• Simon Varley


With almost all adults carrying a cellphone wherever

they go, there is a high probability that any

legal case whether employment, criminal or

otherwise will involve cellphone data in some way. Although

we know cellphones may be relevant it is not always

easy to determine benefits of collecting and analyzing

cellphone data. To help with this determination I have

detailed below four tasks that a cellphone forensic expert

is commonly asked to perform:

1. Create an Activity Timeline

A cellphone forensic expert can use the data from a cellphone

and produce a timeline of activity for any given

time period. This includes many different types of activity

from web searches to the sending of text messages. This

timeline of data can be used to identify behavior, location,

and to some extent the frame of mind of the cellphone

user during that period. An example of a ‘frame of mind’

investigation would be where a cellphone user has

claimed to be in fear of their life. The cellphone forensic

expert would then review the timeline for what messages

they sent to their friends, whether they downloaded the

new version of a game they play on their cellphone etc. All

these activities would be inconsistent with behavior under

intense stress.

2. Recover and Analyze Communications

People constantly chat or message with each other. They

tell each other what they plan to do, what they are currently

doing and what they have just done. This, as you

can imagine, can be a valuable source of evidence for any

case. A cellphone forensic expert can not only recover and

validate the existence of messages on a device but also

recover a number of messages that have been deleted.

In the last year or two the number of different applications

that people use to communicate has increased exponentially.

These apps, for the most part, store data on the

cellphone that can be retrieved by a forensic expert. Some

of these messaging apps are more difficult to recover data

from, such as Snapchat.

Snapchat is a messaging application that deletes evidence

off the cellphone itself and leaves very little for the examiner

to review. The examiner may however analyze any

artifacts that may remain and possibly help to determine

the existence of prior communication between two parties

even though message content is unavailable.

With the complexities of these newer applications, cellphone

forensic experts can also be used to testify as a way

of explaining their function and use to the court.

3. Analyze and Map Location Information

A cellphone forensic expert can analyze the cellphone data

and recover location information from a large number

of storage locations on the device. A map of activity over a

given timeline can then be prepared to inform issues in a

case. The location data itself can be found in a number of

different locations on the cellphone. Images and videos

can store location information within the files’ ‘metadata’.

Metadata is information about a file that is saved such as

‘creation date’, ‘last modified date’, and location that is

embedded in the file itself. It is this location information

in the metadata that allows an iPhone to group user photos

by location such as ‘London, UK’.

Another source of location information for the examiner

is the Wi-Fi network logs. When a cellphone connects to a

Wi-Fi network some useful information is stored along

with the name and the connect date and time. Wi-Fi data

for hotspots not even connected to may also be present as

cellphones perform an initial ‘handshake’ with the

hotspot prior to connection. The Wi-Fi data can be used

to identify a location such as a particular branch of a bank

or a local coffee shop which can be particularly useful in

wage and hour cases.

Navigation applications can be an obvious source of location

history, and it’s not unheard of for criminals to input

a crime scene’s address into a map application to find the

quickest route. These apps store route data that can also

be added to the examiner’s report.

Many websites communicate with cellphones and use its

data to track its location during a certain time period. One

particular website is Google’s 'Timeline'. Timeline tracks a

Google user's movements with relatively high accuracy

and utilizes location data from known Wi-Fi networks

such as fast food restaurants and coffee shops.

4. Map Network Cell Tower Data

In addition to location data stored on the cellphone itself,

cellphone forensic examiners will be able to assist in

collecting and mapping location data from the cell networks

themselves. The cell networks record which section of

which cell tower is in communication with the cellphone

when a call or SMS is sent or received. This data can provide

key evidence however the period of time that the networks

retain this information varies by network from one

to seven years. Up until last year these cell tower records

were available via subpoena, however a Supreme Court

ruling last year (Carpenter v. United States, No. 16-402,

585 U.S. (2018)) held that it is now private data and is

protected. This means that although the subscriber can

easily request their own data from the network with a

notarized form, access to any other subscriber’s data

requires a court order or search warrant.



For nearly 20 years, Simon has provided digital forensics

and security services to governments, corporations, and

law firms. His expertise in cell phone forensics is at the

highest levels, having received multiple certifications and

advanced training in that area. Simon has been approved

as an expert by several courts and is a regular presenter

to industry and legal professionals on digital forensics

and e-discovery. He received a Bachelor of Science degree

with honors in Electronics from the University of Central

Lancashire in England.