Seeking the Truth from Mobile Evidence
Basic Fundamentals, Intermediate and Advanced Overview of Current Mobile Forensic Investigations
John Bair (Police Detective: City of Tacoma, WA), Part-Time Lecturer: Institute of Technology, University of Washington-Tacoma, WA, United States
Table of Contents
Cover image
Title page
Copyright
Dedication
Foreword
Preface
Acknowledgment
Introduction Part 1. Basic, Fundamental Concepts
Chapter 1. Defining Cell Phone Forensics and Standards
Introduction
Defining Cell Phone Forensics
Chapter Summary Key Points
Chapter 2. Evidence Contamination and Faraday Methods
Introduction
Evidence Contamination
Faraday Origins
Faraday Methods
Chapter Summary Key Points
Chapter 3. The Legal Process—Part 1
Introduction—Chapter Disclosure
The Legal Process
Mobile Network Operators
Mobile Virtual Network Operators
Determining Target Number
Chapter Summary Key Points
Chapter 4. The Legal Process—Part 2
Search Warrant Language
Destructive Court Orders
Chapter Summary Key Points
Chapter 5. The Cellular Network
Introduction to the Cellular Network
Code Division Multiple Access
Global Systems for Mobile Communications and Time Division Multiple Access
Integrated Digital Enhanced Network
Long-Term Evolution
International Mobile Equipment Identity
Mobile Equipment Identifier
Subscriber Identity Module
International Mobile Subscriber Identity
Integrated Circuit Card Identifier
Mobile Identification Number, Mobile Directory Number, and Preferred Roaming List
How a Call Is Routed Through a Global System for Mobile Communications Network
Chapter Summary Key Points
Chapter 6. Subscriber Identity Module
Introduction
SIM Sizes
Internal Makeup
Where Is My Evidence?
SIM Security
Forensic SIM Cloning
Chapter Summary Key Points
Chapter 7. Device Identification
Introduction
Handset Communication Types
The Form Factors
Common Operating Systems
Steps for Device Identification (Free)
Removable Storage
Chapter Summary Key Points
Chapter 8. Triaging Mobile Evidence
Introduction
Devices Powered On
Devices Powered Off
Locked Devices Powered On
Forensic Processing Triage Forms
Chapter Summary Key Points
Chapter 9. The Logical Examination
Introduction—A “Logical” Home
Computer Forensics and Mobile Forensics
Connection Interfaces
Agent or Client
Communication Protocols
Attention Terminal Commands
Port Monitoring
Chapter Summary Key Points
Chapter 10. Troubleshooting Logical Examinations
Introduction
History of Common Problems
Truck and Trailer Analogy
Device Manager
Advanced Tab (Device Manager)
Using Log Files
General Troubleshooting Steps
Chapter Summary Key Points
Chapter 11. Manual Examinations
History
Reasons for the Manual Examination
Hardware Tools for Manual Extractions
Software Solutions
An Alternative Solution to Hardware and Software Vendors
Chapter Summary Key Points
Chapter 12. Report Writing
History—Our Forensic Wheel
A Final Report Example
General Questions to Answer/Include in Your Report
Initial Contact
Device State
Documenting Other Initial Issues (DNA/Prints/Swabbing)
Specific Tools and Versions Used
Listing Parsed Data
Reporting Issues and Anomalies
Validation
Methods of Reporting
Other Formats and Proprietary Readers
Hashing
The Archive Disk
Chapter Summary Key Points
Part 2. Intermediate Concepts
Chapter 13. Physical Acquisitions
History
Flasher Boxes
Pros and Cons—Flasher Box Usage
Bootloaders
Current Popular Boxes
Early Physical Examination Vendors and Tools
MSAB and Cellebrite
Chapter Summary Key Points
Chapter 14. Physical Memory and Encoding
History
NAND and NOR
NAND Blocks, Spare Area, Operation Rules, Wear Leveling, Garbage Collection, and the SQLite Databases
Encoding
Chapter Summary Key Points
Chapter 15. Date and Time Stamps
Introduction “In the Beginning…”
Epoch, GMT, and UTC
Integers
Formats
Chapter Summary Key Points
Chapter 16. Manual Decoding MMS
Introduction—Lab Work
Susteen—SV Strike and Burner Breaker
MMS Carving
Containers for MMS
Chapter Summary Key Points
Chapter 17. Application Data
Introduction—A Last Argument
Applications
Supported Decoding—The Tip of the Iceberg
Database Naming—It Does Not Always Stay Original
Validating Database Content
Sanderson Forensics SQLite Forensic Browser
Write-Ahead Log Files
Journal Files
Blobs and Attachments
Chapter Summary Key Points
Chapter 18. Advanced Validation
Introduction
USB Monitoring—Can You Hear Me Now?
