Category Archives: Google

The Evolution of Vehicle Forensics

The Evolution of Vehicle Forensics

by Matthew J Parkinson BSc (Hons), Digital Forensic Analyst, SYTECH
Matthew G McKay MComp (Hons), Digital Forensic Analyst, SYTECH

Smart Car






In this day and age, technology surrounds our everyday lives, whether it be at home watching the Smart TV, at the gym using a Smart Watch or in the car using a Sat-Nav, society thrives on it. At the center of this ever-growing, fast paced industry, is the Mobile Phone.

Mobile Phones are leading the way in technological advancements with many new technologies exploiting the phone’s connectivity and capabilities, since a mobile phone is generally with the user, it is the perfect hub for all of our digital needs. This has led to a growing interest in the “Internet of Things” and the idea of a “Smart Home” which allows different aspects of your home to be autonomous or controlled via a Mobile Phone. This growth of the idea of everything being connected has now extended into vehicles, altering the way vehicle technology is implemented.

Since 1930, when the first stereo was implemented within a car, until not so long ago, car technology has been stagnating with not many changes away from the original idea. Recently, car technology has started catching up to the 21st Century with the buyer’s expectation increasing, and expecting; Bluetooth, Touch Screens and DAB radio as standard. With the implementation of the aforementioned features comes concerns over what data the car will store.

Currently, Vehicle Forensics involves the investigation of a bespoke system with limited research available and manufacturers restricting information to assist. We believe the future of Vehicle Forensics will revolve around a Mobile Phone, eliminating past issues and forensic limitations.

Predicting the direction in which technology will flow towards is important for any digital forensics company and here at SYTECH Digital Forensics it’s no different. At SYTECH, we endeavour to maintain a strong arm in research and development in order to stay up-to-date with “bleeding edge” technology, this innovative characteristic of the company is vital in order to maintain a well-established advantage in the digital forensic age.

This article explores the marriage of two industries, mobile devices and vehicle technology, and how they will change Vehicle Forensics for the better.

Apple CarPlay










The Evolution of Vehicle Technology


In the past, Vehicle Technology was confined to the car radio, with the only improvements relating to different ways of storing and accessing music, this originally came in the form of a tape (cassette) which was then followed by CD’s. The first stage of device connectivity to a car was an Auxiliary Port (AUX) which was implemented by vehicle manufacturers. This enabled a user to play music from a personal device.

After this, Car manufacturers started developing Vehicle Infotainment Systems, which generally used a touch-screen with bespoke hardware and software. These systems displayed a visual interface of what was once analogue and included features such as programmable radio stations and basic manufacturer-supplied satellite navigation. This system was quickly outdated as the process of updating the system’s software was inconvenient and not undertaken by the majority of the users. This process involved getting the software from the manufacturer, commonly in the form of a CD / DVD. This led the car manufacturers to look for other means of keeping the system up-to-date.


Society’s heavy reliance on Mobile Phones and their idea of being connected at all times has led to vehicles needing to implement a strong link to take advantage of these devices. This started out as the connection to a phone being possible via Bluetooth or Physical connection. This allowed the user to play music stored on their mobile phone, download their phonebook onto the in-car system and make and receive phone calls hands-free. This was achieved by the phone sharing its data with the in-car system that displayed the music, phonebook and call information in its native format.

At this stage, the connectivity of the phone and vehicle infotainment system was useful but still restrictive with the users still having to rely on limited functionality and basic software provided by the vehicle manufacturer. This often included a native satellite navigation system that was both expensive and difficult to update leading to maps becoming erroneous. Due to the issues of the in-car system, many technology companies started looking for a solution. Overlooking these issues, there is a strong foundation for an efficient, connected and up-to-date eco-system to build upon, with the already present Bluetooth and USB connections, Touch Screen display and microphones placed for hands-free control.

