Cell Phone Forensics
The purpose of this class is to educate legal professionals on how cell phone forensic evidence is extracted from cell phones, tablets, and other mobile devices. Explanations will be given on what is in accordance with forensic best practices, and how this evidence is properly preserved. In addition, attendees will learn about the fragile nature of digital evidence, and the extent to which this information can be changed if not handled correctly. Attendees will learn the types of evidence that can be recovered from cell phones, including location-based information, messaging application data, voicemails, multimedia such as photos and videos, metadata, and more. The different forensic artifacts will be explained in detail. Given the rising instances of fake text messages and call spoofing, a section of this class will explain how this is commonly done, even by people with little technical knowledge, and how an investigation is performed to determine the authenticity of such evidence. Upon completion of this class, attendees will have a working knowledge of how cell phone forensic data collections are performed, the types of forensic artifacts that are recoverable, how data is authenticated, and how such evidence can be used for their purposes when working a case.
Shaun Salmon: Hi, my name is Shaun Salmon and I'm the Vice President of MCLE at Quimbee. Today I have the distinct pleasure of interviewing Lars Daniel so that he can talk about forensic evidence at trial.
Lars Daniel: Hi, I'm Lars Daniel, the Practice Leader of Digital Forensics here at Envista Forensics. Today I'd like to start this class with the following case example. In this case, we were retained by the attorney representing the motor carrier company. On the opposite side, there was a plaintiff's expert. The plaintiff's expert on the opposite side was making two claims. First, that the driver was distracted at the time of the accident and that the driver was fatigued because they had not received enough sleep. Now, this expert utilized the call detail records and the driver's logs to make the argument on the lifestyle analysis, trying to say that they didn't get enough sleep, and they used the cell phone evidence to try to make a claim that they were distracted at the time of the accident.
First, let's deal with the claims of distraction. Now, this expert was claiming that because an album cover was created for a song near the time of the accident, that meant that the driver was on the phone selecting music with their thumb. In the application, clicking on something to select music; distracted. Now in our testing and analysis, we were able to prove conclusively that actually what really occurred was that iHeartRadio switched the album cover automatically, as it switched from one artist to another. As it went from Justin Bieber to Rihanna, this was simply an automated function of the application itself and required zero user interaction, so zero evidence of distraction or utilizing the phone at all during the time of the accident.
With that argument no longer viable, they then proceeded to do a lifestyle analysis. Now, what we have here are driver's logs that you see on this screen. They took the information from this. They correlated it to the phone records, like you see here, where you have incoming and outgoing calls. We have all that information too. They compiled this information together where you have the driver's logs versus the phone records to try to show when they're driving and when there's phone activity. Ultimately, all this information is leading to the following.
What we have here is the lifestyle analysis created by the opposing expert. What we see, for example, on Sunday is that the largest gap of time that the driver would have to sleep was two hours and 23 minutes. On that entire day, we have two hours and 23 minutes, an hour and 30 minutes, an hour and 16 minutes that they could have slept. Now, it is also sporadic through the rest of the times throughout that week, with not large enough gaps to get sufficient sleep, it does appear. This does look highly problematic. However, this expert made a significant error in their analysis.
You see, they included incoming activity as activity that would require you to be awake, not just outgoing activity. Outgoing activity requires you to do something with the phone; to send a message or to make a call and so forth. Incoming activity does not require you to do that. How many times have you gone to sleep and woken up the next morning with emergency text messages and emails, and you got a voicemail and the rest? You weren't awake for that. You were asleep. If you remove the incoming activity, this driver had a normal sleeping schedule and there was no evidence of a lack of sleep on the part of this driver.
Shaun Salmon: I know that computer forensics has been around for a while and that a tremendous amount of data can be recovered from them, including deleted data, but when it comes to cell phones as evidence, how are they different from computers?
Lars Daniel: Yeah, that's an excellent question. It's easy to think about cell phones as being little computers we carry around in our pockets, but computers and cell phones are quite different in many ways. In computer forensics, being the oldest discipline within digital forensics, we can force those devices, in most instances, to give all of their data up. We can also collect the evidence in such a way where the device is powered off by removing the hard drive and creating what's called a forensic image as a process of a forensic acquisition. With a cell phone that is different too. We have to collect the data in a different way called an extraction, which we'll cover later, but there's also just the simple fact that there are many phones that come out every year. There are many operating system upgrades and security patches that change the artifacts on that phone and the way we have to go about getting the data, and it's a constant flux between these new devices coming out and then these cell phone forensic tool manufacturers and experts figuring out how to get the data off of those devices.
Shaun Salmon: Given these differences, is there anything attorneys need to know about how to protect the original evidence? Are there certain steps that need to take place to guard against spoliation?
Lars Daniel: Yeah. There are definitely unique preservation issues and things that need to happen in order to protect cell phone evidence. First of all, they need to be isolated from networks, both from cellular networks and any type of wifi network out there. We do that using Faraday bags in forensics, so that bag right there, that you see the phone in, is a radio frequency shielding bag. You put it in there and the phone cannot communicate out and no communication can get in. It works on the same technology as your microwave, how you put your lunch in there and you go to microwave it. Instead of microwaving your head, it microwaves your food as you're watching your Hot Pocket spin on the plate in there.
Some of the reasons this needs to be done is, first, simply turning the phone on can destroy data permanently as new data comes in. It can delete older data. This is especially true for your pay-as-you-go, your flip phones, your burner phones. You can think about it as a conveyor belt. Those phones have less storage capacity and some of them are less sophisticated. As new data comes in, the oldest data is pushed off or deleted to make room for the new. That's not as much of an issue for a newer model or a smartphone, but it still could certainly be an issue as far as changing artifacts on the phone if it can communicate, such as times and dates and other information. A second, and we've seen this happen in numerous cases, is that that phone will be taken by someone into custody, allegedly secure custody, but it still has connectivity to a network and it can be remotely wiped. I've had multiple instances where opposing experts, both law enforcement and private, have taken phones into their custody and that device was wiped remotely while it was under their control.