UltraCompare Professional
Chapter Summary Key Points
Part 3. Advanced Concepts
Chapter 19. Android User Enabled Security: Passwords and Gesture
Introduction—Security on Androids
Simple Security Values
The Password Lock
Hashcat
The Pattern Lock (Gesture)
SHA-1 Exercise
Chapter Summary Key Points
Chapter 20. Nondestructive Hardware and Software Solutions
Introduction
MFC Dongle
IP Box
UFED User Lock Code Recovery Tool
Best Smart Tool
FuriousGold
XPIN Clip
Other Methods
Chapter Summary Key Points
Chapter 21. Phone Disassembly and Water-Damaged Phones
Introduction—Holding It All Together
Fastening Methods
Tools Used
Removing Moisture (Water Damage)
Suggestions—Saltwater Exposure
Chapter Summary Key Points
Chapter 22. JTAG (Joint Test Action Group)
Introduction
Joint Test Action Group
How Joint Test Action Group Works
Test Access Port
Molex (Connections)
Joint Test Action Group Issues
Chapter Summary Key Points
Chapter 23. JTAG Specialized Equipment
Introduction—Slow and Deliberant
Pogo Pins and Jigs
Molex Parts
Wires and Wire Harnesses
JTAG Finder
Precise Soldering Units
Hot Glue, Rubber Bands, and Cardboard
Chapter Summary Key Points
Chapter 24. RIFF Box Overview
Introduction
RIFF Box Components
JTAG Manager Software
Saving the Binary Scan
Manual Probing Test Access Ports
RIFF 2 Overview
Software and Driver Install
DLLs and Account Manage
Connector Pinout Locations
General Purpose Input/Output
eMMC/SD Access Tab
Useful Plugins Tab
Advanced Settings
Chapter Summary Key Points
Chapter 25. Z3X Box (Easy JTAG) Overview
Introduction
Easy-JTAG W/Cables and ISP Adaptor
Software and Driver Install
Additional Activations
Easy JTAG Tool (Z3X EasyJtag Box JTAG Classic Suite)
Reading Target Flash
JTAG Finder
Chapter Summary Key Points
Chapter 26. Thermal Chip Removal
Introduction—Chain of Command Knowledge Phenomenon
Steps Involved in Chip-off
Research the Phone and Chip
Is the Chip Encrypted?
Prepping the Board
Using Heat for Memory Removal
Basic Removal Steps When Using Heat
Chapter Summary Key Points
Chapter 27. Nonthermal Chip Removal
Introduction—“Step Away From the Heat”
Removal Through a Cold Process
Removing the Chip From the Board
Milling
Lap and Polishing
ULTRAPOL Basic
Chapter Summary Key Points
Chapter 28. BGA Cleaning
Introduction—Your First Car
Examples From Thermal Use
Equipment Used in Cleaning (Thermal)
Steps Involved in Cleaning (Thermal Removed)
The Re-tinning Process
Reballing
Case Example (Thermal Cleaning) Steps
Chapter Summary Key Points
Chapter 29. Creating an Image
Introduction—Fish On!
Reading the Memory
Using the UP 828 and 828P Programmers
SD Adaptors
DediProg NuProg-E Programmer
Imaging
Regular Expression Searching
Common Email Regular Expressions
Chapter Summary Key Points
Chapter 30. eMMC Reading and In-System Programming
Introduction—Model Building
What Is In-System Programming?
How Does Communication Occur?
Understand eMMC Support Versus ISP
Researching ISP Connections
Probing In-System Programming Connections
Probing Example
Undocumented Phones
Wires and Jumper Boards
Medusa Pro and Octoplus Pro JTAG
Chapter Summary Key Points
Closing Remarks
Index
Copyright
Academic Press is an imprint of Elsevier 125 London Wall, London EC2Y 5AS, United Kingdom 525 B Street, Suite 1800, San Diego, CA 92101-4495, United States 50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom
Copyright © 2018 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.
