Cell Phone Forensics: Recovery and Preservation
By Alex Fox and Dorothy Fox (04/01/2011)

The need for cell phone detection and cell phone jamming is quite obvious, but significant challenges and barriers to the introduction of these technologies within the industry still exist. While these issues are being sorted out, there is a critical element to dealing with confiscated cell phones that is within our control but sometimes overlooked or minimized.

To their credit, many state Departments of Correction are enacting laws to criminalize the possession and use of cell phones.

Cell phone forensics is the science of recovering digital evidence from a mobile phone under forensically sound conditions using accepted methods. It is a highly specialized and complex field and requires specially trained technicians. The spectrum of cell phone forensics includes five distinct stages — preservation, acquisition, examination, analysis, and reporting. Preservation involves confiscating and securing the phone without altering the data contained in the device. Acquisition involves imaging or obtaining evidence from the device and any associated equipment and media. Examination and analysis involve the use of tools to uncover potentially hidden or obscured evidence within the device. Reporting and proper documentation of the preceding steps and conclusions is an important last stage in the investigation. 

In cell phone forensics, preservation and acquisition are the most critical stages of the process. These steps must be conducted methodically and with precision, as the remaining stages are entirely dependent on how proficiently these first two steps were performed. Given that preservation is the most critical step, performing this aspect of the forensics process is a must for correctional first responders and investigators when recovering cell phones in prisons. As with any other form of evidence, strict rules for handling it and maintaining the chain of evidence must be followed for the evidence to be admissible in court. Agencies can choose to stop there and turn over the evidence to outside law enforcement to conduct the remaining stages of the process, or they may choose to provide specialized training to select staff so that they can conduct other aspects of the forensics investigation internally.

There are a number of “do’s and don’ts” that must be followed to properly recover and preserve cell phone evidence. As a general rule, it is recommended that the phone be left in the state in which it was found. If the phone is on, do not turn it off. If it was off, leave it off. It is important to resist the urge to perform any functions on the phone to look for evidence, such as the last number called or visible text messages, as this may alter data or corrupt data integrity and jeopardize the evidence recovery and investigation. If it is on, make every attempt to keep it charged until it is properly evaluated. It is also recommended that facilities make several low-cost purchases, such as bags that prohibit the phone from receiving and transmitting, evidence tags or labels designed specifically for phone recovery, and universal-charging kits for the most frequently used phones. While these are general guidelines in most scenarios, there are many factors that dictate the proper action to take. It is imperative that staff be officially trained on the accepted industry standards.

Because this has become such a prevalent issue throughout the law enforcement and corrections communities, a welcome outcome is that cell phone forensic training and related tools are now more readily available and extremely inexpensive. Some federal agencies offer training free of charge, and private companies offer excellent short-duration training at a reasonable price. This is good news for addressing the needs of all first responders. If you are considering training staff to conduct forensic analysis beyond the initial first-line responder recovery stage, it is important to know that there are several elements that make for a skilled digital forensics technician. Knowledge of digital forensics and technical aptitude are essential, but IT specialists may not be well equipped to be digital forensics technicians without investigative experience.

In addition to training, there are resources that provide guidance and technical assistance to help your agency implement proper procedures. Such resources include the FBI and the Department of Public Safety (state police). Another resource is the National Institute of Standards and Technology, which has developed guidelines for cell phone forensics, including the recovery and preservation process.

After 29 years with the Massachusetts Department of Correction, Alex Fox retired from his position as director of security technology to launch a private consulting venture. Dorothy Fox served as director of systems development during a 22-year career with the Massachusetts Department of Correction.
