Mobile devices are more common today than computers, with a saturation rate of over 100% in the U.S. Many crimes are either committed directly with a mobile device or facilitated by one. These devices can contain a wealth of evidence that will play into your investigation. But to conduct a thorough investigation, you need to know how to retrieve the digital data and then how to properly analyze it. Let us show you the tools and teach you the skills needed to successfully recover digital data and evidence from a mobile device. This course covers all angles of the investigation, including seizure, evidence recovery, and how to obtain relevant information from service providers. We demonstrate the importance of device manuals, and show you the role they play in your device research.
Audience: Law enforcement officers, investigators, analysts and forensic examiners
Prerequisites: Complete The Investigation of Computer Crime course. (Recommended)
Length: 3 days
Mobile Device Data Recovery Considerations
There is a serious need for this course, and we tell you why. We show how mobile device use by youngsters makes them prime targets for exploitation. We cover some of the capabilities of mobile devices and demonstrate some of the more popular apps for texting, chatting, photos, and file sharing. As an investigator, you will need to know how to find and analyze the data that is held within each of these mobile device features.
Mobile Device Seizure
We begin this block by showing you how to prevent data from being lost (by you) or destroyed remotely (by the suspect). Then we move into other seizure issues, like how to remove a device from a network. You’ll learn what can be recovered from a mobile device and the legal issues that you must consider. We show you how to work with a password-protected phone and demonstrate the tools that can help you get inside. We talk about vault apps—the forms they take and how to bypass them. You’ll learn how to determine a device’s IP address; this will lead you to the cellular provider. We show you how to prepare a preservation order to get information from the provider. We take a deeper dive into mobile device tracking and tower information as we show you how mobile device tracking works and talk about cell coverage and towers. We introduce you to the hardware and software tools that you’ll need to use for your mobile device investigations.
Mobile Device Data Recovery Resources
With so much information just a click away, it’s often hard for an investigator to know where to start. We show you how to download some of our favorite Firefox Add-ons that will help in your investigations. We also introduce you to the SEARCH Toolbar, another free and indispensable download. You’ll learn how to organize the information you discover about a device and how to document each step in your investigation. We show you other resources you can download to retrieve phone information and access device manuals. We introduce you to the online groups and listservs that law enforcement investigators frequent. You’ll see the types of information that can be gleaned from digital photos and learn the ins and outs of retrieving, viewing and mapping this EXIF data.
Cellebrite UFED Logical
As we have already established, there are many tools and resources available for mobile device investigation. One of our favorite tools for law enforcement investigators is the Cellebrite UFED (Universal Forensic Extraction Device). We demonstrate how the device works and show how you can use it to extract vital information such as phonebook, photos, videos, ringtones, SMS (text messages), calendar and more from a mobile device.
Secure View 3
After a quick review of what we covered yesterday, we launch into a full day of showing you more tools that will enhance your investigations. This time we explore a product called Secure View 3, made by Susteen. We show you how to use Secure View 3 to acquire and analyze data from many types of mobile devices, including Apple products and pre-paid cell phones. You will see how using this device can save your agency time and money by automating many of the tasks you likely do now by hand, like downloading call logs and contact lists. We also show you how the svProbe feature allows you to analyze the data contained on a mobile device.
We realize that some of the products we demonstrate in our classes might be cost-prohibitive for some agencies. That’s why we also provide examples of free resources. BitPim is an open source, free software tool that you can use to view data on a mobile device. We walk you through the steps of downloading BitPim and show you how to use it to get information from a device’s phonebook, calendar, wallpaper, ringtone, memo, text messages, and call history fields. We show you how to use the tool to retrieve file system information that can later be parsed with a forensic utility. BitPim, while limited to non-smartphone CDMA devices, performs great for “throw-down” cell phones from carriers such as MetroPCS and Cricket, which oftentimes show up in investigations and have limited support from other mobile device data recovery tools.
We move forward with yet another tool demonstration—Device Seizure, from the Paraben Corporation. This tool offers logical and physical data extraction of user data such as call logs, text messages, contacts and photos. We also show you how to get to the file system and deleted data. You’ll see how the tool can extract user passwords and GPS data points. Lastly, we show you how to generate reports that will help you to make sense of the data.
