Expert Witness Corner: Forensic Analysis of Mobile Telephones – A Brief Guide

Mobile Telephone Handsets – The Essentials:

Modern communication devices of this form comprise of three distinct components: a finger-nail sized chip known as the ‘Subscriber Identity Module’ (SIM) that is responsible for service with the telecom network provider, the handset, which provides the user interface and memory capacity to store information, and removable memory modules that facilitate simple exchange of information and markedly improve the data storage capacity of the phone.

Many specialists argue that the mobile phone has become the new fingerprint – a case in point being Ian Huntley’s conviction for the Soham murders  in the U.K which was based partly on crucial mobile phone evidence.

Digital Evidence:

Mobile phones employ what is known as ‘flash memory’ to store data and settings. Unlike the ‘Random Access Memory’ (RAM), which is found within computers, flash memory can continue to store information even in the absence of a power source.

As mobile communication devices continue to evolve, with features like word processing and photo imaging applications becoming commonplace, the memory storage areas have become increasingly important silos of digital evidence.

The following materials can be recovered from the handset and can greatly assist in case preparations:

• Logged Incoming & Last Dialled numbers
• Text & Multimedia messages
• System Settings (including date/time/volume)
• Stored audio/visual materials
• Saved computer and data files
• Calendar and Alarm notifications
• Internet settings and websites accessed.

Common Questions:

Q: Where does evidence reside – on the handset or on the SIM?

A: Materials of evidentiary value are stored on both the SIM4 and within the handset memory. Therefore it is recommended that comprehensive evaluations of both are undertaken. The SIM will tend to contain valuable user-specific information such as network identity, whilst the handset will contain large amounts of information relating to calls made/received, texts sent/received, images/video clips created etc.

Q: Can obscene images/material be stored on a handset?

A:The prevalence of high resolution cameras on most mobile telephones has led to an increase in the number of offences being committed in relation to creation, or attempted creation, of obscene images. Assuming a standard handset with 32MB of memory, close to 500 still images could be taken and stored.

Q: Data deleted six months ago – can it be recovered?

A: Dependent upon a number of factors, such as whether the information has since been over-written, it is possible to retrieve even the oldest materials committed to the phone – including material that were never saved by the user. In most cases a surprising amount of information can be retrieved, often going back several years.

Q: Does locking the handset keep information private?

A: Personal Identification Numbers (PINs) and pass codes can be used to restrict access to the handset, but forensic assessments typically bypass such controls by interrogating the memory module directly5. At this time encrypted file-systems and data storage areas are not available in standard retail handsets.

Q: What else can the handset tell us?

A: Aside from digital evidence the presence of DNA traces on the keypad, earpiece and mouthpiece can tie a user to device. Similarly, ‘Call Data Records’ (CDRs)6 can be retrieved from the network provider, providing near post-code location information as to where and when the device was used.

Q: How do you identify the International Mobile Equipment Identity?

A: The IMEI is a 15 digit Code used to identify the phone to the network. Whilst this code can be retrieved during a forensic examination, a quick way to force the handset to display onscreen the code is to enter *#06# on the keypad7. Caution: this approach to identifying the IMEI may affect valuable evidence in storage.

Q: OK, I’ve got the basics, but where can I find the right expert to help my case?

A: There are a number of expert witness directories available, particularly online, where you can find an expert witness with the relevant experience to help you. If you can find someone recommended by a fellow professional who has used the expert before, so much the better.

Did you know?

New mobile telephones have as much as 32 megabytes of internal memory – enough to comfortably store a document with over 2,000 pages of text!

Telephone handsets will typically store user defined words that are not in a normal dictionary. Names of individuals and places are therefore often stored in this archive – a potentially valuable source of intelligence for investigators.

Ross Patel is a forensic computer consultant with Afentis Forensics. You can view the company profile and find an expert witness at X-Pro UK, the innovative expert witness directory.

Double-murder trial delayed for new defense expert analysis

Double-murder trial delayed for new defense expert analysis
The reversal, the judge said, came "for failure to grant the defense an expert witness." PTSD, Pounds conjectured, "isn't nearly as important" as other issues in Brown's case. And he termed likely trial testimony by the state as "contradictive" and in …
Read more on Northeast Mississippi Daily Journal

Brakes become key issue in deadly Calif. bus crash
It will encompass a broad range of factors, from road conditions to witness accounts, an exhaustive review of the vehicle to an evaluation of the driver and his decisions. Investigators have also taken a … Chris Medwell, an expert in heavy vehicle …
Read more on Boston Herald