Fighting Crime with Mobile Forensics
When the mother of an eight-year-old girl in Momence, Illinois, reported to the Kankakee County Sheriff’s office that 66-year-old Jerry Lee Hendricks had sexually assaulted her daughter and taken photos of the acts with his cell phone, the officers arrested him on suspicion of child molestation and began an investigation. They also immediately confiscated his phone.
The officers knew that Hendricks had been convicted of child pornography and molesting children in South Carolina, for which he had served time. But the question remained: Did he commit this crime and could they prove it?
“Young kids don’t always make the best witnesses in trials, and they didn’t have a lot of evidence,” explains Josh Fazio, a forensics investigator at private firm 4Discovery, who helped police with the investigation. It would be up to detectives to build a case.
The phone was sent to the Illinois State Police lab for analysis, but the process stalled. The phone “sat there for a few months,” Fazio says, because there are not enough law enforcement personnel trained in mobile forensics, causing a backlog of evidence at regional crime labs.
But even when they did get to the evidence, they were not successful in obtaining any information. Law enforcement finally concluded they were unable to extract evidence from the phone because the SIM card had been damaged—broken into pieces—before the phone had been confiscated, most likely in an attempt to thwart the investigation. Each time they tried to extract data from the device, it kept generating error messages, prompting them to insert the SIM card. That’s when state police called in Fazio, who had a higher level of expertise in extracting data forensically from mobile devices.
At first, Fazio tried to put the SIM card back together, which sometimes works, but it was too badly damaged. He then decided to try a technique he was familiar with to possibly extract photos from the phone. “We created what was called a manufactured SIM. It basically tricks the phone into thinking it has its original SIM card. We made that, we put it in the phone, and it booted up, and we were able to pull off the images that this guy had taken [of himself] sexually assaulting this little girl,” he says.
Fazio says in this particular case, the mobile digital evidence was critical to the child molester’s conviction. “Basically, without those images, that case was pretty much dead in the water,” he notes. “He got [sentenced to] natural life without the possibility of parole, so that guy won’t be out bothering kids ever again.”
Extracting digital evidence from mobile devices is becoming a key aspect of forensic investigations for law enforcement. “In my own practice, I’ve definitely seen an uptick in smart device forensics requirements versus just a year or so ago,” said Paul Henry, senior course instructor at the SANS Institute, who spoke on the topic in a mobile forensics webinar.
The proliferation of apps requires that forensic investigators stay current because each app will have its own peculiarities and secret places where data can reside. “Many third-party apps installed on mobile devices leave forensically relevant artifacts for inspection; you simply have to know what to look for and where to look for it,” noted Henry, saying that along with those opportunities come challenges. “Current mobile forensic software tools typically address the normal telephonic data: SMS messages, contact lists, call logs, and voicemail messages. Very often [investigators are] overlooking this in-depth analysis of the information that’s saved in the third-party applications that may reside on the device,” he says.
For example, many people use third-party applications to communicate over the Internet via programs like Snapchat and Skype. When using such programs, people often freely type out conversations about crimes they have committed, not realizing that investigators will be able to see those conversations by using forensic tools, such as Magnet Forensics’ Internet Evidence Finder or AccessData’s Mobile Phone Examiner (MPE) Plus.
In one homicide case, police had reason to believe that a suspect’s phone had incriminating text messages sent between him and another party, but when the suspect’s phone was confiscated and analyzed, the SMS data contained nothing of significance to the case, says Lee Reiber, director of mobile forensics at AccessData. On the theory that the messages resided in another application, his company assisted the police in getting third-party application information from the phone. “The automated tool failed to locate this information,” Reiber explains. “It was not until using our MPE Plus tool and its analysis tools for SQL databases that the application data was uncovered. We went into the level where the applications were stored; utilizing our tool, we were able to go in and pull out from these database files the chat, and it was actually occurring on Google Plus,” he says.
“[The suspect] was sending messages to another party detailing the crime and also where the homicide actually occurred. More in-depth forensic work was needed, without which this information would have remained hidden,” Reiber adds. There is a limit to what an automated tool can do. That’s where the training of the forensic experts really matters.
One technique often used is to expose the phone’s motherboard and solder wires to connect it to a machine whose software extracts more data. The process requires more than the everyday mobile forensics tool and is usually conducted in a lab.
In his former career, Reiber was a law enforcement officer in Boise, Idaho, where he also conducted mobile forensic investigations. He says there was one case where a suspect freely turned in his phone, thinking his deleted text messages could not be viewed. But the forensic lab was able to retrieve incriminating texts that put him at the scene of the home burglary he was suspected of carrying out. The texts included statements such as one where he said that the police were looking for him and another where he said where he hid the stolen goods. That led to recovery of the items, which, combined with his admissions in the other texts, was enough to convict him.
And it’s not just the suspects’ mobile devices that are being examined to confirm or disprove events under investigation. “We’re able to process victims’ phones now to help corroborate their statements and things that they’re telling us,” says Dave Anderson, a detective with the Washington County Sheriff’s office (WCSO) in Oregon, who works in mobile forensics. “So maybe we’re not able to get the damning evidence off the suspect’s phone, but just that corroboration through a victim’s phone can be just as valuable, and [that] wouldn’t be something we would have normally sent off to a computer lab in the past.”
WCSO has been at the forefront of digital forensics efforts in the law enforcement community, especially in the northwest United States. In 2005, it joined with the FBI and several local agencies to start the Northwest Regional Computer Forensics Laboratory (NWRCFL), where any law enforcement agency with jurisdiction in Oregon and southwest Washington State may submit digital evidence to be processed. The first FBI regional computer forensics lab was established in San Diego in 1999. “NWRCFL are the big guns when it comes to digital evidence,” says Anderson. “They receive an incredible amount of training and have state-of-the-art equipment to recover and carve data from digital devices.”
But the NWRCFL is having trouble keeping up with the demand for its services, and cases get backlogged. In 2001, a computer forensics examiner position was created at WCSO. Through that role, the sheriff’s office began training its own investigators to use tools available on the market to lessen the burden on the workers at NWRCFL. “Our office has several members of our child-abuse investigation team trained to recover evidence from their suspects’ computers. Several investigators were also identified to become trained in recovering data specifically from cell phones and tablet computers,” Anderson says.
Other agencies are doing likewise, says Anderson. Everyone sees that “every case has some kind of digital evidence connection,” he notes.
Overall, Anderson says WCSO has greatly benefited from the resources it’s invested in mobile forensics. “This training and supporting equipment has greatly increased the number of cases investigators can pursue in a timelier manner. It seems that we are getting more plea agreements with this kind of evidence on our side,” Anderson says. “That saves court time, money, and spares the victims from additional trauma.”