Basic Concepts in Mobile Device Forensics Part 4 - Evidence Fundamentals
Evidence Fundamentals
Evidence is the foundation on which a case is prosecuted. Without evidence or proof an event occurred, there is really no way to establish the who, what, when, where, how, and why. As you will see in the following section, evidence proves or disproves an allegation and comes in many different forms. Handling evidence is critical to a successful resolution and in some cases prosecution of criminal acts.
Evidence will be the foundation on which a case is prosecuted. Evidence proves or disproves an allegation and comes in different forms, such as real evidence, testimonial evidence, and demonstrative evidence.
Forms of Evidence
Real evidence is something you can touch and is often referred to as physical evidence. An example of physical evidence would be a cell phone or a computer.
Testimonial evidence is when a witness takes the stand, is placed under oath, and answers questions asked by the prosecution and defense. Forensic examiners may need to give testimony as an expert witness. Qualifying as an expert witness allows you to provide your opinion in court.
Demonstrative evidence demonstrates something to the jury, such as graphic aids. Forensic examiners may need to assist legal counsel in developing demonstrative material.
Types of Evidence
Direct evidence proves a fact directly without drawing a conclusion or inference about what the evidence indicates. Direct evidence typically comes from what a witness sees, touches, tastes, smells or hears. An example of direct evidence presented in court would be, “Can you tell us what you saw on the defendant's phone?”
Circumstantial evidence, also known as indirect evidence, proves a fact indirectly through an interpretation, reasoning, or conclusion. Physical evidence that suggests criminal activity is circumstantial evidence. Circumstantial evidence is oftentimes more reliable than an eyewitness.
The evidence extracted from a mobile device is circumstantial evidence. Threatening comments made towards an individual before a crime is committed are an example of circumstantial evidence. An utterance of words does not prove guilt. When an examiner finds evidence on a mobile device, defense counsel may argue that the existence of electronic evidence on a mobile device does not necessarily mean that the defendant was or is the author or recipient, and thus does not tie him or her directly to the crime.
Forensic images, discussed in lesson 4, are created from physical evidence. These images become what are known as best evidence in the event the original evidence is not available or is damaged.
Relevant Evidence
Relevant evidence is any form or type of evidence that proves or disproves an element of the crime, substantiates or contradicts a defense, and/or supports or challenges the believability of a witness. In order for evidence to be admitted in court proceedings, it must be deemed relevant. Examiners will need to know what determines relevant evidence for their case. If evidence uncovered during an examination proves or disproves a fact in question, it is relevant.
The collection, preservation, and presentation of evidence are fundamental to ensuring relevance and, ultimately, admissibility. A mistake can lead to critical evidence being deemed inadmissible in court proceedings, no matter how important or prevailing the evidence may be.
Federal Rules of Evidence
For a judge to administer every proceeding impartially, the United States Federal Rules of Evidence (FRE) were adopted by order of the United States Supreme Court in 1972, conveyed to the US Congress by the Chief Justice on Feb. 5, 1973, and became effective on July 1, 1973. These rules apply only to trials, not hearings. A hearing is conducted to determine whether there is enough evidence to go to trial. Trials are held to determine guilt. Trials typically have a jury and hearings are heard in the presence of a judge. An example of the FRE is FRE Rule 401, Test for Relevant Evidence:
Evidence is relevant if it has any tendency to make a fact more or less probable than it would be without the evidence and the fact is of consequence in determining the action.
The Federal Rules of Evidence are customarily used to provide guidance on what is evidence and what is not evidence. A judge will apply the Federal Rules of Evidence to determine whether or not to admit the evidence. If evidence is admitted, the jury decides what to do with the information and how much weight to give it.
Note: Defendants in the United States have a right to trial by jury. In some cases, the parties agree to a jury-less trial, called a “bench trial,” in which the judge manages the proceedings and weighs the evidence, deliberates, and renders the verdict. In this case, the judge plays the role of the jury in deciding what evidence to consider and what weight to give it.
Rules of evidence will vary internationally. Although the focus of this chapter has been on the laws in the U.S., many other countries have similar rules for the admissibility of evidence.
Mobile Devices as Evidence
A mobile device is a small, portable, wireless device that is used while on the go and is small enough to hold in your hand. Today, the list of mobile devices has expanded from basic cell phones to smartphones, tablets, e-readers, portable media players, GPS units, and wearable technology such as the Apple Watch.
Tablet Computers
Tablet computers are handheld computers that utilize touchscreen technology to input information directly onto an LCD screen rather than using a keyboard or mouse. A tablet computer is a mobile writing pad computing device, larger than a smartphone in size. The first tablet computers were introduced in the 1990s as Personal Digital Assistants (PDAs) with touch screens, handwriting recognition, and storage for contacts and calendar information.
As technology advances, these devices have developed more capabilities and share some of the same features as laptop computers. Apple released the iPad in 2010, which started a boom in tablet computing. Some of the most popular tablets on the market today include:
· Apple iPad Air
· Microsoft Surface Pro
· Samsung Galaxy Tab
· Sony Xperia Z2 Tablet
· Amazon Kindle Fire HDX
Tablet computers offer a large touch screen, portability, battery power, light weight, and Wi-Fi or cellular data capabilities, and utilize a mobile operating system such as iOS or Android, or (for Microsoft devices) a mobile version of Microsoft Windows.