With that being said, what should typically happen? Well, first the phone should be collected and turned off. That's a pretty normal procedure, provided there's no concern about a passcode lock, or the passcode lock is known, or that passcode lock can be broken. For most phones, thousands of models of phones, with modern forensic software and hardware, we can crack the passwords on cell phones in a matter of seconds. The other option is that the phone is collected, kept active, and left on. This is typically law enforcement only. Here would be your scenario for this. There's a suspect, the law enforcement sees that person, the phone is unlocked at the time, they take the phone from that person, they rub their finger back and forth on it simply to keep it awake until they can connect it to forensic software and pull the data off of it. That way it doesn't lock itself and make the information inaccessible. Once again, this is commonly law enforcement only, and very rare that you'll see this actually happen, but I did want to make you aware of it.
What happens too often? What happens too often is that a first responder thumbs through the phone at the scene with no documentation, no training and no clue, and the first responder could be anyone who receives that phone into their custody or takes it, collects it. When you do that, it creates a lot of problems. These problems are created because this happens before we have a forensic extraction in place. You are touching the phone and manipulating data before we have an opportunity to create a perfect snapshot in time that has a mathematical algorithm run against that data set to say, this is exactly as it purports to be and has not been modified or changed in any way. Thumb forensics creates real issues because we can no longer tell, because this happens before the forensic extraction of the data on the phone, if something has been created, deleted, or manipulated intentionally or unintentionally through ineptitude by that first responder.
Shaun Salmon: It makes sense that improperly handling the cell phone could permanently change data of potential interest. How exactly is data collected from cell phones in a way that also protects the evidence? Is there only one way or are there multiple methods?
Lars Daniel: Yeah. One of the foundations of digital forensics is to protect the original evidence as best as possible while extracting the information that you need off of that device. The types of extractions that are done using forensic hardware and software are logical, physical, and file system. First, we're going to look at logical here. This only gets still existing data. That is data like in your filing cabinet; you open it up and you pull a file out. Stuff you can access as a normal user of your device. It gets that information and some more, and it doesn't actually get to what would be commonly called deleted or unallocated space on the phone, but it can recover deleted data.
The reason it can do this is that just about all applications on your phone use a database type system. What that means is that you're in your messages, for example, and you delete a message. That message is not actually gone. The phone has marked where that lives and says, don't show this message to the user anymore. Inside the database, we simply reconnect where it is listed to be in the database and where it actually exists, connect those two points, and you can recover the message.
Our next type of extraction is a file system extraction. This is, in many ways, an extension of a logical extraction. You're getting all of that logical data like we talked about, but you're also getting more of the deleted type files, not unallocated space deleted, which we'll talk about in a minute, but you're getting more raw materials in other words. You get all that logical data. You're also able to access with this method the internal storage, the internal memory of that phone, so you're getting more database files, system logs, operating system files, and other information that can absolutely be critical in some investigations.
Our final extraction is a physical extraction, and this gets all of it in almost every instance. It gets all the logical files like we talked about, the stuff that you can still see as a normal user, it gets the deleted files, quote unquote deleted as in files that exist in databases and in the file system that we would get with the file system extraction, and it also gets all the unallocated space. Unallocated space is space on your phone that is not allocated to any data. In other words, this is either space that is empty or this is space that has data inside of it that is no longer used. That data inside of the space that's no longer used is absolutely full of information. This is where we would do things like forensic carving to recover pictures or videos, or look for keywords to find documents and things like that.
That's what you do in unallocated space. You're looking for that type of information. If we go back to our database analogy, if you want to think about your whole phone as a big database and everything contained on it, the way that would work is that you have all the data on your phone, the database entry that tells you where the file lives no longer exists, but the data can still absolutely exist in unallocated space. That's why you have to go search for it using keyword terms or try to carve out the files using different parameters within forensic software to recover information, but there's a tremendous amount of data that can be recovered in a physical extraction.
Shaun Salmon: Can you tell us about damaged phones? Is it possible to recover data from a phone that has been damaged by fire or something else?
Lars Daniel: Yeah, that's a great question. There are advanced methods to recover data from phones that have been damaged. What you see here is from an actual case. This is a motor carrier accident case. You see the damage to this phone. It is burnt to a crisp. We simply remove the case, pop the chip out, and we can recover the data directly from the chip. That's known as chip-off. There's other methods, JTAG, which is Joint Task Action Group, or other methods by which you're actually able to connect to the chip itself or to the phone in such a way you're able to collect the data in many ways without it being powered on.
Those methods allow you to get data off of highly damaged phones and phones that appear to be completely inoperable. If the chip is still intact, there's absolutely a possibility of being able to recover the data. Second, on some models of phones, they may have a password lock that cannot be broken by forensic software. However, if you crack them open and you pull the chip off, you can get the data just like the phone was not password locked and was not damaged, even with those devices, so it serves multiple purposes like that.
Shaun Salmon: If you or another expert provide me a report, how do I know that report contains all the evidence that was on the cell phone? Is there any way to know?
Lars Daniel: It's hard to estimate how important that question is, and I'll give you a case example in a moment, but here's how you can tell. First of all, what you see here is a screenshot from within Cellebrite forensic software. If you look under the content slide, you will see included in report in the first column, and over there you see total. The total is everything that was collected from the phone. The included in report is what the examiner has decided to include in the report. Now, this is what it should look like. Everything's included. All the numbers match in both columns.
I have worked on cases where they don't match. The attorney thinks they have everything, but what has actually occurred is that the examiner has only provided what they thought was relevant. I've also had that happen in a case where they provided what they only thought was relevant on the opposite side and lost the original forensic file, meaning that over 95% of the data was not ever included or able to be examined by counsel because it was gone. The only thing included in the report was what that examiner thought was relevant. I would always ask that they have included everything in the report or for them to show proof of the fact from forensic software itself within a report like Cellebrite here, and all the other tools have similar sheets that would allow you to see this information.
Now, we talked about the different methods of getting data off a phone. One thing that's really important to understand is that the difficulty of the acquisition process, to do a file system, physical, or logical acquisition, is pretty low. For most phones, it does not require a great deal of expertise to be able to actually collect the data from phones; for about 80% of them. About 20% of them are technically difficult. That being said, where the expertise really comes in is in the analysis of the data. Now, I include these little funny pictures because yeah, we get jokes about push button forensics and the tools just gather everything, and you'll hear some people say stuff like that, but the difficulty comes in actually understanding and interpreting the data.
