Spotlight May/June 2007 – Mobile Investigation

Every day, more and more cell phones are confiscated in correctional facilities. It’s a recurring problem that the industry continues to battle, but the number of devices recovered is increasing significantly. The situation is likely going to become more pervasive before it gets any better.


Corrections professionals are in a race against technology as cell phones become equipped with more sophisticated features and new mobile communication technologies present increasing opportunities for inmates to communicate with the outside community.


The good news is, cell phone detection technologies are emerging and systems are being tested throughout the United States.


However, finding the phone is only the first step. A wealth of useful information can be obtained from the devices for investigative purposes.


Contraband That Gives Back


Correctional officers can mine cell phones for information that could help eliminate criminal activity behind bars and in the public. In addition to records of whom the inmate spoke with, officials can track text messages and images.


In the prison environment, seized cell phones present a unique opportunity to obtain potentially valuable information and insight into what is happening within and outside of the facility.


A relatively new field of digital forensics, cell phone forensics is the practice of recovering data from mobile devices without altering the device or original data. Like computer forensics, examiners follow proper evidence-handling procedures and use software and hardware tools to extract the information for analysis.


Unlike personal computers, which generally use one of three operating systems, cell phone operating systems vary largely by manufacturer and technologies continue to change. This poses a challenge for investigators, as there is no one-size-fits-all tool for examining the majority of phones on the market. Therefore, cell phone forensic tools have varying levels of support and examiners looking to get the most data from the most phones have to either build a suite of forensics tools or outsource the work to a government or private laboratory.


While the idea of building a cell phone forensic laboratory may seem intimidating to some, today’s software and tools for extracting data from phones are easy to use, extremely secure, and generally very effective.


With proper training in the use of the tools and procedures for handling the devices, prison officials can unlock important information that they otherwise would have never known.


For corrections officials who are already confiscating a high volume of phones — and expecting to confiscate more as locator technology advances — outfitting facilities with a suite of investigative tools and training their personnel could be the most efficient and cost-effective option.


However, outsourcing seized phones for analysis could also be an appropriate option as the necessity of investigating devices varies and in many ways it is still largely a new concept for many in the correctional community.


There are a handful of state and private laboratories that are analyzing phones, but many are increasing their offerings and training staff to accommodate demand. But, even with the best tools, some phones are difficult to mine for information, no matter who is working with them.


Preserving the Evidence


To ensure the most data is retrieved from a phone and the device is handled properly, officials should educate themselves about how to best handle the devices that have been found.


As with any evidence, the procedure for collecting cell phones and preserving the information can be paramount to the success of the investigation. The National Institute of Standards and Technology recently published guidelines that serve as an excellent reference for examiners working with phones:


http://csrc.nist.gov/publications/drafts/Draft-SP800-101.pdf


If a phone is turned on when it is confiscated, try to leave it on and powered up, while protected from the network’s signal. This may be difficult without a battery charger, but if a device is turned off, investigators could be locked out of the phone if the phone requires the entry of a PIN code to access it. If the code cannot be obtained from the phone’s owner, typically only the network operator can unlock codes. A phone that is turned off should remain off until it is in a protected environment for analysis.


To protect the phone from the network’s signal, investigators must use a Faraday bag or another type of container that does not allow signals to penetrate. Since many networks can remotely disable a phone, it is possible for an inmate whose phone has been discovered to have someone else report the device as stolen and have it disabled.


GSM phones — major GSM carriers in the United States are Cingular and T-Mobile, among others — contain a Subscriber Identity Module card, which is a small removable chip that can contain relevant information about the phone’s user, outgoing call numbers, phonebooks and text messages. These chips are easily removed from devices, and it is not uncommon for criminals to use several SIM cards to make calls and elude investigators. When searching for phones in correctional facilities it is always good practice to search for additional SIM cards for analysis. Nextel phones do not operate on the GSM network, but they do contain SIM cards with potentially relevant data.


Pre-Paid Phones


While pre-paid phone services, such as Tracfone and Boost, are often difficult to trace back to an owner, and subsequently are used regularly by terrorists and criminals, data can be obtained from the phones.


Tracfone operates on either a CDMA network — major operators in the United States include Verizon, Sprint and U.S. Cellular — or a GSM network. This means that in many of the phones there are SIM cards that can be analyzed, along with other data saved on the phone. Boost phones operate on the Nextel network and always have SIM cards that can be analyzed.


Stay Tuned


Stopping cell phone use in prisons is a dynamic challenge for prison officials and the problem is not going to completely stop with the introduction of detection systems.


As phones become more prolific, so do the means of transmitting information over the air. Today, cellular communication (CDMA, GSM, iDEN) and WiFi are the popular long-range wireless communication standards. Tomorrow, there will be more signals passing through prisons and new technologies to enable communications, such as 3G and WiMax.


Crafty hackers and criminals are finding ways to extend existing short-range wireless communication systems to communicate covertly long-range. Only a proactive approach will help maintain safety and security at correctional facilities.