The in-car technology market is at a very pivotal point right now with two well-established companies introducing the following standards:

Apple CarPlay

Apple CarPlay is a development from Apple which was released in 2014 as “iOS in the Car” but rebranded to CarPlay, it allows the user to connect their iPhone to the in-car display through a USB or Bluetooth connection. The display will then show a refined version of the iPhone’s display with all the applications and notifications the user will need whilst in the car. As standard these applications are; Apple Maps, Phone, Messages and Music. The user will then have the option to include additional third-party apps that are compatible with CarPlay and accepted by Apple, these include music streaming, navigation, radio, communication and many other genres of apps. Currently, application development is in its infancy but will grow as the technology is standardised across the vehicle manufacturing range.

The user can control CarPlay using their voice, touch or in-car controls. The voice control will use the already established voice recognition software built into most Apple products called Siri, this can be activated from the steering wheel or saying the words “Hey Siri”. After activating this voice control the user is able to control all the supported applications, as well as perform internet searches. Siri can also answer many different queries from the user for example “How long will it take to get home?” and “Play a song by Bon Jovi”, both useful if stuck in traffic. The touch controls will be utilised on the in-car screen where the current activity will be displayed. CarPlay will integrate and operate with the vehicle’s in-car controls such as steering wheel buttons and dashboard dials. Apple CarPlay requires a compatible Infotainment System and an iPhone 5 or later running Apple’s mobile device operating system, iOS 7.1 or above.


Android Auto

Android Auto was developed and released by Google in 2015, it allows the Android operating system to be displayed on an in-car infotainment system. Android Auto requires a Physical and Bluetooth connection which enables the device to display notifications, sync contact information and make and receive calls. Android Auto is built around Google Maps, Google Now and the ability to talk to Google and also has a growing audio and messaging app eco-system. Android Auto requires an application to be installed on the Mobile Phone to allow the connection to the in-car system, this is downloaded from the Google Play store.

Android Auto displays five option panels to the user: Navigation, Phone function, Information, Music & Media and Car diagnostics information. The Navigation pane will present the user with a polished version of Google Maps, this will include a voice controlled search function, live traffic information and turn-by-turn directions. The Phone function pane will allow the user to receive and make calls as well as dictating SMS messages. The Information pane will allow the user to conduct internet searches, using Google, with their voice. The Music & Media pane will contain all the entertainment apps which include Spotify, Pocket Casts and Google Play Music. The Car diagnostics pane will show the car’s various statistics.

In a similar fashion to Apple, Google will monitor and control the applications that will be compatible with Android Auto to keep driver-safety measures at the forefront of their vision. Android Auto requires a compatible vehicle infotainment system and can be used with mobile devices running Android operating system, version 5.0, also known as “Lollipop”, or higher.



Similar Technologies

Technologies similar to both Apple CarPlay and Android Auto include, MirrorLink, a research project by Nokia, created to integrate a smart phone and a car’s infotainment system. Some vehicle manufacturers have native systems for syncing the car with smartphones but Android Auto and Apple CarPlay will have many benefits over the competition, this is due to the link to the user’s mobile phone. This link provides the user with the already present functionality, applications and personal data that the phone possesses to use with the in-car system.

Another technology that has features that compliment both Apple CarPlay and Android Auto is “OnStar”. This is being introduced to many new vehicles across the UK, with Vauxhall being the first to include this service across the range. “OnStar” provides direct communication to an advisor who can assist with tasks such as Navigation, security and various other features. Along with this, “OnStar” also brings other useful technologies to the vehicle system which include WiFi, sensor access, automated emergency response and limited app control such as unlocking your car using an app on your mobile phone.

An analogy for these technologies is a set top box and a TV:

  • The set top box is the Mobile Phone
  • The TV is the Car Display

The TV alone has limited functionality but the connection of a set top box allows further capabilities to be added and displayed on the TV.


 Data Created

The implementation of all this new technology brings a new perspective on the way we use our cars, resulting in different data being collected about its user. In the past, vehicles have been a gold mine of data but forensic barriers including bespoke systems and unsupported hardware meant that vehicles were being overlooked, although potentially imperative to an investigation. The introduction of new in-car systems means the Mobile Phone will become the hub of all the data thus allowing a clear cut method in obtaining the data without the previous complications, meaning Vehicle Forensics will become Mobile Forensics.


