
Friday, February 11, 2022

About the phones

Last night I spent some time watching testimony in the case of Holly Bobo. The trial took place in 2017; the data from the cell phones was from 2011, when she was murdered. The technology has changed, of course. The man on the stand, Michael Frizell, was titled a "cell phone expert." His official title was Assistant Special Agent in Charge with the Tennessee Bureau of Investigation, as part of the Technical Services Unit. He is also assigned to the FBI as a Task Force Officer on the Child Sexual Exploitation Task Force, and is a member of the CAST team, which is the Cellular Analysis Survey Team for the FBI.

 
He picks through the data provided by cell phones which may be used, or support evidence used, in a crime. Part of the duties include looking at call detail records, records produced by the telephone. 

He explained how his work is done, in great detail. Forgive my awkward synopsis please.

Basically, the calls are all logged and labeled by times, providers, towers, user accounts, callers, etc., using alphanumeric codes, which he has the knowledge to read and decipher. Using this data, his team is able to match the times, etc., up with a map. Each tower marked on the map that would have been used during a time frame, i.e. 3:09 pm to 7:00 pm, has a radius; during any call your phone may be bouncing off of different towers. In urban areas there are more towers, so more data and more precise pinpointing on the map. In the country you may be using one tower, or possibly 3, during a call. Some remote areas just do not have service, no towers.




There are a number of “do’s and don’ts” that must be followed to properly recover and preserve cell phone evidence. As a general rule it is recommended that the phone be left in the state it was found. If the phone is on do not turn it off. If it was off leave it off. It is important to resist the urge to perform any functions on the phone to look for evidence such as the last number called, visible text messages, etc. as this may alter data or corrupt data integrity and jeopardize the evidence recovery and investigation. If it is on, make every attempt to keep it charged until it is properly evaluated. It is also recommended that facilities make several low cost purchases such as bags that prohibit the phone from receiving and transmitting, evidence tags or labels designed specifically for phone recovery, and universal-charging kits for the most frequently used phones. While these are general guidelines in most scenarios, there are many factors that dictate the proper action to take. It is imperative that staff be officially trained on the accepted industry standards.




So you “erase” your data, but what really happens to those “deleted” files? Avast’s report regarding the eBay phones states, “When a file is deleted, the operating system merely deletes the corresponding pointers in the file table and marks the space that is occupied by the file as free. The reality is that the file is not deleted and the data it contained still remains on the drive or storage card.”


“The amount of personal data we retrieved from the phones was astounding. We found everything from a filled-out loan form to more than 250 selfies of what appear to be the previous owner's manhood,” McColgan stated. “The take-away is that even deleted data on your used phone can be recovered unless you completely overwrite it.”
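The behaviour the report describes can be reproduced on a toy model. The following is an added example, not code from Avast or from the original post; the `ToyVolume` class, its 16-byte block size and the sample message are all constructed for illustration.

```python
BLOCK = 16  # constructed block size in bytes, kept tiny for readability

class ToyVolume:
    """Constructed model: a file table of pointers over a flat array of blocks."""

    def __init__(self, nblocks=8):
        self.data = bytearray(BLOCK * nblocks)
        self.table = {}                   # filename -> list of block numbers
        self.free = list(range(nblocks))  # block numbers marked as free

    def write(self, name, payload):
        blocks = []
        for off in range(0, len(payload), BLOCK):
            b = self.free.pop(0)
            chunk = payload[off:off + BLOCK].ljust(BLOCK, b"\x00")
            self.data[b * BLOCK:(b + 1) * BLOCK] = chunk
            blocks.append(b)
        self.table[name] = blocks

    def delete(self, name):
        # What the quoted report describes: drop the pointers and mark the
        # space free. The block contents are not touched.
        self.free.extend(self.table.pop(name))

    def wipe_free(self):
        # Overwrite every unallocated block so nothing is left to read back.
        for b in self.free:
            self.data[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)

    def unallocated(self):
        # Raw contents of the free blocks, as a bit-for-bit image exposes them.
        return b"".join(bytes(self.data[b * BLOCK:(b + 1) * BLOCK])
                        for b in sorted(self.free))

def demo():
    vol = ToyVolume()
    vol.write("chat.txt", b"constructed private chat message")
    vol.delete("chat.txt")
    readable_after_delete = b"private chat" in vol.unallocated()
    vol.wipe_free()
    readable_after_wipe = b"private chat" in vol.unallocated()
    return readable_after_delete, readable_after_wipe

if __name__ == "__main__":
    print(demo())
```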


Avast’s forensic analysis report covers the three main methods the researchers used to recover deleted data: mass-storage mount, logical analysis, and low-level analysis.


Since some of the previous owners did not store their data on removable micro SD cards or internal storage devices, simply attaching the smartphone via USB cable to a computer was enough to mount


In the following example, Avast used “FTK Imager to mount the image of a partition containing user data.”


“The seller of this HTC Sensation smartphone thought that his personal data was removed,” wrote the researchers, but “we managed to dump 251 blocks of unallocated data and to recover ‘deleted’ messages from a Facebook chat.”


If the phone doesn’t support mass storage mounting, Avast said it could be rooted and a mass storage app installed, and Media Transfer Protocol then used to pull off the personal data and transfer it to another portable device.


However, a smartphone does not need to be unlocked or rooted before backing up data using Android Debug Bridge. The backup can be converted to a .tar archive with Android Backup Extractor. That archive contains a directory structure with all currently installed applications and may also contain directories.
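The backup-to-archive conversion described above, as an added Python example (not Avast's code and not part of Android Backup Extractor). It handles only unencrypted backups, and the package name, file paths and contents in `build_sample_ab` are constructed.

```python
import io
import tarfile
import zlib

def ab_to_tar(ab_bytes):
    """Strip the four-line Android backup header and return the tar bytes."""
    stream = io.BytesIO(ab_bytes)
    magic, version, compressed, encryption = (
        stream.readline().decode("ascii").strip() for _ in range(4))
    if magic != "ANDROID BACKUP":
        raise ValueError("not an Android backup file")
    if encryption != "none":
        # An encrypted backup needs the backup password; not handled here.
        raise ValueError("encrypted backup (%s)" % encryption)
    payload = stream.read()
    # The compression flag is "1" when the tar stream is zlib-deflated.
    return zlib.decompress(payload) if compressed == "1" else payload

def list_members(tar_bytes):
    """Return the paths of all regular files in the extracted archive."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return [m.name for m in tar.getmembers() if m.isfile()]

def database_files(names):
    """Keep only files that sit in an application's db directory."""
    return [n for n in names if "/db/" in n]

def build_sample_ab():
    """Constructed sample: a two-file backup for a made-up package."""
    files = [
        ("apps/com.example.chat/db/messages.db", b"SQLite format 3\x00"),
        ("apps/com.example.chat/sp/prefs.xml", b"<map/>"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in files:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return b"ANDROID BACKUP\n1\n1\nnone\n" + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    names = list_members(ab_to_tar(build_sample_ab()))
    print(database_files(names))
```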


“The Db directory (if it exists) contains SQLite database files, which may be viewed for example by SQLite viewer,” Avast said of this logical analysis approach. The following example was personal data left behind after a factory reset and then snagged from a Samsung Galaxy S4:


If those two methods failed to recover “wiped” data, the researchers used low level analysis to create a “bit-to-bit copy” of the user’s data. After several steps including rooting the device, the researchers extracted Facebook chats, photos and Google search keywords.


Avast forensic researchers concluded:


The combination of the methods mentioned above helped us to discover a lot of personal data, and also helped us to reconstruct several personal stories. Although at first glance the phones appeared thoroughly erased, we quickly retrieved a lot of private data. In most cases, we got to the low-level analysis, which helped us recover SMS and chat messages. 




But don’t be silly like me and get hung up on what phones from what carriers revealed the most personal info even after previous owners had performed a factory reset or a “delete all” operation. The blame for Androids not deleting this data starts with Google. Avast analysts explained, “It’s not a question about the carriers, whether the factory reset works well or not. It’s a mix out of different aspects: The factory reset is implemented by Google. The strength of the factory reset does, however, also depend on the phone’s chip manufacturer.”


“As for the platform, different Android versions were present, most of the phones had Android version 4 (different versions), others had Android version 2.3.x (Gingerbread),” added Ziegler. In case you are curious, Google just released new Android platform distribution numbers, based on what platforms accessed the Play Store for a seven-day period ending on July 7, 2014: 56.5% of Androids were running Jelly Bean, KitKat was on 19.9% and 15% were running Ice Cream Sandwich.


Avast is not the first security firm to say that even if you follow the manufacturer’s directions to wipe your phone, it’s nearly impossible to get rid of personal information on some Android devices. In 2012, after McAfee's Robert Siciliano bought 30 mobile phones and laptops from Craigslist, he recovered personal data from 15 devices. "What's really scary is even if you follow protocol, the data is still there," he said. BlackBerry and iPhone did a good job of deleting personal data, but Siciliano advised against selling your old Android and Windows XP devices. "Put it in the back of a closet, or put it in a vise and drill holes in the hard drive, or if you live in Texas take it out into a field and shoot it. You don't want to sell your identity for 50 bucks," he said.


So in short, files that are not stored on a removable SD card, encrypted, or deleted are readily accessible to download to another device for forensics. If the files have been deleted, it could take a bit-by-bit copy to retrieve all data that has not been overwritten.

Did Hunter delete his text messages or photos from that day or before? Why does LE still have his phone in evidence?



https://www.fbi.gov/news/stories/investigating-child-abductions1

CARD team investigators are seasoned veterans of crimes against children cases—especially child abductions—and have received extensive training. While some local law enforcement agencies may only work one or two child abduction cases a year, CARD team agents work these kinds of cases all the time, keeping their unique skill set honed.


They often deploy to the abduction site with FBI behavioral analysis experts and technical specialists in tow. CARD team agents also work closely with National Center for the Analysis of Violent Crime coordinators, members of the regional FBI-led Child Exploitation Task Forces, and representatives from our Violent Crimes Against Children Section at FBI Headquarters.


What exactly does the CARD team bring to the table? In addition to being on the scene within an hour or two to augment local resources, these agents can quickly establish on-site command posts to centralize investigative efforts. They also help map registered sex offenders in the area, handle national and international leads, guide investigative efforts using the protocols from the FBI’s child abduction response plan, coordinate forensic resources as needed, and incorporate the Bureau’s technical assets—which play an increasingly larger role in investigations where every minute counts.


But the true measure of the CARD team’s impact is how often these kids are found safe. Here are a few recent examples where that’s happened:


A newborn kidnapped from his Wisconsin home in February 2014 was found by law enforcement the following day—alive—in a plastic storage crate outside a gas station in Iowa. The alleged kidnapper has been charged.

In August 2013, a San Diego County teenager abducted by a family friend was located and rescued by law enforcement a week later in the Idaho wilderness. Her kidnapper, killed during the rescue, was believed to have been responsible for the deaths of her mother and 8-year-old brother.

A 6-year-old girl, abducted from her Mississippi school in April 2013, was released the following day. The mastermind of the kidnapping received a 25-year prison term, while five other co-conspirators have also been sentenced.

While the FBI necessarily focuses on terrorism and other national security issues and major criminal threats, we will always place a premium on the safety and well being of our nation’s children.

 




FBI Jurisdiction in Child Kidnappings


In the public eye—and even in some state and local law enforcement circles—there are common misconceptions about when the FBI can get involved in child kidnappings. That there has to be evidence a victim has been taken across state lines. Or that a ransom demand has to be made. Or that 24 hours must pass.


All are false.


Whether the case ends up being investigated and prosecuted at the local level or at the federal level, the Bureau will always leverage our investigative resources and technical assets to work hand in hand with state and local law enforcement agencies on cases involving the mysterious disappearance of a child. Our role is to help investigate the disappearance, recover the child, and apprehend the person or persons responsible.


And that role begins as soon as we’re notified.