Mobile Device Lab – Defence Case Examination

Remit of Case
A client who was charged with terrorism offences had his mobile phone examined by a law enforcement agency. A timeline of alleged incriminating activity on this phone had been produced which merged activities across multiple applications (web browsing history, photographs/videos taken, notes created, messaging applications). The defence required CCL to review the timeline, containing some 300 events, and provide comment on the accuracy of the assertions made against their client in the case papers.

Examination
CCL were provided with the timeline document and a ‘logical’ extraction of the phone by the prosecution law enforcement agency. A ‘logical’ extraction is a copy of only the data that the phone is ‘willing’ to give up when extracted to a PC, and it contained only a small portion of the full extent of the device data. For some mobile phones the logical extraction is the most exhaustive extraction possible, so in some cases it is accepted as the best evidence to work from. It was therefore extremely important to have a technical understanding of the extent to which mobile devices can be extracted. There were several reasons that CCL chose to challenge the extraction that had been provided to them:

1. The make/model of device was supported for a full ‘physical’ extraction using standard off-the-shelf forensic tools at the time of the prosecution examination
2. The timeline document made reference to third party applications and inaccessible files which would not be recovered from the phone using a ‘logical’ extraction protocol

CCL informed the defence solicitors that they may not be in possession of a full dataset to conduct their examination. It transpired that a full extraction of the phone had been conducted but, in error, this had not been supplied to us. Once a full ‘physical’ extraction was obtained, CCL were happy to conduct their examination on the comfortable footing that they had the full picture to review.

WhatsApp
It was apparent the user was a regular WhatsApp user. This was consistent with modern mobile phone usage; more instant messages (using services such as WhatsApp) are sent per year than standard SMS and MMS messages.

The prosecution had drawn attention to several PDF documents and had stated that the suspect “had downloaded this material”. CCL looked to challenge the assertion that downloading message attachments received via WhatsApp was a deliberate act. Attachments can be downloaded automatically depending on user settings, and the setting can be varied by attachment type (a separate setting is available for pictures, videos, audio and documents). CCL reviewed the raw system artefacts that make up the WhatsApp application to check the automatic download settings and found that the automatic download setting for documents was switched on. On its own this did not prove that the user had not deliberately downloaded the document in question.

CCL’s testing of the WhatsApp application has shown that the thumbnails of message attachments behave differently depending on the attachment type: picture thumbnails are not generated on the phone until the picture is downloaded (whether automatically or deliberately), whereas document thumbnails are generated on the phone regardless of the automatic download setting for document attachments.

The fact that document thumbnails can be populated on a handset without the user’s knowledge was a significant point to suggest reasonable doubt that the user knew of the existence of this document on his phone.
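As an added illustration (not part of CCL’s report or the case materials), the following Python decodes WhatsApp for Android auto-download settings from a SharedPreferences XML file, the kind of raw artefact check described above. The key names, the one-bit-per-attachment-type mask layout and the sample file are assumptions constructed for this example, not values taken from the case.

```python
"""Decode WhatsApp (Android) auto-download settings from SharedPreferences XML."""
import xml.etree.ElementTree as ET

# Assumed key names and bit values (constructed for this example): one integer
# bitmask per network type, with one bit per attachment category.
MASK_KEYS = {
    "autodownload_wifi_mask": "Wi-Fi",
    "autodownload_cellular_mask": "mobile data",
    "autodownload_roaming_mask": "roaming",
}
MEDIA_BITS = {"pictures": 1, "audio": 2, "videos": 4, "documents": 8}

# Constructed sample preferences file for this example (not from a real device).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <int name="autodownload_wifi_mask" value="15" />
    <int name="autodownload_cellular_mask" value="9" />
    <int name="autodownload_roaming_mask" value="0" />
    <boolean name="some_unrelated_flag" value="true" />
</map>
"""


def parse_prefs(xml_text):
    """Return {key: int} for every <int> entry in a SharedPreferences map."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): int(e.get("value")) for e in root.findall("int")}


def decode_autodownload(prefs):
    """Map each network type to the set of attachment types auto-downloaded.
    A missing key is reported as None so that absence is not mistaken for 'off'."""
    result = {}
    for key, network in MASK_KEYS.items():
        if key not in prefs:
            result[network] = None
            continue
        mask = prefs[key]
        result[network] = {m for m, bit in MEDIA_BITS.items() if mask & bit}
    return result


def document_autodownload_enabled(prefs):
    """True if documents are auto-downloaded on at least one network type."""
    return any(s and "documents" in s for s in decode_autodownload(prefs).values())


if __name__ == "__main__":
    for network, media in decode_autodownload(parse_prefs(SAMPLE_PREFS)).items():
        print(f"{network}: {'setting absent' if media is None else sorted(media) or 'off'}")
```

A positive result only establishes that automatic download was possible; as the text above notes, it does not by itself show whether a particular document was downloaded automatically or deliberately.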

ColorNote
The third party note-taking application ColorNote was also subject to disagreement between the prosecution and defence examinations. The prosecution alleged that the user had deleted a note in an attempt to obfuscate incriminating material.

CCL’s examination of the ColorNote application showed the note was in fact a live note within the application and would have been accessible to a standard user. It was apparent that the prosecution examiner had used a forensic tool which had recovered the data from this application incorrectly. Basic manual verification checks between the extracted data and the device itself would have made this error in the tool’s capability very apparent. This indicated that the analyst had not conducted appropriate manual verification of the data extracted from the suspect’s phone.

Web Cache
A small number of web cache pictures were used to suggest the suspect had links to, and an interest in, terrorist organisations. The forensic implications of this data were not stated in the prosecution report; had this material been presented to a jury in its current form, misleading evidence may have been heard in Court. CCL reported the implications of web cache data in terms of user activity. CCL confirmed that web cache is generated automatically on a device as a result of web browsing activity: pictures displayed on a web page can be saved automatically to the phone’s memory, including pictures on a website that the user has not necessarily seen.

The relevance to the user is that any subsequent visit to the same web page is displayed more quickly than if the browser had to download the pictures again from the internet. Forensic tools recover these pictures from within web browser cache locations. These locations are not accessible to a standard phone user, so presenting this data without the appropriate covering information also required challenging.

ISO17025:2005 Accreditation
Various other typographical and sense-check errors were noted throughout the timeline document, which suggested the report had not gone through appropriate quality control procedures. Further investigation established that the prosecution law enforcement agency did not hold accreditation to the current ISO17025:2005 standard and the Forensic Science Regulator’s Codes of Practice and Conduct. CCL’s commitment to this standard meant we knew the quality procedures that underpin the reporting of reliable digital forensics evidence. There was therefore room to question whether the prosecution examination had been conducted in a forensically sound manner using proven and tested techniques.

Conclusion
As outlined above, there were numerous areas of the prosecution examination where the assertions made regarding the suspect and his activity could be challenged. The questionable content fell into several categories:

– Lack of proper testing of applications’ features and settings for automatically downloading data
– Lack of effective manual verification checks to validate the accuracy of the data extracted
– Important technical facts, providing relevant context to the evidence being used, excluded from the report
– Neglectful mistakes in spelling, grammar and sense-checks, indicating that an effective quality control check had not been conducted

A defence report was supplied to the defence solicitor to enable them to ask reasonable questions of the prosecution examination in order to achieve a fair and balanced trial in court. It was reassuring to know that the disclosure of some potentially pivotal technical points would enable the jury to make an informed decision on the innocence or guilt of the suspect on trial.

Richard Walker
Mobile Device Lab & Cell Site Manager