Blog  |  July 16, 2024

Going Mobile: Mobile Device Data in Criminal Investigations

In our last post, we discussed the data about the data – the metadata – which can be important to authenticate evidence on a mobile device. Metadata helps to determine if evidence has been tampered with and provides additional context about that evidence.

While data from mobile devices is more frequently responsive in civil litigation than ever before, “true crime” aficionados know it’s routinely useful in criminal investigations. We take our devices with us and use them everywhere, creating a trail of evidence. From capturing incriminating photos and videos to tracking locations and analyzing online activities, mobile devices have become one of the most common sources of evidence that law enforcement uses to solve crimes. In this post, we’ll discuss how investigators use mobile devices in their investigations, cover the privacy considerations associated with mobile device investigations, and provide a couple of real-world examples, including the investigation into the U.S. Capitol insurrection on January 6, 2021.

How Investigators Use Mobile Device Data

There are several ways in which investigators can use and capture mobile device data to aid in criminal investigations. Here are some examples:

  • Digital Evidence: Mobile devices can contain a wealth of information that may be used as digital evidence in court. This includes text messages, phone logs, and chat application data, which might contain evidence regarding a suspect’s intent, whereabouts at the time of a crime, and relationships with other suspects.
  • Forensic Tools: Investigators use specialized collection tools designed for mobile devices to extract various types of data such as call logs, text messages, emails, photos, videos, browsing history, and system-level operations.
  • Bypassing Security: Depending on the configuration, forensic investigators can sometimes bypass security codes on locked mobile devices to access data.
  • Tracking Movements: Location-based information stored on mobile devices can be used to reconstruct a person’s movements.
  • Recovering Deleted Data: Even if data like text messages are deleted, they may still be recoverable using forensic tools.
  • Cybersecurity: Mobile devices can also be entry points for cybercriminals, and forensic analysis can help to understand these security breaches.

That last example illustrates that it’s not just criminal suspects whose data may be important in criminal investigations – it’s also data from victims or friends and colleagues who interact with those suspects. The digital footprint that we all carry around with us daily is often key to putting together the puzzle pieces to determine who did what and when they did it. And it may often be just as telling when a suspect has no mobile device data at the time an incident occurred, as that may indicate an effort to conceal their actions.

Here’s one example of a crime that was solved through the mobile device data of the suspect’s girlfriend. As discussed in an episode of 48 Hours, after her boyfriend had previously cheated on her, the girlfriend began tracking and saving the suspect’s location through Snapchat. In one of those instances, she captured a screenshot of a location 25 miles from home, which turned out to be where he buried one of his victims. Location tracking is one of the most common ways to put suspects at the scene of a crime to help solve criminal investigations.

Privacy Considerations for Investigations

Of course, there are privacy considerations associated with law enforcement investigations of mobile devices. Unless the party willingly provides their mobile device for examination, law enforcement must often get a warrant to search a suspect’s mobile device. In the landmark case Riley v. California, the Supreme Court ruled unanimously (9-0) that the police generally need a warrant to search digital information on a cell phone seized from an individual who has been arrested.

There are at least a couple of exceptions to the warrant requirement:

  • Border Searches: Devices crossing the U.S. border typically can be searched without a warrant.
  • Exigent Circumstances: Warrants can be waived where there is an immediate need to act to prevent the destruction of evidence, prevent escape, or protect the safety of law enforcement officers or others.

The January 6 Insurrection Investigation

One investigation that has been in the news a lot over the past few years is the January 6th Capitol insurrection, in which mobile data was used extensively. Here’s how it contributed to the process:

  • Location Data: Investigators used geofence warrants served on Google to obtain a trove of cell-tower data, along with information from nearby Wi-Fi routers and Bluetooth beacons. This helped to pinpoint phones to within about 10 meters, identifying 5,723 devices in or near the Capitol during the riots.
  • Facial Recognition: Technologies like facial recognition from images were employed to identify individuals from the riot footage and match them with location data from their phones. While the use of facial recognition has raised questions about bias, misidentification, and the rise of the surveillance state, the technology has nonetheless been effective in helping identify many participants in the January 6th attack.
  • Social Media Analysis: The digital footprints left on social media platforms were scrutinized, as many involved in the Capitol attack had planned and coordinated their actions through these channels.
  • Digital Evidence: The digital evidence collected included detailed timelines reconstructed from suspects’ behavior before, during, and after the siege, using various digital records such as payments for goods and services that placed individuals at specific locations at specific times.
  • Automated Technology: The investigations have become more streamlined and digital over time, with databases and automated technologies generating more criminal charges, enabling law enforcement investigators to manage such a large-scale investigation efficiently.

The use of mobile data in the January 6 investigations showcases the growing role of applying investigative techniques to mobile device data in modern law enforcement.

Conclusion

Just about any episode of a true crime show these days has a mobile device data component to the investigation. Our mobile devices are so ubiquitous, and they track more and more of what we do every day. Just as the data available on these devices continues to evolve and expand, so do the investigative techniques that forensic investigators apply to locate and identify the data that may be useful in resolving an investigation.

In case you missed the previous blog in this series, you can find it here or head back to the beginning of this series to explore how discovery of data from mobile devices has become more important, while also one of the most challenging forms of ESI to preserve and collect. Next time, we’ll discuss recent case law regarding mobile device discovery and lessons learned from those cases.

For more regarding Cimplifi forensics & collections capabilities, click here
