This article offers a brief tour of smartphone forensics, including some fundamentals about how the devices work, as well as forensic tools and capabilities. This is not a discussion about cellular signal triangulation or cellular tower pings — others have covered those topics already. Rather, the focus is on the “smartness” of smartphones: the traits these devices have in common with general-purpose computers and their implications from a digital evidentiary perspective. Most importantly, however, a smartphone is not just a device — smartphones exist in a complex ecosystem of networks, application providers, and other portable devices, all of which create records and other evidence.
I. Forensic Acquisition of Digital Information
A. Obtaining Evidence from Smartphones and Cloud Storage
How information is extracted from a device depends on both the physical media from which the extraction takes place and the way the media is being used. In all cases, the goal is to make a forensically sound copy. As a general rule, the original media will be stored in an evidence locker or other secure storage area, and all analysis will be done on copies. Ideally, a forensically sound extraction will have the following properties:
- the extraction process does not alter the contents of the original media;
- the extraction process produces a complete and accurate duplicate of the original media’s contents; and
- it is possible to prove that the contents of the original and the copy match exactly.
It is not always possible to get all these things, and this can be a problem. Equally as important, however, it is critical not to alter evidence before extraction can take place. This is a subtle point: booting or shutting down a system can alter its contents, but so can leaving it running. When contemplating extraction of data from a device, it is worthwhile to consult with an expert about the state of a system and establish a protocol for preserving the evidence.
1. Hard Drives
Although very few smartphones these days have actual hard drives, we begin by discussing them because it is easier to understand hard drives first before diving into the most common form of smartphone storage. Historically, forensic imaging of hard drives has been the most prevalent type of digital forensic extraction, although solid-state drives, discussed below, are taking over. Forensic imaging of a hard drive is generally accomplished by removing the hard drive from the system, connecting it to a write-blocking device (i.e., a device that allows information to be read from the hard drive but prevents information from being written to the hard drive), and using a forensic imaging tool (e.g., FTK Imager, EnCase Acquisition, dd, or some other such utility).
The integrity of the resulting forensic image is then verified using a cryptographic hash algorithm. A hash function is a mathematical function of the form F(x)=y, where y (the “hash value” or “digest”) is a short, fixed-length summary of x, constructed so that someone who knows F and y cannot feasibly work backwards to recover x, and cannot feasibly find a different x that produces the same y. Commonly used hash functions include MD5 and the SHA family (e.g., SHA-1, SHA-256); these are names for specific mathematical functions that can be used to demonstrate that two pieces of data are identical. The forensic software calculates a set of hash values based on the contents of the original media and the forensic image — if the values match, this verifies that the contents are the same. This means that forensic images are tamper-evident: if any part of the image changes, it will no longer “verify” (i.e., the hash value calculations will no longer produce the same values). This is what enables a forensic examiner to work with copies of the evidence instead of the original materials: the copies can be proven to have the same contents as the originals.
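As an added example (not code from the article or from any imaging tool), here is the verification step in Python: the original is hashed in chunks and the digests recorded, then the copy is re-hashed and compared; the sample “image” is a constructed byte string standing in for a disk image.

```python
import hashlib

# Constructed stand-in for a disk image (a real image is a multi-gigabyte file).
ORIGINAL_MEDIA = b"MBR\x55\xaa" + bytes(range(256)) * 16 + b"user-data: contract.docx"


def hash_image(data: bytes, algorithms=("md5", "sha256"), chunk_size=4096) -> dict:
    """Compute digests over the image in fixed-size chunks, as an imaging tool does.

    Reading in chunks matters for real images, which are far too large to hold
    in memory at once; the result is identical to hashing the whole buffer.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(recorded: dict, copy: bytes) -> dict:
    """Re-hash a copy and compare it with the digests recorded for the original.

    Returns a per-algorithm verdict. MD5 is still reported by most imaging tools,
    but collisions have been constructed for it, so a SHA-2 digest should always
    be recorded alongside it; a copy "verifies" only if every algorithm matches.
    """
    fresh = hash_image(copy, algorithms=tuple(recorded))
    return {name: fresh[name] == recorded[name] for name in recorded}


def all_match(verdict: dict) -> bool:
    return all(verdict.values())


def demo():
    """Verify a faithful copy and a copy with one bit flipped."""
    recorded = hash_image(ORIGINAL_MEDIA)
    faithful_copy = bytes(ORIGINAL_MEDIA)
    tampered_copy = bytearray(ORIGINAL_MEDIA)
    tampered_copy[1000] ^= 0x01          # flip a single bit deep in the image
    return (all_match(verify_image(recorded, faithful_copy)),
            all_match(verify_image(recorded, bytes(tampered_copy))))


if __name__ == "__main__":
    print(demo())   # (True, False)
```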
2. Flash and Solid-State Drives
Solid-state drives are commonly found in phones, tablets, other mobile devices, and high-end laptops and computers. Unlike hard drives that use spinning platters of magnetic media to store information, solid-state drives use flash memory chips. They are faster, smaller, more shock-proof, and consume less power than hard drives, so they are well-suited for use in compact devices. They are also more expensive to produce, per megabyte of storage, but their superior speed makes them desirable as storage devices in ordinary computers as well.
Because solid-state drives differ in the way they store information, their properties are different from a forensic perspective as well. In a solid-state storage device, available space is divided into “blocks,” and blocks are further subdivided into “pages.” Data can be written one page at a time, but erasure happens only a whole block at a time, and a page cannot be overwritten in place until its block has been erased. Over time, partially used blocks accumulate (some pages holding current data, others holding stale or deleted data), and there is a need to consolidate them to make room for additional data. The solid-state device has a built-in mechanism for accomplishing this, known as “garbage collection.” The storage device continuously reviews its own utilization, and when it detects an opportunity to copy the still-valid contents of one partially occupied block into free pages elsewhere, it does so, and then erases the first block to free it up for future use. Generally speaking, if the device is powered on, garbage collection is taking place.
Garbage collection has consequences for forensic acquisition. First and foremost, the contents of solid-state storage may be changing as acquisition takes place, regardless of whether a write-blocking device sits between the forensic analyst’s computer and the solid-state device. Second, it may not be possible, using traditional means of acquisition, to obtain a verifiable image of the original. Third, it may not be possible to recover deleted data because of garbage collection; deleted files may be overwritten or multiple fragments of files might linger on, depending on how active the garbage collector has been. Some forensic techniques allow for extraction of data while a device is powered off, so that no garbage collection takes place. Many of these, however, involve highly specialized equipment and expertise, and also result in the destruction of the original. Moreover, these techniques are ineffective if the solid-state drive is using built-in encryption.
The forensic world is doing its best, but data extraction from solid-state storage lacks the maturity and forensic soundness of extraction from hard drives.
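The following is an added illustration, not from the article: a toy model of a flash device with page-level writes, block-level erasure and a garbage collector. It shows why a raw read of a powered-on solid-state device is unstable: two “images” taken minutes apart differ even though the user wrote nothing in between, and deleted data that was readable in the first is gone from the second. Block and page counts are constructed to keep the model small.

```python
PAGES_PER_BLOCK = 4
NUM_BLOCKS = 4


class SolidStateDevice:
    """Toy flash device: pages are written individually, blocks are erased whole."""

    def __init__(self):
        # A physical page is None (erased) or {"data": bytes, "valid": bool}.
        self.blocks = [[None] * PAGES_PER_BLOCK for _ in range(NUM_BLOCKS)]
        self.mapping = {}      # logical page number -> (block, page) of the live copy

    def _free_page(self, avoid_block=None):
        for b, block in enumerate(self.blocks):
            if b == avoid_block:
                continue
            for p, page in enumerate(block):
                if page is None:
                    return b, p
        raise RuntimeError("no erased page available; garbage collection needed")

    def write(self, lpn, data):
        """Flash cannot overwrite in place: the old page is marked stale, data goes to a fresh page."""
        if lpn in self.mapping:
            b, p = self.mapping[lpn]
            self.blocks[b][p]["valid"] = False
        b, p = self._free_page()
        self.blocks[b][p] = {"data": data, "valid": True}
        self.mapping[lpn] = (b, p)

    def delete(self, lpn):
        """A delete (TRIM) only marks the page stale; its bytes remain until the block is erased."""
        b, p = self.mapping.pop(lpn)
        self.blocks[b][p]["valid"] = False

    def raw_dump(self):
        """What a physical or chip-off read sees: every programmed page, valid or stale."""
        return [page["data"] for block in self.blocks for page in block if page is not None]

    def logical_view(self):
        """What the filesystem (and a logical acquisition) sees."""
        return {lpn: self.blocks[b][p]["data"] for lpn, (b, p) in self.mapping.items()}

    def garbage_collect(self):
        """One pass: move the valid pages out of the block with the most stale pages, then erase it.

        Real controllers consolidate valid pages into an erased block; writing them to any
        free page elsewhere is enough to show the effect on deleted data.
        """
        def stale(block):
            return sum(1 for pg in block if pg is not None and not pg["valid"])

        victim = max(range(NUM_BLOCKS), key=lambda b: stale(self.blocks[b]))
        if stale(self.blocks[victim]) == 0:
            return None
        physical_to_logical = {loc: lpn for lpn, loc in self.mapping.items()}
        for p, page in enumerate(self.blocks[victim]):
            if page is not None and page["valid"]:
                nb, np_ = self._free_page(avoid_block=victim)
                self.blocks[nb][np_] = {"data": page["data"], "valid": True}
                self.mapping[physical_to_logical[(victim, p)]] = (nb, np_)
        self.blocks[victim] = [None] * PAGES_PER_BLOCK     # block-level erase
        return victim


def acquisition_scenario():
    """Write six pages, delete two, then image the device before and after one GC pass."""
    ssd = SolidStateDevice()
    for lpn in range(6):
        ssd.write(lpn, f"file{lpn}".encode())
    ssd.delete(1)
    ssd.delete(2)
    image_before_gc = ssd.raw_dump()       # deleted pages are still physically readable
    ssd.garbage_collect()                  # runs on its own while the device is powered
    image_after_gc = ssd.raw_dump()
    return image_before_gc, image_after_gc, ssd.logical_view()
```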
3. Cloud Storage
The best definition of “the Cloud” is probably just “someone else’s computers.” From a purely technical perspective, there is nothing special about cloud computers: they are just ordinary computers housed in a data center somewhere. Extracting information from cloud storage generally poses more of a legal and organizational challenge than a technical one. Complicating factors include the following:
- Who owns the computers?
- Who owns the data on the computers?
- Are the computers dedicated to a single customer or is it a shared environment?
- Where are the computers located (i.e., what laws apply)?
- What kind of data is at stake? (e.g., European Union law on privacy of personal records is different from U.S. law)
- What kind of access do we need in order to do the extraction? For many cloud-based services, but not all, it would be sufficient just to obtain a copy of the data stored, rather than a full forensic image.
- Under what authority is the data sought?
Generally speaking, most “extractions” of data from cloud-based facilities take the form of subpoenas, not technical efforts.
4. Server-Based or Network-Attached Storage
Servers are worth mentioning in this discussion because apps connect to them, and because they are the systems that make up “the cloud.” Server systems, meaning computers that are used to provide services for multiple individual users, can present their own challenges. First, there is the challenge of capacity: a file server may house dozens or even hundreds of terabytes of storage; the time and media required to make a complete forensic image may render the task impractical.
Servers also tend to use their storage media differently than standard computers. Whereas a typical desktop has a single hard drive, servers will aggregate multiple physical drives into a single logical pool. This is done to increase capacity, speed up storage and retrieval (since multiple reads and writes can take place simultaneously), and provide redundancy (each piece of information is stored on more than one drive, so that in the event of a drive failure, there is no loss and replacement is simple). This storage strategy is known as RAID (Redundant Array of Inexpensive Disks), and it has obvious implications for forensic imaging.
5. Encryption
Encryption of information does not prevent the creation of a forensic copy, but it does mean that the copy is useless without the proper decryption tools and key. Many mobile devices have built-in tools for encrypting their storage, and this should be factored into any plan to extract information. Knowing a passcode for a device may not be enough: the passcode is not the decryption key itself, and it tells you nothing about the cipher used for the encryption.
Encryption is generally quite effective, as well. As evidence of this, note that there are battles in a number of jurisdictions right now over whether suspects can be compelled to divulge their decryption secrets. For example, consider iPhones, which can be unlocked with either a fingerprint or a passcode. In some jurisdictions this distinction is meaningful: law enforcement is empowered to collect fingerprints, but divulging a passcode might be considered testimonial and therefore implicate Fifth Amendment issues. If encryption were easily bypassed, these fights would be unnecessary.
This is a good time to remember that not all government bodies are the same. An encrypted phone is probably safe against state and local authorities. In some cases it may not be: commercial vendors such as Cellebrite have begun offering “pay-to-unlock” services, and a law enforcement agency willing to invest the money could avail itself of them. These techniques probably do not work on all versions of all phones, with older phones and older operating system versions more likely to be vulnerable. A national intelligence agency, on the other hand, particularly in matters where national security is implicated, may be able to bring other resources to bear. For an example of this, review the story of the iPhone belonging to one of the San Bernardino shooters.
6. Memory Extraction
Nearly all data extraction is performed on “persistent storage”: storage whose contents remain after the system is powered off. In some cases, it may be possible to extract portions of the system’s RAM: the live working memory whose contents would be lost if the system is shut down or rebooted. Techniques for extraction from memory are finicky and highly dependent on the characteristics and state of the system on which the extraction is to be performed. Live memory extraction is relatively rare, but may be an issue if systems are seized by federal agencies.
B. Gathering Emails
Emails are ubiquitous and can contain everything from time-stamped records of who is communicating with whom to complex attachments of all sorts. As a result, they are essential to discovery efforts. One of the most confounding aspects of emails, however, is that they may exist in so many places. When speaking of gathering emails, “Gather them from where?” is a reasonable threshold question. “For what?” is a second question.
Gathering emails in order to determine the content of communications is a different endeavor than gathering emails to trace the dissemination of a message. This observation is not specific to emails, but any effort to round up information will be improved by clarity of purpose from the beginning. Having said that, emails are usually obtained via extraction from clients, from servers, or from the cloud.
So-called “Client-Server” architecture is a common strategy for sharing a central IT resource among multiple simple endpoint systems. With respect to email, the client is the thing used to read and compose email; the server is the thing that handles storing, delivering, and receiving email. Here is a basic email transaction: User 1 at Office A sends a message to User 2 at Office B. This example (below) shows us an interesting aspect of digital data: when someone sends an email, it does not actually “leave” its point of origin in any meaningful sense — rather, a copy is transmitted to the next hop along the delivery path.
This example is pretty good, but it is not one-size-fits-all. There are variations, most notably web-based email. It is also worth taking note of who runs the email servers involved in a given transaction: Is it a corporation involved in the matter at hand? An internet service provider? A cloud provider? A private individual or organization?
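The hop-by-hop transaction described above (User 1 at Office A to User 2 at Office B), as an added model that is not part of the original article: each host keeps the copy it handled, each server prepends a Received: trace header, and two small helpers answer the two gathering questions the section raises, where copies exist and what route the message took. Host names and the sample message are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Message:
    headers: list       # (name, value) pairs, newest trace header first, as in a real message
    body: str

    def header_values(self, name):
        return [v for n, v in self.headers if n.lower() == name.lower()]


@dataclass
class Host:
    """A mail client or mail server. Every host keeps a copy of each message it handles."""
    name: str
    is_server: bool = False
    store: list = field(default_factory=list)


def deliver(path, msg, sent_at):
    """Relay msg along path (client, servers..., client).

    Nothing "leaves" any hop: each host stores the message as it saw it, and each
    server prepends a Received: trace header before passing a copy on.
    """
    clock = sent_at
    for i, host in enumerate(path):
        if host.is_server and i > 0:
            clock += timedelta(seconds=3)
            trace = ("Received", f"from {path[i - 1].name} by {host.name}; {clock.isoformat()}")
            msg = Message([trace] + msg.headers, msg.body)
        host.store.append(msg)
    return msg


def holders(hosts, message_id):
    """Names of the hosts that still hold a copy of the message with this Message-ID."""
    return [h.name for h in hosts
            if any(message_id in m.header_values("Message-ID") for m in h.store)]


def received_route(msg):
    """Reconstruct the delivery path from Received: headers (newest first in the message)."""
    by_hosts = []
    for value in msg.header_values("Received"):
        by_hosts.append(value.split(" by ", 1)[1].split(";", 1)[0].strip())
    return list(reversed(by_hosts))


def office_a_to_office_b():
    """User 1 at Office A sends to User 2 at Office B; returns the four hosts involved."""
    user1 = Host("user1-laptop")
    server_a = Host("mail.office-a.example", is_server=True)
    server_b = Host("mail.office-b.example", is_server=True)
    user2 = Host("user2-phone")
    original = Message(
        [("Message-ID", "<0001@office-a.example>"),
         ("From", "user1@office-a.example"),
         ("To", "user2@office-b.example"),
         ("Subject", "Draft contract")],
        "Please review the attached draft.")
    path = [user1, server_a, server_b, user2]
    deliver(path, original, datetime(2019, 3, 4, 9, 0, tzinfo=timezone.utc))
    return path
```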
How do smartphones work? First, there is the physical hardware, obviously. Hardware comes in many different forms: different manufacturers, different components, different generations of gear, and different capabilities. Nevertheless, most users can figure out how to use multiple different features of more or less any given smartphone (making calls, taking pictures, web browsing, email, etc.). The programs that provide those services may not be written by the same authors, and thus they will not know how to interact, for example, to share space on the touchscreen. When writing a social networking program, the programmer wants it to run on as many phones as possible, not just ones with the same screen, camera, and solid-state drive that the programmer has.
An Operating System (such as iOS or Android) solves these problems: it manages interactions between software applications and the hardware. When an application, such as an email client, needs to take an action such as sending a message, accepting user input, or putting an alert on the screen, it calls upon the Operating System to handle the task. The Operating System accepts the request (i.e., to create a file with certain contents or to paint a window on the screen with certain dimensions and features), and works through specialized pieces of software called “drivers” to take the requested action. This solves one of the big problems in consumer computing: how can a software application run on a system designed by a company the application’s authors never heard of, and communicate via a network that the phone’s designers never heard of? The answer is that this functionality is divided into layers: applications do whatever specialized computing they are designed for, but rely on the operating system for interacting with the physical hardware itself. The operating system provides a uniform set of features to applications (the Application Programming Interface or API), and relies on drivers from the hardware manufacturers to interact with each component. Each layer handles its own task, and the result is a relatively seamless whole. Anyone who wants to write programs that will run on an Android phone can develop whatever custom functionality they want, and rely on the API for basic services (accepting touch-screen input, playing sounds, allocating and de-allocating memory, reading from and writing to files, etc.). The result would be the same for iOS, BlackBerry, and others.
For the purposes of the present discussion, the most important feature of operating systems is that they organize the storage of files and data. The organizational scheme they use is called a “filesystem.” Most operating systems support multiple filesystems (e.g., for hard disks and for USB media).
How do files work? A file has three important aspects:
- its contents: the words, pictures, music, etc., that make up the file itself;
- information about the file that is maintained by the application that created it (e.g., a photo might contain information about the camera that took it; a music file might contain information about who the performer is, what CD the song is from, and so on); and
- information about the file that is part of the filesystem such as the file’s name, the date it was created, and where it is located on the storage media. Such information is generally stored in a big index file (under Windows, this is called the Master File Table).
Generally speaking, deleted files are not really gone: all that happens is that they are removed from the filesystem’s master index. Their data and internal metadata are still present on the media until they are overwritten by something else (recall the previous discussion of solid-state drives).
Back, then, to the question of obtaining emails. If one is obtaining emails from client devices, the problems to be solved are basically:
- identifying which client devices house the emails being sought;
- obtaining access to those devices;
- making forensic images of them; and
- analyzing those images to locate and recover email.
Nothing is unique about email in this sense. Those are the same steps that would be required in order to obtain virtually any other type of digital information from end-user systems.
With respect to servers, the task can be somewhat simpler. In the first place, the systems stay put and their location is known. Second, the information sought is likely to be better organized — one of the essential functions of a mail server, after all, is to store and retrieve email. If a forensic image is required, however, the task can be tougher. First, it is tougher for the technical reasons discussed earlier in the section on server disks. Second, it is more difficult because making an image of the server may involve taking the system offline for a time, which can be problematic if it is in continuous use. On the other hand, a server is likely backed up, and it may be possible to get the information sought from the backups.
Cloud-based email services are a different animal altogether. The data they manage may cross national boundaries, and they are often run by massive companies with significant legal capabilities. It will be difficult, if not impossible, to make forensic copies of anything: the storage that underlies the cloud servers is almost certainly shared among many customers, who have their own legitimate interests in the confidentiality of their emails. For these reasons, as mentioned above, acquisition of emails from cloud service providers is generally accomplished via subpoena.
Some Useful Resources
Reviewing and clearing cookies: https://kb.iu.edu/d/ajfi
Look up American IP address ownership: http://www.arin.net
Look up IP address location: https://www.maxmind.com
The internet “wayback machine”: https://archive.org/web
Look up phone carriers by phone number: http://www.textmagic.com/free-tools/carrier-lookup
C. Web Browsers, Cookies, and Web History
One of the challenges that the developers of web applications face is the fact that the Hypertext Transfer Protocol (HTTP) — the set of rules by which web browsers communicate with web servers — is a stateless protocol. Simply put, this means that when a web browser requests a web page from a web server, the server handles that request on its own and, once the response is sent, keeps no record tying it to the next request from the same browser. When the user clicks on a link to fetch another page from the same site, the browser initiates a new transaction, which is likewise closed out when the follow-up page is delivered. This characteristic has major implications for the developers of web applications: how is an online store to remember what is in a given user’s shopping cart? How is an online survey to know how many questions a given user has answered? How is a web-based email system to know which of its many logged-in users just clicked to view their inbox?
To solve this problem, developers use a feature called “cookies.” A cookie is simply a blob of information — usually a long number — that the web server generates and furnishes to a web browser as part of the response to the web browser’s request. When the web browser makes subsequent requests, it includes the cookie along with the request. Because the web server never issues the same cookie to two users simultaneously, the application running on the server (such as online banking, social media, a game) can identify the particular web browser that made the request by examining the cookie and associate it with a record of prior transactions (including which email user is associated with this browser, which shopping cart is associated with this browser, and which bank account is associated with this browser).
Cookies are generally stored under the domain of the web site that issued them (e.g., a cookie issued by a web server at www.cnn.com would most likely be recorded against “cnn.com”). For the sake of this discussion, it is sufficient to say that cookies contain a variable name and value (e.g., “SessionID=348932839205”), along with some other attributes such as an expiration date. Most browsers store standard cookies in a file. As a result, forensic analysts may be able to reconstruct aspects of a user’s web browsing from cookie records — what sites they visited, possibly the timing or order of visits, and perhaps even some aspects of what the user did at the websites.
Web browsers store a great deal more history information than just cookies, however. The richest resource for reconstructing web usage is generally the browser’s “cache.” When a web browser requests a complex resource as part of a web page — for example, a picture — the browser stores the file for later reuse, so that it does not waste the user’s time and network bandwidth downloading the same large file multiple times. Thus, for example, when one clicks the “back” button in a web browser, the web browser generally does not download all parts of the preceding page from scratch, but rather checks to see whether any of its components have been changed since the last visit.
Browser cache can reveal a great deal about what the user has been up to. It is often possible to reconstruct usage patterns, or even specific web-browsing sessions. Some web browsers additionally store search history or screenshots of user activity. Most web browsers keep lists of bookmarked sites, and auto-complete databases for forms, including stored usernames and passwords for various login pages. As a general rule, unless the user takes steps to obscure or remove these pools of information, they will all be recoverable.
D. Other Sources of Internet Evidence
Internet evidence does not exist only on end-user systems like smartphones. Evidence of internet activities can be found on servers (e.g., a web server logs what systems have connected to it), in web-based applications (e.g., Snapchat logs the metadata of messages its users send), in network infrastructure gear (e.g., firewalls may log inbound and/or outbound connections), and so on. It is important not to have blinders on when considering internet evidence. If one source of information is not available, another might be. From a different perspective, when considering preservation of internet evidence, it is equally important to think in terms of the big picture: personal devices are replaced, and log files are overwritten. If the need to preserve evidence arises, it is critical to be alert to all of the places where it might exist. This means consulting with someone familiar with the computing environment within which the evidence was created.
E. Obtaining and Using Deleted Internet Evidence
On systems with hard drives, deleted information persists, and can be recovered, until it is overwritten with something new. Filesystem metadata is lost when a file is deleted, but the contents of the file remain and can be recovered. The analyst will likely be unable to determine the file’s name, what folder it was in, or when it was first saved to disk, modified or accessed, but the file’s data will be accessible.
With respect to other media — most notably solid-state storage devices — the ability to reliably recover deleted evidence is diminished, but it may still be possible.
Deleted internet evidence on smartphones is nothing special in this regard: cookies, bookmarks, and cache entries are all files like any other. Server-side information is more complex. First, there may be backups that contain the information sought. Second, the data may not have been a simple file in the first place, but rather some other type of entity in a database. For example, when a user “deletes” one of his or her pictures on Facebook, it is no longer accessible to other users, but it is unlikely that Facebook has purged all copies of it.
II. Retrieving Evidence from Smartphones
A. The Basic Methods
Modern phones are more or less like general-purpose computers. They can store vast amounts of information and run all kinds of software, but they also have multiple cameras, SIM cards, GPS, accelerometers, and cellular radios. They have solid-state storage, and thus what was said earlier about recovery of information from solid-state devices applies to them. But whereas most computers are built out of interchangeable components, each smartphone model has more or less unique hardware, and that can make forensics challenging.
There are four ways to acquire evidence from smartphones, and none is perfect:
- If the phone is unlocked, one can browse through its contents and send copies of any materials of interest via any available messaging platform. This method is the least sound from a forensic perspective—it does nothing to preserve the evidence, and what is obtained is highly dependent on the whim of the person doing the investigation.
- Logical acquisition: connect to the phone’s plug-in interface and request the desired information using the phone operating system’s API. This is better than the first method because it allows more thorough acquisition of information, but it is limited to information accessible via the API. It would not recover anything from “slack” storage, and it would give only very limited access to apps installed on the phone. Freely available tools such as iFunBox for iOS phones can accomplish this task.
- Physical acquisition: connect to the phone’s plug-in interface and dump information using the phone’s debugging capabilities. This is by far the most common means of acquisition from smartphones and can yield relatively complete information, except for the fact that the phone must be powered on, and therefore garbage collection is most likely taking place. Cellebrite is the most prominent tool for this type of acquisition.
- Direct acquisition: disassemble the phone either partially or completely, and read the contents of memory chips directly. This is a far more costly endeavor than any of the other methods, but it works without powering up the phone and can recover information even if parts of the phone are damaged. The main methods are (a) JTAG (Joint Test Action Group) — partial disassembly of the phone and soldering on of probes to test access ports; and (b) Chip-Off — removing chips from the phone’s circuit board (which destroys the phone). For chip-off data recovery, the exact method depends on the physical profile of the chips involved: (1) Thin Small Outline Package (TSOP); or (2) Ball-Grid Array (BGA).
None of these methods will yield useful information if the phone is locked and encrypted.
B. Texts, Instant Messages, and Voice Messages
Any of the methods discussed above will give access to text messages, instant messages, and voice messages. The last two have a good chance of recovering at least some deleted materials, but the chance of getting a complete recovery wanes as time passes from the moment of deletion.
Even if messages are deleted and cannot be recovered, however, there might still be evidence of their existence in log files, whether on the phone, with the cellular provider, or (in the case of messaging applications) with the application provider.
C. Collecting Evidence on Apps
Collecting evidence about applications can be relatively straightforward. The main things to look at are materials stored and managed by applications (these may be in database format, and additional software may be required to read them), and operating system settings governing what the application can do (e.g., Can it access location services? Can it access the photo library? Can it push notifications to the screen?). The problem is that with many apps, the most interesting information may not be stored on the phone, but rather at the application provider. Depending on the application (e.g., Snapchat), it may be possible to recover ostensibly deleted or hidden materials.
Applications such as Facebook do not store the bulk of their users’ information on the user devices: it is all up at Facebook. Collecting this sort of evidence means serving a subpoena on the application provider.
D. Collecting Audio and Video
Generally speaking, audio and video will be kept in files on the phone’s filesystem. Both should be recoverable just like any other information. Alternatively, if they have been uploaded to audio or video sharing sites such as LiveLeak, Worldstar, YouTube and Soundcloud, it may be possible to recover them from the sites by subpoena.
E. Geo-Tagging
Some applications may use the smartphone’s location services to embed GPS coordinates in the metadata of the files they store. The most notable of these is the smartphone’s camera: some generations of phones have this behavior turned on by default, which means that photos and videos may provide a record of where they were taken. Most social media sites where photos are shared will scrub this metadata from the images they distribute, but the tags may still be present in the copies on the camera (or backups thereof).
Other applications allow users to “check in” with their location: Facebook and Foursquare are notable examples. Likewise, map or fitness applications may have records of destinations and routes traveled.
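The camera geo-tags described above, as an added example that is not from the article: the EXIF GPS IFD stores each coordinate as three degree/minute/second rationals plus a hemisphere letter, and this code converts them to decimal degrees and also strips them, as a sharing site does before redistributing an image. The tag numbers are the standard EXIF GPS IFD tags; the sample IFD is constructed and no image library is needed.

```python
from fractions import Fraction

# Standard EXIF GPS IFD tag numbers for the positional fields.
GPS_LATITUDE_REF, GPS_LATITUDE, GPS_LONGITUDE_REF, GPS_LONGITUDE = 1, 2, 3, 4
POSITION_TAGS = {GPS_LATITUDE_REF, GPS_LATITUDE, GPS_LONGITUDE_REF, GPS_LONGITUDE}

# Constructed GPS IFD as a phone camera app writes it: each coordinate is three
# (numerator, denominator) rationals for degrees, minutes, seconds, plus a
# hemisphere letter. This one encodes 37°46'29.7"N, 122°25'9.9"W.
SAMPLE_GPS_IFD = {
    0: (2, 3, 0, 0),                       # GPSVersionID
    GPS_LATITUDE_REF: "N",
    GPS_LATITUDE: ((37, 1), (46, 1), (297, 10)),
    GPS_LONGITUDE_REF: "W",
    GPS_LONGITUDE: ((122, 1), (25, 1), (99, 10)),
}


def dms_to_decimal(dms, ref):
    """Convert (deg, min, sec) rationals plus an N/S/E/W reference to signed decimal degrees.

    Returns None for malformed input (wrong number of parts or a zero denominator),
    which does occur in files written by buggy camera apps.
    """
    try:
        deg, minutes, seconds = (Fraction(num, den) for num, den in dms)
    except (ValueError, ZeroDivisionError, TypeError):
        return None
    value = deg + minutes / 60 + seconds / 3600
    if ref in ("S", "W"):
        value = -value
    return float(value)


def extract_coordinates(gps_ifd):
    """(latitude, longitude) in decimal degrees, or None if any positional tag is missing or bad."""
    if not POSITION_TAGS.issubset(gps_ifd):
        return None
    lat = dms_to_decimal(gps_ifd[GPS_LATITUDE], gps_ifd[GPS_LATITUDE_REF])
    lon = dms_to_decimal(gps_ifd[GPS_LONGITUDE], gps_ifd[GPS_LONGITUDE_REF])
    if lat is None or lon is None:
        return None
    return lat, lon


def strip_location(gps_ifd):
    """Copy of the IFD with positional tags removed, as a sharing site does before redistribution."""
    return {tag: val for tag, val in gps_ifd.items() if tag not in POSITION_TAGS}
```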
F. Finding Evidence of a Secret or Hidden Phone
The most common discoveries of secret or hidden phones probably have nothing to do with digital evidence — in all probability, secret phones are most frequently discovered by a failure to properly conceal charges for the second phone, unexplained ringing noises, or the accidental dropping of the second phone in plain view. A security-conscious user of a secret phone could probably keep the device secret: simply purchase a pre-paid phone with cash, keep it turned off and in a safe place when not in use, only use it in private, and do not commingle data between the secret phone and the main phone.
But perfect operational security is hard, and smartphones can leak information about themselves in myriad ways. Does the home Wi-Fi router’s IP address table show a connection from an Android device when the only phones in the home are iPhones? Did someone “check in” via Facebook at some location on a day when that person’s phone was left at home? Do unexplained Bluetooth devices show up in the list of available connections from time to time? Does EXIF metadata in photos sent by a person appear to have been generated by the wrong phone device? Did anyone get a call from the person without the usual caller ID?
No foolproof method exists for finding secret phones: a disciplined and cautious user of a secret phone will probably be able to maintain its secrecy. The best one can do is to be alert for situations in which having a secret phone might be attractive, and to know where to look for clues (whether on the person’s main phone, in the person’s billing records, in the person’s social media or other online activities, or in the network infrastructure where the secret phone might be used).
G. Using Apps to Collect Evidence
As discussed earlier, apps may generate evidence (i.e., by making records of user activity), but this is generally evidence created in the background, without the user even necessarily being aware of it. Apps can be used explicitly to collect evidence, however. First and most obviously, phones can take photos and make video and audio recordings. Phones can also be used to create evidence of location: running and biking apps can create maps of where the phone has traveled. These methods all envision a user who actively engages the phone to collect evidence.
But phones might also be used to collect evidence even without their users’ knowing participation. They already disclose their approximate location by communicating periodically with cellular network towers. An app that periodically fetches new information from the internet (such as an email client, Facebook, or Slack) will reveal a public IP address with each interaction. Speech-to-text software uploads what it hears to internet-based speech-recognition software. An app with access to the microphone or camera could activate these capabilities, either at predetermined times or in response to commands issued remotely. The same is true with location services, and so on.
This is a dicey area because it would generally involve either convincing a user to install a Trojan-horse application, or placing the software on the target phone by exploiting a security weakness in its operating system. Such things are possible, but illegal, and beyond the capabilities of most law enforcement agencies. Well-funded intelligence agencies might have these capabilities, however.
H. Retrieving Deleted Data and Messages
As discussed above, there is no guarantee that deleted data and messages will be recoverable. Assuming they are not recoverable directly from the smartphone, the next step is to search for indirect means of recovering them. Suppose, for example, that an investigator is looking for text messages sent by a person. The investigator has that person’s phone, but the messages have been deleted. The investigator might not be able to recover the messages themselves, but she might be able to see logs of messages sent, whether in the phone’s internal database or via a subpoena to the phone’s carrier. After the investigator has that information, she can contact the recipients and find out whether they still have the text messages in question.
The bottom line is that if something has been deleted from a phone, the best plan is probably to start thinking of other places a copy might be found.
III. Not Smartphones, but Sort of Like Them: Cameras, Wearable Tech, GPS Devices, and More
A. The Internet of Things (IoT)
As internet-enabled devices continue to proliferate, they can be expected to be sources of evidence. A new generation of thermostats, alarm systems, doorbells, home entertainment systems, and other devices is currently making its way into homes and businesses, and these devices are all controllable remotely, via the internet, using apps on smartphones.
Those communications can be monitored, and information can be extracted from the devices themselves. To the extent that these devices have local storage, it will largely be solid-state (there may be exceptions for devices with large-capacity storage needs). Many of these devices also communicate with cloud-based service providers, and this is typically where the bulk of data will be found. A Fitbit watch, for example, uploads telemetry (including pulse, steps walked, and location) to a smartphone, which in turn relays the information to Fitbit for analysis. Likewise, cameras and alarm systems in particular typically link up with remote monitoring facilities.
Privacy advocates have expressed concern over the fact that recent generations of iRobot’s Roomba autonomous vacuum units are internet-connected. Specifically, as the Roomba patrols around, it makes a map of its route. The result is that maps of customer homes (or at least the portions of the homes cleaned by Roombas) are uploaded to iRobot’s data center. Thus far, the main concerns have been related to privacy, but one can easily imagine an evidentiary interest as well (e.g., was the sofa in that same position on the date in question?).
Each make of device is likely to have its own set of challenges from the perspective of forensic analysis, just as each make of smartphone does now. Moreover, new devices are being rolled out at a rapid pace. While smart appliances may contain potentially important forensic evidence, there may not be a practical way to get at it either in terms of cost or in terms of technical capability. Still, the bottom line is that as smart devices become more commonplace, the data they collect will become useful as evidence. To the extent that the devices share information with cloud-based service providers, it can probably be obtained by way of a subpoena.
B. Medical Devices
Like home appliances, medical devices — from equipment in hospital rooms to personal portable devices such as insulin pumps and even implanted pacemakers — are becoming internet-enabled. From a technical perspective, these devices are similar to the IoT devices discussed above, but there are a few salient differences:
- it can be more difficult to update the software on medical devices because of the need for FDA approval;
- much, if not all, of the data these devices store and process may be protected by state privacy statutes and HIPAA; and
- some of these devices are connected to, or embedded within, human beings.
As a result, it may be more challenging, both technically and legally, to get access to evidence from medical devices.
That said, pacemaker data is being used as evidence against Ross Compton, who is accused of arson in Ohio.[1] The data appears to have been obtained through a search warrant, which suggests it was extracted from the pacemaker itself, rather than from a medical records repository.
C. Automotive Devices
Many cars contain devices from which information can be extracted. These include navigation systems, entertainment systems, Bluetooth/Wi-Fi/cellular communications systems, telemetry systems, and black boxes. These may be physically inaccessible without significant disassembly, but they too are basically the same as IoT devices.
D. Wearable Devices
As was the case with automotive and medical devices, wearable technology is essentially a more compact (typically) version of an IoT device. Like medical devices, many wearable devices (such as Fitbit) make physiological measurements of things such as heart rate, steps taken, and so on. Evidence from Fitbit has already been admitted in the trial of Richard Dabate in Connecticut.[2]
E. Smart Assistant Devices
The past year has seen a rapid proliferation of internet-connected devices that respond to voice commands. Notable examples include Amazon Echo, Google Home, and Samsung Smart TVs. These devices are similar to personal assistants like Siri, found on Apple products, but they differ in that they are always on. This presumably means that all speech they hear is uploaded to an online speech-recognition facility.
In July 2017, it was widely reported that an Amazon Echo had called law enforcement during an alleged domestic violence incident.[3] Amazon denied that this was the case, saying that Alexa does not support 911 calling. However, authorities in Arkansas seized an Amazon Echo in connection with a homicide investigation in November 2017,[4] which suggests that some information may be recoverable from the device itself. The general theme here is that the proliferation of smart device technology is outpacing forensic practices: analysts on both sides of the fence are figuring things out from scratch (i.e., what information a device collects, how it is stored, how to collect it, and how to interpret it).
IV. Subpoenaing Social Media and Phone Records
A. When to Request, What to Request, and What Will Be Received
Generally speaking, companies such as Google and Apple will respond to subpoenas, but they will do so in a minimalist way. In other words, they will attempt to preserve their users’ privacy to the extent possible. As a result, it is wise to be as specific as possible when requesting records.
Suppose, for example, that a client has received harassing text messages, which the lawyer suspects are from the plaintiff, via an email-to-text gateway. By examining the email headers, the lawyer is able to determine the IP address from which the email was sent (note that this will not always be possible). By looking on the ARIN website, the lawyer can determine that the IP address is assigned to AT&T, so the next step is to send AT&T a subpoena for the following:
SUBSCRIBER INFORMATION, INCLUDING BUT NOT LIMITED TO THE NAME AND ADDRESS OF THE SUBSCRIBER FOR THE IP ADDRESS [REDACTED] FOR THE TIME PERIOD OF [START_TIME] UNTIL [FINISH_TIME].
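The header examination described above, as an added example that is not part of the original article: it reads the Received headers of a message in transmission order (each relay prepends its own header, so the last one is the earliest hop), skips addresses that cannot identify a subscriber (RFC 1918 private space, loopback, link-local, carrier NAT), and returns the first routable IP address together with the relay's timestamp, which is what fixes the [START_TIME] and [FINISH_TIME] window for the subpoena. The sample message is constructed: its hostnames use the reserved .invalid domain and its addresses come from the RFC 5737 documentation ranges, so nothing in it refers to a real host, provider or subscriber. The ARIN lookup is represented by the URL of ARIN's RDAP service, and the query is deliberately not performed so the example runs offline.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not a real message): the headers an email-to-text gateway
# message might carry by the time it is delivered.
SAMPLE_EMAIL = """\
Received: from smtp-out.webmail.invalid (smtp-out.webmail.invalid [198.51.100.23])
    by sms-gateway.example-carrier.invalid with ESMTP id 1A2B3C
    for <5551234567@txt.example-carrier.invalid>; Tue, 09 Jan 2018 14:02:09 -0600
Received: from [192.168.1.50] (cpe-203-0-113-77.example-isp.invalid [203.0.113.77])
    by smtp-out.webmail.invalid with ESMTPSA id 9Z8Y7X; Tue, 09 Jan 2018 14:02:07 -0600
From: anonymous@webmail.invalid
To: 5551234567@txt.example-carrier.invalid
Subject: (no subject)

(body omitted)
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Ranges that can never identify an ISP subscriber on their own. The stdlib's
# ip.is_global would also reject the RFC 5737 documentation addresses used in the
# sample, so the exclusions are listed explicitly instead.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, carrier NAT
)]


def is_routable(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in NON_ROUTABLE)


def received_hops(raw_message: str) -> list:
    """Received headers in transmission order (earliest hop first), with folded
    continuation lines joined back into one string."""
    msg = message_from_string(raw_message)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))        # relays prepend, so the last header is the first hop


def originating_hop(raw_message: str):
    """Earliest hop whose 'from' clause names a routable IPv4 address, plus the
    relay's timestamp. Returns None when no such hop exists (headers stripped)."""
    for hop in received_hops(raw_message):
        from_clause = hop.split(" by ", 1)[0]      # only the 'from' part names the connecting client
        for candidate in IPV4_RE.findall(from_clause):
            if is_routable(candidate):
                parts = hop.rsplit(";", 1)         # the date follows the final semicolon
                stamp = parsedate_to_datetime(parts[1].strip()) if len(parts) == 2 else None
                return {"ip": candidate, "received_at": stamp, "hop": hop}
    return None


def arin_rdap_url(ip_text: str) -> str:
    """ARIN's RDAP endpoint for the address, the machine-readable counterpart of the
    ARIN website lookup. Not fetched here, so the example stays offline."""
    return f"https://rdap.arin.net/registry/ip/{ip_text}"


if __name__ == "__main__":
    hop = originating_hop(SAMPLE_EMAIL)
    if hop is None:
        print("no routable originating address in the Received chain")
    else:
        print(hop["ip"], hop["received_at"].isoformat(), arin_rdap_url(hop["ip"]))
```

Two practical points the code cannot decide for you: only the Received headers added by relays you trust are reliable, since a sender controls everything below the first trusted relay and can insert fabricated headers there, so start from the earliest hop written by a relay you can vouch for; and the timestamp is in the relay's time zone, so state the time zone explicitly in the subpoena, because an ISP matching an address to a subscriber around a DHCP lease change needs the exact window.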
A subpoena to an ISP usually results in the production of a document, but subpoenas to other entities can yield differing sorts of records. Information may be produced in spreadsheet form, log-file form, or other formats. Depending on the sort of information that the lawyer requests, counsel may need to take steps to ensure that he has the technical means to open and review the information he receives.
The timing of issuing a subpoena will often be dictated by the facts of the case. As a general rule, the earlier one can issue a subpoena, the better. First, earlier is better because the collection and production of certain records may take time, depending on what is sought. Second, to the extent that the subpoena seeks historical data, such as the association between an ISP subscriber and an IP address discussed above, the organization from which the information is sought may not keep its records indefinitely. For obvious reasons, it is important to obtain information before it has been discarded.
B. Issuing Subpoenas to Websites or Parent Companies
Nothing is particularly unique about subpoenas issued to websites or parent companies: they have the same duties to comply with laws as all other business entities. Some additional considerations are worthy of attention, however:
- Policies. Many websites have policies about what data they collect—this can affect what data they are able to furnish. Almost every U.S. website privacy policy contains a statement to the effect that the company will provide information subject to a court order, but if the information was never collected in the first place, it cannot be provided.
- International issues. If a parent company is not U.S.-based, it may not consider itself bound by U.S. law, or it may have restrictions on what it can do by virtue of laws in other countries. Consider, for example, the Chinese e-commerce company Alibaba Group Holding Limited. Alibaba has a number of subsidiaries, and is accessible worldwide. It would likely be difficult to compel the release of information from a purely Chinese Alibaba entity. Likewise, a European-based company may consider itself unable to comply with certain foreign subpoena requests because of EU privacy law. Finally, the information furnished may not be in English.
- Custody of information. When dealing with parent-subsidiary relationships, it is important to know which entity has custody and control over the information sought, so that the subpoena is directed to the appropriate party.
C. Using Subpoenas for Social Media Records
From a technical perspective, social media records are no different from any other type of online information, except that they may contain different media types (images, sounds, videos, etc.). The same logistical concerns identified in section IV.A, above, pertain.
It is worth bearing in mind that a subpoena may not be the most desirable vehicle for lawyers to obtain what they need. For example, Twitter does not preserve records of deleted tweets. It is possible, whether through subpoena, a paid subscription service, or just by following a target user’s Twitter account, to obtain copies of a user’s tweets, but the only reliable way to get copies of deleted tweets is by following the user’s feed and preserving tweets as they are made, before they are deleted. Similar things may be true for other social networking platforms, but it is also important to be attentive to the rules of professional conduct, and how they apply to “friending” or otherwise connecting to adverse parties for the purposes of investigation.
D. Subpoenaing Phone Records
Subpoenaing phone records is nothing new. In the era of smartphones, however, it can be difficult to know to whom the subpoena should be sent. Online services, such as TextMagic, can tell you the carrier associated with a given phone number. Additionally, the phrase “phone records” might encompass a variety of points of interest:
- Subscriber identity information.
- Calls made.
- Calls received.
- SMS/MMS messages sent.
- SMS/MMS messages received.
- Data transfer utilization.
- Cell tower activity.
- IP address allocation.
Most cellular carriers will track these items, and not all records will be preserved indefinitely.
V. Final Thoughts
Smartphones present a complex challenge: they are ubiquitous, and they can create a surprisingly detailed record of what their users have been up to. Investigators need to think about these devices holistically: doing a good job with smartphone evidence often involves synthesizing records from the phone itself, from Internet Service Providers, from application providers, from cellular network providers, and sometimes from other portable devices. This article has scratched the surface of these areas and given defense attorneys the orientation needed to deal effectively with a species of evidence that will only grow larger and more detailed.
© Peyton B. Engel, 2018. All rights reserved.
Notes
1. Deanna Paul, Your Own Pacemaker Can Now Testify Against You in Court, WIRED.com, July 29, 2017, https://www.wired.com/story/your-own-pacemaker-can-now-testify-against-you-in-court.
2. Dave Altimari, More Evidence Turned Over in Fitbit Murder Case, COURANT.com, Jan. 19, 2018, http://www.courant.com/news/connecticut/hc-news-dabate-fit-bit-murder-continued-20180119-story.html.
3. Carma Hassan, Voice-Activated Device Called 911 During Attack, New Mexico Authorities Say, CNN.com, July 10, 2017, https://www.cnn.com/2017/07/10/us/alexa-calls-police-trnd/index.html.
4. Colin Dwyer, Arkansas Prosecutors Drop Murder Case That Hinged on Evidence from Amazon Echo, NPR.org, Nov. 29, 2017, https://www.npr.org/sections/thetwo-way/2017/11/29/567305812/arkansas-prosecutors-drop-murder-case-that-hinged-on-evidence-from-amazon-echo.
About the Author
Peyton B. Engel is an Associate in Hurley Burish’s civil litigation practice. In addition, Engel represents attorneys, doctors, and other licensed professionals in disciplinary matters. Before joining the firm, he worked in the information technology field, including 16 years specializing in network and information security.
Peyton B. Engel
Hurley Burish, S.C.
Madison, Wisconsin
608-257-0945
pengel@hurleyburish.com