January 6, 2023

Case Work: Mobile forensics examination for a family law solicitor

The first in a regular series that will feature the everyday work of the CCL forensics team, showcasing the expertise, experience and care that goes into each job, while highlighting the range of requests and remits coming into the UK's largest ISO 17025 accredited lab.

Case background

CCL’s client – a Family Law solicitor – required a forensic examination of their client’s mobile device with the aim to prove or disprove extra-marital activity which had allegedly taken place and would impact on the settlement of the case.
Following an initial scoping call between CCL and the solicitor, CCL produced a bespoke quotation outlining the framework for achieving the investigation requirements, costs and confirmation of the 5-day turnaround time.
The quote included which areas of data would be of primary interest: communications messages, emails, call logs and web data (searches, history and bookmarks) and how CCL might identify any further evidence that might be relevant to the Court.
A thorough and focussed search across the data was enabled via a keyword search list. This was agreed with the client to enable searching across and within many thousands of data records automatically.
The client provided: 

• Website URLs

• Names of dating applications suspected of having been used by the subject

• Names and mobile phone numbers of persons suspected to have been involved in the extra-marital activities

• Date ranges of suspected activity

There were multiple options available for the extraction of the device: 

1. Extraction at a neutral location and immediate return of the phone to the owner after extraction (less impactful on the owner but phone isn’t available to CCL for any missing data recovery or further analysis)

2. Phone delivered to CCL offices and remains throughout the examination until completion (phone is in CCL’s possession for longer but is available for missing data recovery or further analysis requirements)

3. Extraction of cloud storage areas (least impactful on device owner but would only recover certain live data)
The client elected for the phone to be delivered to CCL offices. 

CCL at work 
Initial Inspection and Data Acquisition

The mobile device was delivered to CCL’s lab in Stratford-upon-Avon and assigned to a member of the Mobile Device Laboratory Preparation and Extraction team. The analyst inspected the device which as standard includes: 

• Checking for SIM and memory cards which might have separate data stored.

• Photographing device condition and serial numbers.

• Switching on the phone in secure, radio shielded environment to preserve evidence.

• Entering PIN code to unlock the device.

• Preserving connectivity settings and isolating the device from the mobile phone network (preventing any changes being made to evidence and further (what would be illegal) Interception of Communications). This would also protect the evidence from any remote wipe commands which can be used by device owners (more common with suspect’s devices) to attempt to destroy evidence.

• Vulnerable data checks to save the device automatically wiping emails, messages, notes and images (e.g. Recently Deleted).

• Investigation for any hidden media albums, secure folders/spaces and any data hiding applications that may be relevant.
The analyst performed a full extraction of the device ie the fullest extraction recoverable with forensic tools. No forensic tool can recover ‘all data’ from a digital device and verification checks are important to see what live data the tool has and has not recovered. Keyword searches were run over the extracted data, highlighting any instances of matching criteria, and thereby saving examination time (and cost) of significant manual data review.  

Forensic Analysis and Reporting

Data was reviewed in Cellebrite’s UFED Physical Analyzer software. This enables the analyst to examine recovered data, filter, sort and tag important items for client review. Evidence recovered appeared to suggest: 

• Messaging contact with some of the subjects of the alleged extra-marital activities. Message conversations were tagged for reporting to the client. Message threads included participant’s saved names, contact numbers, emails, notes and where tagged as a ‘favourite contact’. Message content of a sexual nature and arranging meetings was noted.

• Messaging transcended across messaging platforms, Facebook, Snapchat and WhatsApp.

• Evidence within the phone Notes/Memos application with lists of hotels and last modified dates corroborating when suspected activity was occurring.

• User Accounts showing owner setting up and configuring dating applications. Login details were also saved in a passcode-protected Notes application, which we circumvented.

• Sexual communications with other unknown parties. One noted to have been saved as a contact ‘NHS-NoReply’, seemingly for obfuscation.

• Emails were present on the device but had not been extracted.
Following consultation with the client, a sample of emails was reviewed and noted to contain information of sexual communications with several participants and photographs of houses alongside threats stating they know where those subjects lived. This constituted potential criminal behaviour and was raised with the client for decisions on sharing with the police. This evidence would not have been recoverable if the device had been returned after the data acquisition stage.
The tagged data was provided in a Reader File which required no additional software/licensing and enabled the client to search, filter and sort the data reported. Readers also have features to export to PDF and Microsoft Office formats (Word, Excel etc). The Reader File was accompanied by a PDF examination report.
The examination report was written by the analyst to report on the specific findings of the investigation and provide context to some of the evidence recovered. Analysts use their experience and judgement to provide additional explanation or definition where it is likely to pose questions for the client or Court.
The data was produced on (an encrypted for data protection) USB stick and sent to the client. Confirmation of the completion of the forensic examination was communicated to the client, with a copy of the examination report attached to this email.

We're here to help

Our experts are on hand to learn about your organisation and suggest the best approach to meet your needs. Contact an expert today.

Get in touch