Mobile phone forensics 'hole' reported

Police investigations are being hindered by the use of proprietary mobile phone technologies, say forensics experts
Written by Tom Espiner, Contributor

Law enforcement is at the mercy of mobile phone manufacturers, according to University of Cambridge researchers.

Unlike PCs, where "deleted" data can still easily be accessed, information wiped from a mobile phone's internal memory can be almost impossible for the police to recover, according to Tyler Moore, a researcher at the University of Cambridge Computer Laboratory. This can hinder police investigations due to a lack of evidence.

"Standard forensics tools don't address the less popular types of phone," warned Moore, speaking at the Workshop on the Economics of Information Security in Cambridge on Monday. "Sixteen percent of phones are not accessible beyond the memory on the SIM card. This is a consequence of using proprietary as opposed to open standards," Moore told ZDNet UK.

When a user tries to delete data on a PC, the information is not actually removed. Instead, the pointers to the data are deleted, but investigators can still recover it. While mobile phone data is typically treated in the same way, the proprietary nature of the mobile phone market means that information is stored and handled in non-standard ways. This makes investigations more expensive and uses up valuable resources, according to Moore.

Interface commands of proprietary phone technologies also vary widely, which means it isn't economically viable to make forensics tools for less popular types of phone.

"Developing technologies for extracting proprietary data has a higher fixed cost. Inexpensive data extraction is only possible if common storage formats and procedures are adopted," said Moore.

However, computer security experts did not agree that the police are hindered in their investigations by proprietary phone technologies, since it is also possible to gather evidence about mobile use from the network provider.

"Why bother with examining deleted text messages when you can get data of who is talking to who? With the right warrant, you can also read traffic in real time," said Peter Sommer, who has appeared as an expert forensics witness in several court cases.

"Nearly all crimes also exist in the physical domain — real people with real houses, and real cars [which can be tracked] moving around. Police correlate both real and virtual data in an investigation," Sommer said.

However, Moore argued that most crimes don't occur when a suspect is under surveillance.

"A lot of crimes aren't premeditated," said Moore. "There's a difference between getting a warrant and keeping them under surveillance rather than arresting someone at the scene of a crime when they haven't been under surveillance."