SIM (Subscriber Identity Module) cards are those small, portable memory chips that are used mostly in mobile devices that operate on the Global System for Mobile Communications (GSM) network. They hold the personal information of the account holder, including phone number, address book, text messages, and other data. All of this is vital information for any investigation and you need to know how to access it. In this discussion we show you how to analyze a SIM card and document your findings to build your case.
Manual Data Extraction
Sometimes even technology isn’t enough. You may run into instances where data cannot be retrieved with automated data recovery software. Or the software may not be accessible. At times like these, you need to rely on “old-school” methods like taking notes or photos or videos. We walk you through the steps you should take to do a manual data recovery, and advise you of the pitfalls you’ll want to avoid. We demonstrate the video camera method using Windows Movie Maker, a free tool that saves time and energy over the traditional methods of taking photographs.
We bring the course to a close by giving you the opportunity to put your newfound skills to the test. We challenge you to work your way through some hands-on, real-world examples that will allow you to demonstrate that you have grasped the course content. You also have the option of bringing in an evidence phone from an active case and conducting an analysis of it.
Mr. Andrew T. Owen is Director of Information Sharing Programs for SEARCH, The National Consortium for Justice Information and Statistics, where he oversees SEARCH initiatives to support justice and public safety information sharing nationwide. These initiatives focus on providing direct assistance to federal, state, local, and tribal organizations to improve their use of technology, information sharing, and communications interoperability in mission-critical projects. Initiatives include consultation and facilitation, strategic planning for information sharing and technology deployment, architecture development, business process modeling and analysis, service specification development, performance management, voice and data integration planning, application of technology standards, and developing effective governance and funding models.
Since joining SEARCH in 2006, Mr. Owen has worked on multiple projects focused on integrated justice information systems planning and implementation, including the National Information Exchange Model (NIEM), the Global Reference Architecture (GRA), and the Justice Information Exchange Model (JIEM®). He has provided programming and configuration assistance, consultation on implementation architecture, training, technical assistance, and research to jurisdictions nationwide in planning and implementing information sharing solutions, as well as developing information sharing standards and technical architecture. He has also played a key role in supporting members of the Open Justice Broker Consortium (OJBC).
Mr. Owen formerly was Lead Systems Analyst for the National Law Enforcement and Corrections Technology Center–Northeast (NLECTC-NE). In this role, he provided information sharing technical assistance and consulting services to many state and local law enforcement, courts, and corrections agencies.
Mr. Owen is experienced with JIEM, NIEM, and the IEPD development process. He has supported a number of Global and NIEM efforts, including developing corrections-related reference IEPDs, the New York State in-state Rap Sheet IEPD, California Courts IEPDs, and several incident reporting projects that leverage the FBI’s Law Enforcement National Data Exchange (N-DEx) IEPD. Mr. Owen regularly serves as a presenter at conferences to discuss information sharing approaches and methodologies and has authored technical briefs on JIEM, NIEM, Web Services, XML, and related topics. He has led the policy and technology aspects of establishing identity management federations, using the GFIPM (Global Federated Identity and Privilege Management) guidelines and open source software, at the state level, allowing integrated justice initiatives to improve security while providing practitioners with seamless access to information.
Mr. Owen also has provided support to the U.S. Department of Justice’s Global Justice Information Sharing Initiative (Global). He participated on the Global Tech team and its XML Structure Task Force (XSTF), is actively involved in NIEM curriculum development, and is a NIEM training instructor. He has developed training materials, provided training to local and state justice agencies, and instructed at NIEM “train-the-trainer” events. In 2011, he was appointed co-chair of the NIEM Technical Architecture Committee (NTAC), representing state, local, and tribal organizations. Since becoming co-chair, he has played a lead role in establishing a Unified Modeling Language profile for NIEM and in developing the NIEM 3.0 technical architecture.
