The document discusses the increasing use of mobile devices in forensic investigations and the challenges posed by traditional evidence collection methods. It suggests a multi-tiered model that enhances evidence collection at the scene, improves efficiency, and reduces backlog while ensuring the quality of evidence submitted for analysis. The implementation of educational programs, engineering solutions, and enforcement policies are essential for maximizing the effectiveness of mobile forensics and improving public safety.

1. Reducing Backlog:
Mobile Forensic Previews
Lee Papathanasiou
Cellebrite: Sales Engineer, Forensics

2. Mobile Device Proliferation

3. *As of January 2014:
 90% of American adults have a cell phone
 58% of American adults have a smart phone
 32% of American adults own an e-reader
 42% of American adults own a tablet
Multi-Device Environment
Source: Pew Research Center
http://www.pewinternet.org/

4. Volume & Complexity of Data

5. Volume & Complexity of Data

6. Mobile Device Exams Increase
 Statistics from three cities in
North America anecdotally*
show a steady increase in the
ratio of mobile forensic
exams to computer exams
starting from 2005 to present.
*No standards exist for the tracking of forensic lab statistics, so not all labs report
the same way. In addition, labs’ own reporting may be inconsistent from year to
year. Other variables, such as trends in investigations themselves, have not been
accounted for.

7. Mobile Forensics:
A Team Effort

8. Today’s model of mobile
device evidence collection
■ Forensic Examiner performs extraction & analysis at the Lab
■ First Responder Secures Scene
■ Investigator Seizes Evidence: “Bag and Tag”

9. Limitations of Current Model
■ Actionable information NOT available to First Responder
o Result: Opportunity for time-sensitive decisions is missed which could mean the difference
between Life and Death
■ Evidence becomes more vulnerable the longer it sits at scene
o Result: Evidence on the device is remotely Wiped/Deleted
■ The importance of evidence is not identified or qualified at scene
o Result: Lack of insight leads to collection of unnecessary evidence and directly
contributes to EVIDENCE BACKLOG!
■ Field personnel are not being utilized to their full capacity
o Result: The inefficient use of resources is an unnecessary Waste of Money
■ Forensic Examiners are spending valuable time on basic evidence collection
o Result: Less time available to focus on the deeper/complex examinations which can yield
important evidence & deleted information. This amounts to a Waste of Talent.

10. Mobile Forensics: Multi-Tiered Model

11. Location Hierarchy
Least Most
Gradient Scale

12. Personnel Hierarchy
Least Most
Gradient Scale

13. Function Hierarchy
Least Most
Gradient Scale

14. Multi-Tiered Model Reduces Backlog!
■Increases Quality of evidence in lab
■Empowers existing personnel with mobile forensic technology
■Enables rapid evidence collection & preview in field
■Decreases Quantity of evidence in field
■Result: More Leads in Less Time

15. Use Cases that can Benefit
■Monitoring Probation/Parole
■Child Abuse Image Investigations
■Drug Interdiction
■Substantiate Victim Claims
■List goes on…

16. Implementation Requirements: EEE
■Education ■Engineering■Enforcement

17. ■Data collection & review contributes to officer/civilian safety
Education: Academy Level
■Eliminate & Prevent Intimidation
■Academy Curricula needs to be prioritized & updated
■SOP & Training need to compliment each other

18. Education: Field Level
■Evidence Handling & Collection
■Establish guidelines for escalations to lab
(i.e. Prosecution over Intel, Felonies over Misdemeanor)
■Incorporate 15 min hands-on training during briefings
■Keep current with warrant templates, preservation letters, etc.

19. ■Types of Evidence Collected: Textual Data and/or Media Files?
(Dictates bandwidth & storage capacity needed)
Engineering: Data Management Infrastructure
■Decide on method of transferring and/or storing evidence
■Need to maintain Chain of Custody and Integrity of data
■Remote Storage: Secure 4G/WiFi connection. VPN Tunneling.
■Local Storage: Hard Drive/ Flash Drive/ SD Card – Logistics

20. ■Software must have built-in reviewing & basic analysis capabilities
Engineering: Mobile Forensic Solution
■Mobile forensics software solution needs to be flexible & easy to use
■Software needs to be able to support extraction from an immense
variety of mobile devices in order to be effective
■A laptop/tablet or stand-alone forensic device will be required.
Preferably semi or fully ruggedized with relatively small footprint

21. © 2014 Cellebrite Mobile Synchronization LTD, All rights reserved
• Purpose built
• Closed for other
applications
• No User maintenance
• Extraction only
UFED Touch
• Multiple tools single
platform
• Full Cycle capabilities
• HW upgrade at your own
pace
• Chose your platform –
Flexibility
UFED 4PC
• Single source
• Multiple tools single
platform
• Full Cycle capabilities
• No user installation
• Standalone and
ruggedized
UFED TK

22. © 2014 Cellebrite Mobile Synchronization LTD, All rights reserved
UFED: Extract & Preview

23. ■SOP should set clear expectations for everyone involved
including when to escalate devices to a forensic specialist
Enforcement
■Controls need to be in place to prevent abuse
■Establish Policies as well as SOP to enforce training & evidence
collection methodologies
■Software solution needs to of facilitate these requirements.
User & Permission Management, Logs, Training verification

24. Enforce: UFED Permission Manager
User Authentication and Permission Management
■ Profile defines authorized actions
■ By action
■ By data type (where applicable)
■ Profiles are assigned to Users
■ Import / Export Users list

25. ■Examples:
Search Warrant
Consent
Probation/Parole
Exigent Circumstances
Search Incident to Arrest
Plain Sight
Enforcement: Rules of Engagement
■Laws vary from state to state and are in constant flux
■Consult legal authorities to ensure adherence to law

26. Data Triage & Public Safety

27. Data Triage & Public Safety
Traffic Accidents – Was the driver distracted by their phone?
Where were they last?
Time sensitive situations that can significantly benefit from mobile
device collection at scene of incident:
Active Shooter – Did they have accomplices?
Abductions – Who was their abductor? Where were they last?
Bomb Threats – Where is the bomb located? What is the detonation
device?

28. This is only the Beginning!!
■Decision making in the field can be improved even further
• Imagine collecting evidence from a mobile device on
scene and then running that data against a database….
Fugitives
Abductees
Drug Terms
Gang Members
Terrorists
Explosives
Stolen VINs
Etc…..

29. ■State & Local Fusion centers will have more diverse datasets to
utilize which will increase situational awareness.
Impact on Crime Prevention
■Mobile Device Evidence also has value downstream
■Intel & Crime Analysts benefit from high quality data
■The variety of data on mobile devices can contribute
significantly to predictive analytics & crime prevention efforts

30. THANK YOU!!
Lee Papathanasiou
lee.papa@cellebrite.com
201-848-8552 Ext. 106