Vehicle & Mobile Forensics

The merging together of Mobile & Vehicle Forensics will result in the main extraction method of vehicle data becoming the analysis of Mobile Phones that have been connected to the vehicle in question. This will bring simplicity and speed to these investigations, as Mobile Forensics has a strong foundation with industry-recognised tools, a Mobile Phone is easier to store and work with and the fact that two avenues of data can be analysed as one.

Along with data that is already recovered from a Mobile Phone examination, data from the connection to the in-car system through Apple CarPlay or Android Auto will also be included, this will show the user’s activity whilst in the car. Applications running through Android Auto and Apple CarPlay from the connected phone will create the majority of the data. The types of applications currently available and future considerations are as follows:

Location-based Applications

  • Location-based applications are predominately satellite navigation apps such as Apple Maps and Google Maps. Siri and Google Now both use the user’s location to narrow down the scope of a user’s requests such as nearby petrol stations and restaurants. These applications will create location data which is very useful in pin-pointing the user’s movements and location, potentially providing important evidence for a case.

Phone Applications

  • Phone applications will include the native Phone app and various other third-party apps, these allow contacts to be saved and the making and receiving of calls over GSM or an internet-based network e.g. Skype and FaceTime Audio. These applications will create call logs which will provide the user’s communication activity, which is useful evidence in a case.

Messaging Applications

  • Messaging applications will include the native Messaging application, Email and various third-party apps, these allow for messages to be sent over GSM or an internet-based network, e.g. iMessage, WhatsApp and Kik. These applications will create chat logs which could be used for evidence of communication between two or more parties.

Music & Audio Applications

  • Music & Audio applications will include the native Audio application as well as many music streaming options such as Spotify and Deezer. Other types of Music & Audio applications will include Audiobooks, Podcasts and News apps. These applications can show user activity and they have potential to compliment evidence in a case.

Voice Control

  • Voice Control applications will utilise the user’s voice to control various aspects of the in-car system, this will be achieved through the native voice recognition software from the Mobile Phone, e.g. Siri and Google Now. This software brings functionality that is easy to control whilst maintaining driver safety, this functionality includes:
    • Internet Searches
    • Voice Dialling, e.g. “Call George”
    • SMS dictation, e.g. “Message Stuart”
    • Updating social media feeds, e.g. Facebook and Twitter
    • Location queries, e.g. Where’s the nearest petrol station?
    • Various other requests, e.g. Music, Time, Weather, Sport
  • These activities will amass valuable data that can be used in many types of investigations.

Car Diagnostics Applications

  • This area of Apple CarPlay and Android Auto has limited support but we believe it will become useful and increasingly popular as car manufacturers implement this. Car Diagnostic applications will show the user many statistics about the vehicle, for example, fuel level, service reminders, crash information and speed warnings, all of which could be of beneficial use within a case.

All of these different types of applications and the various data that they store will need extracting to be used in a forensic investigation.

Since the data is stored upon the Mobile Phone, the extraction will be performed in exactly the same manner in which a normal Mobile Phone examination will be completed. This involves various stages that takes it from the extraction of raw data, the analysis and finally production of an expert witness statement.



The three common extraction types are:

  • Physical – this will recover both live and deleted data
  • File System – this will recover both live and deleted data depending on the phone
  • Logical – this will recover live data.


There are also five advanced forensic techniques that assist in completing the extraction of the Mobile Phone which are as follows:

  • JTAG / Flasher Box examinations
  • Advanced iOS PIN Decryption (iOS 7, iOS 8 and working towards an iOS 9 exploit)
  • Advanced Chip-Off Examination
  • In-System Programming (ISP)
  • Custom Recoveries

All of which SYTECH Digital Forensics can provide.

After the data has been successfully extracted using one or many of the aforementioned techniques it will then be analysed.





Analysis involves parsing the raw data to present it in an understandable format including different data types such as SMS messages, Search History and other valuable evidence recovered from the Mobile Phone.

Prior to a full investigation and further in-depth testing of both Apple CarPlay and Android Auto we are unable to say how the data, that is created from both, is stored on the Mobile Phone. We do however believe the following:

  • Apple CarPlay – The data created whilst using Apple CarPlay will not contain any indication that the data was created via this, resulting in Mobile Phone and in-car data being analysed as one.
  • Android Auto – Taking into consideration that Android Auto requires an application to be installed on the Mobile Phone for a connection to the vehicle, we believe that the data will be sent through this application thus making it identifiable as in-car data. However, as all of the data is stored on the Mobile Phone, it will still be analysed as one.

