Technology
Cellphone Forensics
What information is stored by a cellphone?
By Richard Miletic
The cellphone provides access to a wealth of information about its user. With the right tools and procedures, data can be extracted from the phone that provides a complete profile of its user with evidence to either incriminate or exonerate the defendant in civil or criminal cases. This article is directed toward both law enforcement/prosecutors and defense attorneys.
In order for law enforcement to access the cellphone data, they must obtain the phone itself and then make sure the data on the phone can’t be erased from a remote location. It is important for law enforcement to move quickly to turn the device off or place it in a radio frequency protected enclosure, which prevents the phone from connecting to the cellphone network and thus prevents remote access.
The phone may be password protected and the defendant may not willingly provide the password to law enforcement. Some passwords can be cracked using software tools, but it can be time consuming and success depends on the phone model and type of locking mechanism. It is best to obtain the phone password voluntarily from the defendant or obtain the phone from the user before it can be password locked. In some cases, the defendant can be forced through a warrant to provide the password.1
In the landmark case Riley v. California, the U.S. Supreme Court unanimously held that the warrantless search and seizure of digital contents of a cellphone during an arrest is unconstitutional. Therefore, prior to extracting data from the phone, a search warrant is required. Without the search warrant, the defense can argue that the information obtained is inadmissible in court.
It is also important for defense attorneys to extract information from the phone as this could help disprove the prosecution’s case against their client.
What can be extracted from the phone? Following is a list relevant to legal cases.
• Website search terms, bookmarks, and browsing history;
• GPS location history with mapping (can be multiple years of history);
• Accessed Wi-Fi networks with connected time and date;
• Accessed cell towers with connected time and date;
• Bluetooth pairing history;
• Application data including stored login (username/password), e.g., Facebook, Twitter, Instagram;
• Calendar events;
• Saved passwords—email, web;
• Saved credit card payment info;
• Recent calls—received, dialed, and missed with time and date;
• Contacts (internal phone memory, as well as SIM card);
• Tasks and to-do lists;
• Text and email messages;
• Pictures and wallpapers;
• Ringtones and music; and
• Video and movies.
As you can see, with this information, a complete profile of the user can be constructed. Through location history, GPS, Wi-Fi, and cell tower connections, his or her location can be determined, potentially going back years. One can tell if the user was on the phone and what he or she was doing just prior to a traffic accident. Through contacts and phone records, one’s circle of associates can be obtained, potentially identifying conspirators. Individual text and email messages can be read. Web search terms and website history can be viewed. Login usernames and passwords for external accounts are stored on the phone allowing access to these accounts. Credit card information can be used to determine items purchased and location of the individual. These are just a few examples of what can be done with this vast amount of personal information.
This is powerful information that can be used by prosecutors and defense attorneys in civil and criminal cases. It can paint a detailed picture of the defendant. It is key forensic evidence that should be utilized to its full benefit following legal procedures.
RICHARD MILETIC is the CEO of ZK Services, a wireless testing and consulting business, and has been in the wireless field for over 30 years. He holds a bachelor of science in engineering from the University of Illinois in Urbana, Illinois, and a master of business from DePaul University in Chicago.