Setting the stage: Mobile Forensic / Techno Security Conference 2012 is being held at the Marriott Grande Dunes resort in Myrtle Beach, SC. With about 500+ attendees from various government agencies, law enforcement jurisdictions, private consulting firms, and corporations, the variety of knowledge and experience was endless. I feel it is safe to say that the majority of attendees were public servants in some capacity. I had the pleasure of meeting one on Sunday, Peter Buchan of HSI. Sunday we shared the experience of the 1st annual Conference golf outing, hosted and sponsored by CRU Data Port. (They did a great job and I hope more people join in next year!) Needless to say, we enjoyed our 18 holes and even swapped a few war stories. I must throw this in here and mention that our threesome wound up winning custom Adidas golf shoes! So a big shout out to Peter and Dan (from CRU Data Port) on a job well done.
Okay, now back to the conference!
The first session this morning was a keynote-type session. Keith Lyon, eCrime Prosecutor from the California Attorney General's Office, offered up his experiences and knowledge of the side of digital forensics that I hardly see. Sitting in a room with a bunch of law enforcement agents/officers, I’m sure Keith knew he was in for a TON of questions. I thoroughly enjoyed Keith’s presentation and hope to grab a copy of it soon (we were unable to get through it all).
Digital evidence was the main focal point of the presentation, and it began with the evolving laws regarding collection and analysis of digital media. When an arrest is made, law enforcement officials are able to obtain any type of evidence that is Incident to Arrest. The governing rules that have evolved around Incident to Arrest are first Chimel, followed by Belton and then Gant.
The Chimel rule was established in Chimel v. California (1969).
Belton was an extension of the Chimel rule from New York v. Belton (1981).
Gant stemmed from Arizona v. Gant (2009).
Of course, none of these have actual verbiage covering digital media containers, since they were created before the wide usage of mobile devices. Back in 2008, in US v. Finley, a cell phone was ruled as a container and fell into the verbiage of “a container, is a container, is a container”.
Soon after this case in 2008, the argument arose over what type of container a cell phone is, and so did the debate of virtual v. spatial containers. The argument is that there is a reasonable assumption of privacy with a cell phone. Since our devices can now hold up to 32 GB of data, the cell phone is now more than ever like a computer.
Until State (Ohio) v. Smith (2009) there had not been rulings on the virtual v. spatial argument. A cell phone was examined for pictures and call logs to assist in the investigation. The courts ruled that this fell into the virtual v. spatial argument and there is a reasonable expectation of privacy with a cell phone. The courts discussed that the same information was available through the phone carrier. I would have to strongly disagree with this assumption by the courts. We can obtain call logs and message logs from the carrier, but does the carrier give us the actual text with those messages, or give us pictures taken directly from the phone? Without a doubt the logs from the carriers can, at best, corroborate the evidence found through a forensic examination.
These evolving rules for collecting and analyzing critical evidence are not an indication of the “bad guys” winning. Mr. Lyon explained that the proper evidence collection processes need to be followed. The argument of “exigency” is strong in the world of digital media and evidence. Digital data can be destroyed or lost if not collected right away. Phones can be wiped remotely, or old data can be overwritten when new data is stored. Proper use of “exigency” can prove to the judge that collecting the cell phone was indeed imperative to protecting evidence that could be lost forever if left in the hands of the suspected criminal.
Mr. Lyon made a point to discuss the fact that preserving digital evidence does not fall under actual searching of that device. Once an arrest is made, the process of obtaining a forensic image can start. (As long as you do not look at the data!! You are simply using “exigency” and allowing the judge to ALLOW or DENY your claim before any data is EVER put into forensic analysis tools.) You have until the suspect is leaving booking or makes bail to obtain this copy. If you do not have this done when the suspect is leaving, you are officially interfering with possessory interest.
Once you have the forensic image of the device, you can ask for a search warrant from the judge to examine the evidence you collected (but did not look at). If the judge allows it, then you are clear to go. If the judge denies this warrant, you have an obligation to never look at it until you can find corroborating evidence to make your search warrant request stronger. This process is not law, but US v. Flores (2012) gives your argument backing from a ruling allowing this process.
There have been cases from 2012 that begin to discuss evidence from cell phones and other digital media. One to look at would be US v. Smith (2012).
In no way am I an expert on how to obtain evidence from a suspect or crime scene. This blog post was simply a relaying of verbiage from the keynote speaker at the Mobile Forensic/Techno Security Conference. Any processes should be run by your superior or prosecutor.