The analysis carried out will depend on the type of case we are dealing with, as previously mentioned it may not be easy to differentiate in-car and mobile data, causing issues with cases that only involve in-car data. However, if we need to find out if the suspect has contacted a certain person, we will be able to analyse the communication data whether or not it has been created whilst connected to Apple CarPlay / Android Auto.

Below are examples of cases that data from cars and mobiles can be used as one:

  • Robbery – We may use the data from the Sat Nav application to see the details of a journey, as well as calls to accomplices and internet searches, all of which could be created whilst the phone was connected to the car.
  • Grooming – Messages of a grooming nature may have been sent whilst the phone was connected to the car through voice dictation.
  • IIOC offenses – The user could use voice dictation whilst their phone is connected to the vehicle to search for, and/or view Indecent Images of Children.
  • Drug Offenses – Activity of intent to supply or the purchase of illegal drugs could be created whilst the user’s device is connected to the car, for example SMS messages or call history.
  • Person of interest – The device’s Music & Audio may be used to assist in a case where very limited evidence is available, for example the user’s music or audiobook preference may help identify the device’s user.
  • Murder – Activity that could be used as evidence in a murder case may be created upon the Mobile Phone whilst connected to the in-car system. This includes location, communication and many other types of data.


Future Considerations

Many vehicle manufacturers will be implementing Apple CarPlay and Android Auto compatibility into their new build models, for example Ford, who have said they will be adding support for both platforms to all 2017 models.

The availability and support of both platforms will increase significantly over the coming years, this will lead to more applications being developed, adding more functionality to the in-car system, this will in turn create more data that can be forensically extracted, analysed and used for a digital forensic investigation.


SYTECH Digital Forensics

In conclusion, Mobile Phone forensics is going to take over Vehicle Forensics and being one of the leading companies in the UK dealing with Mobile Forensics, SYTECH will in turn become leading experts in Vehicle Forensics.

Our already successful advanced forensic techniques will play a key role in the future of Vehicle Forensics.

SYTECH Digital Forensics can conduct In-House Advanced Chip-off examinations

SYTECH also offers Advanced iOS PIN Decryption.

SYTECH Assisted Case – “‘Truly Evil’ Couple Jailed For ‘Sick’ Murder”

SYTECH received instructions from Dorset Police whom requested the Mobile Phone Forensic examinations and analysis of multiple Mobile Phone Handsets not supported for analysis via conventional forensic means and were all attributed to the below referenced murder investigation.

A “truly evil” couple who stabbed a man to death and recorded the “protracted and brutal” attack on a mobile phone have been jailed for life.

Phillip Nicholson, 22, was lured to a flat in Bournemouth where he was set upon by his ex-girlfriend, Isabella Gossling, and her new partner Richard Moors.

Gossling, 20, was found guilty of murder following a trial at Winchester Crown Court. She has been sentenced on Monday to a minimum of 19 years in jail.

Her boyfriend Richard Moors, 25, pleaded guilty to murder in a previous hearing at Portsmouth Crown Court in October.

He was sentenced on Monday to at least 22 years in jail.

Mr Nicholson, who had learning difficulties, was found dead in Gossling’s flat in the Boscombe area of the town on 26 May. He died from a stab wound to the neck.

He was enticed to her home on the pretence of meeting another girl who the couple were friends with, Winchester Crown Court heard.

But the meet-up was a lie made up by Gossling and Moors.

Once Mr Nicholson was at the flat, they stabbed him and recorded the attack on her phone, Dorset Police said.

In the audio recording, Gossling can be heard demanding an apology from Mr Nicholson for sexually assaulting her and encouraging Moors to kill him.

Police said the sex allegation was never substantiated nor reported and they believe it was unfounded.

The phone recording also captured the couple discussing how to leave Mr Nicholson’s body in a way to make it look like he stabbed himself.

The knife used to kill Mr Nicholson was found in a sink at the flat.

The court heard the couple had previously bullied and threatened their vicitm.

