Digital Forensics

Tuesday, July 30th, 2019

Digital Forensics can be a difficult boat to master. There are many ropes to learn, several courses to choose from, and without local knowledge, you don’t know what lurks in the uncharted seas ahead. What must you do in these days of digital ubiquity to ensure the safety and success of your client, your boat, and yourself? Please listen up.

Where once the Digital Forensics (DF) examiner would process 20 computers per cell phone, those numbers have inverted. Now, to be the best criminal defense attorney you can be means always considering cell phones. They can be critical.

In 2014, 18-year-old Greg Kelley was charged with a child molestation crime, found guilty, and sentenced to 25 years with no parole. Three days after his conviction, his appellate attorney, Keith Hampton, sent us his iPhone. We learned that neither the defense nor the prosecution examined his phone prior to trial, so we decided to examine it that same day. From our initial findings it was clear that Greg’s phone was 180 degrees opposite a pedophile’s phone. His phone was not riddled with the “child love” advertisements and suspicious chats we normally see. There were not hundreds of hours of YouTube videos portraying young children. In fact, we saw the opposite and immediately notified Keith. While no one knew it then, that information became the “kickoff” for Greg’s new trial three years later. In August 2017 the new judge found Greg to be “Actually Innocent.” After 18 months, the Texas Criminal Court of Appeals still must rule to affirm, or perhaps deny, the lower court’s ruling. Meanwhile Greg and his fiancé tell us that they are planning their wedding and trusting in God.

Of course, not all cell phones have an immediate impact. Still, being mindful of the immense amount of data that phones contain, you should preserve that data for future use. Allow your DF expert to create forensic evidence files and store the phone in accordance with NIST-certified procedures. Today’s solid-state memory chips will store their data for at least five years after the batteries have been fully discharged.

Another aspect of cell phone usage also needs preservation: “Call Detail Records” (CDRs), which provide details such as dates, times, and the numbers of the called and calling parties, as well as additional critical data. They offer a great amount of important information.

CDRs are a billing and usage record. As such, they usually only note events that cost money. For example, if a Voice Over Internet Protocol (VOIP) call is made over a business system offering free VOIP calls, then that call may not be listed on the CDR. If it is not listed, then that data must be retrieved forensically from the VOIP system.

Each carrier has its own procedure for preserving CDRs, but they all involve transmitting a preservation request to the phone’s carrier. Do it early before the carrier automatically purges that data. Some carriers purge early on, some later, but don’t take a chance. We often send preservation requests in our cases. Furthermore, the admin of a business service VOIP system can provide their own VOIP CDRs if allowed. If the admin is not allowed, then subpoena.

If you have saved or otherwise retained the digital data, your DF expert will also be able to perform a link analysis to tie everyone together. Names, phone numbers, calls, texts, and more will be analyzed and linked, allowing you to visualize relationships that were previously hidden within the background chatter. CDRs can also contribute greatly to creating a link analysis.
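The link analysis described above, reduced to its core, is a graph problem: every call or text is an edge between two numbers, the number of contacts is the edge weight, and "how is A connected to B" is a shortest-path query. The following is an added example, not code from the article or from any forensic vendor it names; it assumes a simplified comma-separated CDR layout (timestamp, event type, calling number, called number, duration in seconds) and uses constructed sample records.

```python
"""Link analysis over call detail records (CDRs).

Added example; not code from the original article or from any forensic
vendor. Assumes a simplified CDR layout of comma-separated fields:
timestamp, event type, calling number, called number, duration (seconds).
The records below are constructed for illustration, not real subscriber data.
"""
from collections import defaultdict, deque

# Constructed sample CDR lines (hypothetical numbers).
SAMPLE_CDR = """\
2019-03-01T08:14:00,VOICE,5125550101,5125550102,143
2019-03-01T09:02:00,SMS,5125550102,5125550103,0
2019-03-02T17:45:00,VOICE,5125550103,5125550104,61
2019-03-03T11:20:00,SMS,5125550101,5125550102,0
2019-03-04T21:05:00,VOICE,5125550104,5125550105,300
"""


def parse_cdr(text):
    """Parse CDR lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, caller, callee, dur = line.split(",")
        records.append({"ts": ts, "kind": kind, "from": caller,
                        "to": callee, "duration": int(dur)})
    return records


def build_link_graph(records):
    """Undirected graph; edge weight = number of contacts between two numbers."""
    graph = defaultdict(lambda: defaultdict(int))
    for r in records:
        graph[r["from"]][r["to"]] += 1
        graph[r["to"]][r["from"]] += 1
    return graph


def strongest_links(graph, top=3):
    """Return (a, b, count) for the most frequent pairs, each pair listed once."""
    seen = set()
    pairs = []
    for a, nbrs in graph.items():
        for b, n in nbrs.items():
            key = tuple(sorted((a, b)))
            if key not in seen:
                seen.add(key)
                pairs.append((key[0], key[1], n))
    pairs.sort(key=lambda p: (-p[2], p[0], p[1]))
    return pairs[:top]


def connection_path(graph, start, goal):
    """Shortest chain of contacts linking two numbers (BFS), or None."""
    if start == goal:
        return [start]
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nbr in graph[node]:
            if nbr in prev:
                continue
            prev[nbr] = node
            if nbr == goal:
                path = [goal]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nbr)
    return None


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    g = build_link_graph(recs)
    print("strongest links:", strongest_links(g))
    print("chain 0101 -> 0105:", connection_path(g, "5125550101", "5125550105"))
```

Real CDR exports differ per carrier in column order and naming, so `parse_cdr` is the part you would adapt; the graph and path logic stay the same whether the edges come from CDRs, device extractions, or both merged.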

[Figure: Digital Forensics - 1]

There are two different messaging formats that interact via your phone carrier on your cellular phone. One format is the familiar Short Message Service (SMS), and the other is the Multimedia Messaging Service (MMS)—both in use since the 1980s. Another, newer format is Over The Top (OTT) messaging applications.

OTT messages travel via the internet. If someone does not pay their bill, and thus loses cellular service, he can still send messages by utilizing OTT apps and a wifi connection. OTT apps include “WhatsApp,” “WeChat,” “Viber,” “Telegram,” “BBM,” and many more.

OTT message content and metadata do not appear on CDRs and must be acquired from the phone or from the specific application’s own servers. Some OTT apps allow for retention of the message content on the device, but many OTT apps retain the message content only on the OTT app’s servers.

Additionally, for most OTT apps, users may decide to retain the message content by saving the message to their own phones. If the user elects to do so, then we can recover those messages as well. If the user’s OTT message content is retained on the OTT app’s servers, then recovery requires a subpoena.

We recently closed a case involving a young man accused of sending violent and threatening text messages to his former girlfriend. In her effort to obtain a TRO, the ex-girlfriend contacted law enforcement. She then swore out an affidavit for the arrest of her ex-boyfriend. During that process she showed the LEO her cell phone with the violent texts. They all indicated the ex-boyfriend’s number as the sender. The TRO was issued and, due to the threats of violence, the judge required our client to wear a GPS device. When we began this case, he had been wearing it, and bearing the associated expenses and embarrassment, for two years.

[Figure: Digital Forensics - 2]

Our investigation almost immediately proved that the ex-boyfriend could not have sent the SMS text messages. His phone had its carrier’s cellular capabilities “disconnected” about six months before the threats began because he could not pay his bill. He did send her three messages via an OTT app, but these messages were telling her to stay away from him. The image shown above is from DF software by Magnet Forensics. It is an industry standard product and NIST certified.

When the ex-girlfriend was confronted with our evidence, she admitted to using a spoofing app to send herself the threatening text messages from another phone. Our client, after more than two years, got his GPS bracelet removed the following week. His attorney was successful in getting all the charges dismissed.
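The decisive check in the case above is a reconciliation: each message on the complainant's phone that claims to come from the accused number is compared against that number's carrier records and service status. An SMS dated after the carrier disconnected the number, or with no carrier record near its timestamp, cannot be confirmed as sent from that number, while OTT messages are set aside because they never reach a CDR. The following is an added example, not code from the article or from Magnet Forensics; the message extraction, the CDRs, the accused number and the disconnection date are all constructed, and the five-minute matching window is an assumption.

```python
"""Reconcile SMS extracted from a device against the sender's carrier CDRs.

Added example; not code from the original article or from any forensic
vendor. Assumed inputs: messages as extracted from the complainant's phone
(sender, timestamp, transport, body), the accused number's carrier CDRs
(timestamp, event type, from, to) and the date the carrier disconnected
that number's cellular service. All values below are constructed.
"""
from datetime import datetime, timedelta

ACCUSED = "5125550101"                       # constructed number
SERVICE_DISCONNECTED = datetime(2018, 6, 1)  # constructed disconnection date

# Constructed device extraction from the complainant's phone.
DEVICE_MESSAGES = [
    {"from": ACCUSED, "ts": "2018-12-02T22:15:00", "transport": "SMS", "body": "threat 1"},
    {"from": ACCUSED, "ts": "2018-12-03T01:40:00", "transport": "SMS", "body": "threat 2"},
    {"from": ACCUSED, "ts": "2018-12-05T10:00:00", "transport": "OTT", "body": "stay away"},
    {"from": ACCUSED, "ts": "2018-05-20T09:30:00", "transport": "SMS", "body": "hi"},
]

# Constructed CDRs for the accused's number: one SMS, before disconnection.
ACCUSED_CDRS = [
    {"ts": "2018-05-20T09:30:05", "kind": "SMS", "from": ACCUSED, "to": "5125550102"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def reconcile(messages, cdrs, accused, disconnected, tolerance=timedelta(minutes=5)):
    """Classify each device message that claims `accused` as its sender.

    Returns a list of (body, status) in message order, where status is:
      'not_on_cdr'       OTT transport; carrier records can neither confirm nor deny
      'corroborated'     a carrier SMS record from `accused` within `tolerance`
      'after_disconnect' claimed SMS dated after the carrier ended service
      'unmatched'        SMS during service but with no carrier record in window
    """
    sent_times = [_parse(c["ts"]) for c in cdrs
                  if c["kind"] == "SMS" and c["from"] == accused]
    results = []
    for m in messages:
        if m["from"] != accused:
            continue
        when = _parse(m["ts"])
        if m["transport"] != "SMS":
            status = "not_on_cdr"
        elif any(abs(when - s) <= tolerance for s in sent_times):
            status = "corroborated"
        elif when >= disconnected:
            status = "after_disconnect"
        else:
            status = "unmatched"
        results.append((m["body"], status))
    return results


def unverified(results):
    """Bodies of SMS that the carrier record does not support."""
    return [body for body, status in results
            if status in ("after_disconnect", "unmatched")]


if __name__ == "__main__":
    r = reconcile(DEVICE_MESSAGES, ACCUSED_CDRS, ACCUSED, SERVICE_DISCONNECTED)
    for body, status in r:
        print(f"{status:17s} {body}")
    print("unverified:", unverified(r))
```

The sender field on a received SMS is only what the delivering network presented to the handset, which is why the carrier-side record of the alleged sender, obtained through the preservation request or subpoena discussed earlier, is the evidence that settles the question rather than the screenshot of the complainant's phone.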

Ours is a science relying heavily on the foundation of the scientific method. Any DF expert you choose must be well-qualified, certified, and licensed in Texas. Some of the leading forensic software tools are produced by companies like Magnet, Cellebrite, Access Data, EnCase, FTK, Blacklight, Autopsy, Oxygen, and others. Make sure that your expert is certified on the tools they use.

Also, be sure that your expert is using hardware and software tools certified by the National Institute of Standards and Technology (NIST). NIST tests and certifies write blockers, disc duplicators, and multiple packages of DF software tools. If not, you might have trouble on your doorstep. Everyone should remember one of the original computer science acronyms—“GIGO.” It stands for “Garbage In, Garbage Out,” and while it is not as prevalent as it once was, it remains just as relevant.

There is one DF software tool all defense attorneys must be familiar with. It is the most commonly used DF tool for LEOs and agencies worldwide. It is called “Cellebrite.” While Cellebrite is not best at recovering all data, especially the new chat and message apps that continue to enter the cell phone market, it is undoubtedly best for recovering the most deleted data. If your DF expert can combine Cellebrite with Magnet’s Axiom, or IEF software, then you will have truly done your complete DF due diligence.

I’ve seen Cellebrite work against my own efforts, and it’s difficult to underestimate the dangers of being uninformed—enough so that we happily spent $15,000 to acquire it. If your DF expert does not own Cellebrite, then consider bringing in a consultant who can provide your expert with a Cellebrite report. It may raise the cost, but when your client is innocent, it is a bargain.

We hope this helps you as you begin to navigate through some of DF’s unknown waters and dangerous shoals. As all seas evolve over time, so does this ocean we call digital forensics. We will post additional articles this year to help keep your boat righteously sailing in tropical winds with following seas. We would love to have your questions. Please send them to admin1@pfforensics.com.