Tablet Computer Evidence Types
Common evidence types found on tablet devices are device information, contacts, messages, notes, calendars, Internet history, Wi-Fi connections, images, videos, Bluetooth devices, email accounts, and other application data.
Electronic Readers
Electronic readers (e-readers) are portable, handheld devices used for reading electronic versions of books, newspapers, and magazines. The data is displayed as electronic paper and is typically monochrome (black and white). E-readers can support a wide range of text-file formats and can also act as external USB storage devices. Some e-readers run the same operating systems as tablet devices. E-readers typically have less processing power than a tablet and do not have a touch screen. E-readers are not capable of running third-party applications such as those found on the more powerful tablet computers and smartphones.
E-reader Evidence Types
The original e-readers (Amazon Kindle and the Barnes & Noble Nook) run on their own proprietary operating systems and were designed to utilize electronic paper or other monochrome display technologies. The operating system does not offer a wide range of capabilities beyond the core reader itself, meaning there is a risk that little to no evidence will be found on these devices. If the device is capable of being utilized as a USB storage device, forensic examiners should examine the file structure of the device, attempting to identify saved data.
GPS Devices
The Global Positioning System (GPS) is a satellite-based navigation system owned by the U.S. Department of Defense. GPS is made up of a network of 24 satellites orbiting the earth. A GPS device uses broadcast timing and location information from at least four satellites to calculate its own location. GPS data can be found on many mobile devices such as smartphones, cell phones, and the Apple Watch, as well as dedicated handheld and car GPS units.
The first GPS satellite, Navstar, was launched in 1978 and was originally intended for military applications. The Magellan Corporation introduced the first handheld GPS receiver in 1989 and by 1995 the Air Force announced the GPS had achieved full operational capability, placing the 24th satellite into orbit. In 1996, President Bill Clinton made the system available for civilian use.
GPS Evidence Types
Common evidence types found on GPS devices are device information, favorite locations, notes, waypoint data, previous destinations, images, Bluetooth devices, and text/call logs. These evidence types can be helpful if your investigation focuses on where a suspect has traveled.
Portable Media Players
Portable media players are specialized devices that play audio and video files. In the late 1990s, the first production-volume portable digital audio player was introduced. This device allowed users to store and play digital media such as MP3s, eliminating the need for a CD player. Today, these devices are still available on the market. They have expanded their use from just playing MP3 format files to allowing users to play video games, display videos and photos, and store data such as contacts and calendar information. Advanced media players, like the Apple iPod Touch, have capabilities similar to the iPhone and the iPad. The iPod and similar devices are capable of running applications, recording audio and video, and taking photos.
Portable Media Player Evidence Types
Common evidence types found on portable media players are device information, contacts, messages, notes, calendars, Internet history, Wi-Fi connections, images, videos, Bluetooth devices, email accounts, and other application data. Portable media players can be used as external storage devices, meaning they can contain any type of data.
Cell Phones
Cell phones, known by other names such as mobile phone or mobile, enable communication while on the go. A cell phone uses radio links to make and receive calls while connected to a cellular network. These mobile devices enable text messaging, e-mail, Internet access, and many other applications such as games and photography. Cell phones have significantly evolved over the past decade from 1G analog devices that were only used for voice to 5G Ultra Wideband digital smartphones that can do almost everything a computer can do and transmit data at high speed.
Cell Phone Categories and Simple Phones
Cell phones can be divided into three general categories: simple cell phones, feature phones, and smartphones. Simple cell phones, also known as conventional phones, are designed primarily to make and receive phone calls like traditional desk phones; they may also provide other capabilities like voice mail and call waiting and may provide text-messaging services. Normally, they include an address book, calendar, alarm clock, and other basic tools for productivity. As you add more features to the phone, you move up into the feature phones category.
Feature Phones
Feature phones have increased functionality allowing multimedia capabilities such as playing video games, playing music, taking photos and videos as well as connecting to the Internet. Feature phones may also have the ability to support applications such as GPS and social media applications. Some feature phones have the capability to expand data capacity with removable data storage, like MicroSD cards.
Smartphones
Smartphones combine the features of a personal digital assistant (PDA) with voice, data connectivity, and applications. Advances in technology have allowed simple cell phones to transform into smartphones. Smartphones have unlimited potential as their processing power increases to rival desktop computers. This advanced technology has allowed users the ability to connect to the Internet, conduct word processing on the device and in the cloud, store and stream music, utilize GPS, and display high-definition video.
Smartphone Evidence Types
Common evidence types found on smartphones are device information, contacts, messages, notes, calendars, Internet history, Wi-Fi connections, images, videos, Bluetooth devices, email accounts, and other application data.
This completes Lesson 1, Basic Concepts in Mobile Device Forensics. In Lesson 2 we will implement best practices in mobile device seizure.
Are you getting value from this information? Let me know in the comments.