John J. Carney, February 24, 2020
Exemplary evidence is best evidence. Black’s Law Dictionary defines best evidence as “Evidence of the highest quality available, as measured by the nature of the case rather than the thing being offered as evidence. The term is usually applied to writings and recordings.” Today’s best evidence is often mobile evidence. On a smartphone, writings are often text messages, email, and notes. Recordings are often videos, voice messages, and other audio clips.
Mobile evidence is often recovered and admitted in criminal justice, family law, personal injury, employment law, probate litigation, and civil rights cases. It is also prominent in complex civil litigation like theft of intellectual property, wrongful death, dram shop liability, and various types of fraud cases. Mobile evidence is frequently admitted in Internet and cybersecurity cases for theft of computer data, unlawful computer access, and defamation torts.
Mobile device forensic examiners spend perhaps 50% of their time in a quest for deleted text messages. Text messages are unique, fact-specific evidence that answers the what and when questions in cases that require it. Orders for Protection and Harassment Restraining Orders are good examples of matters in which production of relevant text messages from mobile devices is an exact match for the need.
Lawyers often request important photograph and video evidence. They frequently seek device locations, GPS data with date and time stamps, for admission in criminal cases to establish alibis. They seek them in civil matters for motor vehicle accidents, especially distracted driving cases, to develop fact patterns.
Gary Kessler, a noted professor of digital forensics, says, “Phones contain more probative evidence per byte of data than computer hard drives do.” Digital forensic examiners also find mobile evidence more probative than traditional electronically stored information forms like Microsoft Office documents, PDF documents, and corporate email systems like Outlook. Many lawyers now conclude mobile evidence is often best evidence with a greater likelihood of becoming the material evidence upon which their civil and criminal cases will turn.
As a footnote, mobile evidence is often superior to cell tower evidence derived from telco switches, cell towers, and antennas mounted on those towers. Most mobile evidence stored on smartphones is not available from cell towers. Mobile messaging apps and phone books of contacts are not recoverable from the business records of cell phone service providers like Verizon, AT&T, Sprint, and T-Mobile. Also, the accuracy and geographical precision of cell tower evidence are substantially inferior to those of the GPS evidence recovered from mobile devices.
Mobile evidence is digital evidence recovered from smartphones and tablets. Think of Apple’s iPhones and iPads, and of Android smartphones and tablets from manufacturers like Samsung, Motorola, and LG. The phone book of contacts is basic mobile evidence. A decade ago feature phones, sometimes called flip phones, contained a trivial amount of contact evidence. Those contacts contained a person’s name, a cell phone number, and usually nothing else. Today’s smartphones are a cornucopia of rich information about the phone user’s contacts. A contact entry can be complex, containing not only a person’s name but also aliases, credentials, many phone numbers, email addresses, website addresses, social media accounts, street addresses, employment information, and so on. The phone book of contacts becomes a directory of actors and players for use by the lawyer and his or her mobile device forensic examiner during the pendency of the case.
Text messages are the most popular form of mobile evidence recovered and admitted in civil and criminal cases today. They consist of Short Message Service (SMS) messages and Multimedia Messaging Service (MMS) messages found on iPhones and Android smartphones. They also consist of proprietary iMessages on Apple’s iPhones and iPads. Rounding out the mix are many scores of alternative or specialty mobile messaging apps in use today. WhatsApp is the most popular and has broad international market share. But Facebook Messenger, WeChat, Snapchat, Telegram, and also Text Now, Text Free, Text Plus, and Text Me are a few of the many mobile messaging apps to choose from in Apple’s App Store and Google’s Play Store.
Call log evidence is a record of phone call metadata, not a voice audio recording of the call. It contains phone numbers to and from the smartphone often with a user’s name matching the phone number taken from the phone book of contacts. It also contains a date and time stamp and duration of the phone call in minutes and seconds.
When a phone user checks his or her voice messages those messages are downloaded to the smartphone from the cell phone service provider. They are stored in the smartphone’s file system as live evidence, and when deleted by the phone user, they are often still recoverable. Sometimes the smartphone transcribes voice message recordings accurately and produces a textual record. When cases go to trial, we find recovered, admitted voice message audio is often persuasive in the courtroom, especially if deleted.
Important metadata provides foundation for text messages. For instance, the message’s deleted status indicates whether it was deleted. The message’s read status indicates whether the message was opened and read by the phone user. Some messages, like iMessages, have read receipt metadata, which records when the correspondent read the iMessage. Each text message identifies phone numbers to and from the smartphone, often with a user’s name matching the phone number taken from the phone book of contacts. And date and time stamps show when the message was sent and received.
Device locations are important metadata taken from GPS evidence sourced from navigation satellites and stored in the smartphone. Examiners find them in photographs, videos, navigation apps, also Wi-Fi networks, and other mobile apps like Facebook and Foursquare. One of our best mobile device forensic tools enriches device location metadata by inspecting Wi-Fi networks and cell tower sites stored in the smartphone and returning device locations for them.
Recovery of mobile evidence from a smartphone starts by the lawyer requesting it during discovery. Normally that begins with a request for production, but sometimes a motion to compel is necessary. The device produced for examination is the handset, which we think of as the smartphone itself. Enclosed in the handset is a SIM card. A SIM card is a Subscriber Identity Module which stores network credentials, last tower identity, and the user’s phone number. Android smartphones also feature a microSD card, a memory card enclosed within the handset. It stores photograph, video, audio, and sometimes document evidence.
After the lawyer arranges for the examiner to take possession of the mobile device, the examiner extracts the phone’s memory or file system. He or she uses a specialized tool like Cellebrite’s Universal Forensic Extraction Device to perform this initial task. The examiner then processes the extracted memory or file system with one or more mobile device forensic tools. The tools generate mobile evidence artifacts like contacts, text messages, call logs, voice messages, photographs, videos, etc. At this point in the examination the examiner will often generate an artifact summary document and send it to the lawyer to start a conversation about the goal of the examination. The artifact summary names the artifacts and the quantity of each on the smartphone. It highlights evidence available for analysis, including evidence unknown to the lawyer. Together the lawyer and the examiner educate each other and collaborate on development of the goals for the examination.
The examiner’s analysis is guided by the lawyer’s goal of the examination. It is usually designed to recover and describe evidence that supports the lawyer’s theory of the case. After analysis the examiner will use his or her mobile device forensic tools to generate reports responsive to the lawyer’s goal of the examination. For instance, one report might be a chronology of text messages with content and descriptive metadata. A second report might contain photographs from the particular date of an incident to be litigated.
Mobile device forensic reports reviewed by the lawyer or paralegal can be a PDF or Microsoft Word document. They can also be an Excel spreadsheet, or a compound report viewable in a web browser like Chrome, Firefox, Edge, or Safari. Alternatively, reports can be delivered in a no-charge reader application that lets the lawyer or paralegal not only review the evidence, but also search, filter, or bookmark it. The lawyer or paralegal can then generate his or her own custom reports for review by a client or for production to the court or opposing counsel.
Next month Exemplary Evidence will focus on best practices in mobile evidence recovery that combine advanced extraction techniques with creative approaches to analysis to produce material evidence cost effectively. One best practice is a major, transformational advance in mobile device forensics for iPhones. The industry has been waiting almost a decade for this development, which will offer substantially improved recovery of probative iPhone evidence.
John Carney is the founder and Chief Technology Officer of Carney Forensics. He has a Bachelor of Science degree from the Massachusetts Institute of Technology and a Juris Doctor from Mitchell Hamline School of Law. He is admitted to Minnesota state and federal courts.