June 04 2019
At Keith Borer Consultants we aim to make it as easy as possible to instruct an expert but when it comes to instructing a mobile telephone expert there are a number of questions we usually need answering before we estimate.
What is the make and model of the handset to be examined?
There are a huge number of different makes and models of mobile telephones in operation and we examine a wide variety each year, from basic ‘burner’ phones to the latest flagship devices from the likes of Apple and Samsung. We employ a range of forensic software packages which support a wide variety of mobile telephones, however, as mobiles rapidly evolve, the support may not be added as quickly as you might expect (as it can require intensive development by the software providers). Support may also be patchy in places, with support claimed for a particular handset when the tool is only able to extract a small subset of the information the telephone may store.
Given these factors it is critical to know the make and model so we know what forensic tools will work, how long it might take and whether more advanced and bespoke techniques are needed. All make a substantial difference to an estimate.
Have the Police examined the handset? Is a report available?
The reason for this question is two-fold. Firstly if the Police have examined the handset then it is likely the handset has been retained as an exhibit. This may change where an examination will take place and what that will involve.
Secondly, if the Police have completed an examination it may not be necessary to re-examine the handset, but rather review the raw extracted data they created. This can be a cost and time effective way to fulfil your instructions.
The Police report may provide information such as the make and model of the handset examined, unique identifiers of the exhibit and components as well as indicators as to the tools used and how the examination has been completed. All of this allows us to advise on the most probative approach.
Is the data known to be deleted or is it ‘live’ on the handset?
To look for deleted data usually requires an in-depth ‘low-level’ examination of the telephone. This can be time-consuming which affects the estimate. We may also need to conduct testing with a handset of the same make and model to establish a method of extraction for the handset’s memory.
Which data are you interested in?
In 2007 when I joined Keith Borer Consultants mobile telephones were typically small in capacity and with very limited abilities. Calls, text messages and phonebook entries were often the extent of the user’s data. The same year the original Apple iPhone was released and the capabilities and storage capacities of mobile telephones have increased ever since.
There are now a huge number of applications available for smartphones with varying degrees of support offered by the forensic software. It is therefore important to establish which applications or data types are of interest. The method for extracting this data may vary.
We also employ manual verification checks to ensure the data extracted is complete and accurately portrays the data stored by the telephone. Fully-automated approaches taken by some experts are known to often miss critical detail.
We are often requested to extract all data from a mobile telephone. Back when I started this was feasible, but with the capacities of modern smartphones it is not uncommon for the extractions to exceed the size of DVD discs and full extraction reports running to thousands of pages compiled using different methods. Even with this, a ‘full download’ may not actually contain all of the relevant information. By reducing the scope of an examination to just the information required, our reports can focus on your key issues and be more usable by Counsel and jury members.
When were the connections of interest?
If the data of interest is calls, text messages or MMS (multimedia messages) and the content of the messages is not of importance than an examination of connection records retained by the mobile telephone network operator (for example o2, Vodafone, EE, etc) is an option.
Connection records provide a fully itemised list of successful calls as well as SMS (text) and MMS messages along with accurate timing. As this information is retained by the network it is not affected by users deleting data on the handset, swapping, damaging or losing a handset.
In the UK, network providers are legally obliged to retain connection records for a period of 12 months. In the Republic of Ireland they are obliged to retain them for 24 months.
Is the mobile telephone available for examination?
This may seem an unusual question but in some circumstances a mobile telephone may have been returned, damaged, thrown away, sold or lost. Other examination avenues exist, such as connection records or cloud-based backups such as Apple iCloud. These may allow us to fulfil your instructions without the handset being required.
I hope this helps understand why we ask these questions at estimating stage. As with all our services we aim to help as far as possible, in a cost-conscious manner and provide usable and helpful reports. Our experts are always available to discuss all of these issues with you. By addressing the requirements upfront we are in a better position to advise you of the best approach and estimate accurately for the work required, rather than needing to request further funding from the LAA once the issues become apparent.