After carefully following legal advice and enterprise policies, security can seize the cell phone and extract evidence. Pictured: Dr. Eamon Doherty uses Susteen’s Secure View to download pictures from a Motorola V710 camera phone for examination.


There are a growing number of instances in which an employee or visitor in a corporate facility, factory, research and development lab or business exposition has photographed sensitive information, prototype products or processes using a company or personal cellular phone and sent the data instantly elsewhere. Such actions may be illegal; some are legal; and some corporations have instituted policies and prohibitions on cell phones. This article shows how a chief security officer, working with his or her counsel, can conduct an investigation of a suspected phone. This advice is obviously most relevant to an employee’s cell phone, especially if that phone is provided or service paid by the employer.
– Editor

The extraction and examination of data, photographs and documents stored within a cell phone is not especially difficult.

It is imperative that security or an outside contracted service be properly authorized to proceed before commencing with such an action. The correct “tools” make the actual process a routine exercise. In a corporate setting, for example, an allegation may be made about an employee inappropriately using a camera cell phone to take and send photos to another employee. An authorized requestor (what this article calls the AR) may initiate and lead an investigation as a result of such an allegation.

Consider a typical scenario: an employee places his company cell phone on the meeting table near sensitive corporate information. During the meeting, he picks up the cell phone “to check his messages,” captures pictures of the documents and sends them to a co-conspirator instantly.

GET LEGAL ADVICE FIRST

The AR often begins with a call to the general counsel or in-house counsel. This allows the AR to coordinate the process with human resources and telephone services and to make certain that all relevant use policies for the telephone, the computer, the Internet and hand-held devices were signed by the accused. Once counsel gives the authorization to proceed, based upon meeting the legal standard for such an action by the AR, the incident response team, in coordination with physical security, may investigate the situation.

The AR is the focal person in the investigation. It may be necessary to ask for or demand that the cell phone, the battery charger and the data transfer cable be surrendered.

Once the phone is collected from the employee, it is necessary to prevent any further wireless, infrared or Bluetooth communication with the device so that evidence is neither added nor deleted. Signal isolation of the cell phone may be accomplished with an aluminum foil pouch or a Faraday bag. When the phone and its accessories are confiscated, a chain of custody form is immediately filled out. This document shows the trail of the evidence from the time of its surrender or seizure through its processing and storage, and ultimately until its appearance in court.

Authorization and preservation of the evidence have now been covered; the next stage is collection of the data itself.

SOFTWARE TOOLS

The next stage, physically collecting the data, should be done with a tool that includes a write blocker so that none of the evidence stored in the phone is altered. Device Seizure from Paraben, Secure View from Susteen and the Cell-Dek from Logicube are commonly used software tools that have been accepted by the legal system in other investigations that became criminal matters and went to court. These software tools include an assortment of phone cables. The listed software makers commonly send updates for their tools as new and differently formatted phones come onto the market. It is important to see whether the forensic phone tool you choose also recovers deleted pictures and e-mail that has not yet been overwritten.
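The chain of custody form and the write blocker described above both serve one goal: being able to show in court that the extracted data was not altered after seizure. The following added example (not from the article or any of the tools it names) shows the standard way a practitioner documents that in software: each extracted file is hashed with SHA-256 at acquisition, the hash is written to an append-only custody log together with the handler and tool, and the files can be re-hashed later to prove they are unchanged. File names, the handler name and the tool name are constructed placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    """Stream the file through SHA-256 so large media files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record_acquisition(evidence_dir, custody_log, handler, tool):
    """Hash every file extracted from the phone and append one custody entry per file."""
    entries = []
    for p in sorted(Path(evidence_dir).iterdir()):
        if p.is_file():
            entries.append({"file": p.name, "sha256": sha256_file(p), "size": p.stat().st_size,
                            "handler": handler, "tool": tool, "action": "acquired",
                            "time": datetime.now(timezone.utc).isoformat()})
    with open(custody_log, "a") as f:  # append-only: later entries never overwrite earlier ones
        for e in entries:
            f.write(json.dumps(e) + "\n")
    return entries

def verify_evidence(evidence_dir, custody_log):
    """Re-hash the extracted files; return names whose hash no longer matches acquisition."""
    expected = {}
    with open(custody_log) as f:
        for line in f:
            e = json.loads(line)
            if e["action"] == "acquired":
                expected[e["file"]] = e["sha256"]
    return [name for name, digest in expected.items()
            if not (Path(evidence_dir) / name).is_file()
            or sha256_file(Path(evidence_dir) / name) != digest]

def demo():
    """Constructed sample: two 'extracted' files, one of which is altered after acquisition."""
    work = Path(tempfile.mkdtemp())
    evidence, log = work / "extracted", work / "custody.jsonl"
    evidence.mkdir()
    (evidence / "IMG_0001.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"constructed jpeg bytes")
    (evidence / "sms_export.txt").write_text("constructed SMS export\n")
    n = len(record_acquisition(evidence, log, "AR (placeholder name)", "hypothetical tool"))
    clean = verify_evidence(evidence, log)               # expect []
    (evidence / "IMG_0001.jpg").write_bytes(b"altered")  # simulate post-seizure alteration
    return n, clean, verify_evidence(evidence, log)      # (2, [], ['IMG_0001.jpg'])
```

In practice the custody log itself is stored separately from the evidence (or signed) so that an alteration cannot be hidden by rewriting both.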

In conclusion, as can readily be seen, a cell phone forensics component in the security operation of an enterprise can easily be developed. It can be started by training security professionals with online or in-person classes at the Cybercrime Training Lab at Fairleigh Dickinson University or from the SANS Institute. There is a small group of free documents on the National Institute of Standards and Technology Web site (http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf) that address the collection of digital evidence from cell phones. It is worth contacting places such as the Regional Computer Forensics Lab or the Computer Crimes Task Force at a local county prosecutor’s office to arrange for a tour of their facility to see how law enforcement examines phones.

SIDEBAR: Camera Phones as Theft Devices

Camera phones share pictures instantly and automatically via a sharing infrastructure integrated with the carrier network. They do not need connecting cables or removable media to transfer pictures, and no personal computer is involved. Many camera phones use CMOS image sensors rather than the CCD sensors also found in such cameras, largely because CMOS sensors draw less power and so do not quickly deplete the phone’s battery.

Images are usually saved in the JPEG file format, and the wireless infrastructure manages the sharing. The sharing infrastructure is critical and explains the early successes of J-Phone and DoCoMo in Japan as well as Sprint and other carriers in the United States and the widespread success worldwide. Over 1 billion camera phones will be shipped in 2008.

Enterprises are responding to real and potential misuse of camera phones.

For example, more than half of members surveyed by the Society for Human Resources Management have written policies addressing the use of standard cell phones. Fewer have written policies for the use of camera phones.

Illegal use of a cell phone related to corporate espionage can lead to the headache of a federal investigation, indictment and criminal charges.

SIDEBAR: Economic Espionage

Sometimes an enterprise may choose to just dismiss an employee caught spying, often depending on the extent of the real or potential loss. More often visitors, contractors and others may face federal charges.

Economic Espionage (18 U.S.C. § 1831) – In order for one to be convicted under this statute, the government prosecutor, usually an Assistant United States Attorney (AUSA), must prove beyond a reasonable doubt:

  1. That the defendant stole, duplicated, communicated, bought, or otherwise obtained or provided access to trade secrets, without authorization; or

  2. That the defendant conspired with one or more persons to commit any of the above-mentioned acts; and/or

  3. That the defendant knew or intended for the acts to benefit any foreign government, entity, or agent.

Potential Punishment: Upon conviction, an individual may be fined up to $500,000 and imprisoned for up to 15 years. If the violation of the statute was committed by an organization, that organization may be fined up to $10,000,000. Additionally, 18 U.S.C. § 1834 mandates that the court, in imposing a sentence, shall also seize any property related to the unlawful act.

Theft of Trade Secrets (18 U.S.C. § 1832) – In order for one to be convicted under this statute, the government prosecutor must prove beyond a reasonable doubt:

  1. That the defendant stole, duplicated, communicated, bought, or otherwise obtained or provided access to trade secrets, without authorization; or

  2. That the defendant conspired with one or more persons to commit any of the above-mentioned acts;

  3. That the defendant intended to obtain or communicate trade secrets for the economic interests of anyone other than the owner of that product;

  4. That the defendant intended or knew that such an act would in some way injure the owner of that trade secret.

Potential Punishment: Upon conviction, an individual may be fined and imprisoned for up to 10 years. If the violation of the statute was committed by an organization, that organization may be fined up to $5,000,000. Additionally, 18 U.S.C. § 1834 mandates that the court, in imposing a sentence, shall also seize any property related to the unlawful act.

When one is charged under this statute, the AUSA will seek an indictment from a Federal Grand Jury and may include charges for import crimes, export crimes, trading with the enemy, industrial espionage, transnational money laundering or nuclear, biological or chemical weapons, and is likely to couple those charges with lesser included offenses such as false statements or obstruction of justice where applicable. Should the government decide not to immediately seek indictment, one may be held under the material witness statute or, if related to any ongoing war (including the war on terrorism) may be held through combatant detention.

Source: McNabb Associates, a federal criminal defense law firm.

SIDEBAR: Tracking Lost Corporate Cell Phones

Corporate and employee cellular phones are increasingly being lost or stolen, but technology exists to trace missing handsets.

One example:

A membership service called CellTrace (celltrace.com) records cell phone identities, blacklists missing (lost, stolen or mislaid) handsets, detects those identities on the network and facilitates retrieval of the blacklisted handsets. This and other services maintain a global lost-phone registry: once a blacklisted handset is detected on the tracing system, the owner is informed immediately with the details so the phone can be recovered.