Mr. Owen has a bachelor’s degree in Applied Networking and Systems Administration from the Rochester Institute of Technology, New York. He has achieved SEARCH JIEM certification and is a Certified ScrumMaster® (CSM).
Mr. Timothy Lott is Director of the High-Tech Crime Training Services Program of SEARCH, The National Consortium for Justice Information and Statistics. He oversees a national program that provides expert technical assistance and training to local, state, and federal justice and public safety agencies on successfully conducting electronic crimes investigations.
These courses focus on teaching how to investigate Internet and computer crimes, online child exploitation, cellular devices, and social networking sites, and the proper search and seizure of home and small office networks. The High-Tech Crime Training Services team led by Mr. Lott also provides hands-on assistance in systems security and computer forensics.
Mr. Lott joined SEARCH in 2010 as a High-Tech Crime Training Specialist. He coordinated and provided training on high-tech crime investigations and forensics; provided technical assistance to law enforcement agencies in active cases; prepared training curricula; and presented at conferences throughout the United States. He was promoted to his current position in 2011.
Mr. Lott previously worked for 6 years as a Deputy Probation Officer for the Sacramento County (California) Department of Probation, and another 2 years as a Probation Assistant. He was assigned to the Sacramento Valley Hi-Tech Crimes Task Force, and helped conduct multijurisdictional investigations involving white-collar crime, organized crime, crimes against persons, and fraud when high-technology or identity theft is a factor. He also supervised a caseload of adult and juvenile probationers.
His assignment on the Task Force required him to conduct probation compliance checks on offenders who had been convicted and placed on probation for offenses involving the possession of child pornography, stalking via social networking sites or cell phones, and identity theft. In August 2009, Mr. Lott was cross-designated as a Special Deputy United States Marshal.
Mr. Lott is a member of the American Probation and Parole Association, American Criminal Justice Association, and High Technology Crime Investigation Association. He earned a bachelor’s degree in Criminal Justice from California State University-Sacramento. He is a certified Instructor through the California Commission on Peace Officer Standards and Training (POST), Robert Presley Institute of Criminal Investigation / Instructor Development Institute (ICI/IDI).
Mr. Justin Fitzsimmons is a Program Manager in the High-Tech Crime Training Services (HTCTS) department of SEARCH, The National Consortium for Justice Information and Statistics. He helps coordinate training with law enforcement agencies, prepares budgets, oversees the HTCTS project staff, and develops high-tech crime training projects for justice, public safety, and homeland security agencies nationwide. He also conducts legal, policy, and regulatory research, prepares white papers, and provides assistance and instructional services to justice, public safety, and homeland security agencies, particularly in digital evidence recovery, investigation, and prosecution.
Mr. Fitzsimmons is conducting a national research effort to determine the current capabilities of law enforcement to investigate crimes with digital evidence and make recommendations to decision-makers about resources to assist law enforcement. He also presents at conferences and trainings, participates on advisory committees and task forces, and supports agencies and jurisdictions as they create and implement effective procedures, practices, and technology applications that seek to combat high-tech crime and recover digital evidence.
Before joining SEARCH in 2012, Mr. Fitzsimmons worked for the National District Attorneys Association, where he was Senior Attorney for its National Center for Prosecution of Child Abuse beginning in 2009. He responded to requests for assistance in child sexual exploitation cases from prosecutors and law enforcement around the United States, designed and presented training seminars, and published articles on emerging technological issues in child sexual exploitation. From 1998–2009, he was an assistant state’s attorney (ASA) in the State’s Attorney’s Offices for Kane and DuPage Counties, Illinois, where he prosecuted cases involving sexual exploitation and digital evidence. As an ASA for Kane County, he supervised the Special Prosecution Unit, responsible for investigating and prosecuting felony cases, including Internet crimes against children. He was also assigned to a Child Advocacy Center team that investigated and prosecuted cases of severe physical and sexual abuse against children, crimes of Internet solicitation of children, and child pornography. As an ASA for DuPage County, he worked in the Criminal Prosecutions Bureau and the Felony Domestic Violence Unit.
