<META NAME="ROBOTS" CONTENT="INDEX, FOLLOW, ARCHIVE" />
Empowering the Investigator
Copyright 2009 - John B. Minor
®Apple With over 21 Million Apple iPhones sold 1 an Investigator clearly has an opportunity to capitalize on evidence produced by this new technology in many, many cases. Apple iPhone evidence can dramatically change the way an Investigator views a case investigation – civil or criminal.
…before he could react was crushed by 6 of the tractor’s 18 wheels…
Samuel Blenko was traveling down the Interstate highway in his tractor trailer rig and had crawled to a stop as he neared the huge Texas Interstate Truck Stop. As traffic in the parking area cleared he accelerated to turn into the parking lot without noticing the pedestrian crossing the street directly in front of his tractor. Jim Luckley was walking across the road to return to the safety of his tractor cab and before he could react was crushed by 6 of the tractor’s 18 wheels. The ensuing wrongful death case investigation appeared to be just another tragic accident until Private Investigator Bill Justin began to leverage the skills learned from a recent cell phone evidence class he had completed.
Police Investigators at the accident scene had questioned Mr. Blenko about the use of his cell phone as part of the post accident inquiry and Blenko had replied that he had not been on the phone or even using his cell phone at the time of the accident. Investigator Justin began by determining that police had not seized Blenko’s cell phone and by recommending to his legal team that despite the statement by Blenko that he was not on the cell phone at the time of the accident they should have his cell phone examined and maybe should request a court order to obtain his cell phone call detail records.
The Judge granted a court order requiring Blenko to surrender his Apple iPhone and requiring the cell phone carrier to provide the legal team call detail records for his cell phone account.
Blenko had deleted all of his call and SMS text message history, cleared his email account, and cleared the Internet browsing history on his cell phone before surrendering the phone to the court.
A review of the call detail records (CDR’s) for Blenko’s cell phone revealed that he was not using the phone in a call, text message or other Internet browsing activity.
An expert forensic examination was contracted for the cell phone and despite Blenko’s efforts to clear his iPhone activities the examiner found evidence of call, text and Internet browsing history. Still no evidence was located which implicated that Blenko was using his cell phone when the accident occurred.
The Tipping Point?... The cell phone examiner, upon learning more about the case and what Investigator Justin was searching for, reviewed the iPhone evidence a second time and found that a Skype application had been installed on the cell phone months earlier. Skype enables Internet based phone calls through a technology termed Voice Over IP or VOIP. A closer look at the Skype related logs revealed that Blenko had connected to the Internet via the truck stop wireless service while stopped on the road at the truck stop entrance and had initiated a Skype Phone Call to his wife seconds before accelerating into the parking lot and ending Luckley’s life. Investigator Justin had just found the smoking gun he was searching for…evidence of the trucker’s negligence! See figure 1 below.
Figure 1: iPhone Evidence of Skype Phone Calls, etc.
This huge investigative success contributed to the legal team obtaining a seven figure settlement in the wrongful death of Mr. Luckley……..
What are the odds that you as an Investigator may encounter iPhone evidence…..
iPhone users can choose from over 40,000 Apple iTunes Store iPhone applications and the number is growing rapidly. Specialty applications from medical to ballistics to finance and many more are being rapidly developed and sold directly to the iPhone users. The data maintained by these applications can harbor an endless variety of evidence useful to the Investigator.
What are the odds that you as an Investigator may encounter iPhone evidence? In addition to over 21 Million iPhone sales to date over 1 Billion iPhone applications have been downloaded as of April 2009.
What about the iPhone look alike iPod Touch? Over 15 Million iPod Touch devices have been sold. Even though this product is Not a Cell Phone it is capable of Wireless Phone Calls using Skype or other VOIP (Voice Over IP) software applications as well as countless other Instant Messaging and other communications applications readily available in the iTunes store.
The average Attorney or Investigator has little awareness of the evidentiary power of an iPhone. An Investigator must be prepared to educate his litigation team associates regarding the types of potential evidence that may be found in cases where an iPhone was in use. Likewise, the average digital Investigator may not be technically capable of performing an in depth examination of an iPhone. Regular cell phone forensic examination software and techniques produce only a fraction of the evidence mentioned in this article. Contracting an iPhone Expert examiner could make or break your case.