Detective Chief Inspector Stewart Balmer, from Dorset Police’s Major Crime Investigation Team, said: “Isabella Gossling and Richard Moors are truly evil.

“They targeted Phillip Nicholson because he was vulnerable and they could exert power over him.

“They subjected Phillip to a brutal and protracted attack.

“This is one of the most harrowing cases I have dealt with in 30 years’ service.”

He added: “The fact they chose to audio record this violent and sick act on her mobile phone is beyond belief.”

Mr Nicholson’s family said in a statement: “We are totally devastated by the way that Phillip was cruelly tormented, tortured and murdered.

“Our son was kind, caring and helpful to all and did not deserve this callous death.

“Phillip’s death will always leave a huge dent in our hearts and those of family and friends that knew him.”


Source:  Sky News

Detailed View of a Memory Chip

SYTECH Case – Moto Android Chip-Off Examination – Murder Investigation

SYTECH Case – Moto Android Chip-Off Examination – Murder Investigation

Andrew Munro was charged with the murder of his wife and attempted murder of another close relative for which he denied both charges.

Claire Munro, mother of three, was found dead in her home with serious injuries.

SYTECH received instructions from Cheshire Police whom requested forensic examination and analysis of Motorola Moto Android based Mobile Phone Handsets not supported for analysis via conventional forensic means and were attributed to an on-going murder investigation.

At SYTECH the aim of the examination was the extraction, validation and presentation of all user based data and in particular whether there were any malicious applications installed or software capable of remotely tracking and controlling the handset.

The only way to gain access to the data held within the handsets was by that of “chip-off” examinations.

This involves the removing of the Flash Memory chip from the handsets printed circuit board (PCB).

This is where any potential data will be stored within the handset.

Data relating to the Investigation was recovered from the memory, this showed the potential to track and control a mobile phone handset remotely.


At trial Mr Munro changed his plea to guilty in relation to the murder and he also pleaded guilty to S18 wounding as an alternative to the attempted murder of another.


The Evolution of Mobile Phone Evidence

The Evolution of Mobile Phone Evidence

From Best Guess to Precise Prediction, a Science Emerges

By Daren M Greener CEng BSc CITP MBCS.
Principal Consultant, SYTECH – Digital Forensics.



The integration of the mobile phone has seamlessly interwoven itself into many aspects of everyday life with inbuilt and associated technologies that made it the must have device it is today.


This article provides a general review to the evolution of mobile phone evidence and in particular Cell-Site Analysis, highlighting how technological and sociological change has brought about a maturity to its application whilst litigation attitudes to this branch of digital forensics have not always kept pace.


Cell-Site Analysis (movement and location) is one of the fundamental components in a trident of mobile telecommunication evidence that also includes Attribution (who operated a particular phone) and Communications Analysis (who interacts with who and at what level).

Cell-Site Analysis Trident
Cell-Site Analysis Trident


Background – What is Cell-Site Analysis?

Cell-Site Analysis is a discipline of digital forensics that essentially examines the historic location and movement of mobile phones based upon record of the wireless link used to transfer call-events between ‘the network’ and mobile phone device (handset).


Each mobile phone network provider (Vodafone, O2, EE, etc.) maintains a network of transceivers (transmitter & receiver) throughout the country in distribution of service coverage/provision.


Many of these transceivers (cell-masts) are now common place and widely recognised for what they are standing like sentinels adjourning motorway networks or as great skeletal leviathans on high vantage points. Many more surreptitiously blend into the background of our surroundings, hidden on rooftops or disguised as street furniture such as lampposts, flagpoles and occasional modern artwork.

Cell-Site Analysis Masts
Cell-Site Analysis Masts

Typical Cell-Mast structures and antenna equipment


Importantly though, each network transceiver (cell-site) is uniquely identifiable. Therefore, the service provision from each transceiver is traceable and quantifiable with regards to the area of service cover.


As the mobile phone networks have grown and expanded over time, then the number and diversity of transceivers (cell-sites) has increased dramatically with the resulting coverage areas becoming ever more localised (smaller) to cope with greater capacity demands.



The Popularity of Mobile Phone Evidence.

