Mobile Telephone Extraction
Introduction
Many modern criminal investigations now involve the seizure of a mobile telephone. Devices range from cheap ‘burner’ phones with functionality limited to traditional calls and text messages, through to smartphones with a suite of apps providing a wide range of features.
A mobile telephone works with one or more Subscriber Identity Module (SIM) cards, which provide the information necessary for it to register and connect to a mobile cellular network. Every mobile telephone will have a unique identifier – the International Mobile Equipment Identity (IMEI). Devices that accept multiple SIM cards will also have multiple IMEIs.
The volume of information held in modern mobile telephones is staggering. A typical smartphone can hold hundreds of thousands of high-quality photographs, hours of high-resolution video, and years’ worth of conversations over traditional SMS text messages, social media, or encrypted messaging apps. A key issue for any criminal investigation is how to collect this information, sift through the vast and varied content, identify anything relevant, and then package it in a form that can be explained and presented.
The focus of this chapter is on the analysis and extraction of data from a mobile telephone. Having seized a mobile telephone from a suspect, investigators can often switch it on and conduct an initial analysis of it – this could involve the investigator scrolling through the text messages on it to identify anything relevant, and then recording those messages in a witness statement.
A further and more detailed analysis of the device requires specialist software and skills. There are three general levels of Mobile Telephone Extraction, which progressively increase in the types of data that can be extracted.
Level 1, also known as logical extraction, is the most common method used. This usually involves connecting the mobile telephone to a computer (often called a ‘kiosk’) by a cable. Special software on that computer then communicates with the operating system on the mobile telephone, which allows the software to read the data held on the device. This is the most straightforward method and allows for the extraction of most types of data (e.g. call logs, contacts, text messages, photos), but will generally only extract items that could have been viewed by simply switching on and scrolling through the mobile telephone.
Level 2, also known as physical extraction, involves a more intensive extraction process usually in a laboratory. This process creates an exact copy of the mobile telephone’s memory, rather than accessing and extracting information item by item. This often allows for deleted data to be recovered.
Level 3 involves the use of an expert undertaking a specialist examination of the device. This is often required for devices that are damaged and so a Level 1 or 2 extraction will not work, or where there are other specialist issues that can only be addressed by an expert.
Law and Guidance
Police constables have various statutory powers under the Police and Criminal Evidence Act 1984 (PACE) to seize items, including mobile telephones.
Section 8(2) of PACE allows for the seizure of items found during a search carried out with a warrant.
Section 18(2) of PACE allows for the seizure of items found during a search of premises occupied or controlled by a person under arrest for an indictable offence.
Section 19 of PACE allows for the seizure of items where the constable is lawfully on any premises.
Sections 19(4) and 20 of PACE extend those three powers by including a power to require any information stored in any electronic form contained in a computer and accessible from the premises to be produced in a form in which it can be taken away and in which it is visible and legible.
Section 32(9) of PACE allows for the seizure of items found during the search of a person under arrest.
Sections 50 and 51 of the Criminal Justice and Police Act 2001 extend the above powers under PACE to cover circumstances where it is not reasonably practicable to separate material that can be lawfully seized from other material.
There are other similar powers of seizure for other law enforcement agencies (e.g. for immigration officers under section 28G of the Immigration Act 1971).
Although it is not expressly provided for in the statutory powers listed above, the courts appear to have accepted that a power to extract and examine material from a seized mobile telephone flows from these general powers (for examples, see R (Cabot Global Ltd) v Barkingside Magistrates’ Court [2015] EWHC 1458 (Admin), R (Faisaltex Ltd) v Crown Court at Preston [2008] EWHC 2832 (Admin), and R (A and another) v Central Criminal Court [2017] EWHC 70 (Admin)).
Various other documents provide guidance on how investigators should deal with mobile telephones.
Despite having been drafted over 10 years ago, the ‘ACPO Good Practice Guidelines for Digital Evidence’ are still frequently cited by law enforcement authorities. They set out the following four principles that should be followed:
Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
The ‘Forensic Science Regulator Codes of Practice and Conduct’ also set out minimum standards to be followed by those conducting forensic examinations of mobile telephones.
Uses
The data extracted from a mobile telephone often helps paint a vivid picture of contact between parties. Call logs record incoming and outgoing telephone calls, including date, time, and duration. Message and chat logs record conversations, including the actual content of messages alongside date and timestamps (with the caveat that some messages may have been deleted, depending on the method of extraction). Address book entries show links to other individuals and other telephone numbers, and can often provide other useful information such as nicknames and relationships.
Although the focus of this book is on communications evidence, modern mobile telephones can often be a treasure trove of other information relevant to an investigation. Examples of this include browser history, photographs, videos, stored account details, and files.
Limitations
The main limitations for each level of extraction are set out above. As the level increases, so do the time and cost. This inevitably involves an assessment of proportionality when identifying the appropriate level of extraction in any particular investigation.
Modern smartphones come with built-in encryption, which essentially scrambles the data on the device until the correct password is entered. Some extraction software products can bypass this protection, depending on the make and model of mobile telephone. There is a game of ‘cat and mouse’ as a software company manages to bypass or break the encryption for one model of mobile telephone, only for the manufacturer to fix it for the next model.
Software companies must also constantly update their extraction software, as new models of mobile telephones are released and applications running on those devices are changed. If a new social media platform becomes popular, the software running on a ‘kiosk’ has to be updated so that it can access the material on that particular platform’s app.
The deletion of material is another issue. Most modern smartphones can be remotely wiped – an owner can send a signal to the device that it receives when it next connects to the internet, triggering it to delete its content. Investigators must be careful not to inadvertently allow the device to connect to the internet for this reason. Similarly, some social media and messaging apps allow for messages received by a device to be remotely wiped by the sender or automatically deleted after a set time. This creates an obvious challenge when a mobile telephone is later analysed, and may be a situation where a Level 2 or 3 extraction is required.
Presentation
The physical product created at the end of the extraction process will very much depend upon the level of extraction, the type of device interrogated, and the specific extraction software used. However, generally an archive file will be produced (a compressed folder containing the extracted data). These tend to be very large files which require special software to access and are therefore not very useful for sharing with others – either as used or unused material.
Investigators can create a PDF report from these archives, which sets out the extracted data in a form that can be shared more easily. This PDF report can contain all the data extracted, or can be a subset of the data (e.g. only messages, or only messages between two dates, or only messages selected by the investigator). It is this PDF report which is typically served as evidence or disclosed. It is possible for one PDF report to be generated containing the data said to be relied upon as evidence (e.g. all of the SMS text messages) and another PDF report to be generated containing every item of data extracted, to be scheduled and considered for disclosure – whether or not it is fair to sub-divide the evidence in this way will be fact-specific, and should not be done in a case where it is necessary for all of the data to be exhibited so that the parts on which the prosecution rely can fairly be seen in their proper context (see Lord Chancellor v SVS Solicitors [2017] EWHC 1045 (QB)).
There are often requests made, both by those prosecuting and defending, for a ‘full download’ of a mobile telephone to be provided by investigators. This term is vague and imprecise – it could be a request for a PDF report containing all the data extracted rather than just a subset, or it could be a request for the archive file accompanied by the special software required to open it. Often its use simply comes from a misunderstanding of the extraction process, what data is available, and in what format. A request should instead be specific as to the type of material (e.g. all content extracted, or just SMS text messages), the format (e.g. a PDF report) and any other parameters (e.g. date range).
At trial, evidence extracted from mobile telephones is often presented within a ‘working document’ communications schedule (for call logs and messages) or as part of an Agreed Facts document. For example:
The data on the seized mobile telephone was extracted. The following SMS text messages had been sent and received on that device, using the telephone number 0131 496 xxxx:
Date | Time | Sender | Recipient | Content |
5 December 2022 | 23:15:34 | 07700 900xxx (Clive) | 0131 496 xxxx | Hv u got any w |
5 December 2022 | 23:15:58 | 0131 496 xxxx | 07700 900xxx (Clive) | Yh |
5 December 2022 | 23:26:00 | 0131 496 xxxx | 07700 900xxx (Clive) | 1 hour |
5 December 2022 | 23:54:12 | 07700 900xxx (Clive) | 0131 496 xxxx | Ok usual place |
6 December 2022 | 00:05:03 | 07700 900xxx (Clive) | 0131 496 xxxx | Here |
6 December 2022 | 01:04:43 | 0131 496 xxxx | 07700 900xxx (Clive) | Coming – got 5 w |
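An added illustration (not part of the original chapter, and not the code of any extraction product): applying a specific request of the kind described above (type of material, date range) to extracted records and producing a schedule in the column layout shown. The record fields, the `build_schedule` function and the SHA-256 digest, used so that a third party repeating the process can confirm the same result as ACPO Principle 3 asks, are assumptions of this example; the sample records are constructed from the schedule above plus one invented call entry.

```python
import hashlib
from datetime import date, datetime

OWN, CLIVE = "0131 496 xxxx", "07700 900xxx"   # redacted as on the page
CONTACTS = {CLIVE: "Clive"}                     # constructed address book entry
# Constructed records, deliberately out of order; the call entry is invented.
RECORDS = [
    {"type": "sms", "ts": "2022-12-06T00:05:03", "from": CLIVE, "to": OWN, "body": "Here"},
    {"type": "sms", "ts": "2022-12-05T23:15:34", "from": CLIVE, "to": OWN, "body": "Hv u got any w"},
    {"type": "call", "ts": "2022-12-05T23:20:00", "from": OWN, "to": CLIVE, "body": ""},
    {"type": "sms", "ts": "2022-12-05T23:54:12", "from": CLIVE, "to": OWN, "body": "Ok usual place"},
    {"type": "sms", "ts": "2022-12-05T23:15:58", "from": OWN, "to": CLIVE, "body": "Yh"},
]

def label(number):
    """Append the address book name, if any, as in the schedule above."""
    name = CONTACTS.get(number)
    return f"{number} ({name})" if name else number

def build_schedule(records, kind, start, end):
    """Apply a request (material type, inclusive date range).

    Returns (schedule_text, sha256_hex, omitted): omitted counts records of
    the requested type that fall outside the range, so the report can say
    what surrounding context was left out.
    """
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    if lo > hi:
        raise ValueError("start date is after end date")
    same_type = [r for r in records if r["type"] == kind]
    chosen = sorted(
        (r for r in same_type if lo <= datetime.fromisoformat(r["ts"]).date() <= hi),
        key=lambda r: r["ts"],
    )
    lines = ["Date | Time | Sender | Recipient | Content"]
    for r in chosen:
        t = datetime.fromisoformat(r["ts"])
        lines.append(" | ".join([f"{t.day} {t:%B %Y}", f"{t:%H:%M:%S}",
                                 label(r["from"]), label(r["to"]), r["body"]]))
    text = "\n".join(lines) + "\n"
    # Same input and same request give the same digest, whatever the input order.
    return text, hashlib.sha256(text.encode("utf-8")).hexdigest(), len(same_type) - len(chosen)

if __name__ == "__main__":
    text, digest, omitted = build_schedule(RECORDS, "sms", "2022-12-05", "2022-12-05")
    print(text, f"sha256={digest}", f"omitted={omitted}", sep="\n")
```

A request limited to 5 December drops the "Here" message sent just after midnight, which is why the function reports the omitted count alongside the schedule.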
Future Developments
The increasing reliance on mobile telephones in everyday life is likely to continue, resulting in even more information being stored on them. This in turn generates a significant burden on investigators who have to sift through the extracted material and identify anything of relevance. The use of artificial intelligence (software that learns and adapts by itself, that could be used to accurately identify relevant data) may assist with this but the technology is still some way off from being able to replace a trained investigator spending hours looking through material extracted from multiple mobile telephones.
There is also a general move by technology companies (e.g. mobile telephone manufacturers) towards more secure encryption, and there is an ongoing debate over the balance between the right to privacy and the need for law enforcement to have access to some communications. This is likely to be a source of further legislation over the coming decade.