Courts Cast Wary Eye on Evidence Gleaned From Cell Phones

The afternoon of Sept. 18, 1993, someone set fire to a notorious Los Angeles drug house near the University of Southern California, killing an addict. Four years later, R&B singer Waymond Anderson was convicted of the murder, based on the shaky testimony of two eyewitnesses, and on a third, silent witness whose implacable digital testimony the defense didn’t dare challenge: Anderson’s cell phone…A police forensics expert told the jury that call logs proved Anderson was in the neighborhood at the time of the murder, and that he even made a phone call through a cell tower located just a quarter-mile from the blaze. Anderson’s lawyer didn’t attempt to question what was then bleeding-edge scientific evidence. “Nobody challenged the officer in the investigation,” says David Bernstein, Anderson’s new attorney. “Probably because cell phones were such a new technology.”

Now down 13 years on a life sentence, Anderson has his first shot at freedom. The two eyewitnesses have recanted. And using information about cell-phone tower locations with some sleuthing on MapQuest, Bernstein recently showed an appeals court that Anderson’s cell phone was in a car driving away from the site of the crime at the time the arsonist was splashing gasoline around the converted garage. The closest transmitter the phone passed was a mile away from the crime, not a quarter-mile as the police claimed; and by the time the fire was hurling black smoke into the south Los Angeles sky, Anderson’s phone was linking with a different transmitter six miles away, in Chinatown.

Based on this new information, a three-judge panel of the California 2nd District Court of Appeal ordered the case reopened last month, and gave the Los Angeles court that convicted Anderson until August to hold hearings on the new evidence, or release Anderson.

The Anderson appeal may be the first chink in the formerly invincible armor of cell-phone forensics at trial. Over the past decade, law enforcement at all levels has been turning to mobile gear for crucial evidence in criminal and civil investigations. “One of the first things that’s looked at is a cell phone now,” explained National Institute of Standards and Technology researcher Wayne Jansen. But with unclear forensic standards for gathering such evidence, and investigators often resorting to ad hoc tools and procedures, cell data seems likely to face new hurdles in the courtroom.

It’s easy to see the appeal of cell-phone evidence. The memory cards in the phones are packed with useful information: everything from contact lists and SMS messages – including deleted text – to call logs, and data about locations where the phone has been, all of which can be readily accessed with the right software and a court order. And with the advent of camera phones capable of snapping photos and saving short video snippets, the cell phone is morphing into a one-stop multimedia evidence kit.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

“People seem to take joy in recording their crimes to their mobiles,” said Lester Wilson, managing director of Crownhill, a company that makes a forensic tool for snarfing evidence off SIM cards in cell phones. “Anything you can think of – street robbery, kidnapping, sex crimes – they’re taking pictures,” said Wilson, whose work for the London police has required him to extract data from SIM cards “covered in blood, or bitten.”

In 2005, two high-profile murder cases were solved with cell evidence. Piper Roundtree was convicted of killing her ex-husband after examination of her phone placed her in his vicinity at the time of the murder; and Daryl Littlejohn, a New York City bouncer, was convicted of murdering student Imette St. Guillen after his cell showed that he’d made a call on the night of the murder near the spot where police later located the body. And it’s not always the perp whose phone holds the evidence, said Wilson. “Say you find a dead body in a river. Using forensic techniques on their mobile, you can locate where they were thrown in the water, because that’s probably the moment the phone stopped working.”

According to the GfK Group, an international market-research organization, 1 billion cell phones were sold worldwide in 2006 – up from 812 million in 2005. Shadowing that growth is a niche industry specializing in selling mobile-forensics tools to police and others. Amber Schroader, CEO and chief architect at Utah-based Paragen said her company’s most popular product is such a tool, called Device Seizure. “We sell hundreds of units per month, mostly to law enforcement,” she said. Using Device Seizure, or dozens of other software packages like it, law enforcement officers can instantly drag and drop data from phones into tamper-proof evidence files.

But many of the tools that investigators use to extract evidence are not designed to be forensically sound; put simply, they don’t always have built-in features to prevent evidence tampering. Oxygen’s Mobile Phone Manager is a phone-syncing tool that was used for at least two years by law enforcement to gather evidence. But it wasn’t until April that the company released a tamper-resistant “forensic” version of the software that saves a cryptographic hash of the data it sucks from a cell phone, allowing investigators to later verify that nothing’s changed.

How did Oxygen’s law enforcement users secure the chain of custody in data before Oxygen Forensic? Company spokesman Oleg Fedorov wrote in e-mail, “I can’t say precisely how they protected data from tampering. I can only suggest they didn’t change any information and didn’t press the ‘Write’ button.”

Another problem is that the market is glutted with so many different types of cell phones, so there will always be some models for which no existing forensic tools work. In that case, “Sometimes the best tools are hacker tools, as long as they’ve been thoroughly examined and reverse-engineered,” said Jansen, who helped write NIST’s official recommendations (.pdf) for do*****enting the chain of evidence and creating tamper-proof files when searching a cell phone.

Even the best forensic practices will face a daunting challenge as more complex mobiles become vulnerable to tampering before they’re seized as evidence. It’s relatively easy for an adversary with a bluetooth device to plant new addresses in a bluetooth-enabled phone’s contact list, or even place bogus calls from the phone. Keith Thomas, a cell-phone forensics expert with First Advantage Litigation-Consulting, said this is where the real problem for investigators will begin – when courts start to realize that evidence from cell phones isn’t any more foolproof than what’s found on computers.

“There is always a question about who put stuff on your computer,” Thomas said. “But on a cell, it’s nothing but personalized – you can get the telephone numbers the person called and verify when that person was on the phone. For right now there are less questions about who had access to the phone.” But, he acknowledged, there will be more, “as soon as people realize there are other means of putting data on the phone.”

Leave a Comment

Latest Videos

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools. 

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools.

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_7QiFTiuY7Vw

AI In CSAM Investigations And The Role Of Digital Evidence In Criminal Cases

Forensic Focus 22nd March 2023 12:44 pm

Throughout the past few years, the way employees communicate with each other has changed forever.<br /><br />69% of employees note that the number of business applications they use at work has increased during the pandemic.<br /><br />Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.<br /><br />Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.<br /><br />Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.<br /><br />With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.<br /><br />Join Monica Harris, Product Business Manager, as she showcases how investigators can:<br /><br />- Manage multiple cloud collections through a web interface<br />- Cull data prior to collection to save time and money by gaining these valuable insights of the data available<br />- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box<br />- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee<br />- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_g6nTjfEMnsA

Tips And Tricks Data Collection For Cloud Workplace Applications

Forensic Focus 20th March 2023 12:00 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...