There are hundreds of thousands of artifacts that can exist on phones from all the applications and everything else that are out there in the wild and knowing what they mean, knowing what the times mean, knowing what the data means as far as the who, what, when, where and why of what a person did is where the real technical expertise comes into play, not in the actual collection of the data from the phone. Yes, that requires expertise. Yes, the experts should be certified in those, but it's the analysis that requires the real skill. A couple quick examples of that; as an examiner, I can look at this and tell you that this is a JPEG picture. If you look to the left under text, you see JFIF. I know that's a header for a JPEG picture. I would select that, scroll all the way down to find what's called the file footer, select all of that information and then parse it out correctly. In our next slide, you will see what this actually is if we parse it out.
It's a picture. It's that nice, scenic picture right there that is deleted and has been recovered by rebuilding it. That's an actual screenshot from forensic software that you're seeing that rebuilt in, so that's one such example. Yeah, and here's one more example. Forensic software doesn't do everything for you automatically. In this case, this was a doctor who was accused of talking to an underage girl inappropriately. Now, we had her devices in this case. She had a Mac desktop, a laptop, an iPod touch, an iPhone, an iPad, i-everything, and she's switching between all those devices and different applications to communicate with this doctor.
Now, in looking at the communications, there were gaps in time that did not seem to make sense. Well, if we had simply relied on only what was available in the forensics report automatically recovered, we would've missed this, but one of our examiners was able to determine that actually that chat had happened within Words With Friends, as you see here. Words With Friends is like a Scrabble you can play across the world with your friends on the phone, but there actually is a chat application inside of it. For us to recover that, it had to be rebuilt by hand. In the recovery of that, we were able to complete the entire timeline of all the communication to finish that story for a good outcome to our client.
Shaun Salmon: Are there some phones you cannot get data off of using forensic tools? If so, is it possible to collect that data from those phones in some way, and how would that be done?
Lars Daniel: Yeah, actually there is. If you cannot get the data with forensic tools, software or hardware, the only option left is a manual examination. Now, pay particular attention to this because if you are an attorney and you go to receive information or you go to collect something yourself, this will be applicable because you may only be interested in collecting a single text message or email. However, I'm going to explain to you the entire forensic process so you can know what an expert should do if they are asked to do a manual examination in your case.
First of all, this is what you do if there's no other option available, and it absolutely must follow forensic best practices, and I will talk later on how to challenge this if it is not. First of all, in a manual examination, what you are doing is that you are using a camera and a video camera to record the entire process of the examination. This is the type of gear that you would need. Here's how it would be done. You have a camera, an external camera, taking pictures of the screen of the phone. You're taking pictures of the messages as you are going through it, manipulating the device with your finger, and you're doing the same thing with the calendar or the contacts or the emails or whatever else. You're doing that and you're taking photographs.
The entire time that you're doing that process, you have a video, separate video camera, recording the entire thing. From the time you take it out of secure storage and power it on, do your examination, pack it back up and put it away, you need a video recording of that. This is the only verification that you have that you have not deleted, changed or modified anything on that device. Without this, you have no verification because we don't have a forensic extraction that would have a mathematical hash algorithm that is our forensic verification, so that absolutely must be done. If you're doing this yourself, you can take a picture of it with a camera and just have somebody record the process with the iPhone. At least create that for yourself so you have some kind of verification that you have not manipulated that device. That will be my suggestion, but that is what the process of a manual examination looks like.
Shaun Salmon: Everything we have been discussing so far relates to protecting the evidence, but when you get into the actual analysis phase, what kinds of forensic artifacts can be recovered from cell phones and how can those be used in actual cases?
Lars Daniel: Yeah. There are many artifacts that can be recovered from cell phones. We'll do a quick fly over to see some of the various kinds and how they can actually be used in cases. First of all, your phone sees wireless networks. You've been riding down the road or you've gone to a coffee shop and your phone pops up and asks hey, would you like to join this network? Whether you say yes or no, your phone, depending on the operating system and the model, can still be recording that your phone saw that network. Now, the average broadcast range for a wireless router in your home or location is about 150 feet, so if your phone saw that, you have very granular, excellent location data.
As we're looking at right here, we see not only the name of the wireless network. In this one, it is Bill Wii the Science Fi; probably one of the best names for a wireless network ever. But in the slide over next to it, what we see in that screenshot is we can see the time, the application you were using when you accessed the wireless network, and the name of the wireless network itself, so a lot of information.
To show you an actual case example of how this can be used, this is from a murder case and that street to the left, the suspects drive up that street and then they go to the crime scene and they drive out to the right side on the other side. Now, every single one of those pins that you see is a wireless router that their phone saw. That phone recorded seeing all of those wireless routers. The average broadcast range is 150 feet, and each one of those is timestamped, so you have a tremendous amount of location and time data right here that is used to show that the phone at least was in the area at the time of the incident.
We also have Google Map location data. Yes, your phone does record this. These are all Google Map examples here with geolocation data and the time you search for it and the name of the place that you were trying to find. When your phone is recovering location sources from multiple places, one is seeing cell tower location data. It's also getting harvested from other places, wifi networks like we've talked about, and GPS coordinates. Now, your phone uses all of these in order to give you very accurate location data.
All modern smartphones have a GPS chip in them. That GPS chip plus the ability to see wireless networks, Bluetooth and cell towers gives you better location data than your old school GPS devices that were single use that you used to buy. That's why your phone is so good at navigating. That's why your phone can tell you if you have time to get coffee before you go to work or the rest, because it's harvesting all of this data in real time and as well as seeing data provided through your mapping applications and the rest. Your phone absolutely is recording that information, and much of it does still exist on the phone.
We also see here location data from within forensic software coming from a lot of different location sources. If you look to the left, you'll see this under locations from within Cellebrite forensic software. First, note that whenever you see the red, those are deleted locations that have been recovered, but we have it coming from Apple Maps, we have it coming from your calendar, so if you have your calendar and you have set to meet someone at a location, that would be recorded. You have it from Find My iPhone, from Google Maps, from iMessage, where you can share your location with someone else, from iOS locations, of which there'll be a whole lot, from your mail, if you send a location in that in the calendar invite or otherwise, and other forms, including both Uber, if you call a car, get in a car, ride in a car, and Waze. Waze is a very popular mapping application to see where things are at, and when you're riding around, it lets you know when the law enforcement's out or where there's an accident.
All of that is providing location data, and that's simply a sampling of the location data that can be recovered from a cell phone.
Shaun Salmon: It seems like everything we do is creating location evidence on cell phones, but is there any way to leave no digital footprints? In other words, would it be possible to create no location evidence?