http://www.elsevier.com/permissions
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data A catalog record for this book is available from the Library of Congress
British Library Cataloguing-in-Publication Data A catalogue record for this book is available from the British Library
ISBN: 978-0-12-811056-0
For information on all Academic Press publications visit our website at https://www.elsevier.com/books-and-journals
Publisher: Mica Haley Acquisition Editor: Elizabeth Brown
https://www.elsevier.com/books-and-journals
Editorial Project Manager: Sam W. Young Production Project Manager: Poulouse Joseph Designer: Victoria Pearson
Typeset by TNQ Books and Journals
Cover designed by John Bair & Lisa Taylor
Dedication
This book is dedicated to the thousands of men and women in law enforcement who spend a magnitude of hours each year sifting
through electronic evidence. You may be underappreciated, overlooked, and go unrecognized. The job may require locating
media of innocent children or others who are being victimized, or exploited. There may be expectations on what you can and cannot locate, and a chain of command whom you struggle with for the
logistics needed in your job. I truly appreciate your efforts. I dedicate this book to each of you.
Foreword
Mobile devices and the rich data associated with them have become the single most important source of evidence in virtually every type of investigation. These data commonly include the information stored on removable media and data from backups, installed applications, and the records retained by service providers. Whether the information is being relied on in a corporate environment to protect intellectual property or in civil law to resolve disputes and provide accountability or as part of a criminal investigation to determine guilt or innocence, the reason for examining mobile device evidence is the same—to find important and reliable information that can be used in proper context to help the finders of fact make important decisions.
In Seeking the Truth from Mobile Evidence, John Bair has carefully and thoroughly laid out important foundational concepts, troubleshooting strategies, helpful hints, and expanded analysis considerations. He has also provided suggestions and methods to help practitioners verify and test findings and build trust in the evidence and examination process. While this book is primarily directed toward law enforcement mobile device forensics practitioners, it includes valuable information for anyone who will benefit from an improved knowledge of how and why data associated with mobile devices can be acquired, analyzed, and explained.
Like me, John Bair began his nearly three-decade long career in law enforcement at a time when cell phones, tablets, personal computers, digital cameras, cloud storage, “Apps,” and the Internet had not yet penetrated our lives. We wrote police reports with pencils and paper, we looked up information in books, we exchanged information by printed interoffice memos, and we made telephone calls using
hardwired telephones. As the digital world began infiltrating the real world and criminals began using the same technology to gain an advantage and facilitate their crimes, John was one of the early pioneers in police work who led the way to “figure this stuff out.” As a lifelong learner, John adapted his practice of criminal investigation along with his knack for problem-solving and reverse engineering to leverage mobile device technology and find important evidence. John was not willing to allow important evidence to be locked away and remain unused.
Anyone who knows John quickly realizes that mobile device forensics is not simply a part of his job—it’s his passion. John is an amazingly talented, humble, and generous forensic practitioner who is quick to share his skills, knowledge, research, and experience to help anyone who is seeking the truth. He has always been on the cutting edge of the newest methods without losing sight of the basics. Just as he has done in this book, John has the rare ability to explain complex technical issues. Through the use of examples from his extensive experience, John is able to bring important and meaningful information to levels appropriate for his audience—novice to advanced. He has trained, mentored, and coached countless students of mobile forensics both inside and outside the criminal justice community.
John has written agency policies and crafted technical guidelines, and he has testified extensively in State and Federal courts as an expert witness in mobile device forensics. While some began as reluctant students, John has educated numerous police officers, detectives, prosecutors, defense attorneys, judges, academics, and product developers. As a truly legitimate and committed mobile device “forensic” practitioner, John is obsessed with finding ways to validate, verify, retest, and prove his findings before he is willing to settle on a particular method or outcome. John recognizes and teaches others that the data in themselves are of no value unless they can be trusted and the process replicated. Throughout this book, you will find references to validation and verification that are important for any practitioner for producing defendable and reliable results.
In addition to the great depth of real-world and practical experience that John brings to the subject of criminal investigation, mobile device forensics, and data analysis, he uses easily relatable stories, scenarios, and anecdotes throughout this book to explain important concepts. These examples give relevance and context that help the reader better understand the “why” and “how.” I have found John’s examples useful during my own efforts to craft language for affidavits in support of search warrants; when writing forensic reports; during expert testimony; and when explaining sometimes highly technical concepts to jurors, lawyers, judges, and law enforcement colleagues.
