Law and Order

JUN 2013

Issue link: http://lawandordermag.epubxp.com/i/139048

The Cellebrite UFED Forensics Lab

There is no better way to understand the power of mobile forensics technology than seeing it in action. The following case studies—including a homicide conviction believed to be one of the nation's first for texting while driving—highlight the work done by authorized investigators in the field of mobile data extraction and analysis using Cellebrite's Universal Forensic Extraction Device (UFED). All four cases underscore the value of mobile forensics technology, which allowed professionals to crack the cases without compromising stringent Constitutional requirements.

Cell Pictures Provide Critical Evidence

In Columbus, Ohio, Detective Zane Kirby, a forensic examiner for the Franklin County Internet Crimes Against Children Task Force, helped to convict a 23-year-old man accused of trying to solicit an inappropriate relationship with a 13-year-old girl. The case breaker was lewd photos of the perpetrator found on his phone and sent to the victim. Originally recovered from the victim's home computer, the images later turned up on the suspect's phone, together with deleted call logs and the girl's name listed in the suspect's contact list. The mobile data provided evidence strong enough to result in a guilty verdict for the defendant.

Mobile Forensics Exonerate Falsely Accused

For investigators, clearing the wrongly accused is just as important as convicting the guilty. When an incoming Norwich University freshman was accused of inappropriate communications with an underage female, Peter Stephenson, the university's chief information security officer, needed an accurate way to prove or disprove the allegations—specifically, whether the student was calling and texting the girl to solicit sex. During interviews, the accused student denied knowing the girl and stated that he was only connected to her through a shared Facebook Group.
In charge of the school's digital investigations, Stephenson needed a way to conduct an objective, scientific examination of the student's digital devices. The student voluntarily surrendered his phone for the investigation. Although the student's phone was an older device with a primitive operating system, Stephenson analyzed the phone and SIM card using Cellebrite's UFED. The UFED found none of the alleged victim's contact information in an otherwise full phonebook and no history of text messages between the student and the alleged victim; in addition, the SIM card contained no record of any calls made to the area code where the girl lived. "The logs would've shown up on the SIM card, even if her contact information had been deleted," Stephenson said. The girl's parents, who filed the initial complaint, backed down on their claim. "The claim could have ended this student's career before it even started," Stephenson added.

Unlocking a Broken iPhone

Getting the right mobile evidence from a mobile device can be challenging enough. What if the phone has been badly physically damaged? That was a question Victoria (British Columbia, Canada) Police Detective Bob Elder faced when an iPhone was destroyed by an arrestee in custody. Having smuggled the phone through a body search and into his holding cell with him, the suspect smashed the phone when he saw police coming to confiscate it. Elder, a mobile forensics expert, went to work trying to acquire the evidence. As it turned out, not only would the broken phone not power on, but a nearby repair shop said there was too much damage to put it back in working condition. For this phone, as for others not accessible through typical means, Elder turned to a newer data acquisition method: a "chip-off" RAW dump. Chip-off acquisition is a destructive process that involves unsoldering the phone's NAND memory chip from its board.
"You can't put the chip back, so this is a last resort," Elder warned, "only to be used when the phone is too damaged or otherwise can't be acquired in the usual ways, and when the phone's data is necessary for a high-profile case."

After manually locating the user data, Elder used Cellebrite's UFED Physical Analyzer to validate his findings, including the date and time stamps. "On high-profile cases, it's important to carve manually and then validate the findings using a secondary method," Elder explained. In this case, he was able to use the search functions—includ-
