Digital forensics unlocked

Last updated 20 Oct 14 @ 11:56 |
A- A+ A

With courts still failing to take advantage of mobile digital forensic evidence, Yuval Ben-Moshe argues legal systems must accommodate and embrace this data to successfully investigate and prosecute terrorists
The use of mobile forensics has the potential to transform traditional methods of profiling criminal and terrorist offenders and build a comprehensive picture of suspects. By extracting evidence from mobile devices, police are now using traditional investigative methods to analyse the data; data which can place people at the scene of a crime, and provide or break down an alibi. Some argue that mobile phones have become such a personal tool they can offer more to investigators than fingerprint evidence. DNA was accepted as a formal method of evidence in the late 1980s, and mobile forensics must be embraced in the same way in 2014. The legal system must therefore embrace the evidence that can be provided by such methods of forensic detection.

Ian Huntley’s conviction for the murder of Holly Wells and Jessica Chapman was the first high profile case to be based partly on crucial mobile phone evidence in 2002. Over a decade on and it’s not just calls and text messages that can link a suspect to a range of different crimes or terrorist behaviour. GPS tracking, social media applications such as Facebook, Twitter and Instagram, emails, online transactions and even mobile banking can now offer forensic investigators critical evidence that can determine the route a criminal case takes, from petty crime, such as minor thefts, right through to more serious cases and even terrorist threats.

Social data retrieved from mobile apps is fast becoming a major source of evidence in not only building up the profile of the suspect but also in establishing or demolishing a witness’s credibility. Recent research from Cellebrite revealed that 77 per cent of its customers believe mobile applications are a crucial data source in criminal investigations. The value to both prosecuting and defence counsels in a court of law makes the neglect of such data a potentially severe barrier to solving a case.

Social data can provide highly important evidence for terrorist investigations in particular. Extremists plotting potential attacks are continuing to use sophisticated digital methods, and it is essential that investigators, as well as criminal courts throughout the world, are one step ahead. If plots aren’t thwarted, courts should have the tools at their disposal to fully embrace the evidence built up through detailed investigations. This evidence may not only come directly from suspects’ activity, but also from witnesses to the crime. The investigation of the 2013 Boston Marathon bombing, in which three people were killed and an estimated 264 were left injured, made use of crowdsourcing to collect photos and video from mobile phones. The data was made public within 72 hours and arrests were made 29 hours after, thanks to the evidence which was shared widely by bystanders.

In today’s world, the technology to extract valuable and accurate evidence from devices has evolved, and the criminal legal systems are only now starting to grasp its full extent and implications. Around 85 per cent of people in Britain own at least one mobile phone, and because they fit into a pocket or bag users carry them for the vast majority of their day. Even if the device isn’t used or no direct contact is made with it when committing or planning a crime, it can still offer vital evidence.

Location data via GPS tracking can identify abnormal travel patterns of a suspect, which may provide important insights. It is now time that this information is widely used as vital evidence in cases. Digital data that shows a defendant or victim was in a certain place at a specific time is harder evidence than having to take a witness’s word for it. Both prosecution and defence counsels should be using it in a similar fashion to evidence obtained from CCTV footage.

It’s not just the complex nature of mobile devices that is giving the criminal courts a more pessimistic view of digital evidence, however. Concerns over privacy are heightened by the personal nature of mobile devices, and data ownership is a regular barrier. Take data on a Facebook application, for example. There are always problems over the physical ownership of potential evidence and who you need to approach to get the evidence. Most legal systems are yet to be provided with solid answers or case law to answer these important questions. Investigators are therefore having to go for a traditional approach, which is based on the physical location, and serving a court order or warrant to Facebook for the data, which can be a very long and drawn out process. Traditional systems are connecting the physical location of the data with its ownership and control while, in this all-connected world, the server may reside anywhere in the world and serve any point on earth. This is an adjustment legal systems need to make.

If well thought out and prepared for in advance, forensic evidence from mobile devices can make all the difference to criminal court cases. The technology is there for investigators to be working with forensic examiners and prosecutors who, to save time and improve the cases they build, should be working together to determine standard operating procedures and best practices around obtaining the evidence. It’s quite alarming that, when there are 6.8 million mobile phones worldwide, only in the last few years have some legal systems started to adapt to accept digital evidence. When such evidence can build profiles and support or refute alibis in minor cases, murder trials and terrorist attacks alike, it is imperative that it is taken seriously.

Hopefully, as courts across the world become more aware of the latest mobile phone technology and its capabilities, advances in social media and privacy issues, they will be better equipped to make decisions about the legal ramifications of search and seizure, acquisition and analysis. Legal systems need to not only accept mobile forensics but embrace and alter their approach to accommodate the technology that will ultimately pose a major benefit to criminal cases.

Case study: British ISIS suspect arrested on suspicion of recruiting jihadists to fight in Syria

At the end of September, a young British man was arrested in Bangladesh on the suspicion of recruiting potential jihadists to fight for ISIS in Syria. His alleged recruiting vehicle was social media.

The suspect is reported to have used social media sites, such as Facebook, to recruit combatants wishing to fight for ISIS in the Middle East, according to police in Bangladesh. Although the suspect has not been charged, it showcases the value and importance of social media data when it comes to investigating, profiling groups and individuals, and breaking down terrorist activity.

Social media data offers a different yet complementary sort of analysis than the more traditional forms of forensic evidence can. In the case of suspected terrorism, social media platforms and applications can be used for mass communication. Whether for a recruitment drive or to plan an attack, social media can be a highly effective – and therefore potentially dangerous and powerful – communication tool.

This highlights and embellishes the importance of digital forensics when considering social media data as an evidence source, a fact which needs to be recognised. It is not just about a potential conviction – it is also about preventing and neutralising any threats to national or international security.

Investigators have to identify and study every potential evidence source, particularly when it comes to a nationwide threat. For more than a decade, phone records and messages have been key to unlocking evidence in investigations and still are to this day. But there has to be recognition of social media data, from sites such as Facebook, Twitter and Instagram, it is fast becoming a primary communication tool that criminals and terrorists use to negotiate their activities and commit potentially catastrophic crimes.

Yuval Ben-Moshe is the Senior Director of Forensic Technologies at Cellebrite, a provider of forensic solutions for mobile devices including smartphones, tablets and portable GPS devices. In this role, he acts as a subject matter expert for the company and a central knowledge hub, assuring the company’s tight and intimate connection with the forensics community of law enforcement agencies worldwide.