As the adoption of the mobile phone infiltrated into society, towards the end of the 1990’s, it brought about a frequent source of information within criminal investigations that could, amongst other things, indicate the general movement and location of a suspect(s). Additionally, this evidential record of movement and activity could in turn be compared against a suspect’s account or alibi when such was offered.


  • In essence, the mobile phone represented, and continues to be, a personal tracking device.


Never before had law enforcement/forensic science had access to such a recorded stream of reference points that could indicate, without witness, a person’s general movements along with a  record of who they had been in contact with over a prescribed period of time.


Previously, such evidence would be reliant on fingerprinting or a possible DNA trace at a specific location – subject to the close scrutiny required to find such evidence. There was a greater reliance upon witnesses or informants to provide information with regards to a suspect’s whereabouts.


The introduction of electronic banking services during the mid-1980’s had been a catalyst to early electronic activity tracking. The introduction of the Automated Teller Machine (ATM / cash point) in 1985 was followed by the arrival of the debit card in 1987 and both provided a limited source of information when tracking a person’s location or movements in accordance with their purchasing/financial activity.


For law enforcement the adoption of the mobile phone has been akin to having a string of eye-witnesses or informants all pointing in sequence to the area of a suspect. ‘He’s over here, he’s over there, he went that way and no he wasn’t over there.’


In the early stages Cell-Site Analysis was often applied to define where a person (and their phone) could not have been to support or refute an alibi or allegation.


A suspect may have stated that they had spent an evening at home whilst their corresponding Cell-Site activity may have contradicted such assertion and demonstrate widespread movements and activity.


Predominantly mobile phone evidence often provides the glue to bring other evidence into sequence.  It acts like fly-paper attracting and sticking other items of evidential value – eye witness accounts, DNA recovery, CCTV footage, ANPR sightings and payment transactions etc – into a pattern of chronological consistency.


  • The greater the level of transaction within the mobile phone records the stronger the bond of the glue.


A Note on Attribution

A crucial aspect to the value of obtainable evidence is the attribution of the mobile phone to a particular person. Attribution applies both in terms of phone ownership and actual usage at the time when cell-site data or communication activity was recorded. (“it’s not my phone” or “I lend it to others” or “many people have access to it”)


  • The attribution of a mobile phone is a process in its own right and the subject of much debate beyond the remit of this article. However, similar to the advances of Cell-Site Analysis the ever involving technical and social change continues to produce far more intrinsic user profiling to cement attribution assertions.


Developments and effects – The rise and rise of phone ownership and use.

The mobile phone revolution started to gather pace in the late 1990’s as the cost of ownership started to become within the grasp of the mass populous.


  • In January 1999 Ofcom estimated that approximately 27% (1 in every 4) of UK adults owned, or had access to, a mobile phone.
  • Just 12 months later that figure had almost doubled and stood at 46% and by November 2001 the figure had risen to 75% (3 in every 4). (OfTel, 2002).


Cell-Site Analysis Map
Cell-Site Analysis Map
  • In recent figures, from 2014, the level of UK mobile phone ownership stood at 93% of the adult population (Ofcom).


1993    Digital mobile phone networks started to emerge from frontrunners Mercury and Vodafone quickly followed by Orange in 1994. Initial consumer take-up was slow and mostly aimed at the business executive in acknowledgement of the high cost of ownership and usage.


Early networks suffered from poor coverage in non-metropolitan areas and internment service quality.  This generated a demand and competition for network companies to dramatically expand their network coverage.



During the early adoption phones the biggest inhibitor to phone ownership was cost both in terms of handset ownership and monthly running expense from subscription fees and relatively high usage costs.


In 1996 Motorola introduced its ‘Startac’ handset the world’s first Clam Shell design with the promise of up-to 8-day battery life.  In the UK the handset retailed at £1,400.

Motorola StarTac Handset
Motorola StarTac Handset


1997    In attempt to address the issue of usage costs mobile phone companies introduced ‘pre-pay options to unshackle consumers from the requirement of a monthly contract. The move was to prove a huge success.


The subsequent explosion of mobile phone ownership was driven by many social factors but predominantly by the reduction of cost and through advances in handset design and desirability.  Since the turn of the millennium the growth in mobile phone ownership has been exponential.


