Cell Phone Forensics

Cell phone experts at Carney Forensics began recovering text messages and phone contact lists from old flip phones back in 2008. Over a decade and a half has passed, and hundreds of cell phones in our lab have given up their secrets. New powerful cellular phone forensics tools have delivered breakthrough capabilities for evidence recovery from smartphones using iPhone and Android forensics services. Cell phones have become the new DNA with the power to recover compelling, truthful evidence in proof of cases in courts across America.

What is Cell Phone Forensics?

Cell phone forensics is the process of recovering, analyzing, and producing digital evidence from modern smartphones like iPhones and Androids, but also legacy devices like BlackBerry and Windows Phones. It also applies to old feature phones, flip phones, and burners. Cellular forensics involves using specialized tools and forensically sound methods to perform phone imaging, including handset memory, network data from physical or electronic SIM cards, and external storage media on microSD cards.

Cellular phone forensics aims to recover and preserve relevant, even material, evidence from mobile devices. It does so in a forensic manner compliant with the rules of evidence such that it becomes admissible in a court of law and can assist juries and judges in criminal and civil litigation. The forensic cell phone data analyzed to develop probative findings may be live or deleted, including information fragments or trace evidence.

An essential difference between cell phone forensics and traditional computer forensics is the devices and their evidence are no longer stationary, isolated, and static. Cell phone evidence is dynamic and mobile because the devices reach out to the world’s cell towers, low earth orbit GPS navigation satellites, Wi-Fi networks, and the public Internet. They also connect with other devices through nearby Bluetooth and Near Field Communication signals. When powered on, they receive and process information from multiple external sources and use hundreds of mobile apps to prepare it for the cell phone user’s consumption.

Cell phone forensics is evolving at an accelerating pace and continues to change with cellular and communications technology advancements. New cellular devices, operating systems, mobile apps, cybersecurity, and encryption features are introduced for the user’s safety and privacy. Cellphone forensics experts must adapt to these advancements and learn new tools and forensically sound methods to move forward quickly and keep up with the technology.

What Evidence Can Cell Phone Forensics Recover?

Our cell phone investigators recover, analyze, and produce evidence of many types, including these categories:

Four Types of Cell Phone Evidence Starting with Phone Contacts List

Cell phone evidence is digital evidence recovered forensically from smartphones and tablets. Think Apple’s iPhones, iPads, Android smartphones, and tablets from manufacturers like Samsung, Motorola, and LG. The phone contacts list is basic cell phone evidence. A decade ago, feature phones, sometimes called flip phones, contained a trivial amount of contact evidence. Those phone contacts lists contained a person’s name, a cell phone number, and usually nothing else.

Today’s smartphones provide rich information about the phone user’s contacts. These contacts can be complex, containing a person’s name and aliases, credentials, phone numbers, email addresses, website addresses, social media accounts, street addresses, employment information, etc. The phone contacts list becomes a directory of actors and players for use by the lawyer and his or her cell phone forensic expert during the pendency of the case.

Call Logs

Call log evidence is a record of phone call metadata, not a voice audio recording. It contains phone numbers to and from the smartphone, often with a user’s name matching the phone number taken from the phone contacts list.  It also includes a date and time stamp and the duration of the phone call in minutes and seconds.

Voice Messages

When a phone user checks his or her voice messages, those messages are downloaded to the smartphone from the cell phone service provider.  They are stored in the smartphone’s file system as live evidence, and when deleted by the phone user, they are often still recoverable. Sometimes, the smartphone transcribes voice message recordings accurately and produces a readable, textual record. When cases go to trial, our cell phone expert witnesses play admissable voice message audio, which is often persuasive in the courtroom, especially if deleted.

Device Locations

Device locations are important geolocation evidence. GPS data containing latitude and longitude coordinates sourced from navigation satellites and stored in the smartphone often include elevation and, occasionally, speed or velocity. This evidence is essential to show vehicle paths in motor vehicle and truck accidents. It is also useful in criminal justice cases to establish proof at a crime scene or an alibi.

Cell phone investigators find GPS device locations embedded in photographs, videos, and Wi-Fi networks. They can also be found in navigation apps like Google Maps or Apple Maps and social media apps like Facebook, Snapchat, and Foursquare. One of our best mobile device forensic tools effectively recovers vast quantities of live and deleted device locations from the memory of Android smartphones and the file systems of iPhones.

Carney Forensics develops maps and other visual exhibits of geolocations using Google Earth and Google’s Timeline as pictured below.

Cell Phones are Our Specialty

Our cell phone experts use forensic cell phone tools to recover evidence from over 39,000 mobile device makes and models. We decode text messages, chats, and other evidence from over 902 unique mobile apps from our client’s iPhone or Android smartphones. We recover deleted and hidden evidence on every phone we examine. As a result, we have become experts at spoliation and fraud cases involving willful, intentional destruction of evidence.