Mr. Fitzsimmons frequently presents and teaches at international, national, and regional conferences, workshops, webinars, and training courses on digital evidence collection, computer forensics, crimes against children, cybercrime, and human trafficking. He has published articles on digital evidence authentication, computer forensics for prosecutors, child sexual exploitation, and more. In addition, he has drafted legislation that was signed into law in Illinois on several technology-facilitated child sexual exploitation issues from 2006–08.
Mr. Fitzsimmons was a member of the U.S. Department of Justice (DOJ) National Strategy Working Group on Child Exploitation and co-chaired its Training Subcommittee. He also participated in the DOJ Office for Victims of Crime Working Group on Restitution for Victims of Child Pornography, the FBI Innocence Lost Working Group, and the Internet Child Exploitation Task Force. He has served as faculty of the National Children’s Advocacy Center, Huntsville, Alabama, and for the North-East Metropolitan Regional Training Center, Police Training, Aurora, Illinois.
Mr. Fitzsimmons is a graduate of the Illinois Institute of Technology’s Chicago-Kent College of Law, and earned a bachelor’s degree from Wittenberg University in Ohio.
Mr. Armstrong is a High-Tech Crime Training Specialist in the High-Tech Crime Training Services department of SEARCH, The National Consortium for Justice Information and Statistics, where he coordinates and provides training on high-tech crime investigations and forensics to local, state and federal justice agencies. He provides technical assistance to law enforcement agencies in active cases, prepares training curricula, teaches SEARCH investigative courses and speaks at conferences throughout the United States.
Before joining SEARCH in 2008, Mr. Armstrong was a System Specialist at Fox Valley Technical College, where he assisted with the management of the Internet Crimes Against Children (ICAC) International Database Network.
Mr. Armstrong retired from the San Diego (California) Police Department in 2006 after more than 27 years of service. When he retired, he was Lead Investigator for the ICAC grant in San Diego County. In this role, he was involved in both proactive and reactive investigations, forensic investigations, computer maintenance, office network and networking hardware, and grant financial planning. Immediately prior to his ICAC assignment, he spent 6-plus years as a Child Abuse Investigator, investigating every type of child abuse, up to and including child homicides. In 2007, Mr. Armstrong was the recipient of the United States Attorney General’s Special Commendation Award for a San Diego Police investigation.
Mr. Armstrong has taught numerous high-tech crime and law enforcement courses, to include Child Abuse Investigation, Sex Crimes Investigation, and Trends in High-tech Crime for universities, colleges in San Diego County, as well as the San Diego Police Department and the San Diego Regional Law Enforcement Academy.
Mr. Armstrong has earned certifications in White Collar Crime, Child Abuse Investigation, and Auto Theft Investigation from the California Commission on Peace Officer Standards and Training (POST), Robert Presley Institute of Criminal Investigation (ICI), and is a certified Instructor from the ICI’s Instructor Development Institute. He attended National University, where he studied Administration of Justice; the Basic Law Enforcement Academy at Miramar Community College; City College of Chicago, where he became a Nationally Registered Emergency Medical Technician; and Grossmont Community College, where he received his Associate’s degree. He served as a Military Police Officer in the U.S. Army, and after completion of Officer Candidate School, as an Officer in the California Army National Guard, Armor Branch.
Mr. Lewis is a High-Tech Crime Training Specialist in the High-Tech Crime Training Services department of SEARCH, The National Consortium for Justice Information and Statistics, where he coordinates and provides training on high-tech crime investigations and digital forensics to local, state, and federal justice agencies. He provides technical assistance to law enforcement agencies in active cases, prepares training curricula, and speaks at conferences nationwide.
Before joining SEARCH in 2012, Mr. Lewis served for 23 years with the Lakewood (Colorado) Police Department, most recently as its Forensic Computer Analyst. He ran its forensic computer lab and was responsible for all aspects of digital evidence, from collection through analysis. He also was a Police Imaging and Technology Specialist, which involved analyzing images and creating imaging policies. He was a Police Photo Technician/Criminalist, operating and managing the department’s photo lab and conducting forensic imaging for its crime lab. He was also System Administrator of the department’s Mugshot System.
