By Chris Williams for The
Register.
This story has been reproduced with permission.
Police forces in the UK and worldwide already use Guidance
Software's EnCase computer forensics package, most
famously in the interminable cash for honours investigation.
Now the firm is set to announce an expansion into mobile with a
package it's calling Neutrino.
The ongoing trial of the alleged failed 21/7 bombers has seen
mobile phone evidence
used extensively. In 2002 linguistics experts were brought in
to give evidence during the Danielle Jones murder trial, when it
was shown her uncle had used her phone to dupe family
into believing she was still alive.
A police source told us: "It's [a suspect's mobile phone] one of
the first things we look for in serious crimes these days."
Brian Karney, Guidance's product management director, told
El Reg: "Your whole life's on there. Everything about
you. The SIM card, the memory, it's all in there and we can go in
and get." The package allows access to call logs, stored files, SIM
information, JAVA programs, and crucially, deleted data.
As documented on The Register
last year, the lack of standards in mobile software can make
investigation tricky. Neutrino will be subject to this barrier just
like market incumbents like Swedish firm Micro Systemation's .XRY
package, launching with support for around 50 Nokia, Motorola, Sony
Ericsson, and Siemens handset, with more to follow later.
A further stumbling block comes with the deleted content. At the
moment deleted data from the SIM is simple to retrieve and there
are many programs able to do it. The big stumbling block is data on
the phone. Guidance says Neutrino will be able to access this
precious unallocated space on selected Nokia handsets to begin
with, but has a team working on adding more in future. Configurable
hardware packaged with the program should enable the firm's coders
to find and tweak power and other settings to unearth data.
Police have no problem trawling computer systems for deleted
data given the relatively few file systems and protocols compared
to mobile handsets; it can even kick the door in over the network.
Alas no such luck in mobile forensics; as well as the software
issue, investigators need physical access to the device and even
the array of exotic connector cables can add to headaches for field
investigators.
Mobile forensics expert Kevin Mansell, who works with police to
train investigators and runs his own consultancy, Control-F, said: "There's been a lot
of chatter about it, because it's from Guidance. New versions of
EnCase are always big news in computer forensics - it's nearly a
standard, but it's fair to say there's a wait and see attitude
about Neutrino. They have to prove themselves."
However powerful a tool, sources within mobile forensics expect
take-up of Neutrino to be slow. Most in the field are active in
criminal investigations, and say they have precious little time to
evaluate new software.
Guidance said it would press ahead with diversifying its product
range into more and more devices, with several new platforms in the
pipeline. Karney said: "Mobile phones, iPods, PDAs, you name
it...chips in people's brains. We're in it."
© The Register
2007
