Securing Compromised Mobile Device Evidence

In a previous column, “9 Questions About LE Use of Cell Phone Videos,” I compared a mobile device to a crime scene, stating that a mobile phone that has passed through multiple hands before yours was not unlike civilians trampling all over an unsecured crime scene.

This scenario is likely in two cases: when a cell phone has been lost and its finder has made an effort to determine its owner by scrolling through its contents; and/or when it is “searched” by one or more third parties because they suspect it contains evidence.

By the time it gets to you, the possibility is very real that volatile digital evidence has been, at least to some extent, compromised. How can you preserve what’s left so that forensic examiners have a shot at building a good case?

The lost cell phone

Lost cell phones are commonplace. They’re small, lightweight and easy to misplace when they slip out of a jacket pocket or bag, get left on a messy restaurant table or seat back pocket, or even in a shopping cart.

And they’re not like other pieces of lost property. You can’t simply bag and tag them and bring them to the property room. They’re expensive and contain personal data, so finding their owner becomes important.

So what do you do when the personal data turns out to be evidence of criminal activity? In one Fort Lauderdale (Florida) case, officers found child pornography images on a Samsung cell phone that had been found on a public bus and turned in to the Broward County Sheriff’s Office.

They turned it over to the Internet Crimes Against Children task force for forensic processing. That examination recovered not just the full extent of pornographic images, but also the name of the phone’s owner, whom detectives then tracked down through mobile subscriber data.

From a legal standpoint, scrolling through a lost phone’s contents cannot be considered a “search” because there is no expectation of privacy attached to abandoned property—at least, until evidence of a crime is located, at which point the search must stop and a search warrant obtained.

Either way, it is important to preserve the evidence. Don’t risk deleting personal data or evidence, or leaving an unshielded device powered on. This leaves it vulnerable to being remote-wiped, or having new data added.

The third-party “search”

In a similar found-phone story from Fargo (North Dakota), the phone was turned in to a Sprint store instead of police. As in Broward County, the store employee found child pornography when he went through the phone; then he called police.

But a third-party “search” may come into play even when a device isn’t lost. Police may receive calls from parents or school officials who have searched a minor’s cell phone because they suspect the child is involved in some type of criminal activity -- drug dealing, for example, or contact with a sex offender.

In this case, the phone may pass through multiple hands: more than one parent, school official, first responder, or even the suspect.

What to do with lost or compromised evidence devices

Basic steps to take are the same as for other types of cell phone seizures:

  • Isolate the phone from the cellular network. Use a Faraday bag or other shielding device to prevent signals from going in or out. This will prevent potential remote wipe and/or other changes to evidence. If no Faraday device is available, place the device in Airplane Mode or remove its battery.
  • Photograph the device and document its condition. If it’s damaged, describe the damage in your report.
  • If the device is off, remove its battery and photograph the inside of the phone. Document the device information found underneath the battery.
  • If the device is on and evidence is in plain view on the screen, photograph the image, text message or other evidence—and stop your search there until you obtain a search warrant.
  • If you suspect evidence has been deleted -- for instance, incriminating content deleted by a juvenile suspect -- document that so that the forensic examiner knows to conduct a physical search.