Lars Daniel: Yeah. It'd be nice to think that we could unplug; that we could create no location information, but even if you found a way to turn location services off and everything that records location on your phone itself, in order for you to have access to the cellular system, you have to have an account with a provider, like AT&T and Verizon, and as a part of what they do on their end to provide you service, they record your location activity historically based upon what cell tower you attach to to make a call or to send a text message. In reality, there is no way to create no location information if you want to have a cell phone that works.
User accounts are an excellent source of evidence as well, especially for generating leads. It's not uncommon for someone to say that they only have one email account, one messaging application or whatever else that they utilize, but when you see, for example here, this person has a Yahoo email account in our screenshot to the left. If you look at the totality of the accounts on the right, we see a Yahoo, a Gmail, Hotmail, and other accounts here, so obviously this person has more than one account. That gives you additional leads to go after information via subpoena or to ask that person about to try to get that additional data. Also, if you'll notice, we've recovered the passwords for all of those accounts as well as a part of this process. Accounts are excellent in generating leads. I've had a case, for example, one time where a gentleman said he only had one email account. We examined his devices. He utilized regularly over 50 for his various personal and business enterprises he was engaged in. Absolutely user accounts can be valuable in determining the different areas that a person has information stored in.
When you think about searches, you need to think about more than just Chrome, Internet Explorer, and Safari or web browsers. We all understand that you can search Google to find information and yes, we're recovering those and we're recovering an extensive amount of deleted searches, but also think about anywhere that there's a search bar period we can recover search data. For example, there on your left, you see the Play Store. Got fake text prank, pranks on your phone, voice changer; somebody looking for applications that do those things. Yes, that's from a real case and yes it did happen.
We also even have places like YouTube. That may not seem very important, but remember that YouTube is the video repository of all human knowledge these days. I've had cases where someone beheaded their girlfriend and before doing so, they search for how do I behead my girlfriend. I worked on a case where a lady was accused of embezzling a very specific amount, a large amount of money and very specific amount. She searched before finding out what they were accusing her of, how long will I go to prison for embezzling X amount of dollars? That can be a very valuable source of information as well.
A quick example of the value of searches. We worked on a case where a young lady rear-ended an 18 wheeler. Trying to determine what had actually happened, we examined her phone. We were able to see that at the point of impact she was searching on her phone within Google, looking for the obituary of a friend who had recently passed away, showing that she was distracted at the time of impact. Next, we have internet history.
I'm showing this particular screen because of all the recovered Google searches, just to show you once again, to reinforce the fact that we can recover searches from your devices, many of them, but do understand that if you are utilizing a web browser on your phone, even a short web browsing session, a couple minutes, can create hundreds, dozens of records because of the way your internet browser works. It's redirecting information, it's looking at other things when you're looking at one thing, so it's creating extensive timeline data, and it's showing us what you're looking at and what you're reading and what you're doing. A lot of times we can see that down to the second during one of these sessions.
Let's illustrate this with a case example. In this case, there's a truck driver riding down the road. He's inside the Facebook application. He sees the link, he clicks on it. It kicks him out to the web browser just to play a game. The game is to see what nationality he should really be based upon his favorite pizza toppings. He answers all the questions while he's riding down the road, and he clicks the final button to see his results to find out what nationality he should truly be. At the time that he does that, he plows through an intersection causing a lot of damage to property and people. We can see down to the second as he clicks on and answers each answer, and we can see when he clicks to see the result, literally down to the second, all within the web browsing history and obviously from other areas too within the Facebook application, but that web browsing history recorded everything you need to show the entire timeline of events of what he was doing on that phone and the distraction that he had.
Now let's look at call logs. Now, it's no surprise to you I'm sure that we can recover call logs. Pretty common form of data on a phone, but a few things to look at. First of all, everywhere you see these red Xs, that's a deleted call log that's been recovered, but mostly what I want you to see is that larger screenshot I've popped out onto the left. Now that is from the very bottom entry on your right. We have an outgoing call. The duration is 000000 seconds. Why do we care about this?
This is outgoing. This means the person in possession of the phone sent an outgoing call to someone else. The reason this matters is that that duration is super short. This is probably a butt dial or somebody clicking call and cancel immediately, but it puts the phone in someone's hand at a particular time. Now, that call did not last long enough to connect to the cellular system. It will not show up in a phone bill. It will not show up in a call detail report. If you need to know if a person had this phone in their hand at a particular time, the only place you're going to find that evidence would be from the phone itself, like you see here in a call log.
Shaun Salmon: Interesting. Speaking of call logs, I have noticed that when comparing call detail records that I've received from a cellular service provider that the times don't match with what the phone is reporting. What's going on with that?
Lars Daniel: Yeah. You've hit on one of the real complexities with digital forensics, and that's understanding time. With cell phone forensics in particular, your phone as you see it, when you have it in your hand and you're looking at your phone, is going to record everything in local time and show it to you that way; the time zone that you're in. That makes sense, but when you look at call detail records, or even phone bills, but call detail records are what we're going to look at in this example here, those are based upon the cellular system; the switch that it's associated with and so forth. In other words, what this means is that you have to calculate time offsets. You'd have to calculate the time from UTC, whatever it is, UTC is zero by standard, to the appropriate time zone that your phone is in, remembering things like daylight saving time and so forth, to get the accurate time.
What you see in this example in front of you, in this particular case, is that the opposing expert did not account for a seven hour time difference, so all of this activity that was really important to their case not only didn't happen at that time, it's seven hours off, it actually happened on a different day when you calculate those seven hours. Call detail records can be even more complex than that. What you see here in this following example with these Verizon records is that everywhere you see a five, that is an automated function. It's a routing number. When you see that number, that means that this is transactional data. This is the cellular system sending information back and forth and has nothing to do with a user making a call.
In this case, they were trying to say that this truck driver made all these phone calls. This was the linchpin of their case. We showed them this. As you can see, it's directly on the actual information you receive from the carrier. If you see it says under call direction on the right, any other letter or number is a routing or unknown call type and does not detail actual transactional data for a completed call. That could be confusing to someone who doesn't understand this information, but this is conclusively not something that a person has done. This is an automated function of the cellular system simply to make a call go from one place to another.