I must admit that I am an old school guy. I prefer printed books that I can hold in my hand and pages I can flip through. I also generally like the content to be in one place. That said this book uses a Companion Site where expanded content for each chapter can be viewed. John has done an excellent job adding helpful screenshots and other content that add additional value to his book. While I was initially skeptical, I think it is very well suited for books like this one and I value having the additional material.
The field of digital forensics, and in particular mobile device forensics, is dynamic and challenging. Each day brings new device models, new operating system versions, new and changing applications, greater storage capacities, new and changing methods of storage, backups, and the frustration that come with locked screens and encryption. While automated commercial forensic tools are very valuable, John emphasizes how important it is for mobile device forensic practitioners to have the ability to know what these tools are not revealing and how these tools and methods may change, not read, or misread user data. Through this book, John Bair will prepare you for a journey to improve your own practice and he will arm you with a technical knowledge and deeper understanding of mobile device forensics.
For those in law enforcement, you know that there is no greater satisfaction than to protect the weak, get justice for the innocent, and to hold bad actors accountable. This is particularly true in cases
involving child sexual exploitation. While advances in technology have brought us greater opportunities to do our jobs, technology has also brought greater threats to civilized societies as well as more opportunities for suspect anonymity, expanded jurisdictional complexities, reduced cooperation from content service providers, and an increased public distrust and scrutiny of the government. As we move forward together, it’s critical that we work to proactively influence new legislation, strive to not create adverse case law, maintain and improve examiner certifications and training, and lead the way for laboratory accreditation and policies in ways that build trust and confidence in our methods and practices. John Bair has worked throughout his career to become a model for best practices, and this book is a guide to help other mobile device forensic practitioners lay down a solid foundation for the future.
Colin Fagan, CFCE, CCME, Detective Sergeant, Digital Evidence Forensic Examiner
July 2017
Preface
It was raining (again). I had traveled from a hot and dry Texas climate to an area that in the first year, I could not seem to get my toes warm. I was now closer to my family and supposedly working for a department that had less crime than El Paso. So far, I had not seen proof of it. I sat alone and sipped on coffee in a park located in an area they called the “Hilltop.” The police radio was silent, as it should be
for 0415 h on a Tuesday morning. It was September 1993. I had passed my probation period and sat alone in a marked police car. In
the next 6 years that followed in my career, I would have no idea that I would be involved in two officer-involved shootings, the latter nearly killing me.
Out of the corner of my eye I watched a dark figure emerge from the south. Whoever he was, he was tall and had a pronounced limp. His left leg did not bend at the knee, and to travel he brought the leg around from behind him, in a small semicircle stride. My window was down, and I was parked under an overhang of a nearby building, trying to stay dry. I could hear that he was talking to himself. I continued to watch him, and as he moved closer, I could see that he was an older male in his late 50s. His conversation turned to singing.
He was directly in front of where I was parked, maybe 50 ft away. He was now under a street lamp that produced glare of reflective
light off the top of a piece of metal coming from his silhouette. I could not see the item entirely, but it was sticking out from his left side. The metal was large and seemed to be even with his head. Whatever the
metal was, it caught my attention, and I turned on my patrol spotlight and shined it directly at him. He jumped and stopped in his tracks, completely startled. It occurred to me that he had never seen my marked police car until that moment. Through the assistance from the spotlight illumination, I could now see why he was limping. I dumped my coffee out the window and started my patrol car.
I turned on my emergency lights as I pulled the police car closer to him. The man never moved, except to extend his arm to block his eyes from the spotlight. I exited the car and asked him to place his hands up, and onto his head. He complied. I had radioed for assistance, and after they arrived, I placed him in handcuffs. Once he was secured, I removed a large sword that was sticking down his left pant leg. It had
extended up nearly another 3 ft above his waist to his head. In all, the sword was over 6 ft in length and probably weighed 20 pounds.
The rain continued to fall, and all of us were getting wet during this contact. He never spoke while I removed this item from his pants. While the instrument he was carrying was being admired by my backup officers, I asked him, “What’s up with the sword you’re carrying around?” He quickly replied, “These aren’t my pants.”
I no longer drive a marked police vehicle, instead an unmarked, underpowered, “detective” vehicle. My hair has turned from brown to gray. I have incurred a few injuries, a skull fracture, and one neck surgery. My oldest child has a child of her own. I no longer patrol city streets while everyone else sleeps. I have been a detective now since April 1999. During my assignment in the homicide unit I noticed gang members were carrying around devices called Nextel’s. That gave me an idea to try and learn something about how they functioned and what could be stored on them.