We have learned to avoid reliance on just one forensic cell phone tool to recover essential mobile evidence. Cell phone forensic tools are diversified and operate independently from one another. Even the best tools have material strengths and weaknesses. As a result, dramatic differences in recovery performance and outcomes are common and expected in mobile forensic examinations. One tool may excel at recovering deleted text messages, another may have an angle on email, yet another may recover the most photographs and their metadata.

No single cell phone forensic tool can recover all the evidence from every device or every mobile app on that device. Based on our experience reviewing opposing counsel experts’ work product, we have noticed many cell phone investigators using just one tool. But, one tool is never enough! You don’t want to fail to recover the smoking gun evidence, which may settle or win your client’s case because your expert didn’t take the time to use the best tools in the lab.

When cell phone experts accept the industry maxim that “One tool is never enough” for all the good reasons stated above, they train and become certified in a variety of cell phone forensic tools. Putting multiple tools into practice in their labs qualifies them to begin using cross validation. It’s a best practice in which the expert performs artifact and metadata recovery comparisons across multiple mobile device forensic tools. A superior understanding of mobile evidence is the result.

Cross validation also has value in determining “best evidence” for production. Ask yourself which tool has recovered a greater quantity of deleted artifacts? Which tool has recovered the most relevant metadata, possibly date and timestamps, to construct the most complete timeline? Or, GPS device locations for the applicable geography on the date of the incident? Carney Forensics uses cross validation examples like these and more for best evidence production.

So, our cell phone experts use the most effective cell phone forensic tools on the planet. They have numerous strengths in examining each cell phone that enters our lab to recover and decode the digital evidence on which your case may turn. If one tool can’t find it, another will.

Best Practices for Digital Forensic Examinations

Following a set of best practices ensures that the forensic examination of devices is effective and legally sound.

1. Maintain Chain of Custody

A chain of custody is a record that documents the handling of evidence from the moment it is collected until it is presented in court. Maintaining a meticulous log of who has had access to the evidence, what processes have been performed, and any changes that have occurred is essential. This safeguards against claims of tampering or mishandling, which could render the evidence inadmissible.

2. Obtain Legal Authority for the Examination

Forensic investigators must understand and comply with legal requirements, such as search warrants, subpoenas, consent authorizations, or court orders. Any evidence obtained without the proper legal authority can be challenged and potentially suppressed in legal proceedings. Ownership of the cell phone and its user’s right to and expectation of privacy must be considered by the examiner before proceeding with the examination.

3. Acquire Data Safely

Data acquisition from a device should be done using methods that don’t alter the data. Forensic experts typically use Faraday bags and airplane mode and remove SIM cards to prevent device data changes during acquisition. They also disable Wi-Fi, Bluetooth, Near Field Communications, and Location Services for good measure.

4. Validate Tools and Processes

Before using any tools for forensic examination, it’s important to validate them to ensure they function correctly and produce reliable results. Validation involves testing the tools in controlled conditions and documenting the results for future reference.

5. Document Everything

Thorough documentation is crucial throughout the forensic examination process. Every step taken, from initial device handling to the final report, should be documented in detail. This includes software versions used, device information, and any anomalies encountered during the examination.

6. Preserve Original Evidence

The original evidence should be preserved in its unaltered state as much as possible. Investigators should work with copies of the digital evidence to maintain the integrity of the original data.

7. Handle Devices Appropriately

Devices can be sensitive to static electricity, magnetic fields, and physical shocks. Proper handling techniques should be employed to avoid damage. Storing devices in secure and environmentally controlled conditions is vital to prevent data degradation.

8. Use a Systematic Approach

A systematic approach to forensic examination helps ensure consistency and completeness. This includes having protocols or a standard operating procedure for different types of devices and scenarios, which guide investigators through the examination process.

We Specialize in Advanced iPhone Forensics

America’s most popular iPhone smartphone has become a materially important source of best evidence for civil and criminal litigation. However, the effectiveness of iPhone forensics in recovering probative evidence declined for a decade until a significant transformational advance was introduced in 2020, which marked the return of iPhone forensics.  This new cell phone imaging capability enables the recovery of vastly greater quantities of live and deleted iPhone evidence. It includes new forms of deeply probative evidence we have come to understand and apply successfully in court cases.

The cell phone expert must diligently find and produce the most probative extraction available to position the iPhone for optimal evidence recovery. The phone investigator must extract a deeply probative iOS full file system from the iPhone. No inferior iTunes backup extraction or an encrypted iTunes backup will be enough. The phone expert must also extract an iOS keychain from the iPhone to decrypt mobile app data recovered in an encrypted state.

Carney Forensics has invested heavily in several cellphone forensics tools to extract iOS evidence from the broadest range of iPhone and iPad models. Imagine how you might use breakthrough iPhone forensics to discover messages, email, documents, media, fitness and health data, Google searches, ScreenTime, and pattern of life evidence for advocacy in your next case.