I'm sure it's no surprise that messaging is one of the most common forms of evidence we're asked to retrieve from cell phones, and messaging does come in multiple forms. The first type of messaging that was really out there was SMS. That's short message service messages. This allowed for the transmission of a certain number of characters back and forth. Text only. Then you had MMS as the next phase of messaging. This is multimedia service messaging. These messages transmitted both text in longer form, as well as media files like pictures and videos and audio. Then our modern space now is mostly app-based messaging, and this is going to be your Kik Messenger, WhatsApp, Snapchat, Facebook Messenger, Instagram Messenger, and so forth. Any kind of messaging that happens through an application and not MMS or SMS.
Now, everywhere you see a red X on these slides, those were deleted messages that have been recovered. Also, if you look under the parties field, you'll see those names are in red. This person had deleted their contact list. Now, if you've ever had a long list of phone numbers and you have to associate who those belong to, trying to figure out who's who at the zoo can be very frustrating. Well, forensic software recovered that contact list and rebuilt it back to the numbers that person had associated those names with, saving us a lot of trouble as far as identifying those people or at least getting a lead on who they are. Now also, I want you to look at the bottom of this slide. You'll see I have a message at the very bottom. The text reads, guess so, it'll be here soon. No worries. It's in the inbox. It's listed as unread.
Recall back to we talked about thumbing through the phone as a first responder. If someone had this phone and thumbed through it at the scene and they clicked on that message, it would go from unread to read. You're now attributing knowledge of the contents of that message to the custodian of that phone when they never saw it. You can see how data can be changed permanently and possibly implicate something they didn't actually do. Now look to your right, something very important to understand here. If we look under our messages, at the very bottom, you see there's about 13,000 SMS messages. SMS messages, depending on the cellular carrier, will show up as having been sent or received in a call detail report. You won't get the content, but you'll get that there was a transaction that occurred.
If you go up, there's 28,000 iMessage communications on this phone. Those are transmitted via data. They will not create a record in a call detail report. You will have no evidence as those are sent or received unless you get the phone or you get a backup of the phone or you pull the data from the cloud or something like that, but you need a source from the phone's data itself to get that. You will not get that in a call detail report. If you only got a call detail report to see there were transactions of text messages, you're only getting SMS and MMS. You're getting nothing that's app based. You'll get nothing from anything that's app based, whether it's Facebook, Instagram, iMessage. You name it. You're not getting any of that information.
Another helpful source of data is installed applications. Applications on phones tell us what you potentially were doing with it. If we see here, we see a free text plus calls app. That would give us an indication that on this particular phone they had an app-based messaging application. Once again, there'd be communications in that that would not be recorded in a call detail report, so that's helpful to know. That also means we can probably go find their account information associated with that for additional subpoenas if needed, with the data from the phone itself.
Now, another reason this is helpful is simply trying to correlate outside devices and so forth and other accounts a person may have. One quick case example. We had a gentleman who was accused of placing a GoPro camera in a lady's dressing room. As a part of our analysis of this case, we read his transcript and he claimed that this was not his camera. He did not put it in there. He had no idea about it. We did examine his cell phone and there was no application related to the GoPro on there. However, when examining it, we found artifacts and ultimately the data really related to GoPro to see that it was installed on that phone at one point. Not only that, we found information that directly connected it to the camera that was in the dressing room, showing it and attributing that information to that user of the phone.
Recovering media is also valuable, obviously pictures and videos. We live in a world now where there's more video than there ever has been before. Everyone has a camera in their pocket. They have a video camera in their pocket. You name it. A few things to note. Voicemails, for example, are stored locally on most phones now, so you don't have to go and call in to try to get those. We can simply pull those from a phone, including deleted voicemails, but what I really want to focus on here are these pictures that you see on this slide.
Now, that first picture, we look at the metadata. First let's answer what is metadata? Metadata is data about data, like metacognition is thinking about thinking. Metadata is data inside of a file that gives you particular information about it that you need a special tool to see. Well, we can look at that first picture. We see the camera make is LG Electronics. The model is VM670. We have the capture time. The capture time is 11/5/2012, and then we have the latitude and longitude coordinates. It geolocated that picture. Almost all devices now will attempt to put geolocation coordinates in pictures and videos so that they can plot them on maps and things like that for Instagram and so forth.
Now, look at that second picture. We have a Samsung SPH-M820. We have a pixel resolution listed as well, and then the resolution. If the phone that we're examining is an LG Electronics VM670, I know that that first picture was taken on this phone. That second picture, from an SPH-M820, if that person claimed that that picture was taken with this phone, we could say, no. This came from a phone that's not yours. This is probably from the internet or you received it from someone else, but you didn't take that picture. This is very valuable information when somebody claims that they were hurt or there were damages or whatever else; that they may have just pulled that picture from the internet.
Another thing that's really important to note, if you look at the created date on a file, like a picture, that is not the date that the picture was taken. The created date relates to when that file came to exist on the device that it's on. Okay. With some exceptions. Now, the actual time the picture was taken is in the metadata. That's going to be the capture time. That's that first one you see there. The capture time is when the picture was actually taken, not the created date. You also will see the discrepancies in that first photo in those times. The time that picture was taken was on 11/5/2012, but it did not create itself into that file system to come to exist in a certain way until 11/7/2012. If you're trying to correlate that time using the created time, you'd be two days off.
Yes, we are often asked if we can tell if somebody's been turning a phone on and off in custody or any other way. Absolutely. We can see powering events on many phones. We can see when you turn it on, when you turn it off and so forth. Sometimes it's also important to know if somebody had hands-free technology as a part of using their phone. If this is a distracted driving case, for example, it's important to know if someone was using a Bluetooth headset or if they were talking on the phone via speaker phone or any other type of function like that. That can be valuable information for counsel to know or for someone like a human factors expert to determine the level of distraction or whatever else the driver may have had, but yes, we can see not only if it's connected to a Bluetooth device, but we can see when it was connected to that Bluetooth device and when it was disconnected from that Bluetooth device and more on many phones.
Further speaking to distraction, one claim is often that if you're holding the phone in your hand, if you're holding it up with speaker phone or so forth, that is more distracting than if you have it connected to the car. On the phone itself, we are able to see on many phones if you've connected that phone and when you connected it to a CarPlay type system. This particular screenshot you see at the bottom, we can see that this phone was connected on 7/30/2020 at 2:53 PM to the car. We see that it was connected via USB in this case. We can also see if it's connected via Bluetooth. If someone says that they were using CarPlay, we can prove that. We can also see if there's evidence they did not do that as well and they were using the phone in another method to communicate.
