Forensic Investigation of Celullar and Mobile Phones

“In general, the same forensic principles that apply to any computing device also apply to mobile devices in order to enable others to authenticate acquired digital evidence.” (Casey E. at. al. 2011) therefore a forensic investigator should follow the same forensic process as with any computing device. When an acquired digital evidence involves a recovered phone call, the investigation process usually include accessing data collected by the cellular network provider. A number of countries have erected laws to expedite the access of the law enforcement agencies to the client information, such as The Regulation of Investigatory Power Act of 2000 (RIPA) in UK, USA Patriot Act, The Surveillance Devices Bill 2004 in Australia and The Search and Surveillance Powers Bill 2008 in New Zealand. These laws require (telephone and internet) service providers to maintain a log of all communication such as calls, Email messages, SMS (text messages), MMS (multimedia messages), established Internet connection, etc.
With appropriate legal documents (as required), the investigator can obtain information such as customer name, billing name, geographic locations (based on the Base Station Transceiver), list of calls, etc. which could be helpful for the investigation process. More over, while it is generally believed that prepaid cellular phones are cheap enough and difficult to trace (Casey E. at. al. 2011), the device can still contain useful information. In addition, service provider could maintain information such as “credit card numbers used for purchases of additional time or an email address registered online for receipt of notifications” (Jansen W. and Ayers R. 2007).
Due to the diversity in the functionality and capabilities of the mobile devices (cellular phones, smart phones, etc) there is no one single investigation methodology of the cellar phone. In general, the process involves manual review of the information available through the menu such as address book, last call, text messages, etc. Specialized tools are used only when extraction of deleted information or access to “hidden” data (such as Apple iPhone cell towers and Wi-Fi hotspots database) is required (Laureate Online Education B.V. 2009). The potential evidences related to the mobile device include:

• handset identifier - International Mobile Equipment Identity (IMEI)
  
• Subscriber Identifier (SIM)
  
• call register
  
• address book
  
• calendar
  
• photographs
  
• videos
  
• voice mail
  
• passwords such as Internet Mail accounts, desktop (for synchronization), etc.
  
• installed applications
  
• attached peripheral devices and special modification
  
• accessed Wifi hotspots
  
• cell towers
  

Bibliography

• Apple 2011, “Apple Q&A on Location Data” [online]. Available from: http://www.apple.com/pr/library/2011/04/27Apple-Q-A-on-Location-Data.html (accessed: June 2, 2011)
  
• Ayers R., Jansen W., Cilleros N., Daniellou R. 2005, “Cell Phone Forensic Tools: An Overview and Analysis” [online]. National Institute of Standards and Technology. Available from: http://csrc.nist.gov/publications/nistir/nistir-7250.pdf (accessed: July 1, 2011)
  
• Casey E., Turnbull B. 2011, “Digital Evidence and Computer Crime 3^rd Edition” [online]. Elsevier Inc. Available from: http://www.elsevierdirect.com/companions/9780123742681/Chapter_20_Final.pdf (accessed: July 1, 2011)
  
• CBC News 2009, “Internet surveillance laws in Canada and around the world” [online]. Available from: http://www.cbc.ca/news/canada/story/2009/06/19/f-internet-cellphone-wiretap-surveillance-law.html (accessed: July 2, 2011)
  
• Jansen W., Ayers R. 2007, “Special Publication 800-101: Guidelines on Cell Phone Forensics” [online]. National Institute of Standards and Technology. Available from: http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf (accessed: July 1, 2011)
  
• Laureate Online Education B.V. 2009. “Seminar 5: Investigating UNIX, Macintosh, and Handheld Devices”.