Various types of cellular and digital networks are available for mobile device use within the United States. The two most common cellular network technologies are Code Division Multiple Access (CDMA) and Global System for Mobile Communications (GSM). CDMA is commonly found in the United States, whereas GSM originated in Europe and is used worldwide. More modern devices, such as Apple's iPhone, contain radios for both networks, while many other devices support only one. Mobile devices are typically tied to a mobile service provider that operates one or more types of cellular network. Despite the differences in radio technology, the organization of the cellular network is basically the same in both cases: mobile phones communicate with cell sites, cell sites communicate with one another, and the mobile switching centers and the base station subsystem tie the network together. Cellular networks are very different from computer networks found in a typical home or
Mobile Device Communication with Cell Sites
Most mobile devices communicate with a particular subset of the network types mentioned above, in most cases those operated by the service provider from which the phone was purchased or with which the user has a service agreement.
Digital cellular networks deliver service by dividing large geographical areas into smaller cells of coverage. Cell towers play an important role in reusing the limited radio spectrum available, which allows more simultaneous cellular communication, whether voice calls or data, to take place. As a mobile device travels from one cell tower to another, a handover procedure monitors the device's activity and connections and transfers them between towers so that the connection is maintained. Managing the cellular network, administering subscriber services, and accurately billing subscribers, together with the subscriber's financial records, data, service agreement and activity, is handled and maintained by the cellular network infrastructure.
Mobile Switching Center
The mobile switching center (MSC) oversees general communications for the cellular network, including registration, authentication, location updating, handovers, and call routing. MSCs interconnect with the public switched telephone network (PSTN) through a Gateway MSC (GMSC). The MSC relies on several databases. The main one, the central repository for cellular subscriber service and usage information, is the Home Location Register (HLR). Working alongside the HLR is the Visitor Location Register (VLR), which holds a temporary copy of the subscriber data for every device currently registered in that MSC's service area, including visitors roaming in from other networks. The Serving GPRS Support Node (SGSN) performs a role similar to that of the MSC and VLR for General Packet Radio Service (GPRS), the packet-switched service that provides Internet access. Subscriber account information, such as user data, subscribed services, and the last location registered in the network, is held in the HLR; the HLR interacts with the MSC to route calls and messages and to generate usage records and Call Detail Records (CDRs).
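The register interactions described above, as an added example that is not part of the original paper or of any carrier's software: a small Python model in which a device registers with one MSC/VLR, moves into another MSC's area so the HLR cancels the old VLR entry and inserts data into the new one, and then receives a call that the gateway routes by asking the HLR for a roaming number. The IMSI, phone number, MSC names and roaming-number prefixes are constructed, and the message names are simplified from the GSM MAP procedures (UpdateLocation, CancelLocation, InsertSubscriberData, SendRoutingInfo, ProvideRoamingNumber).

```python
"""Toy model of the GSM subscriber registers: HLR, VLRs and a gateway lookup.

Added example, not from the paper or any real carrier software. All identifiers
below are constructed; the message names are simplified GSM MAP procedures.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Subscriber:
    imsi: str                    # subscriber identity stored on the SIM (constructed)
    msisdn: str                  # dialable number (constructed)
    services: List[str]          # provisioned services
    vlr: Optional[str] = None    # name of the VLR where the device last registered


class VLR:
    """Visitor Location Register, co-located with one MSC."""

    def __init__(self, name: str, msrn_prefix: str):
        self.name = name
        self.msrn_prefix = msrn_prefix          # roaming numbers this MSC hands out
        self.visitors: Dict[str, dict] = {}     # IMSI -> temporary copy of subscriber data
        self._msrn_counter = 0

    def attach(self, imsi: str, hlr: "HLR", vlrs: Dict[str, "VLR"]) -> bool:
        """Device registers here; ask the HLR to move the subscriber to this VLR."""
        if imsi in self.visitors:
            return True                          # periodic re-registration, nothing to move
        return hlr.update_location(imsi, self, vlrs)   # UpdateLocation

    def insert_subscriber_data(self, sub: Subscriber) -> None:
        """InsertSubscriberData: HLR pushes the profile the MSC needs to serve the device."""
        self.visitors[sub.imsi] = {"msisdn": sub.msisdn, "services": list(sub.services)}

    def cancel_location(self, imsi: str) -> None:
        """CancelLocation: the device has registered elsewhere, forget it here."""
        self.visitors.pop(imsi, None)

    def provide_roaming_number(self, imsi: str) -> Optional[str]:
        """ProvideRoamingNumber: temporary number the gateway dials to reach this MSC."""
        if imsi not in self.visitors:
            return None
        self._msrn_counter += 1
        return f"{self.msrn_prefix}{self._msrn_counter:04d}"


class HLR:
    """Home Location Register: permanent subscriber data plus last registered VLR."""

    def __init__(self) -> None:
        self.subscribers: Dict[str, Subscriber] = {}
        self.log: List[str] = []                 # record of every location change

    def provision(self, sub: Subscriber) -> None:
        self.subscribers[sub.imsi] = sub

    def update_location(self, imsi: str, new_vlr: VLR, vlrs: Dict[str, VLR]) -> bool:
        sub = self.subscribers.get(imsi)
        if sub is None:
            self.log.append(f"UpdateLocation {imsi} at {new_vlr.name}: unknown IMSI, rejected")
            return False
        if sub.vlr and sub.vlr != new_vlr.name:
            vlrs[sub.vlr].cancel_location(imsi)  # old MSC forgets the subscriber
            self.log.append(f"CancelLocation {imsi} at {sub.vlr}")
        sub.vlr = new_vlr.name                   # the "last registered location" the HLR keeps
        new_vlr.insert_subscriber_data(sub)
        self.log.append(f"UpdateLocation {imsi} at {new_vlr.name}: accepted")
        return True

    def send_routing_info(self, msisdn: str, vlrs: Dict[str, VLR]) -> Optional[str]:
        """SendRoutingInfo: the gateway MSC asks where to route an incoming PSTN call."""
        for sub in self.subscribers.values():
            if sub.msisdn == msisdn and sub.vlr is not None:
                return vlrs[sub.vlr].provide_roaming_number(sub.imsi)
        return None


def demo():
    """Device registers at MSC-A, moves into MSC-B's area, then receives a call."""
    hlr = HLR()
    imsi = "310150123456789"                     # constructed IMSI
    hlr.provision(Subscriber(imsi, "+15551234567", ["voice", "sms", "gprs"]))
    vlrs = {"MSC-A": VLR("MSC-A", "+1555900"), "MSC-B": VLR("MSC-B", "+1555901")}
    vlrs["MSC-A"].attach(imsi, hlr, vlrs)
    vlrs["MSC-B"].attach(imsi, hlr, vlrs)        # location update into MSC-B's area
    msrn = hlr.send_routing_info("+15551234567", vlrs)
    return hlr, vlrs, msrn


if __name__ == "__main__":
    hlr, vlrs, msrn = demo()
    print("\n".join(hlr.log))
    print("roaming number for incoming call:", msrn)
```

After the second registration the HLR points at MSC-B, MSC-A no longer holds the subscriber, and the call is routed through a number issued by MSC-B. The `hlr.log` list is the kind of record a carrier's HLR produces that later shows where a device was last registered.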
The compressed form factor of today's mobile devices, such as tablets and smartphones, and their limitations in power and capability should not mislead people into viewing them as ineffective. These devices are very well built and contain powerful processors with ample memory and features.
These devices can operate on two networks, cellular and Wi-Fi, simultaneously. Employees may now come to the office with private Internet access in their pocket, with little or no control by the information security team.
As these devices travel across multiple wireless and cellular networks, they connect and disconnect as the surrounding network infrastructure changes. They also continuously listen for wireless networks, both known and unknown, and frequently probe for the networks on their preferred network list (PNL), the list of previously joined wireless networks. Once a preferred network is in range, the device connects to the one with the strongest signal.
Mobile phones have a large storage capacity and a wide range of applications and connectivity options available to the user through each telecommunications provider. Mobile device forensics applications and toolkits are relatively new, and developers have difficulty keeping up with technological advances because of the rapid turnover of products driven by market demand. The forensic tools available are often limited to one or a few phone manufacturers, with a limited number of devices supported (Marwan, 2-3).
Mobile Device Standards
As for standards, the only evaluation document available for mobile phone forensics toolkits is published by the National Institute of Standards and Technology (NIST) (Ayers NIST Web, 1-2). NIST and various law enforcement staff help develop the requirements, assertions and test case documents used to evaluate the toolkits and to guide agencies in choosing the product that fits their needs. The NIST evaluation document contains generic scenarios created to mirror real-life situations that may arise during a forensic examination of a mobile device. The scenarios serve as a baseline for helping the forensics community determine a tool's capacity to acquire and examine data, and so which tools are worth investing in. The NIST evaluation documents are considered an important resource for forensic investigators to maintain quality control and to validate toolkit functionality for proper data acquisition and reporting in mobile device forensics.
It is no simple task to create standards for such a varied group of device manufacturers, who use proprietary circuitry and do not seem to agree on communications standards, so the forum has had limited success in the United States. Apple has already stated that it will not join any standards effort. The outcome of the WAC will likely be a broad set of guidelines adopted inconsistently by manufacturers. It would be prudent for the government to support open standards in order to lower the cost for law enforcement forensic investigators to recover data for investigations and to choose the appropriate tools.
Forensic evidence is only as valuable as the integrity of the method by which it was obtained. The methods applied to obtain evidence are best defended when standards are known and established by the digital forensics community. The Fourth Amendment limits the ability of government agents to search for and seize evidence without a warrant, and this includes searches of computers.
The Fourth Amendment
states: The right of the people to be secure in their persons, houses, papers,
and effects, against unreasonable searches and seizures, shall not be violated,
and no Warrants shall issue, but upon probable cause, supported by Oath or
affirmation, and particularly describing the place to be searched, and the
persons or things to be seized.
The Fourth Amendment question that typically arises in digital evidence cases is whether an individual has a reasonable expectation of privacy in electronic information stored on devices under that individual's control. Computer evidence can present a challenge for prosecutors and defendants alike. A guide to offering mobile device data as evidence is beyond the scope of this research, but a few examples of digital forensics issues in real-life situations are described below.
As with digital evidence from a computer, proper legal authority is necessary to perform a forensic investigation of cellular telephones and mobile handheld devices. Courts have allowed such searches to be performed to preserve evidence that could easily be altered or destroyed. The authors of the Fourth Amendment could not have envisioned the powerful technology of today's electronic age, and courts have only begun to answer the difficult questions these devices raise. Current Fourth Amendment doctrine and precedent suggest that the United States Supreme Court would permit invasive searches of a mobile device found on the person of an arrestee, and the Court has allowed an exception permitting warrantless searches on the grounds that law enforcement should be able to look for weapons or other evidence linked to the alleged crime. The Obama administration and many local prosecutors hold that such warrantless searches during an arrest are constitutional (McCullagh, 2).
Privacy advocates argue that the existing legal rules allowing law enforcement to search suspects at the time of arrest should not apply to mobile devices such as smartphones, because the volume and value of the information stored, including personally identifiable information (PII), is far greater and the intrusiveness of such a search is correspondingly higher. PII is information connected to an individual, including but not limited to education, financial transactions, medical information, and criminal or employment history, which can be used to trace that individual's identity, such as name, social security number, or birth date. While technologies have evolved over the years, the search-incident-to-arrest principle has remained constant.
In digital media searches, the media are frequently searched off site in a secured forensics laboratory. Generally, courts have treated the off-site forensic analysis of seized digital media as a continuation of the initial search; thus the investigator is still bound by the Fourth Amendment. Because this analysis is treated as part of the initial search, the government bears the burden of proving not only that the seizure was reasonable and proper, but also that the search was conducted in a reasonable manner. To ensure that the search and seizure and the forensic analysis meet this burden later at trial, the forensic investigator should generate a written report with clear documentation of the
Chain of Custody and Preservation of Evidence
The goal of a forensic investigator is to obtain evidence using the most acceptable methods, so that the evidence will be admitted at trial according to law. Obtaining a judge's acceptance of evidence is commonly called admission of evidence. Admissibility requires a lawful search and strict adherence to chain-of-custody rules covering evidence collection, preservation, analysis, and reporting.
According to the International Organization on Computer Evidence (IOCE), the following general principles should be followed when recovering digital evidence in order to maintain chain of custody:
1. All of the general forensic and procedural principles should be adhered to when dealing with digital evidence.
2. Upon seizing digital evidence, any actions taken should not modify the original evidence.
3. When it is necessary for personnel to access the original digital evidence, the personnel should be appropriately trained for the purpose.
4. All activities associated with the seizure, access, storage or transfer of digital evidence must be fully and properly documented, preserved and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence while that evidence is in the individual's possession.
6. Any agency that is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with all six principles (Guidelines for Best Practice in the Forensic Examination of Digital Technology 17-18).
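One way to make principles 2, 4 and 5 checkable rather than merely documented, as an added example that is neither the paper's nor IOCE's: a hash-chained custody log in Python in which every custody event records the SHA-256 of the evidence item and of the previous log entry, so a reviewer can verify both that the evidence is unchanged since acquisition and that no entry was altered or removed. The image bytes, examiner names and timestamps are constructed; nothing here is a real forensic image format.

```python
"""Hash-chained chain-of-custody log for one evidence item (e.g. a phone image).

Added example, not from the paper or the IOCE guidelines. The evidence bytes,
custodian names and timestamps are constructed for illustration.
"""
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64            # prev_entry_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: Dict[str, object]) -> str:
    """Hash of an entry's fields, excluding its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


class CustodyLog:
    """Append-only custody log; each entry binds evidence hash and previous entry."""

    def __init__(self, evidence_id: str, acquisition_hash: str):
        self.evidence_id = evidence_id
        self.acquisition_hash = acquisition_hash   # hash taken at seizure (principle 2)
        self.entries: List[Dict[str, object]] = []

    def record(self, action: str, custodian: str, evidence: bytes, timestamp: str) -> Dict[str, object]:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "evidence_id": self.evidence_id,
            "action": action,
            "custodian": custodian,          # a named person is responsible (principle 5)
            "timestamp": timestamp,
            "evidence_hash": sha256_hex(evidence),
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> Tuple[bool, List[str]]:
        """Check the evidence against the acquisition hash and the log against itself."""
        problems: List[str] = []
        if sha256_hex(evidence) != self.acquisition_hash:
            problems.append("evidence no longer matches acquisition hash")
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i:
                problems.append(f"entry {i}: sequence gap (missing or removed entry)")
            if e["prev_entry_hash"] != prev:
                problems.append(f"entry {i}: not chained to previous entry")
            if entry_digest(e) != e["entry_hash"]:
                problems.append(f"entry {i}: entry contents altered after it was written")
            if e["evidence_hash"] != self.acquisition_hash:
                problems.append(f"entry {i}: evidence changed while held by {e['custodian']}")
            prev = e["entry_hash"]
        return (not problems, problems)


def build_example_log() -> Tuple[CustodyLog, bytes]:
    """Constructed sample: one image passing through seizure, transfer and analysis."""
    image = b"CONSTRUCTED-PHONE-IMAGE:" + bytes(range(256)) * 4
    log = CustodyLog("EV-0001", sha256_hex(image))
    log.record("seized and imaged", "Officer A", image, "2012-03-01T09:15:00Z")
    log.record("transferred to lab", "Examiner B", image, "2012-03-01T13:40:00Z")
    log.record("analysis started", "Examiner B", image, "2012-03-02T08:05:00Z")
    return log, image


def tamper_examples() -> Dict[str, List[str]]:
    """What verify() reports for three kinds of custody failure."""
    results: Dict[str, List[str]] = {}
    log, image = build_example_log()
    results["modified_evidence"] = log.verify(image[:-1] + b"\x00")[1]   # evidence altered

    log, image = build_example_log()
    log.entries[1]["custodian"] = "Examiner C"                           # history rewritten
    results["edited_entry"] = log.verify(image)[1]

    log, image = build_example_log()
    del log.entries[1]                                                   # transfer record removed
    results["removed_entry"] = log.verify(image)[1]
    return results


if __name__ == "__main__":
    log, image = build_example_log()
    print("clean log:", log.verify(image))
    for name, probs in tamper_examples().items():
        print(name, "->", probs)
```

An intact log verifies with no problems; changing a byte of the image, editing a past entry, or deleting an entry each produces a specific finding, which is what a reviewer at trial needs rather than a bare assertion that procedures were followed.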
While a mobile phone is powered on, it searches for the strongest signal, usually from the nearest active cell tower or whichever tower gives the device the best signal. As the device is transported, it continues to search and adjusts to maximize signal strength. The identity of the most recently connected cell tower is recorded as a database entry in the phone's file system; thus, when the device moves to a new area, a new entry is written to that database.
The most important step for a first-responder investigator, on arriving at a crime scene and identifying a mobile device as possible evidence, is to determine how best to preserve the device and its data. This should include recording and documenting the scene, with photographs of the mobile device in its undisturbed state. One recommendation is to power the device off to preserve its data and battery. If it is not possible to power the device off safely, the phone should be shielded from cell towers. Aside from securing the device by either disconnecting or maintaining its power supply, the investigator should seize any accessories that could contain evidence, such as SIM and media cards, headsets, charger cables and cases.
When a mobile device has been powered off, text messages and other data may queue at the carrier for delivery when the phone is powered back on and returns to service. Once delivered, the queued messages and data can overwrite old and deleted messages and data on the device. Carriers may also update system files and roaming settings when the device reconnects to the network. There is also the potential for corruption of downloaded data, and of the device's file system, during a forensic examination if system updates are transmitted to
The equipment that works best is a radio frequency (RF) shielded test enclosure box, such as those from a forensic product vendor like Ramsey Electronics. The Ramsey boxes isolate the mobile device from the cellular carrier's network and other RF signals, preventing any incoming or outgoing communication, including
Another option for transporting a mobile device from the crime scene to the lab is a Faraday bag. Faraday bags are plastic-coated RF-shielded bags designed to isolate a mobile device from external contact; a conductive mesh provides the shielding for secure transport to the laboratory. One issue with Faraday bags is that a phone often continues to search for a signal while in the bag, which can zero out the register that holds the location data and make the device useless as an evidence artifact. Another issue is that this increased activity while the powered-on device is in the bag drains the battery faster. With the Apple iPhone in particular, it is imperative that the forensic investigator seize the device properly because of the Remote Wipe feature. A user can issue this command whenever the phone is connected to the Internet or the phone network. If the device is powered off or placed in a Faraday bag it cannot be remotely wiped; however, once it is powered back on, the wiping process, if activated, will automatically be
When choosing a shielding product such as those mentioned above, it is important that it still allows the forensic investigator to use the necessary tools to complete the examination, within the shielded area of a forensics laboratory if possible.
Need for Mobile Forensics
Mobile device forensics is the process of recovering digital evidence from a mobile device under forensically sound conditions using acceptable methods. "Forensically sound" is a term used in the digital forensics community to justify the use of a particular technology or methodology; many practitioners use it to describe the capabilities of a piece of software or an analysis approach (McKemmish). Mobile devices vary in design and manufacturer and continually evolve as existing technologies progress and new technologies are introduced. It is important for forensic investigators to understand the working components of a mobile device and the appropriate tasks to perform when handling one forensically. Knowledge of the various types of mobile devices and their features is an important aspect of gathering information for a case, since usage logs and other important data can potentially be acquired using forensic toolkits.
Some of the reasons include:
1. Mobile devices require specialized interfaces, storage media and hardware.
2. Some data on mobile devices resides in volatile memory, which requires power to retain its contents, unlike nonvolatile storage such as a standalone hard disk drive.
3. A diverse variety of operating systems is embedded in mobile devices.
4. Short product cycles, in which manufacturers rapidly release new devices and operating systems, make it difficult for law enforcement agencies to keep current with new technologies.
Mobile device forensics is an ever-evolving field, filled with challenges and opportunities, when a mobile device is analyzed for forensic evidence in support of a criminal investigation. The process can be more difficult than traditional computer forensics because of the volatile nature of the electronic evidence. A well-trained, highly skilled digital forensics investigator plays an essential role in the criminal investigation process when performing forensic analysis of mobile devices.
Even such a pertinent piece of forensic equipment as the Faraday bag is not free from issues for the first responder. Once removed from the bag, a powered-on mobile device can start receiving data and connect to the network. This may be difficult for a first responder to control if a superior has instructed him to leave the device powered on when it is discovered at the crime scene. Some devices can be controlled by placing the phone in airplane mode, which disables the wireless features, but not all mobile devices have this function. For the most part Faraday bags are reliable, but they cannot fully guarantee that no signal will reach the phone. Successful blocking depends on the quality of the bag, the distance to the cell tower, and the power of the transmitter in the mobile device.
Mobile computing continues to play an increasingly important role in civil litigation, especially in electronic discovery, intellectual property (IP) disputes, and information security and employment law disputes. Forensic investigators must be aware of certain issues pertaining to data acquisition and the preservation of digital evidence for a criminal investigation. Electronic data is very susceptible to alteration or deletion, whether through an intentional change or as the side effect of an application invoked in some computing process. Because electronic data is created, modified and deleted through the normal operation of a computing system, there is always the possibility of modifications arising from an incorrect or inappropriate digital forensics process. Given that the results of such actions can be treated as critical evidence in a case, every measure must be taken to ensure the reliability and accuracy of the forensic process. A digital forensics process must be developed and applied with due regard to jurisprudential issues. It is imperative that the process can be examined thoroughly to determine its reasonableness and reliability, to refrain from