Now, if you look in here, we also see application events. These application events can be very, very helpful. If you look right there on that highlighted one at 7/30/2020, you'll see, if we looked on that long string of letters and numbers, you see backlight dot transition, reason dot lift to wake. What does that mean? That means this person had picked up their phone. When you pick up an iPhone, it turns a screen on. It automatically turns that screen on. Here is evidence that someone had the phone, they picked it up, they held it up to their face. If they unlocked it or not doesn't matter, but it transitioned, the phone did, to wake itself up. Once again, attributing an action to a user.
We have even more device interactions. Now, phones today are recording so much about what you're actually doing with these, and this is from Cellebrite forensic software. We can see when you have that phone, when you unlock it, when you change it from vertical to horizontal landscape, we can see when you route it to your AirPods, then back to your phone, then to your other headset, maybe the different one for the gym. We can see all of that activity. We can see when you power the phone on, when you power it off. A huge amount of information and it's very granular down to the second activity. The amount of activity that is recorded based upon a user's usage of the phone is not just what you're creating, like messages and email. It's also what you're physically doing with the phone and the devices associated with the phone, like AirPods or wireless speakers and so forth.
Finally, to make a point, there is nothing better than electronic evidence for creating timelines. Electronic devices have to create everything via time to organize the data, so they create comprehensive, extensive timelines. We can actually show all the activity on a phone in order of time and not just by artifact types. If you see here, we see we have some recovered, deleted stuff on this one, but we have SMS messages then an instant message, the web history, then back to instant messages. We can see the activity a person's doing right through time in a way that's easy to understand.
The value of time and timelines and the information that can be extracted from phones is illustrated very well in this case example. If you go toward the bottom of this, you'll see three pictures that were taken at 12 and 20 seconds, 12 and 23 seconds and 12 and 24 seconds, respectively. Okay. This is a gentleman riding in his car and he's got his phone out and he's trying to take pictures of a pill bottle in his passenger seat to upload the picture to his pharmacy application to get his prescription refilled. The first picture is blurry. The second picture is blurry. The third picture is perfect. However, at the time of taking that third picture, he goes under the back of an 18 wheeler and is decapitated. Having that information was very valuable for the defense in making an argument that the plaintiff was the one who was distracted in this case.
All right. Now let's talk about some ways of challenging the evidence. In particular, as I mentioned earlier, we're going to start with and spend some time on challenging manual examinations that are not performed correctly. This is important because manual examinations are rarely performed correctly in the first place. Remember we have to isolate the phone from networks, we need video verification and we need complete documentation. Now, there's some text from my affidavits and so forth here you can review later. This is work I've done in actual cases. I've had cases dismissed over these issues and so forth, but here's the thing. If you're taking pictures or screenshots of a phone, that constitutes a manual examination. That's what I'm saying as a part of this affidavit, and that you need special skills and training to do that, or at the very minimum, you need to do it as I explained earlier with a video camera recording it, even if you don't have super professional equipment. If you're just trying to document a single message or a single email, it's good to do that to protect yourself as well.
Now, first we have to isolate it from the cellular network. That's the argument we make. There's the language right there from the affidavit explaining it. Then you go to court. How do you want to make this? How do you want to prove it? How do you want to make your argument? My suggestion is to use exhibits. Here is an exhibit from NIST. That's the National Institute of Standards and Technology, written by Wayne Jansen and Rick Ayers. Now understand that if NIST does not approve a standard or a tool, many times government agencies cannot use it until they do. Here they are saying you have to isolate this information from a cellular network to ensure that the phone is safe. Once again, this is from Digital Evidence in Computer Crime, third edition by Eoghan Casey and Benjamin Turnbull. They say the same thing. You must isolate the phone. Finally, this is from my first book, Digital Forensics For Legal Professionals, where we say the exact same thing.
Before we begin talking about video verification, let's clarify something. If you only have screenshots or pictures of messages, how can you tell if it was isolated from a cellular network? Well, if you look at those pictures and you see wifi bars and you see cellular bars, it's not isolated from a cellular network. Simple as that. All right. Onto video verification. As we talked about earlier when we made the case, you need that to show that there was nothing changed, deleted, or modified on that phone. You've got to have the video to do that because we don't have forensic tools to give our verification. All we have is that video. There's your affidavit highlights.
All right. Once again, here are exhibits we can introduce. This first one is from NIST once again, the National Institute of Standards and Technology, very important, by Wayne Jansen and Rick Ayers, making the case that you need video verification. Next, we have Eoghan Casey and Benjamin Turnbull and their book, Digital Evidence in Computer Crime, saying that this needs to be videotaped. Finally, from our first book, Digital Forensics For Legal Professionals, we make the case as well that you need that video verification.
Shaun Salmon: Let's say I have a case where the opposing side wants to introduce pictures or screenshots of text messages into evidence. In this scenario, they did not follow the best practices you've laid out for a manual examination. From a forensic perspective, how would you challenge this?
Lars Daniel: Yeah. Challenging that is not difficult. Challenging this is simply showing how easy it is to fake messages. A screenshot cannot be verified. You cannot verify a picture of messages alone without a video or otherwise. You need the original data to do that, and that's going to be contained on the phone or in a cellular service provider. When I want to challenge this one, I use the examples we've already shown to show how they may have not followed the best practices for the examination of a cell phone using a manual process, but then we also can simply show how easy it is to fake messages. Trust me, it is easy. It does not require special tools or skills, and it requires a very low level of technical sophistication to do so.
Let's look at some spoofs and some fakes and how it's actually done. First, we'll begin with web based applications to do this. If you look at this right here, this is a Facebook post and Facebook conversation that I have made, because this doesn't just apply to messages. It applies to social media and the rest as well. All of this is fake. It's completely fake using a website to create all of this. You can find something like this right online with a simple search. I'm having a communication with myself there. I also have a fake post and fake comments and all of it looks absolutely real. We can go onto the next slide, and the same thing with Instagram. The account is fake, the blue check is fake, location, photo, the contents, comments. All of this is fake. You see the comments there beneath the post. You see where I was at. You can see you can follow me. You can like it. You can see the conversation. All is fake.