1999    In January 1999 ‘Oftel’ reported that approximately 27% (1 in every 4) of UK adults owned, or had access to, a mobile phone. In the same year (1999) Supermarkets started to sell pre-pay mobile phone bundles with a price point under £100.


Unsubscribed pre-pay – ‘burn’ phones

One affliction to the criminal investigation process was, and still remains, the unsubscribed pre-pay option, which adds to the burden of the attribution process.


The popularity of pre-pay options and the ease of access to unregistered SIM cards led to the use of short life ‘burn’ phones.  Such phones are frequently acquired by individual’s intent on criminal activity and deployed for very limited periods of time before being discarded and replaced on a regimental basis.


2001    In November 2001 UK adult mobile phone ownership had risen to 75% (OfTel 2002) and it had become the norm for a person to own or have access to a mobile phone device.  As a consequence the mobile phone became a more frequent source of potential evidence in criminal investigations.


At this time the mobile phone networks deployed 2nd generation (2G) cell-sites. These 2G cell-sites have a theoretical coverage range of 35-kilometres. This value was frequently bandied by barristers as the de-facto argument to throw at cell-site evidence when it got to the courtroom.


In reality few, if any, of the deployed 2G cell-sites afforded ranges reaching the quoted theoretical level.  However, at the time, it was not uncommon to find rural based cell-sites with a coverage range in the order of 15 to 20 kilometres and urban based city/town centre cell-sites would often extend in excess of 5 kilometres.  Therefore, the level of affordable accuracy was far from precise and Cell-Site Analysis was frequently referred to as an un-precise science. A further inhibitor to early Cell-Site Analysis was the infrequency of phone usage, which still remained limited due to call and text messaging tariffing.


As the consumer boom in mobile phone ownership took hold it drove forward widespread investment and development both for mobile networks and mobile phone devices. At the turn of the millennium mobile phone networks had grown to cover all major cities and towns with 2nd Generation (2G) cell-sites. As the demand for services continued to increase so did the number of mobile phone users at any given location and especially within busy urban environments.


The coverage area of a mobile phone cell-site can sustain a finite number of active users/subscribers.  Generally the greater the volume of mobile devices at, or in any, particular location/area then the smaller the size of cell-site required to sustain those devices and combat the signal to noise ratio (SNR) problems.




In 2001 the vogue for mobile phone handsets was for smaller compact designs and few at the time had colour displays. Ericson’s T68 handset was the manufacturer’s first with a colour display.


Evolution of Samsung Handsets
Evolution of Samsung Handsets


2002    It wasn’t until 2002 that mainstream mobile phone devices started to include a camera option to further enhance their desirability.  This additional option would in part contribute to a greater demand for the transference of digitised data (pictures/video) across the mobile phone network.


Coincidently, the development and popularity of the camera option was to play a major part in improving the evidential value of recovering a mobile phone device as the stored imagery (of a subject or their family/associates) would often prove vital in the attribution of a mobile phone device to a particular person.


Handset data could also provide vital information with regards to a person’s association with others and in certain cases actual evidence of crimes themselves as criminals took trophy pictures of their actions or ill-gotten gains.



2003 – Hutchison introduce 3G services   

In 2003, in response to the demand for a greater range of services and higher data transfer speeds, Hutchison introduced the third generation 3G network.  Other network operators would eventually catch-up with the introduction of their own 3G network in tandem with their existing 2G networks.


The major impact of the 3G network from a Cell-Site Analysis perspective was that it pulled the rug from under the theoretical 35 kilometre range argument as 3G operated at a higher frequency and had much reduced range potential.


Additionally, it created situations where a mobile phone would utilise combinations of 2G and 3G cell-sites, which in-turn improved analysis when examining the service and overlap of the differing technologies at relevant locations of interest.


2003 – Blackberry impact upon messaging

In 2003 ‘Blackberry’ came to the market with its RIM 850 device that it marketed as a Personal Digital Assistant or PDA. Significantly, Blackberry were to introduce the Blackberry Messaging (BBM) service that offered instant messaging without the costs then often associated to text messaging.

In the fullness of time, other third-party offerings for instance messaging services came to the fore that could be operated on cross-platform devices.