Now our world has fully embraced technology. So too the individuals who have chosen to commit criminal acts. Understanding just a little bit about our electronic items we all carry around with us can certainly help aid in solving crimes. It’s September 2017. Now, the
“clients” I contact during my course of digital investigations have changed their statement from, “These aren’t my pants” to: “That’s not my phone.”
Thank you for buying this book. My hope, like the title implies, is that it can help you locate the truth in your digital mobile investigations.
John Bair
Acknowledgment
I would like to thank Mike Smith who I first met at the University of Washington, Tacoma (UWT). Mike is a combat veteran, and when I met Mike, he was senior in the IT program attending my Digital Mobile Forensic (level I) course. Mike excelled during the course, as well as the next two. After his graduation, he was hired by UWT to work in their IT department. We stayed in touch, and since Mike had a great understanding of the course content, he was hired to help with the initial editing of this book. Without his help, I am not certain if this would have ever been finished on time.
Another couple of individuals who need acknowledgment also come from the academia field: Professors Robert Friedman and Bryan Goda. I called Robert in the fall of 2013 and asked if I could have a few minutes of his time to present an idea. Robert allowed me to present the concept of creating a lab that was modeled after the Marshal University in Virginia. A few months later I was presenting the first Mobile Forensics course as a beta class at the Tacoma branch of the University of Washington. Since then, Robert has moved to another university, and Professor Bryan Goda took over where Robert left off. Bryan has allowed me to introduce advanced tools, concepts, and methodologies to senior students in the IT program at the Institute of Technology. Bryan continues to invest in new toys for our classes; most importantly, he believes in what I do and treats me as an asset. I appreciate their willingness to create this program, and all the logistical support along the way.
Of course, there is my spouse that I had to neglect in some way or another over the past couple of years. Thank you for being so patient with me. Sorry the fence (and deck) was never painted, the weeds
were not pulled, and the garage looks like a Sanford and Sons episode. Like many other people who write books, I would never been able to finish if you were not around to love and support me. You always provided assistance simply by listening, even when I was boring you to tears most of the time.
Then there is my Dad. He will never be able to read this book, but he was certainly alive with me as a kid when I was testing for continuity, soldering, stripped wires, and performing hundreds of other tasks related to electronics. He was the type of person who had trouble conveying such short sentences or one liners as, “I love you, thanks, and sorry.” He made all seven of his kids as they were growing up work in some capacity or another. Some of us worked on a 300+ acre farm, which he had as a “hobby” while he was employed full time for Mountain Bell Telephone. (How ironic that he spliced
phone lines for 44 years, and his youngest child now performs mobile forensics) I thought for years that all this man knew from life, was how to work. Embedded and tangled into all that labor; he taught me things that carry me into what I do and utterly love now. How do I thank a person who has died, but influenced me so much? The answer I guess is to share with others. Just like the old saying: “It’s not what you know in life, but what you share.”
Last, are my children. At the time I wrote this book, two of you were out in the world living on your own. All of you have given me some great memories over the past 25+ years. I have learned (and continue to learn) about patience, sacrifice, and unconditional love. Thank you for (sometimes) listening to me—and also the few times when you decided not to. Hopefully all of you will remember us riding our bikes, lighting off fireworks, the back yard swimming pool(s), the camping trips that include building our Big Ass Fires (BAFs we called them), road trips to Idaho, and most of all, the laugher. I know you didn’t have a choice in the matter, but thanks anyways for being great children. The three of you will always be my greatest accomplishment in this short life.
Introduction
Introduction–The Multitool Two individuals employed in the military were having domestic issues. Partner A wanted to break up with partner B. Partner B refused to terminate their relationship and began arguing with A. Their argument turn violent and B stabbed A in the neck with a Leatherman multitool. B initially refused to allow A to seek medical treatment, and took images (with his cell phone) while he was bleeding. B informed A that after he dies, he would dismember his body, and dispose of him of various dumpsters. A couple hours later, B drops A off at the hospital. A initially does not inform hospital personnel the correct information on how his injuries occurred, and he slips into a coma. B refuses to provide law enforcement a statement about the incident. Both A and B have the first generation HTC G1 Android phones. They have pattern locks across the screen, and at the time of this investigation, there was no commercially available forensic tool that could bypass this security.