Once again with Twitter, all of this is fake as well. Nothing on this page is real, despite the fact that it looks absolutely real. It looks just like a screenshot you would receive in evidence that someone was trying to send this to you and document it and claim that it was authentic. We also have things like WhatsApp. We're now talking about communication based applications. This is all fake right here. Snapchat, this is a fake Snapchat too. You can even do that. Here is fake iMessage communications. This whole conversation is completely fake. You can change anything you want to on this. I can change the service provider, the service bars, my name, the content contained in it, the badges. You name it. All of this can be changed. It looks absolutely the same as a screenshot you would take of messages on your phone, and you can even create these fakes by using the phone alone without any outside websites or applications.
First, you can simply change the name of the person. You've had a conversation with Larry. Larry's your friend, and you don't want to implicate them in something bad, so you change the name to David and David's the creepy person down the street or whatever, whoever you want it to be. You've got a grudge against that person. You change the name, you take your screenshots, you submit those screenshots as evidence. What have you done? You've implicated someone else other than the person who actually did it with your phone, your iPhone, you can still do this. You can set the time yourself, so you can turn off it automatically setting the time and you can set the date to anything you want.
In our example here, I'm going to set it to January 2019 and send some messages, even though it's 2021. We look here. We can back date it, and now I can create one contact under my name using my email address. I'm going to create another contact called fake contact using my mobile number. I'm now going to have an iMessage communication with myself, because iMessage can use email or it can use a phone number. I'm talking to myself with just the phone that I have in my hand. You'll see fake contact over there on that third picture. Hey there, self. How are you? I'm great. Hope you are also. I always enjoy talking to you. We have so much in common. Sometimes I think we are the same person. All of that is completely fake, and that name of fake contact obviously I can change to anything I want and then take the screenshots and submit those as evidence. Looks absolutely real.
Shaun Salmon: It seems surprisingly easy to make fake evidence on cell phones. To my understanding a spoofed call is one where you disguise your number so the other party can't see it. How is spoofing different from these faked messages and social media content?
Lars Daniel: Yeah. Spoofing is different than faking those messages, and actually I have a case example that will illustrate this perfectly, so we'll hop straight to that. In this particular case, there was a client who was accused by his ex-girlfriend of threatening her. The client was arrested and has been sitting in jail for six months by the time we got this case. We'll see from the police report, as we move forward, what happened, how is the crime committed? The victim has a 50B order on the defendant. States he cannot contact her via text or phone. He sent a text to the victim stating that he was going to her place of work with a gun and cause death or bodily injury. Okay. Further facts that point to this, he's violated the 50B order twice in the past, stated on text he's aware of the police, he's going to go after her, he threatened her life. He stated, you are so dumb. I don't care about a restraining order, ma'am. I don't give a care in the world about the law. I'll do whatever I want. Normal stuff like that. The law didn't take my guns. Okay.
All right. Now, what is the evidence that she provided that this occurred? She provided the following to law enforcement. First, we have pictures of text messages. Okay. Here's her first one. We don't see much on here. We have the conversations. This is allegedly before 4/16/15. Now note we do not have a year on this. We have a day and a time, so we have all that conversation taking back and forth, the alleged threatening messages and so forth. The next one, we have more photos of text messages on the girlfriend's phone. This is pretty inflammatory. You're so dumb. I don't care about a restraining order. I don't care about the law. I got a lawyer in my family if you press charges, so on and so forth. Normal things that couples say to each other.
If you notice in the top right, we have a date on this one, but that date is handwritten in as 4/22/15. Once again, this is not sufficient to authenticate anything. Now, she alleges that he begins using a new phone to harass her. Okay. What was helpful for us in this is that we have a phone number at the top. You'll notice this is the only screenshot with a phone number anywhere. We have that phone number and now we have something we can work with to figure out if these are real or not. First we have to find out who that phone number belongs to. There's a website you can go to, fonefinder.net, F-O-N-E F-I-N-D-E-R dot net. That website will tell you, when you look up a phone number, who it belongs to, and when I say who it belongs to, I mean the provider that it belongs to; who owns the number. That would be like Verizon or AT&T, or a service, as in this case, where it went back to Go Text Me.
Now, once we determined that, we're able to see who owns the number, we can send a subpoena to find out the subscriber information, which is what we've done here. If you see, we have the signup date, you have the email account that was used, and it's [email protected] If you were in the room with me right now, I'd have everyone raise their hand who has a Tahoo email account, and no one would because it's a fake email account. We also have an idea of that further because as you see, it says not verified as specified by user. When you create a new account and it sends you an email, you have to click on a link to verify you're a real human and not a bot. That's what that would be. Phone number, same thing. You receive a text message you have to click on to finish completing your account. Did not happen.
Now, two really important things here. One is that we have the IP address when this account was created. That IP address and the way the phones work, it's a little bit different than with computers, but in this instance, so we understand, this will go back to an actual account and an actual phone that that's associated with. Then we have the device ID. The device ID uniquely identifies a piece of hardware, like the phone you have in your hand. That is specified and tied to the actual phone itself.
Now we look at that IP address. First thing we see when we look that up as well is that it belongs to Verizon. His phone is on Sprint. For him to create these fake messages, he'd have to get a whole new account with a whole new provider. Next, what we need to do is we need to subpoena Verizon for the subscriber information to see who had this IP address at the date and time when the account was created. When we do that, what we find is that she had the IP address at that date and time. Further, the device ID for the physical phone matches the phone that was in her possession, so we have conclusive proof that these messages were in fact fake; that she created the account. The boyfriend who had been in jail for six months was released and charges were dropped at the completion of this examination.
Fake pictures are real. Pictures and screenshots of text messages are not enough, and many services are available on the internet, and using just the phone itself, to create fake numbers, fake text messages, fake social media content and the rest. If you have evidence that's provided as a printout or a screenshot or a picture that in its original form is digital evidence, you have a reason, if you choose to, to challenge that evidence.
All right. Let's talk about other ways to challenge the evidence, and let's illustrate this with a case example here. In this particular case, this is a criminal case. We were appointed by the attorney representing the defendant. In this case, what it was is there's a gang. This gang would go or they'd find people who were pumping gas. If they were elderly or infirm, they'd hit you on the head with a blackjack, hop in the car, steal it, drive it down to the docks, get it loaded onto a container ship. It'd be shipped to China and they'd sell that car. If you had a really nice car and you were older or infirm, you were a potential target for this group.
