Expert Cell Phone Forensics for Litigation & Trial

Cell Phone Forensics

Cell phone experts at Carney Forensics began recovering text messages and phone contact lists from old flip phones back in 2008. Over a decade and a half has passed, and hundreds of cell phones in our lab have given up their secrets. New powerful cellular phone forensics tools have delivered breakthrough capabilities for evidence recovery from smartphones using iPhone and Android forensics services. Cell phones have become the new DNA with the power to recover compelling, truthful evidence in proof of cases in courts across America.

What is Cell Phone Forensics?

Cell phone forensics is the process of recovering, analyzing, and producing digital evidence from modern smartphones like iPhones and Androids, but also legacy devices like BlackBerry and Windows Phones. It also applies to old feature phones, flip phones, and burners. Cellular forensics involves using specialized tools and forensically sound methods to perform cell phone imaging, including handset memory, network data from physical or electronic SIM cards, and external storage media on microSD cards.

Cellular phone forensics aims to recover and preserve relevant, even material, evidence from mobile devices. It does so in a forensic manner compliant with the rules of evidence so that it becomes admissible in a court of law and can assist juries and judges in criminal and civil litigation. The forensic cell phone data analyzed to develop probative findings may be live or deleted, including information fragments or trace evidence.

An essential difference between cell phone forensics and traditional computer forensics is the devices and their evidence are no longer stationary, isolated, and static. Cell phone evidence is dynamic and mobile because the devices reach out to the world’s cell towers, low earth orbit GPS navigation satellites, Wi-Fi networks, and the public Internet. They also connect with other devices through nearby Bluetooth and Near Field Communication signals. When powered on, they receive and process information from multiple external sources and use hundreds of mobile apps to prepare it for the cell phone user’s consumption.

Cell phone forensics is evolving at an accelerating pace and continues to change with cellular and communications technology advancements. New cellular devices, operating systems, mobile apps, cybersecurity, and encryption features are introduced to enhance user safety and privacy. Cellphone forensics experts must adapt to these advancements and learn new tools and forensically sound methods to move forward quickly and keep up with the technology.

What Evidence Can Cell Phone Forensics Recover?

Our cell phone investigators recover, analyze, and produce evidence of many types, including these categories:

What are the four types of cell phone evidence, starting with phone contacts?

Cell phone evidence, including the phone contacts list, is digital evidence recovered forensically from smartphones and tablets like Apple’s iPhones, iPads, Android smartphones, and tablets from manufacturers like Samsung, Motorola, and LG. The phone contacts list, a basic form of cell phone evidence, has evolved significantly. A decade ago, feature phones contained trivial contact evidence, usually just a name and number. Today’s smartphones provide rich information about contacts, including names, aliases, credentials, phone numbers, email addresses, website addresses, social media accounts, street addresses, and employment information. This makes the phone contacts list a comprehensive directory of actors for legal use.

Today’s smartphones provide rich information about the phone user’s contacts. These contacts can be complex, containing a person’s name and aliases, credentials, phone numbers, email addresses, website addresses, social media accounts, street addresses, employment information, etc. The phone contacts list becomes a directory of actors and players for use by the lawyer and their cell phone forensic expert during the pendency of the case.

What information can be found in call logs?

Call log evidence is a record of phone call metadata, not a voice audio recording. It contains phone numbers to and from the smartphone, often with a user’s name matching the phone number taken from the phone contacts list. It also includes a date and time stamp and the duration of the phone call in minutes and seconds.

How are voice messages recovered and used as evidence?

Voice messages, when checked by a phone user, are downloaded to the smartphone from the cell phone service provider and stored in the smartphone’s file system as live evidence. Even when deleted by the phone user, these messages are often still recoverable. Smartphones can also accurately transcribe voice message recordings, producing a readable, textual record. In trials, our cell phone expert witnesses can play admissible voice message audio, which is often persuasive, especially if the messages were deleted.

How are device locations used as forensic evidence?

Device locations are necessary geolocation evidence. GPS data containing latitude and longitude coordinates sourced from navigation satellites and stored in the smartphone often includes elevation and, occasionally, speed or velocity. This evidence is crucial for demonstrating vehicle paths in motor vehicle and truck accidents. It is also useful in criminal justice cases to establish proof at a crime scene or an alibi.

Cell phone investigators find GPS device locations embedded in photographs, videos, and Wi-Fi networks. They can also be found in navigation apps like Google Maps and Apple Maps, as well as social media apps like Facebook, Snapchat, and Foursquare. One of our best mobile device forensic tools effectively recovers vast quantities of live and deleted device locations from the memory of Android smartphones and the file systems of iPhones.

Carney Forensics develops maps and other visual exhibits of geolocations using Google Earth and Google’s Timeline, as pictured below.

Why are Carney Forensics experts specialized in cell phone forensics?

Carney Forensics experts specialize in cell phone forensics by using advanced forensic tools to recover evidence from over 39,000 mobile device makes and models, decoding data from over 902 unique mobile apps, and recovering deleted and hidden evidence. We are experts in spoliation and fraud cases. Our approach avoids relying on a single tool, recognizing that each has strengths and weaknesses, and instead employs multiple tools and cross-validation—a best practice for comparing artifact and metadata recovery across multiple mobile device forensic tools. This ensures a superior understanding of mobile evidence and the production of 'best evidence' for litigation, such as greater quantities of deleted artifacts, relevant metadata, and GPS device locations.

We have learned to avoid relying solely on a single forensic cell phone tool to recover essential mobile evidence. Cell phone forensic tools are diversified and operate independently from one another. Even the best tools have material strengths and weaknesses. As a result, dramatic differences in recovery performance and outcomes are common and expected in mobile forensic examinations. One tool may excel at recovering deleted text messages, another may excel at recovering emails, yet another may retrieve the most photographs and their metadata.

No single cell phone forensic tool can recover all the evidence from every device or every mobile app on that device. Based on our experience reviewing the work product of opposing counsel’s experts, we have noticed that many cell phone investigators use only one tool. But one tool is never enough! You don’t want to fail to recover the smoking gun evidence, which may settle or win your client’s case, because your expert didn’t take the time to use the best tools in the lab.

When cell phone experts accept the industry maxim that “One tool is never enough” for all the good reasons stated above, they train and become certified in a variety of cell phone forensic tools. Putting multiple tools into practice in their labs qualifies them to begin using cross validation. It’s a best practice in which the expert performs artifact and metadata recovery comparisons across multiple mobile device forensic tools. A superior understanding of mobile evidence is the result.

Cross validation also has value in determining “best evidence” for production. Ask yourself which tool has recovered a greater quantity of deleted artifacts? Which tool has recovered the most relevant metadata, possibly date and timestamps, to construct the most complete timeline? Or, GPS device locations for the applicable geography on the date of the incident? Carney Forensics uses cross validation examples like these and more for best evidence production.

Our cell phone experts utilize the most effective cell phone forensic tools available. They possess numerous strengths in examining each cell phone that enters our lab, recovering and decoding the digital evidence on which your case may turn. If one tool can’t find it, another will.
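The cross validation comparison described above, as an added sketch that is not Carney Forensics' code or any vendor's format: the two exports, their field names, and the phone numbers are constructed, and the tools are hypothetical. Each message is reduced to a tool-independent fingerprint so the examiner can see what both tools recovered, what only one recovered, and where they disagree on deleted state.

```python
import hashlib
from datetime import datetime

# Constructed sample exports from two hypothetical tools; field names and
# values are assumptions for illustration, not a real product's schema.
DAY = 1680307200  # 2023-04-01T00:00:00Z as epoch seconds
TOOL_A_EXPORT = [  # tool A reports ISO 8601 strings and formatted numbers
    {"ts": "2023-04-01T14:02:11Z", "party": "+1 (612) 555-0101",
     "body": "Running late", "deleted": False},
    {"ts": "2023-04-01T14:05:40Z", "party": "+1 (612) 555-0101",
     "body": "Where are you?", "deleted": False},
    {"ts": "2023-04-01T14:09:03Z", "party": "+1 (612) 555-0199",
     "body": "Delete this after reading", "deleted": True},
]
TOOL_B_EXPORT = [  # tool B reports epoch seconds and bare digits
    {"ts": DAY + 50531, "party": "16125550101",
     "body": "Running late ", "deleted": False},
    {"ts": DAY + 50740, "party": "16125550101",
     "body": "Where are you?", "deleted": True},
    {"ts": DAY + 51177, "party": "16125550199",
     "body": "On my way", "deleted": True},
]


def normalize_ts(ts):
    """Return UTC epoch seconds from an ISO 8601 string or a numeric epoch."""
    if isinstance(ts, (int, float)):
        return int(ts)
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())


def normalize_party(number):
    """Keep digits only and compare on the last 10 (constructed US samples)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[-10:]


def artifact_key(rec):
    """Fingerprint one message so formatting differences between tools vanish."""
    canon = "|".join([str(normalize_ts(rec["ts"])),
                      normalize_party(rec["party"]),
                      rec["body"].strip()])
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def cross_validate(export_a, export_b):
    """Compare two tool exports artifact by artifact."""
    a = {artifact_key(r): r for r in export_a}
    b = {artifact_key(r): r for r in export_b}
    common = a.keys() & b.keys()
    return {
        "both": len(common),
        "only_a": sorted(a[k]["body"].strip() for k in a.keys() - b.keys()),
        "only_b": sorted(b[k]["body"].strip() for k in b.keys() - a.keys()),
        "deleted_a": sum(1 for r in a.values() if r["deleted"]),
        "deleted_b": sum(1 for r in b.values() if r["deleted"]),
        # Same artifact, different live/deleted state: needs manual review.
        "state_conflicts": sorted(a[k]["body"].strip() for k in common
                                  if a[k]["deleted"] != b[k]["deleted"]),
    }


if __name__ == "__main__":
    for field, value in cross_validate(TOOL_A_EXPORT, TOOL_B_EXPORT).items():
        print(f"{field}: {value}")
```

Artifacts that appear in only one export, and any state conflicts, are the ones to trace back to the underlying database record before production.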

Best Practices for Digital Forensic Examinations

Following a set of best practices ensures that forensic examinations of devices are effective and legally sound.

1. Maintain Chain of Custody

A chain of custody is a record that documents the handling of evidence from the moment it is collected until it is presented in court. Maintaining a meticulous log of who has had access to the evidence, what processes have been performed, and any changes that have occurred is essential. This safeguards against claims of tampering or mishandling, which could render the evidence inadmissible.

2. Obtain Legal Authority for the Examination

Forensic investigators must understand and comply with legal requirements, including search warrants, subpoenas, consent authorizations, and court orders. Any evidence obtained without the proper legal authority can be challenged and potentially suppressed in legal proceedings. Ownership of the cell phone and its user’s right to and expectation of privacy must be considered by the examiner before proceeding with the examination.

3. Acquire Data Safely

Data acquisition from a device should be done using methods that don’t alter the data. Forensic experts typically use Faraday bags, enable airplane mode, and remove SIM cards to prevent changes to device data during acquisition. They also disable Wi-Fi, Bluetooth, Near Field Communications, and Location Services for good measure.

4. Validate Tools and Processes

Before using any tools for forensic examination, it’s essential to validate them to ensure they function correctly and produce reliable results. Validation involves testing the tools in controlled conditions and documenting the results for future reference.

5. Document Everything

Thorough documentation is crucial throughout the forensic examination process. Every step taken, from initial device handling to the final report, should be thoroughly documented. This includes software versions used, device information, and any anomalies encountered during the examination.

6. Preserve Original Evidence

The original evidence should be preserved in its unaltered state whenever possible. Investigators should work with copies of the digital evidence to maintain the integrity of the original data.

7. Handle Devices Appropriately

Devices can be sensitive to static electricity, magnetic fields, and physical shocks. Proper handling techniques should be employed to avoid damage. Storing devices in secure and environmentally controlled conditions is vital to prevent data degradation.

8. Use a Systematic Approach

A systematic approach to forensic examination helps ensure consistency and completeness. This includes having protocols or a standard operating procedure for different types of devices and scenarios, which guide investigators through the examination process.
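One way to make practices 1, 5, and 6 checkable, as an added sketch rather than the lab's own procedure: a custody log in which each entry carries the acquisition hash of the image and the hash of the previous entry, so an edited or removed entry, or a changed image, is detected. The entry fields, actor names, and image bytes are constructed assumptions.

```python
import hashlib
import io
import json

GENESIS = "0" * 64  # previous-hash value used by the first log entry
# Constructed stand-in for an acquired device image (assumption).
IMAGE_BYTES = b"constructed stand-in for an acquired image"


def sha256_stream(stream, chunk_size=1 << 20):
    """Hash a file-like object in chunks so large images fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def copy_matches(acquisition_sha256, copy_bytes):
    """True when a working copy is bit-for-bit identical to the original."""
    return sha256_stream(io.BytesIO(copy_bytes)) == acquisition_sha256


def _entry_hash(entry):
    """Hash every field of an entry except the stored hash itself."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log, when, actor, action, image_sha256):
    """Append a custody event chained to the previous entry."""
    entry = {
        "seq": len(log), "when": when, "actor": actor, "action": action,
        "image_sha256": image_sha256,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log, acquisition_sha256):
    """Return (ok, reason); reason names the first entry that fails."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False, f"entry {i}: chain broken"
        if _entry_hash(entry) != entry["entry_hash"]:
            return False, f"entry {i}: content altered"
        if entry["image_sha256"] != acquisition_sha256:
            return False, f"entry {i}: image digest changed"
        prev = entry["entry_hash"]
    return True, "ok"


def demo_log():
    """Build a three-event log over the constructed image."""
    digest = sha256_stream(io.BytesIO(IMAGE_BYTES))
    log = []
    append_entry(log, "2024-01-05T09:00:00Z", "examiner_a",
                 "acquired image", digest)
    append_entry(log, "2024-01-05T09:20:00Z", "examiner_a",
                 "made working copy", digest)
    append_entry(log, "2024-01-08T13:00:00Z", "examiner_b",
                 "analysis on working copy", digest)
    return log, digest


if __name__ == "__main__":
    log, digest = demo_log()
    print(verify_log(log, digest))
    log[1]["actor"] = "someone_else"  # simulate an after-the-fact edit
    print(verify_log(log, digest))
```

A hash chain only detects edits relative to its final hash, so that last `entry_hash` should also be recorded somewhere the log's custodian cannot rewrite, such as the signed examination report.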

What advanced iPhone forensics services does Carney Forensics offer?

Carney Forensics offers advanced iPhone forensics services, specializing in recovering vastly greater quantities of live and deleted iPhone evidence, including new forms of deeply probative evidence for civil and criminal litigation. This capability stems from significant transformational advances introduced in 2020. Our experts diligently extract deeply probative iOS full file systems and iOS keychains from iPhones to decrypt mobile app data, going beyond inferior iTunes backups. We have invested heavily in cell phone imaging tools to extract iOS evidence from a broad range of iPhone and iPad models, enabling the discovery of messages, email, documents, media, fitness and health data, Google searches, ScreenTime, and pattern of life evidence.

The cell phone expert must diligently find and produce the most probative extraction available to position the iPhone for optimal evidence recovery. The phone investigator must extract a deeply probative iOS full file system from the iPhone. No inferior iTunes backup extraction or an encrypted iTunes backup will be enough. The phone expert must also extract an iOS keychain from the iPhone to decrypt mobile app data recovered in an encrypted state.

Degree of Extraction Probativeness

Carney Forensics has invested heavily in several cell phone imaging tools to extract iOS evidence from the broadest range of iPhone and iPad models. Imagine how you might use breakthrough iPhone forensics to discover messages, email, documents, media, fitness and health data, Google searches, ScreenTime, and pattern of life evidence for advocacy in your next case.

What advanced Android forensics services does Carney Forensics offer?

Carney Forensics offers advanced Android forensics services, including bypassing most passwords and pattern locks, defeating encryption using advanced cell phone imaging tools for deeply probative extractions (superior to Android backups), and recovering abundant deleted evidence and new databases that expose pattern of life and Digital Wellbeing evidence. We have invested heavily in tools to extract Android evidence from a broad range of Samsung, LG, Motorola, OnePlus, and Google Pixel models, as well as cost-reduced Androids (burner phones). These cutting-edge techniques allow for the recovery of messages, emails, documents, media, fitness and health data, Google searches, and other crucial evidence.

Carney Forensics has invested heavily in cell phone imaging tools to extract Android evidence from the broadest range of Samsung, LG, Motorola, OnePlus, and Google Pixel models. We also support cost-reduced Androids, today’s burner phone.

How might you use cutting-edge Android forensics to recover messages, emails, documents, media, fitness and health data, Google searches, and other evidence to settle your next case and avoid trial?

How does Carney Forensics handle damaged or locked cell phones for forensics?

Carney Forensics handles all types of cell phones, including those with glitches, by performing cell phone imaging on legacy smartphones (BlackBerry, Windows Phone, feature phones, flip phones, burners) and forensically repairing unresponsive, damaged (cracked screen), or faulty (data/charging port) devices, even waterlogged ones. We possess the tools and expertise to unlock, recover, or bypass most passcodes and Android pattern locks using advanced hardware techniques like JTAG, chip-off, ISP, and dictionary attacks for iPhone/iPad passcodes. We also utilize advanced cybersecurity software and password exchanges, and address encryption challenges, sometimes seeking help from device manufacturers.

We perform cell phone imaging on legacy smartphones like BlackBerry, Windows Phone, and older Windows Mobile phones. We also support previous-generation feature phones like the Motorola RAZR and Nokia models. We image phones and recover evidence from old flip phones and classic burners with their prepaid plans.

At Carney Forensics, we go beyond traditional cell phone forensics. If your cell phone is unresponsive, damaged with a cracked screen, or has a faulty data or charging port, we can forensically repair it before moving forward with cell phone imaging. We’ve even mastered the art of repairing waterlogged iPhone and Android devices using advanced techniques, a service that sets us apart in the industry.

At Carney Forensics, we possess the tools and expertise to unlock, recover, or bypass most passcodes and Android pattern locks that secure smartphones. We use advanced hardware techniques like JTAG, chip-off, and ISP. We even employ dictionary attacks to brute-force iPhone and iPad passcodes. Unheard of just a few short years ago, these methods may take a few days or weeks for stronger, longer passcodes, but our commitment to unlocking your device remains unwavering.

Cell phone experts also utilize advanced techniques and cybersecurity software, including password exchanges, which provide access to lists of passwords discovered by experts worldwide, offering them as an advanced dictionary to enhance the chances of finding strong passwords. Dictionary and brute-force methods, utilizing GPU acceleration and distributed computing, can also expedite passcode recovery times.

Encryption can make accessing data on a device extremely difficult and is a significant hurdle in modern-day digital forensics. Device encryption can defeat the advanced hardware techniques mentioned above when the decryption code is unavailable. Sometimes, cell phone experts must seek help from device manufacturers to access encrypted data.

What are the alternative evidence sources if a cell phone is lost or destroyed?

If your cell phone has been lost, catastrophically destroyed, or traded in at the phone store for a new model, we have a long list of alternative evidence sources to discuss with you as we develop a “Plan B” for proving your case. Carney Forensics collects evidence from web-based, online, or “cloud” accounts to replace smartphone evidence. For instance, an Apple iCloud account can produce much of the same evidence as an iPhone. Similarly, a Google or Samsung account can provide a good amount of evidence, usually recovered from an Android device. Backups of smartphone data from the cloud, when forensically recovered, can save your litigation.

Apple Google Samsung Cloud

You can obtain a subpoena return containing data from these three Internet Service Providers (ISPs) using a subscriber consent authorization form supplied by their Subpoena Compliance organization in their legal departments. Carney Forensics uses cloud forensics tools to parse and decode the cloud evidence returned for your review.

Vehicle Systems Forensics provides a “Plan B” by recovering evidence from an automobile or truck infotainment system to which the smartphone was synchronized using a USB cable or Bluetooth connection.

Cell phone service provider business records, such as those from Verizon, T-Mobile, or AT&T, can be obtained through a subpoena or a subscriber’s consent authorization. These accurate records include call logs, text message logs, and records of 4G LTE and 5G data usage. They are sourced from the cell towers and base stations where cell phones communicate and exchange data.

Last, if text message recovery is the goal of the forensic examination, the correspondent’s smartphone may be obtained by court order during discovery. Taking possession of this critical device from a third party or adversary can provide a last chance for an independent mobile device forensic examination. It effectively replaces the custodian’s lost or destroyed smartphone in a quest to find the same messages on another device.

Why is material evidence crucial for settlement talks or trial?

Because mobile evidence has the power to impact civil or criminal investigations and trials, effective evidence recovery is essential. Seasoned phone experts with decades of experience using the best forensic tools on the planet ensure the digital evidence they produce for your matter is forensically sound and admissible in court.

Our digital forensic experts are specialists in the field who have developed unique protocols for conducting examinations in several narrow practice areas. Good examples include motor vehicle and trucking accidents, wrongful death, trusts and estates, defamation and harassment, theft of intellectual property or proprietary data, and critical civil rights cases. Carney Forensics works hard to discover the findings that go to the heart of your case and produce the evidence on which the verdict will turn.


Cell Phone Forensics FAQs

What can be determined from cell phone evidence?

Digital evidence on a cell phone can help a trial lawyer develop an effective evidence strategy that may inform their theory of the case and identify persuasive arguments. An expert witness can produce and testify to the cell phone evidence in court. Litigating it successfully can prove the client’s claims and defenses, and win or settle the case to the client’s advantage.

How much does it cost to recover, examine, and produce evidence from a cell phone?

In most legal cases, a cell phone investigator can recover and analyze the cell phone’s evidence, generating forensic tool reports for the legal team’s review at an average cost of $5,000. Each smartphone takes approximately 8 to 12 hours of lab time. Factors that go to cost include how much storage or memory capacity is built into the smartphone; how accessible the smartphone’s evidence is, given possible damage, missing or incorrect passcodes, or data encryption; and how many hours of analysis are needed. Lastly, a critical factor is the number of cell phone forensic tools required to recover and analyze the material evidence upon which the dispute will turn, especially deleted or hidden evidence.

Where is evidence in cell phones?

Most of the evidence will be found in the smartphone’s handset memory. Information related to the carrier and its cell tower network will be found in the SIM (Subscriber Identity Module) card. Media evidence, such as photographs and videos, can be found on the microSD card of Android devices. However, often, phone evidence is synchronized or backed up to online cloud accounts, such as Apple iCloud and Google, and can be recovered from there.

Can you protect the cell phone from data loss and preserve the evidence?

Before beginning cell phone imaging, it is essential to isolate the cell phone from signals or incoming data, such as cell towers, GPS satellites, Wi-Fi, Bluetooth, and NFC (Near Field Communication), which is commonly used for mobile credit payments. To do this, the cell phone expert must power off the device, remove its SIM card, and place it in a Faraday bag. These steps ensure the original data is preserved and any data loss is avoided. Once the device is sufficiently isolated, the cellphone expert can properly acquire the digital evidence. Often, airplane mode, also known as flight mode, is used when the device is removed from the Faraday bag and powered on for examination.

Can you unlock, recover, or bypass a cell phone’s passcode?

Yes, often. Advanced capabilities are available for unlocking most iPhones except for the latest models. The news is even better for Android smartphones. Cellphone forensics tools for Android models use bootloaders, which can often bypass passcodes and extract the phone’s memory. The tools enable cell phone investigators to recover or remove passcodes from many Android models. They employ advanced electronic acquisition techniques, such as JTAG, chip-off, and ISP extractions of phone memory, to bypass passcode protection.

Can you recover deleted evidence from cell phones?

Generally, yes. The type and amount of deleted evidence recovered from a cell phone depend on several factors, including the phone’s make and model, its usage, and the duration since the evidence was deleted.

Can you recover evidence from mobile apps?

App evidence recovery from cell phones depends on the make and model of the cell phone and the particular app that is the target of the examination. Every third-party app records the user’s data in different ways. It is challenging for a cell phone expert to determine whether deleted information can be recovered from an app without analyzing the device and the app in question. The more popular the app, the better the chances of recovering the evidence due to increased support from more cell phone forensic tools.

How long does cell phone forensics take?

It usually takes just overnight to recover the evidence. If picked up locally, Carney Forensics’ courier can usually return it the next day. If it is delivered to the lab by an overnight carrier, it typically takes one to two days. Please make sure all passcodes are available to the cell phone expert and report any cell phone damage.

What is the first thing a phone forensic expert should do in a cell phone investigation?

Talk to the trial lawyer or phone user to identify the device and then develop a plan of action for recovering its evidence. The attorney typically requires a deeply probative phone extraction to reveal deleted and hidden evidence. In contrast, the phone user needs a quick cell phone imaging outcome, so the device is returned ASAP.

How do I send the cell phone to the forensics lab?

Packaging the phone:

1. Put the phone into flight or airplane mode.
2. Power the cell phone off.
3. To prevent the device from communicating with the network or cell towers, wrap it in 3 to 5 layers of aluminum foil.
4. Wrap the phone in bubble wrap or foam wrap to protect it during shipping.

What else to include in the box:

1. If you have the data cable and power charger, send them along with the phone.
2. Document any passcode or pattern lock for the phone.
3. Document any damage or missing parts, such as a SIM card or a microSD card.

How to ship the phone:

1. Ship overnight with a signature required upon delivery to start the Chain of Custody.
2. Ship with a tracking number so the lab can locate the package in case of delay.