The Sex Offender
He left school at 14 years age. Soon, he was being reported as a runaway and found comfort with others who would “crash” at an abandoned house. He learned about various street drugs and how to steal Honda Civics. For a number of years, he was in and out of juvenile detention for several offenses. As he entered into his adult life, his friends were always younger kids, usually half his age. Many times, the friendships would lead to various games that he had
invented. Most of them were inappropriate. One of the parents of a child he was “friends” with called the police about his behavior. He decides to delete the application he used to communicate with the victim, and also deletes all the incriminating images that he shared. Again, he ends up in jail. This time accused of several sexual offenses with a minor child.
The Last Argument She was married just a few months before her death. Her husband took her life and then his own. Her phone was triaged through a forensic tool commonly used by law enforcement. The initial investigation located two short recordings that documented arguments they had been having. She had recorded them without his knowledge, just days prior to their bodies being discovered. After the phone was triaged, the case agent reviewed the case report (media disk). He called the examiner back a few days later. “I believe there’s another large file on her phone that recorded the events that took place at her death. Can you try to get it to play?” The file had initially been “looked over” and dismissed as a corrupt, unplayable sound file. Per the request of the case agent, the file was viewed with additional scrutiny. Using a hex editor, it was found that the file header and footer were missing, but the case agent may be correct; based on the size of the file, and the time and date of its creation, she probably did record her own death.
The Drug Dealer A missing suspected drug dealer was located, murdered. His lower torso was recovered, buried, and contained inside a duffle bag. His cellular phone had absorbed his human fluids as he had decomposed over a few mouths. Local law enforcement cleaned the device and again connected it to common forensic tools to perform a data extraction. The extraction would start, and then fail. After numerous troubleshooting steps, they still could not gain entry into the device. Although they had cleaned it, the main board was still black from his
bodily fluids. The device was supported by commercial forensic tools for user security bypass, but that was not the problem. They obviously needed a different technique to locate what was needed in their case, and glean insight into who may have communicated with him before his disappearance.
Truth Is Not Pretty These summaries were just some of the small snippets from the author’s experience when it comes to triaging mobile evidence. Each of them came into the laboratory with something missing—answers. In these examples, the author was eventually able to locate what was being requested. Some of the cases were from the author’s own department, and others were from outside agencies where he provided technical assistance. There are times when finding the answer can help add another layer to the story. There are times when the answer helps the public understand a traumatic event with precise clarity. Then there are times when no one seems to give much regards to the truth. A drug dealer? A prostitute? Many in society may not admit that they feel little to no remorse when it comes to specific victims of certain types of crimes having a tragic ending to their life. Locating the truth within an investigation does not necessarily mean that it can be solved. There are times when investigators know exactly who the primary suspect or suspects are. Truth does not necessarily incarcerate someone.
As we hear more horrific events unfold that involve mass causalities, one of the common things we hear being asked at work, dinner parties, and family get-togethers is the why question. People want to know what goes through the mind of a person, and why they acted a certain way. Why did he stab his domestic partner and took images of him while he was bleeding, or why the sex offender wanted to victimize little kids, or why a man must kill his wife and himself, or why one drug dealer kills and dismembers a fellow drug dealer? These investigations, like yours, have a why that must be answered to society. It is incumbent on you to gain enough knowledge to get the
task accomplished. If your job focuses on locating these answers from mobile evidence, this book was created to help you.
Book Layout–The Companion Site Seeking the Truth from Mobile Evidence has been written to allow the reader to see specific steps, program interfaces, techniques, equipment, and overall forensic methods. The author wants the reader to understand the subject materials being conveyed in each chapter. As such, the publisher strives to keep production costs down. This effort has been awarded back to the consumer, and instead of a book costing over hundreds of dollars, it is a third of that cost. Why is this being conveyed to you? As you read several of the chapters, you will encounter instructions directing the reader to images stored on the (included) companion site. There will be a few chapters (Chapters 1, 3, 12, 13, 17, and 29) that do not have references to images found on the companion site. Some of the chapters will also have additional documents such as PDF files that will be contained on the companion site (https://www.elsevier.com/books-and-journals/book- companion/9780128110560). These can assist the reader with supplemental information related to the topic in the chapter they are contained in.
Readers can utilize the (above) link to navigate to the figures, and extra materials on the companion site. On the site, click on the, “Chapter Figures” under Quick Links. The affected chapters are highlighted accordingly. Simply click on the desired chapter to begin the process of downloading a zipped folder for the items listed in the narrative of that chapter. If readers elect to do so, all the materials can be downloaded prior to reading each chapter to allow quicker reference.