As I had previously mentioned in my post from April 29, 2014, I totally expected the Supreme Court to rule that a search warrant would be required to search cell phones.  I had also mentioned that SCOTUS should stipulate the due to the advancements in technology, they should consider that seizure of volatile data should be available without a warrant.  Unfortunately, the hope for this second portion did not happen. 

On the subject of remote wiping of cell phones, i
t is sad to see that the SCOTUS used a source referred to in the opinion that they viewed as "anecdotal examples of remote wiping triggered by an arrest.
"  Perhaps they should have had staffers consult with real practitioners who have seen actual remote wiping happen on real cases.  During a recent consultation with a local law enforcement agency in South Florida, I was informed that not only was an iPhone remotely wiped after arrest, but a message of "F the police" was displayed on it as well - how anecdotal is that?

As a solution to the remote wiping threat, SCOTUS mentioned that officers can either power off the device or pull the battery - sure, this works.  They also mention the use of faraday bags to secure mobile devices from the network.  Although this may work in some situations, they are not foolproof.  In every class I teach regarding mobile forensics, I talk about these faraday bags and also demonstrate how, depending on a variety of environmental factors, they do not work properly - yes, I carry one with me to every class.

Speaking of anecdotal, I have to point out another part of this opinion which is quite interesting on how it was used.  The opinion states:

Remote wiping occurs when a phone, connected to a wireless network, receives a signal that erases stored data. This can happen when a third party sends a remote signal or when a phone is preprogrammed to delete data upon entering or leaving certain geographic areas (so-called “geofencing”)

Hmmm... I have not found many references to this other than an enterprise solution for policy administration on iOS devices.  According to the Citrix site I found with reference to this, it states: "
Geo-fencing in Device Manager allows you to define a geographic perimeter for an iOS device. You can then perform a selective or full wipe upon the breach of the perimeter you set. The policy also notifies Device Manager and the device user when the device has moved beyond the defined radius of the policy. You have the option of setting a delay before the device is wiped, which can give the user time to return to the allowed GPS location perimeter."  Please tell me SCOTUS, just how is an average user that gets arrested going to have this ability?

Again, the search warrant requirement was not a surprise in the least.  I fully expected it.  However, I wished that the justices would have considered how technology has, and will always be ahead of the law of the land.  A forward-thinking decision to enable law enforcement to seize the contents of the device, much like what is done using a mere preservation letter to a cell phone carrier or internet service provider, would have been extraordinary.  Unfortunately, we must live with what
Chief Justice John Roberts stated in the opinion, "It is true that this decision will have some impact on the ability of law enforcement to combat crime." - what an understatement!

PS... SCOTUS referred to a DRAFT document by NIST instead of the final version which was available to them since last month at http://dx.doi.org/10.6028/NIST.SP.800-101r1.

The full opinion can be downloaded at http://www.supremecourt.gov/opinions/13pdf/13-132_8l9c.pdf
 

RE: U.S. v. Wurie (13-212) and Riley v. California (13-132)

 
 
I will be teaching the Cellebrite 5-Day Mobile Device Examiner Course at the North Miami Beach Police Department May 19-23, 2014 (registration link below).

The Cellebrite Certified Mobile Examiners Course is designed for the intermediate and advanced investigator / digital forensic examiner. This 5 day course combines the curriculum from the Cellebrite Certified Logical Operator (CCLO) and the Cellebrite Certified Physical Analyst (CCPA) Courses providing the participant with an intense exposure to Cellebrite UFED, Physical Analyzer Software and all of the core competencies associated with examination of mobile devices using Cellebrite’s Tools and methodology.  During the course two optional written exams and two optional practical skill challenges are administered and students may earn the Cellebrite Certified Logical Operator Certificate (CCLO) and the Cellebrite Certified Physical Analyst (CCPA), both of which are prerequisites for entering the Cellebrite Certified Mobile Examiner Process.


REGISTER HERE
 
 
Back in January of this year, Cellebrite published an iOS application to help examiners identify phones in the field.  UFED Phone Detective is a simple tool for investigators to identify mobile devices, and determine what capabilities exist for extracting data from those devices.

The application is available for both iPhones and iPads with a graphical user interface which works very similar to the UFED Touch and UFED4PC device.  It allows you to search for vendors and mobile device names and even find out if Cellebrite can acquire the data even if the device is locked.

If you already have access to the Cellebrite portal, you will need to use your same credentials to access and use the application.  This is a nice and free tool to have for anyone involved in digital evidence investigations!

Here is a direct link to the iTunes store to get the app!