Now, as a part of this case, and the defendant readily admitted it, they hit people on the head with blackjacks and they steal cars. No problem. All about it. Love doing it. My favorite thing to do is to steal cars and hit people in the head. However, in this case, law enforcement was claiming that the defendant had a firearm at the time of the commission of the felony, so that raises the stakes as far as the charges are concerned. Now, here is the picture that they had. They did not have a firearm. They only found a picture from the actual phone itself that was from around the time of the incident, so they're saying that this was something he had in his possession. They're postulating that, and that he just dumped it or whatever else.
Well, if we look at this picture under the metadata once again, we see this was taken with an Apple iPhone 4S. The model of the phone that took this picture is an Apple iPhone 4S. Remember that. From my report, I examined two phones that belonged to this defendant. Both were iPhone 4 devices. Right there we have a discrepancy. Second, remember how we talked about the advanced analysis; you have to rebuild information by hand sometimes. This is what you have right here as well. These messages were not recovered by law enforcement. I did recover them as a part of my analysis. You have a conversation here between the defendant and a gentleman named Walta. They're talking back and forth, and then Walta sends pictures of this firearm to the defendant. Walta is in Africa. He's in a completely different country. The defendant did not have this firearm at the time the felony was committed. Also, for your education, I am including here the section from my report where I explained these details so you could see what it would look like in report language.
All right. Let's look at another case example showing why the details really matter when it comes to digital forensics. This is a sex crimes case. In this case, I made a purely technological argument. As background to how this case came about, you have a firefighter about 22, 23 years old. He's talking to an underage girl who's about 17 in a chat application on the phone. They're chatting back and forth. Mom finds her phone, gets concerned, gives it to law enforcement, law enforcement impersonates the girl and tries to get a meet up. They do actually meet up at one point. Luckily for the defendant and for the attorney representing the defendant, he shows up with movie tickets and flowers at a movie theater and not a box of chocolate and condoms, which is excellent. Further on, as a part of that, they're unable to make any kind of case for solicitation. What they then do is charge him with receipt and possession of child pornography.
With those new charges, we're going to talk about the actual technological argument now. The defendant didn't recall possessing the photos that she had sent to him anymore. Now, when you're talking about information that you receive on your phone or your computer, you have no way to stop it from getting to you. If I sent you an email right now, unless you've previously blocked me, you're not going to stop it. If I send you a picture right now, you can't stop it. It's going to get to you. I have explanations from my report and sections from that explaining it here on this slide, but as we move forward, we'll see it in screenshots as well.
Here's how you would explain this to the trier of fact. First, you have a phone. You have notifications turned on or off. What you see is either this, a preview that you received a message, or a small picture of the message itself. Either way, this is on your phone. It exists on your phone. My question is, do you have command and control of those photos? Have you done anything with them in any fashion to try to preserve them or otherwise show your intentions with that evidence? What you would have to do in order to actively preserve those photos would be to unlock the phone, then select the share or modify button, select the picture, and save it to your images.
If you save it to an album or you save it to a folder, that shows command and control over that file, but in this case, all of the messages lived within the message stream. That would be in your Library/SMS/Parts folder, followed by a big long series of numbers like that, as you see on the screen. That's the automated place those messages go. They go there automatically. That is nothing that a user does to organize or otherwise exercise control over those messages. They live there automatically. If I sent you a picture, even a legal picture, it would live in your message stream right now. It would be right there and you would be in possession of it in the technical sense of the word.
As we see from the law enforcement report, it correlates exactly to what I have said. Both of the images in question that the girl sent to him were in Library/SMS/Parts. No evidence in that particular thread that he exercised any command or control over those images, saved them, or otherwise attempted to preserve them. This defendant was looking at 25 years. They offered him non-sexual endangerment of a child, no registry, and he didn't lose his job. He did accept that offer and he's still at work.
Shaun Salmon: What happens if I don't have the cell phone? Let's say it's gone missing. Is there any other way to get the data from a cell phone, even if you no longer have access to the device itself?
Lars Daniel: Yes. There are other ways to get to that data. Remember first of all that device manufacturers want you in their ecosystem. That's why data syncs everywhere. That's why Google will sync all of its information across your devices. That's why your Apple devices, your phone, tablets, and laptops that are all made by the same company, want to sync the information around to everything else, so that you'll stay within their ecosystem and use their products exclusively, hopefully, but it is also syncing that information from one device to another. If the phone goes missing, the dog ate it, the aliens took it, all those messages and information and emails that you care about could still exist because they were synced onto a tablet or a computer, even though they were originally created on the phone.
Second, backups can be just as good as having a phone as well. Okay. Especially if an incident occurred a while ago. Let's say something happened a year ago, but you just now have the opportunity to image the phone. Okay. Do I want the image today, or do I want to check the computer to see if there's a backup of the phone closer to the time of the incident in question? That might be better: something closer to the actual event itself from a timeline perspective. That's another option to consider there too.
Finally, I'll give you a case example to really drive this home, and that is this. I had a bank employee who had sent out an email to the CEOs, very important people, of many very large organizations that you've heard of. This came from a Gmail account in his name. We'll call him John Doe, so [email protected]. In this email were pictures of his genitalia, so highly problematic. He says I was hacked. I was otherwise compromised. It wasn't me. We do an examination of his devices at the request of the bank itself.
We are examining his devices and what we find is that, one, the computer never makes it to us. One of the phones has been wiped, and another computer that he had had been partially wiped because anti-forensic tools were run against it. While that computer that was partially wiped still had data on it, this person had deleted the iTunes application, thinking that it got rid of your iTunes backups of phones. Okay. Well, in our examination, we found the iTunes backups. Just because you delete iTunes doesn't mean it deletes the backups of your phone, and they're actually quite hard to find. They're buried very deep in the file system. We locate those and I rebuild them.
What we see is we could see all the pictures he took, vertical and horizontal and thumbnail view and everything else that the phone has created and saved. I recovered the emails as well and was able to determine that what actually occurred is that he sent these photos to his contact list for work, of very important people, instead of sending them to his mistress, who he intended to send them to. Finally, all your iPod touches, your iPods, players and tablets, they're all just phones that don't have cellular service, so they absolutely can create and contain all the same types of data as phones, for the most part, using a wireless connection. Yes, we can examine those just like we can a phone.
Shaun Salmon: Thank you so much for joining me today, Lars. This was fascinating, and in all seriousness, I think I have more questions for you. I just want to tell everyone to go back and re-review your extremely comprehensive materials and reach out to you through the contact button if they have any questions or are looking for a forensic expert. Thanks so much and talk to you soon.