Let's just say I have a phone that I need data from and it is currently off. After obtaining a Search Warrant the phone should be examined without it being fired up and being allowed to communicate with the network. After I get the information off the phone I was wondering if anyone has ever allowed the phone to communicate with the network to possibly receive additional SMS or MMS and then examined the phone again to retrieve the new data? I guess I would have to make sure I stopped any sort of "kill" code being sent to the phone and I would have to draw a nexus to the incoming content, but I was wondering if this is a common practice?
Thanks!
Ed
Ed -
The best advice I could offer considering your question is to check with your local prosecutor. Search warrant law varies from state to state and is even open to interpretation on the local level. Ultimately, the last word as to what you can do with a search warrant lies with the magistrate who is going to (hopefully) sign it for you. Your prosecutor will know best what is possible and what isn't (i.e. what local judges will approve).
M. W. "Bill" Picone
dba Southwest Digital Forensics
Riverside (CA) Sheriff's Office (ret.)
I would agree with the previous poster, for three reasons. First, depending upon how the warrant was written, turning the phone on for the purposes of receiving incoming communications could exceed the warrant's scope unless it were spelled out that this was what you intended to do.
Second, related to the first, is that intercepting live transmissions can be considered wiretapping in some jurisdictions. In Pennsylvania, for example, all parties to a communication must consent to the recording of that communication or it is illegal.
Finally, you don't want to risk a claim of evidence tampering which could cause the evidence to be thrown out. The fact is that you already took steps to preserve what was on the phone including not allowing it to receive a signal from the outside. Now you propose to undo that. Why?
Some defense attorney is sure to question you about that.
In my limited experience with LE cases, anything which is not specifically permitted is prohibited, insofar as the seizure of evidence is concerned. If you truly believe that this is important, get the judge to OK it first and CYA.
That'll make it hard for them to reverse you, later.
An observation, not a criticism. If I were a Judge I would be pretty annoyed that the person coming before me as a specialist/expert in examining mobile 'phone evidence hadn't bothered to identify in advance alternatives to switching on the handset - particularly as the objective of the Order is seeking leave to sniff out SMS and MMS text messages yet to be received on the handset.
I do like your style though of thinking outside the Faraday bag 'ketchup-with-everything syndrome' box. By inhibiting a mobile 'phone in an RF dampening container it might not be established whether the handset was faulty and/or might not register to the network due to the IMSI being blocked etc etc etc.
Perhaps you may wish to consider the notion of suggesting an alternative that the Judge might consider an Order to seek the network operator to capture a Gold File for any existing and incoming SMS/MMS messages etc and provide a copy.
Just a thought.
Thanks for all the replies. My main question in this is has anyone ever heard of this? "This" being, capturing the data and then allowing the handset to communicate with the network in an attempt to capture incoming SMS or MMS? I fully understand that local laws should be the rule and guide for this, but I was just wondering. As it was mentioned, someone will argue this was a live transmission. I in turn would try and argue that although it was "quick" it was also delayed.
In my area the only phone company that retains SMS messages is Verizon. I have not asked AT&T, Sprint or Nextel, but if they don't save SMS content, does that apply to those messages once they are delivered? If I have a handset off the network and send them a search warrant, I wonder if they can retrieve the messages that have not been delivered?
Anyone?
Ed
My main question in this is has anyone ever heard of this? "This" being, capturing the data and then allowing the handset to communicate with the network in an attempt to capture incoming SMS or MMS?
I think that most of us understood the question. In a roundabout way, what we were saying is that the process that you describe opens up a can of worms for which, I think, there are a number of interesting implications.
In general, there is a difference between a warrant designed to capture static evidence of a crime and a warrant which permits you to monitor an individual's activity for potential future evidence that a crime will be/has been committed.
A warrant which allows me to search your house and, presumably, the contents of your mailbox doesn't give me the authority to continue to search your house and mailbox until I find more evidence. Similarly, your authority to seize and search the contents of the cellphone does not, in and of itself, give you the authority to repeatedly search the cellphone simply because it is capable of receiving additional data.
In addition, there may be possible Fifth Amendment concerns. A suspect is allowed to refuse to speak or answer any questions following an arrest or pickup. A suspect is afforded the right not to incriminate his or her self following his/her apprehension.
Why would that right not extend to communications received by the suspect's cell phone after the point where they had been charged?
What you propose might be a perfectly reasonable course of action for an investigator, but the question is whether it is lawful.
For that, you need a lawyer, not a forensicator.
My main question in this is has anyone ever heard of this? "This" being, capturing the data and then allowing the handset to communicate with the network in an attempt to capture incoming SMS or MMS?
… the process that you describe opens up a can of worms for which, I think, there are a number of interesting implications.
The can of worms in Australia in relation to this is that you are actually intercepting telecommunications, which is a no-no without a surveillance device warrant pursuant to the Surveillance Devices Act. If the SMS / MMS is unread by the individual you may be intercepting the communication, prior to the intended user. I am not sure if this has been tested in an Australian court, but it hasn't been in the jurisdiction in which I work. I can make no comment on US law.
This is a UK perspective hcso1510, so seanmcl etc would be better qualified to understand the legal implications.
capturing the data and then allowing the handset to communicate with the network in an attempt to capture incoming SMS or MMS?
Yes I have heard of this.
You would need to demonstrate the purpose you require or occurs needs to/does so because of 'necessity'; that no other course of action could achieve the process or prevent the process you propose.
I wonder if they can retrieve the messages that have not been delivered?
Your question above has at least four parts to it:
1) national/local laws regarding data retention
2) the length of time the operator stores data
3) the cellular technology the operator is using
4) the network/device defined parameters for data to be received at the user's device
IMHO, same type of things the police used to do with pagers. Seize a pager and get all the data from it, and see all the new numbers that come in to build more cases off of. Almost mimics a fruit of the poison tree type situation.
If I have a handset off the network and send them a search warrant, I wonder if they can retrieve the messages that have not been delivered?
If we assume your warrant was of sufficient scope to search for said stored messages, you are making an assumption that the messages are in fact stored within the entity to which you delivered the warrant. If, for example, the message was originated on a secondary carrier and the target handset was in the powered off mode, the originating carrier SMSC would be the storing device, while the carrier to which the warrant was served simply carrying the notification that messages were waiting on power up.
Cheers,
Steve