By Adv Jacqueline Fick
The world around us is evolving at a rapid pace. Technology has not only given rise to a new way of doing business, but also to how crime is committed - be it traditional or new types of crime.
When conducting an investigation in modern times, there is no better place to start than with cellphone analysis. A cellphone is equivalent to a computer and, in some cases, it holds more information than we store on our computers. Yet investigators might wonder how a cellphone can provide them with vital evidence in a murder or robbery case and the like. This article aims to provide practical advice on how to deal with cellphone evidence as part of an investigation.
Distinguishing the types of information
For starters, we need to distinguish between the information that can be obtained from mobile network operators (MNOs) and that which can be gathered from the cellphone itself. It is also important to note that not all the information stored on the cellphone can be requested from MNOs. A common misconception is that MNOs store the content of WhatsApp conversations. WhatsApp conversations and calls are data transactions with end-to-end encryption, and all an MNO does is provide the “pipe” through which the communication passes from one device to another. MNOs also do not store the content of SMSes, and therefore the content of these messages will not be available when you request the call data records (CDRs) for a specific cellphone number or, as the MNOs refer to it, an MSISDN (Mobile Subscriber Integrated Services Digital Network number).
The evidence contained on a cellphone will be classified as digital evidence. ISO/IEC 27037:2012 is an international standard that provides guidelines for specific activities in handling digital evidence, namely the identification, collection, acquisition and preservation of digital evidence that may be of evidential value. This standard provides the benchmark for dealing with, among other things, digital evidence on cellphones and other mobile devices (https://www.iso.org/standard/44381.html).
Not all investigators are fortunate enough to have a colleague skilled in digital forensics present at each arrest. Investigators are advised not to book a cellphone in as personal property when they arrest a suspect, but to book it as evidence and to follow the correct procedures when doing so. As with all evidence, there is a best practice for handling it and ensuring a proper chain of custody. Just as it is commonly accepted that a firearm should be made safe before it is sealed as evidence, a cellphone must also be made “safe”.
As a rule, the investigator should put the cellphone on flight mode, remove the SIM card or, ideally, remove the battery (when possible) to prevent remote wiping of the phone. Remote wipe is a feature that allows a user to remove all data from their cellphone should the phone ever get lost or stolen. What criminals often do when their cellphones are seized, or when they know that some of their co-conspirators have been arrested, is to remotely wipe the cellphone. If the cellphone is powered off or on flight mode, the remote wipe cannot take effect until the device is powered back on or flight mode is deactivated. Therefore, the cellphone should only be activated by a trained digital forensic professional.
When processing the cellphone into evidence, be sure to record the cellphone, the SIM card and even the memory card as individual items. Each of these items holds different information which could be key to the investigation.
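The two points above, a proper chain of custody and booking the handset, SIM card and memory card as separate items, can be illustrated with a small itemised custody log. The following is an added example written for this article, not the author's own procedure or any agency's system: it records the three items separately and keeps every custody action in a hash-chained log, so that any later alteration or removal of an entry is detectable. All device identifiers and names in it are constructed placeholders.

```python
"""Itemised evidence intake with a hash-chained chain-of-custody log.

Added illustration; not part of the original article. The IMEI, ICCID,
card serial, timestamps and names below are constructed placeholders.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List


@dataclass
class EvidenceItem:
    item_no: str        # exhibit number assigned at booking
    description: str    # what the item is
    identifier: str     # IMEI / ICCID / card serial (placeholders here)
    state: str          # condition when sealed, e.g. "flight mode, powered off"


@dataclass
class CustodyEntry:
    seq: int            # 1-based position in the log
    timestamp: str      # ISO 8601 time of the action (constructed)
    actor: str          # person performing the action
    action: str         # seized / sealed / handed over / received ...
    item_no: str        # which exhibit the action concerns
    prev_hash: str      # SHA-256 of the previous entry (zeros for the first)
    entry_hash: str = ""  # SHA-256 of this entry's other fields


def _hash_entry(entry: CustodyEntry) -> str:
    """Hash every field except entry_hash, using a canonical JSON encoding."""
    body = asdict(entry)
    body.pop("entry_hash")
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class CustodyLog:
    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self) -> None:
        self.items: Dict[str, EvidenceItem] = {}
        self.entries: List[CustodyEntry] = []

    def add_item(self, item: EvidenceItem) -> None:
        if item.item_no in self.items:
            raise ValueError(f"duplicate exhibit number {item.item_no}")
        self.items[item.item_no] = item

    def record(self, timestamp: str, actor: str, action: str, item_no: str) -> CustodyEntry:
        """Append an action; every action must refer to a booked item."""
        if item_no not in self.items:
            raise KeyError(f"unknown exhibit {item_no}")
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = CustodyEntry(len(self.entries) + 1, timestamp, actor, action, item_no, prev)
        entry.entry_hash = _hash_entry(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if no entry was altered, removed or re-ordered."""
        prev = self.GENESIS
        for position, entry in enumerate(self.entries, start=1):
            if entry.seq != position or entry.prev_hash != prev:
                return False
            if entry.item_no not in self.items:
                return False
            if _hash_entry(entry) != entry.entry_hash:
                return False
            prev = entry.entry_hash
        return True


def build_sample_log() -> CustodyLog:
    """Book one handset as three exhibits and log the first custody steps."""
    log = CustodyLog()
    # Constructed placeholder identifiers; not real devices.
    log.add_item(EvidenceItem("EXH-01", "Handset", "IMEI-PLACEHOLDER", "flight mode, powered off"))
    log.add_item(EvidenceItem("EXH-02", "SIM card (removed from EXH-01)", "ICCID-PLACEHOLDER", "removed, bagged"))
    log.add_item(EvidenceItem("EXH-03", "microSD card (removed from EXH-01)", "SERIAL-PLACEHOLDER", "removed, bagged"))
    for exh in ("EXH-01", "EXH-02", "EXH-03"):
        log.record("2024-01-01T10:00:00Z", "Investigating officer (placeholder)", "seized and sealed", exh)
    log.record("2024-01-01T12:30:00Z", "Investigating officer (placeholder)", "handed to forensic examiner", "EXH-01")
    log.record("2024-01-01T12:30:00Z", "Forensic examiner (placeholder)", "received sealed", "EXH-01")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(f"{len(sample.items)} exhibits, {len(sample.entries)} custody entries, intact={sample.verify()}")
```

Each entry's hash covers its own fields plus the previous entry's hash, so editing, deleting or reordering any step breaks the chain at that point and `verify()` returns False. Recording an action against an exhibit that was never booked is refused, which enforces the rule that the handset, SIM card and memory card exist as separate items before anything can happen to them.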