Cellphones packed with text messages, emails, phone numbers, photos, location data, and chat logs are valuable sources of information for criminal investigators. Many of the phones that law enforcement officers confiscate, however, are locked by passwords, damaged, or contain encrypted data.
Since 2001, the Cyber Crimes Unit of the Ohio Attorney General’s Bureau of Criminal Investigation (BCI) has been helping law enforcement gain entry to, and find evidence on, not only cellphones, but also computers, external drives, memory cards, cameras, gaming systems, DVRs, car navigation systems, and more.
When Ohio Attorney General Mike DeWine took office in 2011, he recognized the importance and scope of digital evidence and increased the size of the unit, which had been operating with four employees.
“This unit is a great tool for law enforcement,” he said. “Amazing evidence can be found on phones and other devices.”
In 2016, nine special agents and eight computer forensic specialists in laboratories in London, Youngstown, Richfield, and Bowling Green worked on 945 phones and consulted with law enforcement on many other devices, said Vicki Angelopoulos, the special agent supervisor of the unit.
“If law enforcement requests help,” Angelopoulos said, “we can have agents out in the field 24/7. The key thing is that the information is so volatile that it can be lost if it is not appropriately seized or brought to us.”
Everyone in the unit has a specialty, but all of the members work as a team to get results, she said. The unit’s special agents are sworn officers and can perform forensic analysis of digital devices in the lab or at the scene and write and execute search warrants, too.
Sometimes, first responders and others ask members of the unit to speak about their work, Internet safety, and other topics.
“We are often requested to give presentations,” Angelopoulos said. “We are called in to discuss technology, how to talk about the evidence in a search warrant, and how to write proper search warrants.”
To submit evidence, the case investigator may contact BCI at 855-BCI-OHIO (855-224-6446), or the Cyber Crimes Unit directly:
- London: Diamond Boggs, 740-845-2418
- Bowling Green: Jeff Wappelhorst, 419-419-3590
- Richfield: Alica Kraemer, 234-400-3729
- Youngstown: Barb Rogers, 330-884-7545, or JoAnn Gibb, 330-884-7507
BCI will only accept evidence if the investigator has the proper legal authority, such as a search warrant, signed consent form, or a letter from the prosecutor.
Specialists turn to ‘advanced methods’
Experts at BCI’s Cyber Crimes Unit have retrieved information from a variety of PIN-protected, encrypted, and damaged devices.
Dylan Waggy and Jonathan Robbins, computer forensic specialists at BCI in London, said they have worked on phones that were waterlogged, bloody, melted, and smashed.
“Suspects may think PIN codes, pattern locks, and biometric locks hinder us from getting evidentiary information, but this might not always be the case by using advanced extraction methods,” Robbins said.
If a cellphone is in working order, the specialists start by connecting it to a computer and using special software to copy the phone’s data. The information can then be shared with the investigator and prosecutor. If that method doesn’t work, or can’t be performed because the phone is locked by a password, PIN, or fingerprint ID, or has a damaged screen, power port, data connection, or some other problem, the specialists might opt for an advanced method of extraction, with the prosecutor’s consent. These methods have the potential to cause permanent damage to the device and possible loss of evidentiary data.
- JTAG: Named for the Joint Test Action Group, this acquisition procedure involves opening the phone and exposing the circuit board’s Standard Test Access Ports (TAPs). The specialist solders wires to the TAPs, through which he or she can transfer data from the phone to a computer, where special software divides the information into categories, such as videos, chats, text messages, and calendar events, to be shared with investigators and prosecutors.
- ISP (In-System Programming): With this method, the specialist exposes the phone’s circuit board and solders hair-sized wires to resistors so data can be extracted directly from the phone’s memory chip.
- Chip-Off: If none of the other methods work, specialists remove the memory chip from the phone’s circuit board and extract the data using specialized equipment.
Tips for law enforcement
When dealing with cellphones at crime scenes, officers should:
- Immediately place the phone in airplane mode. “If you don’t put it in airplane mode, which disables all connections so nothing can communicate with the phone, people can send remote wipe signals,” Robbins said. If the officer can’t do that, the phone should be placed in a Faraday bag, which blocks signals and ensures the phone never connects with a network.
- Avoid opening apps or messages. “If law enforcement pokes around in a phone, they could change the date and time of access or accidentally delete stuff,” he said. “The evidence could be compromised.” In some circumstances, however, it might be necessary for the investigator to immediately find something on the device. In that case, it is important for the investigator to document exactly what he or she did and to proceed with caution.
- Get the phone to BCI without delay. Agents will file preservation letters with third-party apps, such as Facebook and Snapchat, and phone service providers. “The letter says, ‘We’re doing an investigation on this account, please save this information for us. When we are ready, we’ll come and get it with a search warrant,’” Robbins said. “Even if they go on Facebook and start deleting stuff, we will have the information the way it looked at the time of the request,” Waggy said. Even phone providers only keep information for 30 to 60 days, unless they receive a preservation letter. Vicki Angelopoulos, the special agent supervisor of the unit, said, “It’s important to get us involved immediately. Please request our assistance on Day 1, not Day 15.”
- Obtain a search warrant, signed consent form, or a letter from the prosecutor to access the phone.