When CSI character Sara Sidle touches a laptop keyboard to read the victim's e-mail, she's not just advancing the 42-minute TV drama along, she's changing the evidence stored within the device. The same thing happens when crime scene investigator Nick Stokes picks up a cell phone and starts thumbing through the victim's last-called list. Unlike laptops, mobile devices triangulate with cell towers, offering a fairly precise indication of time the victim was at a specific location. Data from cell phones can help investigators associate the victim with other conspirators, revealing critical information that would be hard to break in other ways. The only problem is, unlike desktops and laptops, investigators haven't had any tools to help them reveal the data inside most mobile devices.
Recently, I talked with Bill Siebert, director of customer relations for Guidance Software. He's not just some marketing genius with an English degree; Bill is a former San Francisco police officer who joined Guidance Software in its early days, when the company consisted mostly of former law enforcement, both local and federal. Guidance Software makes EnCase, the premier digital-forensics software package available today, with most of its clients being government and law enforcement agencies around the world, although the company now has an enterprise edition for corporate use. EnCase has mastered the desktop and laptop data environment, but unfortunately, people have been moving all their critical information to their mobile devices, shutting out investigators. Until now.
In response Guidance Software is releasing a Neutrino, a product that allows investigators to peer inside the common cell phone. But getting to this point was a far from a trivial task.
Unlike desktops and laptops, investigators haven't had any tools to help them reveal the data inside most mobile devices.
Origins with 9/11
Siebert said that Guidance Software has been working on this since shortly after September 11 when government officials approached them and stressed the need to sync data between desktops and mobile units. Guidance Software launched it and quickly ran into trouble. Mobile phone data isn't laid out like the Windows operating system, where Microsoft followed a similar data structure from version to version. With mobile devices, it's a free-for-all with hardware and carriers mixing up data sets. Some store critical data in one place, others store it somewhere else on the directory; still others store everything in memory. For a time investigators simply did data dumps then hand parsed the data, which is tedious if not slow.
Even within a single phone model, data locations can vary according to carrier. For example, the same model of phone from Nokia might store its data differently on its Verizon version than on its T-Mobile version. And carriers can also send out a "security" firmware update that completely scrambles the data locations. Guidance Software has since built a database of some of the more popular phones, enabling its EnCase software to find and automatically parse the data, including deleted files.
Software aside, the cell phone hardware isn't consistent. First thing Siebert said field investigators need to do is get ahold of the mobile device's user manual. He noted that LG phones share the power-on with the red End button, which isn't intuitive. Using the user's manual, you can also locate where the SIM chip is stored. Second, place the confiscated phone in Guidance Software's WaveShield, a type of Faraday Cage, a bag lined with conducting metal that's designed to block out electromagnetic signals. Lastly, you need to find the right power cable. Siebert said almost every cell phone they've encountered for investigation has been in the last seconds of a charge; Guidance Software provides a case full of every possible connector cable imaginable.
Using EnCase version 6, Siebert typed in the make and model of his test phone, a Motorola Razr; the software told him which connector was needed out of the hundreds he had. Once inside the WaveSheild bag and powered on, the software then acquired the data. Shortly after, it was possible to root through the data. What's always been cool about EnCase is that you can enter a search string and find all the references on a hard drive in one search; now it will find all the references quickly within phone messages, text messages, and video sent to a particular person within a single search.
What's always been cool about EnCase is that you can enter a search string and find all the references on a hard drive in one search; now it will find all the references quickly within phone messages, text messages, and video sent to a particular person within a single search.
There are limits
Siebert said this is a start. But cell phones are regional. What's popular in Kansas City, Kansas, isn't going to be true in Newark, New Jersey. Carriers are different as are tastes and model availability. Law enforcement officials have found ways of reading cell data on their own, but when a phone from New Jersey shows up in Kansas, that phone must be sent out of state, slowing the overall investigation. Siebert says EnCase makes it possible for them to examine quickly the phones they're not used to seeing.
Do you have anything incriminating on your mobile device? Talk back to me.