Mobile Forensics..A New Challenge



The increasing use of Mobile phones, prepaid cell phones as well as post paid, by the population as a personal means of communication has made Mobile Phones an important piece of evidence in many legal cases.  In the coming days, Mobiles will be used for e-commerce and the relevance of Mobile Evidence will assume greater importance.

Since Mobile phone is an electronic device there are several aspects of ITA-2000 that apply to the Mobile phone transactions.

These are early days of using of Mobile evidence and there is a very high possibility that an imperfect understanding of the technology by the Police, the Lawyers and the Judges may lead to wrong judicial decisions.

In view of the importance of the Mobile devices as Cyber Evidence we shall discuss some key elements of Mobile evidence for academic understanding and debate.

The important aspects for which Mobile evidence is being presently used are

a) To find out the numbers to which calls have been made from a given mobile with date and time

b) To find out the numbers from which the calls have been received in a given mobile with date and time

c) To know the contacts through the Phone book.

d) To know the details of recent SMS messages received

e) To know the details of SMS templates

f) To know the Ring tones and Games stored in the instrument

g) To know the Pictures and video clips stored in the mobile either on the SIM card or a flash memory card.

Of these, a) and b) are also available at the service provider's level. Also while the number of entries available on the instrument may be limited by the memory, the service provider has a more detailed and reliable data with timing for the purpose of billing.

What the service provider's data may provide is however the information as recorded at their system based on the SIM card recognized by the system.

If the data at the service provider's systems match the data of recently called and received numbers as found on the instrument, it could mean that the SIM card presently on the instrument has data matching with what is available at the service provider's level.

If the two data does not match it means that the SIM card data has been manipulated.

Manipulating SIM card data on the instrument is a very easy process and hence the data on the SIM card can only be taken as only an indicating evidence and has to be properly certified to be of any use in a court of law.

If the data on the SIM card is extracted from the Mobile after the mobile has been in the custody of the Police for some time, it is possible for the defense to take a stand that the data has been manipulated.

On the other hand the data at the service provider's level cannot be manipulated except with the connivance of the service provider or hacking into their system. Again here the data as found visible on the computers of the service provider can be taken as prima-facie evidence but if it has to be relied upon, there has to be a corroborative certification that the data is apparently not altered.

Since mobile conversations are not  presently recorded by the service provider and they are not normally available for any evidence.

If the conversation is hacked and recorded, then it will be a case of illegal tapping and the quality of the evidence needs to be evaluated by other parameters including a voice recognition.

The phone book details only provides information about the persons whom the mobile owner has been in contact and nothing more.

A few of the incoming SMS messages are normally stored on the mobile and along with time data corroborated with the service provider's information, may be evidence of an incoming message. Templates may indicate the likely outgoing information and if it contains any spam or obscene message, may indicate the intention of the mobile user and nothing more.

Ring tones and Games may be relevant from the point of view of copyright violations.

Details of pictures and video clippings on an accompanying memory card indicates the intentions of the mobile user and if they can be matched with any outgoing data packets, may be used as evidence for the likely outgoing message. These can be of use in case of any obscene pictures being transmitted from the mobile.

However linking the stored data to a sent message requires certain Forensic testing and it is doubtful if such capabilities exist with the Indian Police as of date.

Identification of Mobile

Essentially there are two identification aspects of a mobile device. Firstly the SIM card identity which allows the transactions of a mobile to be recorded in the service provider's records.

The second is the IMEI (International Mobile Equipment Identifier) which is associated with the hardware.

Some service providers monitor IMEI numbers with call data. In such cases if a mobile is stolen and a new SIM card is being used, it would be possible to run IMEI filters to block the stolen numbers.


It must be remembered that spoofing of SMS messages as well as voice messages is not impossible on a mobile.

Firstly it is possible to send SMS messages from a computing device with a false "Sender's Mobile Number".

Secondly, it is possible to pick a hand set and alter the SIM card data to make it look like a different SIM card and use it for sending offending messages or making calls which can be attributed to the original owner of the SIM Card.

For example a card belonging to Mr Fraud can be altered to match the SIM card of Mr Innocent and used for making calls to Targets 1 and 2 . Then if this SIM card is presented as evidence with or without the hand set of Mr Innocent, it is possible to create an evidence which appears as if Mr Innocent has made calls to Mr Targets 1 and 2.

Acceptance of SIM card data as evidence is therefore required to be accompanied by several collaborative Forensic  certifications that eliminate the possibilities of such manipulation.

Even though the IMEI number is considered a good identification of the hardware, it is said that in India  the existence of sets with duplicate  IMEI numbers is wide spread and hence the service providers have been reluctant to use IMEI blocking as a solution to immobilize stolen mobiles.

[P.S: In CDMA phones the identification is through what is called ESN-(Electronic Security Number) numbers.]

Further both IMEI numbers and ESN numbers can be modified with the use of right equipments and such practices are being regularly practiced by those who deal in stolen mobiles.

It must therefore be considered possible to clone a mobile if the person so charged is shown to have sufficient resources and access to technology.

Future of Mobile Evidence

The first impact of the recognition that Mobile Evidence can be modified, will be felt by the law enforcement authorities since evidence gathered by them in many cases will be questioned in the courts of law.

Just when the judiciary in India is grappling with understanding the evidentiary aspects of Computer records, the focus being generated on the Mobile Evidence will be a further challenge to the Indian judiciary.

The undersigned is in the process of  developing a Check list and Guidance Note to suggest the preferred procedure for Mobile Evidence Seizure, Preservation and Presentation as part of its activity to contribute to the "Mobile Forensics".

(Comments Welcome)


November 22, 2004

Related Article:

BJP’s Naroda MLA says she wasn’t at riot site, cell phone records say she was there

Mobile phones - the new fingerprints

For Structured Online Courses in Cyber laws, Visit Cyber Law


Back To