Mr. Lewis earned an associate’s degree in photography from Colorado Mountain College and a Computer Forensics Certificate from Marshall University (West Virginia). He is also a certified Instructor through the Colorado Peace Officer Standards and Training Board (POST). He has undertaken multiple computer forensics trainings, including forensic photography and technology, crime scene investigation, digital imaging, electronic/digital examination, data recovery and analysis, and computer crime investigations.
Mr. Lewis has taught numerous Lakewood Police Academy classes and at the Colorado Law Enforcement Training Academy in the Crime Scene Investigators course series. He also has taught law enforcement video analysis courses at Central Piedmont Community College (North Carolina), teaches cellphone forensics at the University of Colorado in the Master’s Program for the National Center for Media Forensics, and is an adjunct instructor for the Computer Science Program at the Community College of Aurora (Colorado), teaching computer forensics.
Mr. Lewis has provided consulting and training to agencies nationwide on techniques and procedures for conventional and digital imaging and analysis. He is a frequently published author on computer and digital forensics topics, and has presented at conferences, cybercrime summits, and trainings held by forensic sciences, computer evidence, and identification organizations. He writes a Forensic Bytes column for Digital Forensic Investigator News. In addition, he has been a court-qualified expert in forensic photography, video analysis, and computer and cell phone analysis for district courts in Jefferson County, Colorado, since 2002.
Mr. Lewis is a member of the International Association for Identification (IAI); the National Technical Investigators Association (NATIA); and the Digital Evidence Committee of ASTM International, a global standards organization. He is Past President of the Colorado Association of Computer Crimes Investigators (CACCI). He is also an appointed member of the FBI’s Scientific Working Group for Digital Evidence (SWGDE), which fosters cooperation among law enforcement agencies and recommends national standards and procedures within the forensic community. He has served as its Vice-Chairman and has chaired its Forensic Committee.
Ms. Elizabeth Tow is a High-Tech Crime Training Specialist in the High-Tech Crime Training Services department of SEARCH, The National Consortium for Justice Information and Statistics, where she coordinates and provides training on high-tech crime investigations and forensics to local, state and federal justice and public safety agencies. She provides technical assistance to law enforcement agencies in active cases, prepares training curricula, teaches SEARCH investigative courses and speaks at conferences throughout the United States.
Before joining SEARCH in 2010, Ms. Tow spent five years in local law enforcement in two states, as a Public Safety Dispatcher for the Grass Valley (California) and Helena (Montana) Police Departments. She gained experience in curriculum development and training and Internet Crimes Against Children peer-to-peer investigations. She is a Certified Trainer in the California Law Enforcement Telecommunication System (CLETS) and Department of Homeland Security (DHS) National Incident Management System/Standardized Emergency Management System (NIMS/SEMS). She is a Peace Officer Standards and Training-certified Public Safety Dispatcher in both California and Montana, and has received POST training in such areas as law enforcement response to terrorism, child abduction intervention and resource training, and domestic violence and sexual assault for dispatchers.
While working for the Grass Valley Police Department, Ms. Tow served as the CLETS Operational Trainer, the Communications Center CLETS Coordinator, and the Communications Training Officer. She also served on the department’s Recruitment and Retention Committee and Organizational Excellence Committee, and was a member and agency representative to the California CLETS Users Group.
Ms. Tow has additional experience as a Finance Assistant and Parks and Recreation Supervisor with the City of Grass Valley, in addition to a great deal of conference and training-related experience in the private sector beef industry from 1988–2005. She earned a bachelor’s degree in Criminal Justice Management from Union Institute and University and also studied Animal Science at Montana State University. In 2013, she earned a Masters of Forensic Psychology from Argosy University.
Ms. Tow is a certified Instructor through the California Commission on Peace Officer Standards and Training (POST), Robert Presley Institute of Criminal Investigation / Instructor Development Institute (ICI/IDI).
