Susteen / Data Pilot’s Secure View is a unique hand-held computer that allows the user to both extract forensic data and do basic analysis

But in the next article on analysis, we will move beyond extraction.  We will look at some cutting-edge investigation software that imports and analyzes the call records, phone books, text messages, emails, and more with the push of a button.

And yet, it is hardly acceptable to just call these devices phones;  they would more appropriately be dubbed as “mini computers” with a whole host of valuable information for investigators.

Sadly, though, many local law enforcement agencies seem to think that analyzing cell forensics is “out of their league”.  Nothing could be further from the truth.  In fact, Europe, and especially the UK, are leaps and bounds ahead of us when it comes to taking advantage of mobile forensics – not because cell forensics are all that difficult, but because they recognize the value of the intelligence. In this article, we discuss the importance of cell forensics. In the next article, we will point out our favorite tools for extraction and analysis.

What are cell forensics?

This may seem like a stupid question, but I can think of at least a couple PDs that would give me a blank stare at the mention of “cell forensics”.  So here is my definition:

The extraction and analysis of data present on seized cell phones.

These phones are most often on an arrested suspect or are obtained through a warranted search.  I will not be going into details on how to legally obtain these devices; I have to assume a certain level of criminal justice knowledge here.  However, know that the entire process from acquisition to conclusions needs to be documented if you plan to use the data in court.  Consult your DA and make sure you acquire the devices correctly.

The data acquired from these phones includes:

• Numbers called and numbers calling in (aka Call Detail Records or CDRs)
• Address books
• Text Messages
• Pictures (sometimes with geographical location data!)
• Emails

Why are cell forensics so important?

If applied correctly, they can lead you to the next step of your investigation.

You get to see who has been called recently by your suspect, who is important enough to make it in his phone book, and in the case of a growing number of devices, you get to see who he is emailing.

However, cell forensics only have value if you have a system for analyzing them.  I have heard digital forensic acquisition professionals rant on and on about how they can get thousands of files off a phone.  This “feat” is completely pointless unless you have a plan for actually analyzing the data from the phones in the context of the case you are working.

In the next article, we will look at the hardware necessary to extract information along with the only software system in existence today that is actually performing analysis on cell forensics in the context of the rest of an investigator’s case.

If you have any questions, feel free to send us an email using the “contact us” tab at the top of this page.