… Actual GPS coordinates are recorded thus enabling Experts to reconstruct exactly where the iPhone was located when an incident occurred…
What makes the iPhone such a powerful evidence generator? The Apple iPhone uses a special version of the Apple OSX operating system which is based on the Unix operating system.
iPhones maintain a variety of logs within the cell phone that document where the iPhone was located at specific dates and times when the iPhone was in use. Actual GPS coordinates are recorded thus enabling Experts to reconstruct exactly where the iPhone was located when an incident occurred.
iPhones may also maintain a larger and more complete history of cell phone calls, SMS text message history and Internet browsing history than most cell phones. See figures 2, 3 & 4 below for examples.
Figure 2: Sample iPhone Call History
Figure 3: Sample iPhone SMS Text Message History.
Figure 4: Sample iPhone Internet Browsing History Including Date and Time of Browsing.
iPhones produce screen snapshots of user activities automatically when the iPhone is in use. The screen snapshots are produced by the phone’s operating system in order to speed user access to the phone’s variety of capabilities. The result can be key evidence of activities on the iPhone. See figure 5 below.
Figure 5: Examples of Automatically Created iPhone Screenshots.
iPhones produce powerful photo-evidence from the built-in camera. When a picture is snapped with a digital camera EXIF2 metadata3 is usually embedded within the image. This metadata includes the brand and model of camera used to snap the picture and the date and time that the picture was taken. iPhone pictures often contain additional metadata including the GPS coordinates of the iPhone when the picture was snapped. This portion of the metadata enables the Investigator to track the iPhone’s location via Google Earth or other mapping software. See figure 6 below.
Figure 6: iPhone Photograph Traced to Shanghai, China.
When an iPhone is used to search for a geographical location or a route between two points a screenshot is often snapped automatically by the iPhone. This can produce evidence of a route traveled by the iPhone user. A maps Plist 4 reveals the last GPS coordinates viewed in the Google Map application. See figure 7 below.
Figure 7: Sample iPhone Google Maps Directions – Route Screen Snapshot.
The iPhone even documents the last GPS coordinates it established including the date and time the location was determined. See figure 8 below.
Figure 8: Produced from Evidence Located Within the iPhone.
The iPhone can produce many other evidence surprises -
Voice Mail Evidence - Voice mails are often recoverable…sometimes up to 100 or more voice mails! The voice mails are recovered from a database as individual audio files and are of excellent audio quality requiring no modification or enhancement.
Email Evidence - An email database is maintained by the iPhone which can provide an entire message history for an email account.
Calendar Events Evidence - The event calendar is also maintained in a database and can produce a complete history of calendar events and alarms created by the iPhone user.
Address Book Evidence - The address book for the iPhone not only provides contact information such as phone numbers, addresses, and email addresses but may also contain photographic images of each contact that are associated by the iPhone. The images are used to display an image of the contact when a call is placed or received.
Web Search Evidence - The iPhone often produces evidence of recent searches performed in its Safari Web Browser along with a complete list of web browser bookmarks.
…This means that an iPhone may just be the tipping point in your next case…
Almost all of the evidence examples mentioned in this article are practically impossible to modify by the average user/subscriber of an iPhone. This means that an iPhone may just be the tipping point in your next case.
With millions more iPhones expected to be purchased in the months and years ahead Investigators and other litigation team members who realize the powerful evidentiary potential of Apple’s iPhone will likely gain the edge in future litigation and clearly, the Investigator who leverages this new dimension in cell phone evidence will find answers not previously available.
Investigators should always seek the services of a qualified expert when an iPhone or other digital evidence needs to be examined. Amateur attempts to examine and extract evidence from digital devices often result in spoliation issues rendering potentially high quality evidence useless.
About the Author – John B. Minor is a practicing communications expert, cell phone signals analyst, digital Investigator and iPhone examiner. John has leveraged huge successes for litigation teams by locating digital evidence under unusual scenarios. John’s casework takes his expertise to the corners of the globe in a variety of investigations ranging from terrorism threats to financial fraud and to more common civil and criminal venues including homicides. John is currently partnered with Atwater Enterprises. See http://johnbminor.com for more information about Mr. Minor.
1 iPhone & iPod Touch Sales source http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=104701
2 EXIF – Exchangeable Image File Format - http://en.wikipedia.org/wiki/Exchangeable_image_file_format
3 Metadata – Data About Other Data - http://en.wikipedia.org/wiki/Metadata
4 Plist – Property List - http://en.wikipedia.org/wiki/Property_list
Home About Articles Graphics/FAQ’s Recent Projects Areas of Expertise Contact