Ms. Lauren Wagner is a High-Tech Crime Training Specialist in the High-Tech Crime Training Services department of SEARCH, The National Consortium for Justice Information and Statistics, where she coordinates and provides training on high-tech crime investigations and forensics to local, state and federal justice and public safety agencies. She provides technical assistance to law enforcement agencies in active cases, prepares training curricula, teaches SEARCH investigative courses and speaks at conferences throughout the United States. She has also authored and coauthored various high-tech crime investigative guides, which have been published by SEARCH.
Ms. Wagner previously worked as a Research Analyst for SEARCH, focusing on research and development projects on integrated justice information systems planning and implementation using the Justice Information Exchange Model (JIEM™) tool. She also worked on managing the online state and local integration profiles as part of SEARCH’s justice and public safety Information Sharing Initiatives program.
Ms. Wagner first joined SEARCH in 2005 as a student intern. She holds a bachelor’s degree in Physics from Allegheny College, a master’s degree in Forensic Science from the University of New Haven (UNH), and a master’s certificate in Forensic Computer Investigation from UNH.
She also has her Network Plus Certification, and is a certified Instructor through the California Commission on Peace Officer Standards and Training (POST), Robert Presley Institute of Criminal Investigation / Instructor Development Institute (ICI/IDI). In 2009, Ms. Wagner was awarded the California POST ICI Award for Excellence in Instruction. In 2011, she completed and was certified in the Intermediate Level (Level II) of the California POST IDI Master Instructor program. She then completed and was certified in the Advanced Instructor Development Level (Level III) of this Master Instructor program in 2012.
Dean C. Chatfield
Mr. Dean Chatfield is a High-Tech Crime Training Specialist in the High-Tech Crime Training Services department of SEARCH, The National Consortium for Justice Information and Statistics. He coordinates and provides training on digital evidence investigations and forensics to local, state, and federal justice agencies. He also provides technical assistance to justice agencies in active cases, prepares training curricula and other resource materials, teaches SEARCH investigative courses, and speaks at conferences throughout the United States.
Before joining SEARCH in 2013, Mr. Chatfield worked for the National White Collar Crime Center (NW3C) for 14 years, first as a computer crime specialist, then as a Supervisory Computer Crime Specialist. He presented basic and advanced cyber investigative and computer forensic courses to local, state, federal, military and international law enforcement agencies; researched computer forensics issues; and provided advice to law enforcement agencies in computer seizure and analysis. As Supervisor of the NW3C Computer Crime Section, he managed 26 computer crime specialists and 7 support staff and developed curriculum for 16 cyber and forensic courses. He researched existing and new technology to enhance the courses and managed software development of NW3C products, including PerpHound™. He was NW3C’s liaison with Microsoft’s Digital Crimes Unit on various projects, including programming of MS COFEE versions 1.1.2 and 2.1 (Computer Online Forensic Evidence Extractor).
Mr. Chatfield has 25 years of experience in law enforcement. He was a Criminal Investigator for the Maricopa County (Arizona) Attorney’s Office for 13 years, where he conducted major felony investigations, including criminal enterprises, financial crimes, political corruption, and analysis of computers and computer-generated data. He also was Chief of the Mancos (Colorado) Police Department for 6 years, and began his law enforcement career as a Police Officer and Field Training Officer for the Phoenix (Arizona) Police Department.
Mr. Chatfield is a lifetime member of the International Association of Computer Investigative Specialists (IACIS), a nonprofit organization of volunteer computer forensic professionals dedicated to training and certifying practitioners. He has served on its Board of Directors, as well as its elected President and Vice President. As an IACIS instructor for 5 years, he developed training courses on computer crime investigations and the methodology for seizing and analyzing computer-based evidence. He is a Board member of the American Society of Digital Forensics and eDiscovery (ASDFED) and has been an associate member of the Scientific Working Group for Digital Evidence (SWGDE) since 2005.
Mr. Chatfield was the first person certified as a Computer Forensics Expert by IACIS in 1992. He was selected to train the Commercial Crime Bureau of the Royal Hong Kong Police Force and NATO Intelligence organizations on computer forensics. He also represented state and local law enforcement on the NIST Computer Forensic Tool Testing committee.