We Offer Advanced Android Forensics

What about forensics for Android devices? 2024 has also brought meaningful innovations to Google’s mobile platform, which has been available since 2005. We can bypass most passwords and pattern locks. We can defeat encryption with advanced cell phone imaging to get deeply probative extractions instead of relying on disappointing Android backups. And, like iPhones, cell phone experts can now recover abundant, deleted evidence and new databases using Android forensics, which exposes pattern of life and Digital Wellbeing evidence for judicial review.

Carney Forensics has invested heavily in cellphone forensics tools to image Android evidence from the broadest range of Samsung, LG, Motorola, OnePlus, and Google Pixel models. We also support cost-reduced Androids, today’s burner phone.

How might you use cutting-edge Android forensics to recover messages, emails, documents, media, fitness and health data, Google searches, and other evidence to settle your next case and avoid trial?

We Can Handle Your Cell Phone, Glitches and All

Whatever cell phone your client or opposing counsel may present, the cellphone experts at Carney Forensics can handle it. Device forensics is not without its challenges. The many devices on the market, each with its own set of features and security measures, require a broad knowledge base and adaptability from forensic investigators. Additionally, the variety of devices and operating systems requires forensic experts to be versatile and knowledgeable about many different platforms.

We perform cell phone imaging on legacy smartphones like BlackBerry, Windows Phone, and older Windows Mobile phones. We also support previous-generation feature phones like the Motorola RAZR and Nokia models. We image phones and recover evidence from old flip phones and classic burners with their prepaid plans.

At Carney Forensics, we go beyond traditional cell phone forensics. If your cell phone is unresponsive, damaged with a cracked screen, or has a faulty data or charging port, we can forensically repair it before moving forward with cell phone imaging. We’ve even mastered the art of repairing waterlogged iPhone and Android devices using advanced techniques, a service that sets us apart in the industry.

At Carney Forensics, we have the tools and knowledge to unlock, recover, or bypass most passcodes and Android pattern locks that protect smartphones. We use advanced hardware techniques like JTAG, chip-off, and ISP. We even employ dictionary attacks to brute-force iPhone and iPad passcodes. Unheard of just a few short years ago, these methods may take a few days or weeks for stronger, longer passcodes, but our commitment to unlocking your device remains unwavering.

Cell Phone investigators also use advanced techniques and cybersecurity software, including password exchanges, that provide access to lists of passwords found by experts worldwide, offering them as an advanced dictionary to improve chances of finding strong passwords.  Dictionary and brute-force methods using GPU acceleration and distributed computing can also speed up passcode recovery times.

Encryption can make accessing data on a device extremely difficult and is a significant hurdle in modern-day digital forensics. Device encryption can defeat the advanced hardware techniques mentioned above when the decryption code is unavailable. Sometimes, cell phone experts must seek help from device manufacturers to access encrypted data.

We Have a “Plan B” if Your Cell Phone is Lost or Destroyed

If your cell phone has been lost, catastrophically destroyed, or traded in at the phone store for a new model, we have a long list of alternative evidence sources to discuss with you as we develop a “Plan B” for proving your case. Carney Forensics collects evidence from web-based, online, or “cloud” accounts to replace smartphone evidence. For instance, an Apple iCloud account can produce much of the same evidence as an iPhone. Similarly, a Google or Samsung account can substitute a good amount of evidence normally recovered from an Android device. Backups of smartphone data from the cloud, when forensically recovered, can save your litigation.

You can obtain a subpoena return containing data from these three Internet Service Providers (ISP) using a subscriber consent authorization form supplied by their Subpoena Compliance organization in their legal departments. Carney Forensics uses cloud forensics tools to parse and decode the cloud evidence returned for your review.

Vehicle Systems Forensics provides a “Plan B” by recovering evidence from an automobile or truck infotainment system to which the smartphone was synchronized using a USB cable or Bluetooth connection.

Cell phone service provider business records, such as those from Verizon, T-Mobile, or AT&T, can be obtained by subpoena or subscriber consent authorization. These accurate records include call logs, text message logs, and 4G LTE and 5G data records. They are sourced from the cell towers and base stations where the cell phone communicates and exchanges data.

Last, if text message recovery is the goal of the forensic examination, the correspondent’s smartphone may be obtained by court order during discovery. Taking possession of this critical device from a third party or adversary can provide a last chance for an independent mobile device forensic examination. It effectively replaces the custodian’s lost or destroyed smartphone in a quest to find the same messages on another device.

Material Evidence When It’s Needed for Settlement Talks or Trial

Because mobile evidence has the power to impact civil or criminal investigations and trials, effective evidence recovery is essential. Seasoned examiners with decades of experience using the best forensic tools on the planet ensure the digital evidence they produce for your matter is forensically sound and admissible in court.

Our digital forensic experts are specialists in the field who have developed unique protocols for conducting examinations in several narrow practice areas.  Good examples include motor vehicle and trucking accidents, wrongful death, trusts and estates, defamation and harassment, theft of intellectual property or proprietary data, and important civil rights cases.  Carney Forensics works hard to discover the findings that go to the heart of your case and produce the evidence on which the verdict will turn.