Mobile Device Evidence: A Treasure Trove of Information

By: Robert B. Fried, Senior Vice President, Forensics & Investigations, Sandline Global

(Licensed Private Investigator in MI, NY, SC)

Evidence from mobile devices is important in civil and criminal matters. Recently, a jury in South Carolina found Alexander Murdaugh guilty of the murder of his wife, Maggie, and son, Paul. The courtroom proceedings were broadcast worldwide, providing the public with a front-row seat to testimony, including expert witnesses who discussed how they handled (including the use of Faraday bags), documented (initiating chain of custody, photographing the devices), and subsequently accessed, acquired, and examined the victims’ mobile devices.

In the Murdaugh trial, mobile device evidence was a primary focus, with a spotlight on gaining access to locked devices, call logs, text messaging, and device activity (i.e., display status, device orientation, movement, camera usage). When we think of the types of data that are stored on mobile devices, we often focus on communication and multimedia data; the Murdaugh trial highlights how crucial data associated with device activity can be to an investigation. In an investigation, these devices can uncover a treasure trove of information that can help establish a timeline and either corroborate or discredit other evidence or information obtained. If passcodes / passwords are known, data from devices can be immediately accessed; if not, the process to unlock a mobile device can take time – even years.

Mobile devices store a lot of information. Forensic acquisition tools assist in generating a defensible copy of the local or cloud-based data. There are multiple acquisition methods that may be utilized, such as a logical extraction (which includes text messages, contacts, call history, and multimedia) or an advanced logical extraction (which also includes applications, device information, and a partial file system). A forensic examiner can then use forensic analysis tools or other methodologies to parse the various database files that store data about device settings, configurations, and installed apps.

The presentation of mobile data can be as important as the data exported. Depending on the matter, mobile device data may need to be forensically examined, reviewed, and produced in court. It is best to understand what the goal is and identify at the outset how the data will be used and the best way to present it.

Sandline’s team of experts can assist with the acquisition, examination, review, production, and presentation of mobile device data. For more information, contact us.