Cross-examining the Cell Phone Forensics Expert at Trial
This post briefly discusses techniques for accessing and preserving cell phone data and provides pointers for conducting cross-examination of the cell phone forensics expert at trial.
As the Apple v. FBI battle percolates, let's take a step back and think about the critical role that cell phone forensics play at trial. Our cell phones contain a tremendous amount of information about our lives -- the people we know, the people we talk to on a daily basis, the content of our e-mail and text message communications, our historical whereabouts, etc. It comes as no surprise that the Government is pressing as hard as they are to gain access to the latest iOS phones, since they are currently missing a critical piece in investigating and prosecuting crimes of every kind. Once the data can be accessed, it needs to be extracted in a forensically sound manner so that it may be introduced as evidence at trial.
The utility of cell phone data in litigation cannot be underestimated. This holds true in cases ranging from homicide to employee breach of contract. Setting aside any search warrant or discovery issues, the forensic investigator's objective is to extract the phone's data so that it can be used at trial. This is typically accomplished by first taking preventive measures to ensure the phone's data is not altered in any way, then using specialized software to extract the contents of the phone.
The Government often uses a software and hardware package called "Cellebrite", which depending on the model of the phone, can extract its entire contents and generate a .PDF report with detailed information. The report will typically contain the phone's e-mails, text messages, photos, contacts, browser history, etc. Depending on the nature of your case, there can be useful information buried deep in the phone that may be extracted using advanced features built into cell phone forensic software (and is also beyond the scope of this article).
So now you have a Cellebrite report and an expert notice that a cell phone forensics expert will be testifying at trial, what can (or should) you ask this person on cross?
The answer depends on a number of factors including the nature of your case, your defense at trial, the value of the cell phone evidence to the case, etc.
Let's use as an example a criminal conspiracy case. By its nature, conspiracy cases are often about who was talking to who about what, at what time. To prove the case, the Government may rely upon text message data extracted from the phones of several co-conspirators to prove those elements (the who who what and when), more specifically to argue that messages discussing the object of the conspiracy were sent at a certain time and date.
With a few precise questions, the well-prepared defense lawyer may be able to raise a few questions about the actual timing of the messages, which can be an important issue to the case:
CROSS-EXAMINATION BY MR. HOROWITZ:
. . .
Q. I just want to ask you a few questions about the time stamps that you testified about on direct. You said that if you look in the top left-hand corner, that time corresponds to
the time that the message was received by that phone, right?
A. I'm sorry, which time are you referring to?
Q. Where it says Sunday, December 16, 2012?
A. Yes.
Q. Those time stamps on the text messages that you testified about, they are obtained from the phone's internal clock, right?
A. That's correct.
Q. The time that the phone is set to can be altered in the phone's settings, right?
A. It depends on the device. Usually the time is retrieved from whatever network it is connected to.
Q. But for this specific phone, you don't know whether that is the case, right?
A. Not off the top of my memory.
Q. It is possible then that the dates and times that are reflected here do not accurately represent the time that those messages were sent or received by the phone, right?
A. It is possible.
MR. HOROWITZ: Thank you. Nothing further, your Honor.
It is also important to be thorough in analyzing the forensic analysts worksheets that he or she should have filled out at the time that they conducted the forensic examination. For example, sound cell phone forensic practice dictates that the phone should be cut-off from all communication with outside networks to ensure the integrity of the phone's data. The failure of an analyst to follow this procedure gives rise to a few questions:
Q. I want to start by asking you a few questions about sound forensic practice when you're conducting a cell phone examination.
A. Sure.
Q. Now, you testified on your direct that you have had about 60 hours of classroom training in conducting cell phone forensics, right?
A. Yes, sir. That's right.
BY MR. HOROWITZ:
Q. In that training, you're taught that one of the first things that you do when examining a cell phone is that you should isolate it from cell tower signals and Wi-Fi signals, right?
A. That's right.
Q. One of the most common ways to accomplish that is to put the phone into what is called airplane mode, right?
A. That's right.
Q. What that essentially does is it disconnects the phone from any outside cell towers or Wi-Fi signals, Bluetooth connections, that kind of thing?
A. Right.
Q. The reason that you do that is because it ensures that the phone isn't going to be sending or receiving any data at the time that you're conducting the examination, right?
A. That's correct.
Q. And that the information in the phone won't be altered in any way?
A. That's correct.
Q. In fact, you have testified in the past about the importance of this practice, right?
A. I specifically haven't testified about that practice, but other forensic examiners have.
Q. When you examined the phone ending in 2656, you didn't do that, right?
A. I don't recall doing that.
BY MR. HOROWITZ:
Q. If you look in the top left corner of the screen, you can see that the phone has obtained a cell phone signal while you were conducting the examination, right?
A. It appears to have connected to a network.
Q. So you didn't follow that practice, right?
A. Possibly not for this phone.
The bottom line is that the information that you want to extract on cross can vary widely depending on the nature of your case. However as a good starting point, the forensic examiners knowledge and examination techniques may provide fruitful areas to begin on cross, right off the bat, to question the integrity of their results and conclusions.
*The transcript is from an SDNY narcotics conspiract trial that ended up with a deadlocked jury, 8 to 4 for acquittal and a mistrial was declared. Full trancripts of cross-examinations of the 2 Government cell phone forensics experts from that trial are available here.