
Digital Investigation (2004) 1, 266-272

www.elsevier.com/locate/diin

Forensic examination of mobile phones

Barrie Mellars
Digital Crime Unit, LGC, Queens Road, Teddington, Middx TW11 0LY, United Kingdom
E-mail address: barrie.mellars@lgc.co.uk

KEYWORDS: Mobile phones; SIM cards; Cellular telephone network; Forensic investigation

Abstract. The proliferation of mobile phones in society has led to a concomitant increase in their use in, and in connection with, criminal activity. The examination and analysis of all telecommunications equipment has become an important aid to law enforcement in the investigation of crime. An understanding of the mechanism of the mobile phone network is vital to appreciate the worth of data retrieved during such an examination. This paper describes in principle the way a cellular mobile phone network operates and how the data is processed. In addition it discusses some of the tools available to examine mobile phones and SIM cards and some of their strengths and weaknesses. It also presents a short overview of the legal position of an analyst when examining a mobile phone.
© 2004 Elsevier Ltd. All rights reserved.

The use of mobile telecommunication systems in worldwide society has now reached almost epidemic proportions. There is scarcely any aspect of life in modern society that has not been impacted by the ability to send and receive voice and text messages almost at will. Indeed mobile communications have instigated a significant shift in the way in which people today both communicate and react to each other.
Vodafone made the UK's first mobile call a few minutes past midnight on 1 January 1985. Within 15 years, the network became the largest company in Europe and the largest of its kind anywhere in the world. Vodafone was quoted as saying that almost every second UK citizen would have a mobile by the year 2000 (Vodafone UK).
The reality is that more than 80% of the UK population now have daily access to a mobile phone.
The UK networks Vodafone, Orange, O2 and T-Mobile (Deutsche Telekom) alone claim to have over 230 million customers worldwide.
On a worldwide basis, it is projected that 650 million wireless handsets will have been sold in 2004 and 730 million will sell next year. Trikon Technologies Inc., which makes equipment used in the construction of cell-phone components, said in a recent release that the worldwide handset market is forecast to reach 1 billion units by 2006 (www.trikon.com/pdfs/TRKN-26May04.pdf).

1742-2876/$ - see front matter 2004 Elsevier Ltd. All rights reserved.
doi:10.1016/j.diin.2004.11.007


In the UK this translates to vast numbers of voice calls daily (the exact numbers are not known) and increasing numbers of text messages:

[Chart: Average number of text messages sent per day in the UK (person to person chargeable messages), in millions of messages, plotted by month from April 1998 to June 2003 on a vertical axis running from 10 to 70 million. Source: Mobile Data Association, www.text.it]

Given the numbers and ease of use of mobile communications, it is no surprise that the criminal elements of society have made enormous use of the technology, both in the pursuit of crime and for the profits to be made in the traffic of stolen equipment.
So how do mobile phones operate, given the huge amounts of data that fly around the airwaves at any one time?
Mobile phones are two-way radios that use radio frequency waves (a type of electromagnetic field, EMF) to communicate information. The radio signal from the handset is transmitted to the antenna of the nearest base station, which then passes the signal on to the network and through to its destination (Fig. 1).
The building blocks of a mobile phone network are radio base stations that transmit and receive calls. The term base station refers to the antenna fixed to the mast and connected to the radio transmission equipment stored in a secure cabinet. Each station covers a small area called a cell, hence the term cellular. As radio waves reach only limited distances, mobile communication over a large geographical area requires a network of many base stations, with each station providing radio coverage over a particular area.
The size of mobile phone cells varies. In the countryside base stations may be 10 km apart, but in towns only 500 m can separate them. Each base station can only handle a limited number of calls. In a city many people may be making calls at once, so many base stations are required to handle them. The power of the base station transmitters must be carefully calculated to avoid interference. To achieve this, cells are grouped in clusters in which each base station uses a different frequency, represented in Fig. 2 as different colours. These frequencies are then re-used in neighbouring clusters.

Forensic examination
Mobile phones contain a plethora of information, both in the handset and on the accompanying Subscriber Identity Module (SIM) card contained within the handset. The quality of this information depends heavily on the order and process of data extraction. An understanding of this process will aid the successful recovery of relevant data.
The process of data recovery can and does have a major impact on the information stored on the phone, particularly that found in the handset. If, for instance, the battery of a Nokia 3310 is removed, the date/time stamp information is immediately lost. For this reason not only the order but also the method of retrieving the information is vital and must be undertaken in a carefully controlled manner.
There are three classifications of data that can be obtained from a mobile phone:
• Location information.
• Billing information including call logs.
• Locally stored handset data.
The first two can only be retrieved through the airtime provider, i.e. Vodafone, O2 etc., but the information needed to enable the networks to retrieve the data is stored on the handset. Thus all three groups are very closely linked.

[Figure 1. How mobile phones work. Diagram labels: the call is received by the nearest base station; the base station controller determines the power of the transmitters, manages the handover of calls from one cell to the next if you are moving, and passes the call to the Mobile Services Switching Centre (MSSC); the MSSC patches the call into the Public Telephone Network, which directs the call to the mobile or landline; the Visitor Location Register requests user details from the Home Location Register and tells the network where the phone is; the Home Location Register holds all information on every user; the Authentication Centre security checks the caller ID on the SIM and generates the encryption key for the call; the Equipment Identity Register requests the IMEI from the phone and bars the call if blacklisted.]
The way the data are stored on the handset will depend to a large extent on the make and model of the phone. Simplistically speaking, the newer the model, the greater the sophistication and the larger the amount of data stored. The older Nokia models, for instance, store the entire phonebook on the SIM, whilst the newer models allow the user to choose not only whether to use the SIM or handset but even which memory location slot. This was useful in a recent case in which the location number held a strong link to the date of a death.
For all makes and models the data that will be retrieved in any investigation are:
• Date and time of calls and text messages (assuming the date/time stamp of the handset has been set by the user).
• Calls made, received and missed.
• Text messages received (current and deleted).
• Text messages sent (depending on model).
• The phone's own number (sometimes called the MSISDN).
• The phonebook.
Even if the user has set an access PIN number, the phone can be unlocked using a Personal Unlock Code (PUK) supplied by the airtime provider, but only after certain technical data have been retrieved from the handset and SIM.
The amount of data retrieved by interrogation of the handset can be very large and highly useful to an investigating officer. The Nokia 9220 combined phone and PDA, for example, can hold up to 64 MB of data in standard trim. Even the old humble Philips Fizz will hold 50 numbers in the phonebook and the last 20 calls made. However, it is not sufficient merely to obtain the data; it must be done in a manner that is acceptable to the courts.
As with computers the basic tenet is:
DATA MUST NOT BE CHANGED EITHER DURING OR AS A RESULT OF EXAMINATION.

[Figure 2. Base station cell clusters. Diagram labels: large cells for less densely populated areas; a narrow beam provides coverage along roads; each cell is designated a fraction of the frequencies available to the network; cells are grouped together in clusters of 2, 7, 12 or 21, and these clusters are then repeated over the entire area the network covers, allowing frequencies to be reused in non-adjacent cells.]

However, whilst it is a simple matter to isolate a computer hard drive and take a forensic image, doing so with data held on a mobile phone handset is an altogether trickier matter. The primary need is to prevent the handset logging on to the nearest network cell and thereby to stop the download of new data, which may overwrite existing data. Isolation of mobile phone systems is a subject in itself and as such is beyond the scope of this article.

Forensic tools
There are a number of systems for downloading the SIM data in a forensically sound manner. These may be divided into three distinct classes:
1. Forensic examination.
2. SIM readers.
3. Manufacturers' tools.
All of the above will show the portable data from the SIM card, but retrieving dynamic handset data requires electronic access, which has the potential to amend it. Most modern handsets have cable, infrared or Bluetooth connections, which may be used with forensic software such as PhoneBase, Oxygen or Cell Seizure to extract stored information.

Class 1: Forensic examination
Examples of these tool types include:
• PhoneBase (Envisage Systems Ltd (www.envisagesystems.co.uk))
• SIMIS (Crownhill Associates (www.crownhill.co.uk))
• Cell Seizure (Paraben (www.paraben-forensics.com))
• Oxygen Forensic Manager (www.oxygensoftware.com)

[Figure 3. Typical examination data from PhoneBase.]

Most analysts choose to use an armoury of software depending on the type of handset under investigation. All of these systems have limitations.
Oxygen Forensic Manager works only with certain models of Nokia phones but is both robust and reliable for handset data. A major drawback is the lack of a single report: the data must be extracted according to type, i.e. the abbreviated dial numbers will export in a number of formats but the call data will only export as csv or Excel files. Oxygen is not a SIM card reader.
PhoneBase until recently would only retrieve the SIM data, including deleted SMS text messages, but the introduction of a major upgrade to version 2 now includes a mechanism for retrieval of handset data from a limited range of Nokia handsets via an infrared link, which has proved in practice to be a little fragile. However, PhoneBase does produce an MD5 hash in a security file to allow a good audit trail. The company is planning to considerably expand the range of handsets in the near future. PhoneBase produces a very user-friendly report, which is based on the well-known and extensively used Crystal Reports engine. The report format has proved popular with both law enforcement and defence officers. Figs. 3 and 4 show screenshots of typical examination data obtained from PhoneBase.

[Figure 4. Typical examination data from PhoneBase.]

[Figure 5. NSLEC mobile phone examination guidelines: a decision flowchart, not reproduced here. Its decision nodes ask whether the mobile phone was seized as evidence under a statutory power of search/seizure (e.g. S32 PACE or a search warrant); whether the written consent of the owner to examine the phone has been obtained; whether the phone was on or off when seized (DO NOT switch on a phone seized off; turn the phone off IMMEDIATELY the power of search/seizure expires); whether a serious arrestable offence (PACE sect 116) or serious crime (RIPA sect 5(3)) is under investigation; and, for stored SMS messages (opened or unopened), address book/call history details and voicemail, whether the written consent of ALL parties, or of the intended recipient(s) or sender(s), has been obtained. Its outcomes are that the examination is lawful or UNLAWFUL, that authority to interfere with property (i.e. the phone) under Part III Police Act 1997 must be obtained BEFORE examination, that a directed surveillance authority in respect of the other party to the SMS should be sought under RIPA, that a Production Order under PACE 84 Sch 1 or Drug Trafficking Act 1994 S55 should be applied for and served upon the service provider, who will produce voicemail data in an evidential format or otherwise make it available to law enforcement, and that, if the criteria are met, an application for an Interception Warrant (RIPA sect 5) should be considered.]
The Cell Seizure Toolbox product is Paraben's recent foray into the world of mobile phones, having been prominent for some years in the field of PDAs. Paraben's Cell Seizure currently supports certain models of Nokia, Sony-Ericsson, Motorola and Siemens and produces a verification of file integrity, but does not come as a complete kit; the SIM reader must be bought as part of a separate package. Cell Seizure also produces an excellent report but is still relatively new and untried in Europe.
SIMIS by Crownhill is the granddaddy of cellphone SIM software, having been around now for some years. It is tried and tested and is extremely robust, producing vast amounts of highly technical data, albeit in a rather user-unfriendly report format that requires considerable patience to read. SIMIS is used in my laboratory as the final arbiter for technical data in any case of dispute. A major drawback is the sheer size of the SIMIS report, which can extend to over 20 pages on even a very small amount of data.
Radio Tactics have taken the computer forensics approach and use a system that clones the SIM card on to another blank SIM card for examination purposes. This has the advantages of ensuring that the original media remains untouched and thereby unaltered, that the data is protected from any incoming call data, and at the same time of providing a snapshot of the data, which may be saved for any potential challenges in the future. The drawback is the cost, as the system requires a licence payment for each examination.
All these commercial systems extract data via a write-block mechanism to ensure evidential integrity.
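The audit trail that the MD5 security file provides can be reproduced for any extraction. The following is an added example, not the paper's own code nor that of any tool it names: the files an extraction produced are hashed into a manifest, which later shows whether anything was modified, removed or added. The case folder and file names are constructed for the example.

```python
# Added example (not from the paper or any tool it names): an audit trail in the
# spirit of the MD5 "security file" described above, with SHA-256 alongside MD5
# because MD5 alone is no longer a trustworthy integrity check. Names are constructed.
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

ALGORITHMS = ("md5", "sha256")  # MD5 kept for parity with the tool's security file

def hash_file(path: Path) -> Dict[str, str]:
    """Return {algorithm: hex digest} for one file, read in chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def build_manifest(extraction_dir: Path) -> Dict[str, Dict[str, str]]:
    """Hash every regular file under the extraction folder, keyed by relative path."""
    files = sorted(p for p in extraction_dir.rglob("*") if p.is_file())
    return {p.relative_to(extraction_dir).as_posix(): hash_file(p) for p in files}

def write_manifest(extraction_dir: Path, manifest_path: Path) -> None:
    """Record the manifest; keep it outside extraction_dir so it is not hashed itself."""
    manifest_path.write_text(json.dumps(build_manifest(extraction_dir), indent=2, sort_keys=True))

def verify_manifest(extraction_dir: Path, manifest_path: Path) -> Dict[str, List[str]]:
    """Compare the folder's current state with the manifest; all lists empty means intact."""
    recorded = json.loads(manifest_path.read_text())
    current = build_manifest(extraction_dir)
    return {
        "modified": sorted(k for k in recorded if k in current and current[k] != recorded[k]),
        "missing": sorted(k for k in recorded if k not in current),
        "unexpected": sorted(k for k in current if k not in recorded),
    }

def run_demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed scenario: hash an extraction, then tamper with it and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        extraction = root / "case_0001_extraction"  # constructed case folder
        (extraction / "sim").mkdir(parents=True)
        (extraction / "handset").mkdir()
        (extraction / "sim" / "phonebook.txt").write_text("01 Dave 07700 900102\n")
        (extraction / "handset" / "call_log.csv").write_text("2004-03-13 23:41,out,07700 900102\n")
        manifest = root / "case_0001_manifest.json"
        write_manifest(extraction, manifest)
        intact = verify_manifest(extraction, manifest)
        (extraction / "handset" / "call_log.csv").write_text("edited after extraction\n")
        (extraction / "sim" / "phonebook.txt").unlink()
        (extraction / "handset" / "notes.txt").write_text("added later\n")
        tampered = verify_manifest(extraction, manifest)
    return {"intact": intact, "tampered": tampered}

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```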

Class 2: SIM readers
Examples of these programs include: Dr SIM, SIMGuard, SIMClone, SIMScan, SIMMaster, SIMCopy, SIM-Backup, SIM Tools, Dekart SIM reader and many more. All are designed to allow users to back up the data on their cards and do not have any forensic integrity. The Dekart SIM reader is of interest in that it uses a memory stick.

Class 3: Manufacturers' tools
In addition to the above programs there is the huge number of software packages produced by the manufacturers of the mobile phones, designed to back up, restore, synchronise or transfer data to and from their phones and domestic computers. Whilst on occasion it is useful to have access to these programs, it is vital to appreciate that they are not forensic tools but are designed to allow free alteration of stored and dynamic data, and as such must be used with extreme caution. The same prudence must also be exercised when using any of the commercial SIM reading systems that are now freely available and marketed as means of backing up or transferring data from SIM cards.
Older models of handset, however, often do not have electronic connections and require the old-fashioned technique of manual extraction using two analysts; a time-consuming and expensive method.

Case histories
In addition to the traditional text-based information found on mobile phones, there is now the facility on many units to take and store images using integral cameras, as well as to receive images from other users. The quality of these images is limited but is still sufficient to permit clear identification in many instances. It is not uncommon now to find units capable of storing hundreds of images, particularly in the units with a removable memory card.
In a recent case a suspect was accused of possessing and dealing in Class A drugs. Subsequent examination of the handset showed the suspect preparing packages containing white powder, with the additional bonus of clearly showing a clock and calendar in the background.
Mobile phones have been used in a number of cases involving children groomed on the Internet who were subsequently assaulted. Call data showing dates and times, text messages and on occasions pictures have all led to convictions.
Another example of the use to which law enforcement agencies put mobile phone data was a murder committed outside a nightclub in the UK. The murder followed an incident in the club and was committed outside by a number of males who had been summoned for this purpose using a series of mobile phones. Examination of the seized handsets showed a clear pattern of communication between the accused at the time in question and was accepted as prima facie evidence of a conspiracy.
In another case involving false accounting and benefit fraud the data retrieved from the mobile phones were cross-referenced using specialist software. The results obtained clearly showed that the basis of the defence case (that the accused were not known to each other) was false and that there was a long-standing association amongst all the defendants. All defendants were found guilty and sentenced accordingly.
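The cross-referencing used in the nightclub and benefit fraud cases above can be illustrated on a small scale. The following is an added example, not the paper's own code nor the "specialist software" it mentions: extractions from several seized handsets are compared to find phonebook links and calls between them within a time window, marking a call corroborated when both handsets logged it. All handset records are constructed (the 07700 900xxx numbers are reserved for fiction).

```python
# Added example, not from the paper or the "specialist software" it mentions:
# cross-referencing constructed extractions from several seized handsets to show
# whether their users were in contact. Exhibit ids H1-H3 and all data are made up.
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Per handset: own number (MSISDN), phonebook, call rows (timestamp, direction, number).
HANDSETS = {
    "H1": {"msisdn": "07700900101",
           "phonebook": {"Dave": "+44 7700 900102", "Taxi": "07700900900"},
           "calls": [("2004-03-13 23:41", "out", "07700900102"),
                     ("2004-03-13 23:44", "out", "07700900103")]},
    "H2": {"msisdn": "07700900102",
           "phonebook": {"Mum": "07700900555"},
           "calls": [("2004-03-13 23:41", "in", "07700900101"),
                     ("2004-03-13 23:47", "missed", "07700900103")]},
    "H3": {"msisdn": "07700900103",
           "phonebook": {},
           "calls": [("2004-03-13 23:44", "in", "07700900101"),
                     ("2004-03-10 09:00", "out", "07700900900")]},
}

def normalise(number: str) -> str:
    """Digits only, in national form, so '+44 7700 900102' matches '07700900102'."""
    kept = "".join(ch for ch in number if ch.isdigit() or ch == "+")
    return "0" + kept[3:] if kept.startswith("+44") else kept

def owners_by_number(handsets: Dict[str, dict]) -> Dict[str, str]:
    """Map each seized handset's own number to its exhibit id."""
    return {normalise(h["msisdn"]): hid for hid, h in handsets.items()}

def phonebook_links(handsets: Dict[str, dict]) -> Set[Tuple[str, str]]:
    """(A, B) wherever handset A's phonebook stores handset B's own number."""
    owners = owners_by_number(handsets)
    return {(hid, owners[normalise(n)]) for hid, h in handsets.items()
            for n in h["phonebook"].values()
            if normalise(n) in owners and owners[normalise(n)] != hid}

def calls_between(handsets: Dict[str, dict], start: str, end: str) -> List[dict]:
    """Calls between seized handsets in [start, end]; logged on both sides = corroborated."""
    owners = owners_by_number(handsets)
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    seen: Dict[Tuple[str, str, str], int] = {}
    for hid, h in handsets.items():
        for ts, direction, number in h["calls"]:
            other = owners.get(normalise(number))
            if other is None or not lo <= datetime.fromisoformat(ts) <= hi:
                continue
            # "in" and "missed" both mean the other handset placed the call
            a, b = (hid, other) if direction == "out" else (other, hid)
            seen[(a, b, ts)] = seen.get((a, b, ts), 0) + 1
    return [{"from": a, "to": b, "at": ts, "corroborated": n >= 2}
            for (a, b, ts), n in sorted(seen.items())]

def linked_pairs(handsets: Dict[str, dict], start: str, end: str) -> Set[frozenset]:
    """Every pair of handsets connected by a phonebook entry or a call in the window."""
    pairs = {frozenset(p) for p in phonebook_links(handsets)}
    return pairs | {frozenset((c["from"], c["to"]))
                    for c in calls_between(handsets, start, end)}
```

Run against the constructed data, the three handsets form one connected group around the night of 13 March 2004, with two corroborated calls and one call (H3 to H2) seen only on the receiving handset.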

Process of examination
In addition to the many pitfalls that can await the mobile phone analyst is the onus of ensuring that all examinations are conducted within the law. Under UK law seizure of units must fulfil the criteria laid down under PACE (http://tash.gn.apc.org/pace_act.pdf); there must be appropriate authorities to examine under the Police Act 1997 (http://www.hmso.gov.uk/acts/acts1997/1997050.htm); and the implications of RIPA 2000 (http://www.hmso.gov.uk/acts/acts2000/20000023.htm) and the Telecommunications Act 1996 (http://www.communicationsbill.gov.uk/legislation/Telecommunications_Act_1984.doc) and 2000 (http://www.hmso.gov.uk/acts/acts2000/20000007.htm) have to be fully understood to be certain that during the examination there is no breach of current legislation.
The National Specialist Law Enforcement Centre (NSLEC) (http://www.centrex.police.uk/business/law.html) produces a helpful flowchart (Fig. 5) which amply illustrates the complexity of this process.

References
Crownhill Associates: www.crownhill.co.uk.
Envisage Systems Ltd: www.envisagesystems.co.uk.
Vodafone UK: www.crownhill.co.uk.
<http://www.hmso.gov.uk/acts/acts1997/1997050.htm>.
<http://www.hmso.gov.uk/acts/acts2000/20000023.htm>.
<http://www.hmso.gov.uk/acts/acts2000/20000007.htm>.
Paraben: www.paraben.com.
Radio Tactics: www.radio-tactics.com.
Oxygen Software: www.opm-2.com/forensic.
