Roadside cell phone data extraction
The Cellebrite UFED makes it a fast, easy process
The Michigan State Police (MSP) made news this month when the American Civil Liberties Union (ACLU) made public its attempts to obtain information the MSP had extracted from cell phones. The first reports implied that MSP troopers were seizing phones of people stopped for various reasons and “dumping” the information from their cell phones without probable cause. A few days later, the MSP http://www.michigan.gov/msp/0,1607,7-123-1586-254783--,00.html made it clear they were seizing cell phone data only after obtaining a search warrant for the phone or consent of the phone’s owner.
The ACLU filed Freedom of Information Act requests for the seized cell phone data itself, rather than an explanation of why the information was being seized. It’s unclear why the civil rights advocate organization wanted this data. In any event, they didn’t get it, as the MSP told the ACLU they would have to pay the cost of copying the relevant documents, to the tune of over half a million dollars.
Many cell phones, especially smartphones such as the iPhone and various Android models, are as powerful and have as much storage capacity as desktop computers of a few years ago. They contain photographs, video, calendars, contact lists, and in the case of the iPhone, an index of everywhere the phone has been for up to a year. If that information belongs to a law-breaker, it’s the sort of thing that police find very useful.
The device used by the MSP and many other law enforcement and military organizations is the Cellebrite UFED (Universal Forensic Extraction Device). There are several models of UFEDs, varying mainly in form factor and degree of ruggedness for field operations. All of them fit into a small carrying case that also holds peripheral gear like connector cables, chargers, and USB flash drives for storage of the extracted information.
Operation of the UFED is very straightforward. The investigator first needs to know the brand and model of the phone to be examined. More than 1,800 models are supported, and the list is updated at least once per month. Checking an index of supported models will indicate the data cable the investigator needs to use from the 80 supplied with the device. Connect the phone to the UFED using the appropriate cable (it’s also possible to get the data via Bluetooth or IR port with some phones, but the data cable is the preferred method), tell the UFED what model phone it’s examining, check the boxes alongside the types of information (phonebook, text messages, dialed numbers, photos, videos, etc.) to be retrieved, and press “OK.”
The entire process takes only a few minutes.
The data is recorded to a USB flash drive, a SD memory card, or direct to a connected PC, all nicely separated into labeled folders. Multiple extractions can be written to the same storage device, subject to the capacity of the device. The low-end iPhone 4 has 16GB of storage capacity, so ensuring you have enough space on the output device is a critical consideration. Most flash drives have storage capacity of 8GB or less.
Information can be extracted from the cell phone’s internal memory, any memory expansion cards, and the phone’s SIM card, if it has one. Phones that work on the GSM network, such as the AT&T iPhone, use SIM (Subscriber Identity Module) cards that determine the phone’s number, the networks it can access, and what features of those networks it can use. Cell phone users in the U.S. don’t change out SIM cards frequently, but SIM cards are big business overseas. They’re sold from sidewalk kiosks and in food stores. By purchasing a SIM card and installing it in your phone in a foreign country, you obtain a local phone number and an allotment of airtime minutes that can be replenished with a credit card. The cards themselves are inexpensive enough to throw away when you’re done with them. SIM cards can also store phonebook lists and other data. The UFED has a port for reading SIM cards without their “host” phone.
A CD supplied with the UFED contains a software application for generating reports from extracted cell phone data. Reports are customizable to include or omit categories of data and to add information useful to the agency compiling the report, such as officer’s name, ID number, case number and so on. This interface is useful for printing out extraction data to be included with a case report.
Cellebrite’s web site includes some video tutorials that cover the device and its operation in about 12 minutes. This is a tool every law enforcement agency ought to have. You might even be able to pay for it by selling half-million dollar reports to the ACLU.