To an extent BBM still remains a commonly used communication mechanism uncovered in investigations into Organised Crime Groups.


In 2004 Nokia, the then world leading handset manufacturer, released the 7610 handset which was the first to feature a 1 mega-pixel camera.


In 2004 Motorola gained huge success with the introduction of the Motorola ‘Razr’ handset with its brushed aluminium casing and 2.2inch TFT screen it became a must have fashion accessory that led to eventual sales of over 130 million devices.  Despite the 0.3megapixel camera and 5MB (yes mega-bytes) of non-expandable memory it would be the top selling phone 2004 – 2006.

Motorola Razr
Motorola Razr Handset


In 2006 many network operators were offering of “all you can eat” data plans such had been the growth in demand from consumers now embracing mobile data services.


By 2007 Ofcom were reporting 73.5 million active UK mobile subscriptions. (UK Population for 2007 was 61.3 million). Many consumers now ran two or more phones or would use secondary subscriptions for data services.


The double-phone use is often found to apply in criminal investigations where a suspect may operate, or be accused of operating, what is often termed ‘Clean Phone’ ‘Dirty Phone’ separating out personal life (clean-phone) and otherwise dubious activity (dirty-phone).


In essence though, when such strategies are applied by those engaging in criminal activity the double use of phones merely adds to the level of obtainable evidence. That evidence can subsequently be compared and combined to show a much greater consistency to other events. Additionally, twice the amount of cell-site data may prevail to afford greater scrutiny, particularly in the identification of specifically defined travel patterns.


Ofcom reported that by the end of 2007, 17 percent of all mobile users (12.5 million) were using 3G, which had been an 11 percent increase on the previous year.  The uptake in 3G subscriptions would continue to rise.


Within the realm of Cell-Site Analysis it was now becoming common place to find a subject’s phone switching between 2G and 3G technologies within the Call Data Records under scrutiny.  This added greatly to the level of analysis that could be applied, as examination could be made into where the two technologies would overlap and where one takes over from another.


2007 – Apple gets a bite of the market

In 2007 Apple Inc. branched out into the mobile phone market with the release of the Apple iPhone. Apple already had a loyal customer base from successful sales of IT and multi-media devices and its multi-media management platform ‘i-Tunes’, which was established in 2001.

The introduction of the iPhone was a major development to the ‘Smartphone’ market that intensified brand competition, which continues to drive technological and ascetical development of mobile phones.


The capabilities and functions of mobile phones continued to diversify to provide extra added benefit to the consumer in the battle for brand popularity.

Apple iPhone
Apple iPhone


A growing number of mobile phones would incorporate GPS technology, which in turn could provide Satellite Navigation functionality. Wi-Fi transceivers were also being incorporated into mobile phone devices to extend the connectivity options for access to the internet and other digital devices.


October 2007 saw the commencement of a program to switch over the existing analogue terrestrial TV broadcasting on to a digital broadcast that was to be completed by October 2012.


The resulting changeover made particular frequency bands available that were sold under licensed to communication network providers for further expansion and development of the mobile phone network.


2008    In 2008 the 4th generation (4G) network was under development in timely anticipation of the ravenous demand for high speed data transfers from media hungry consumers. It would be four years in development before the roll-out of 4G cell-sites that commenced in 2012.


The expansion of the mobile phone networks continued to see the installation of more 2G and 3G Cell-Sites (particularly 3G) nationally and generally a continual reduction in the size of cell-site coverage areas across urban and rural environments.


  • Governmental policy amended certain planning restrictions in order to facilitate a wide-spread expansion of mobile phone and data networks within the UK.


2010    In 2010 the Mobile Network Operator ‘EE’ was formed (then as Everything Everywhere and latter abbreviated to EE) from a merger of network operators T-Mobile and Orange.  Effectively it meshed together the network resources (cell-sites) of each provider.


In respect of the Cell-Site Analysis the creation of EE improved the affordable accuracy level when applying analysis in respect of T-Mobile or Orange phones. The merging of networks now allowed analysis to show where and why service ‘crossed-over’ between T-Mobile and Orange resources. Furthermore, the increase of cell-masts now jointly available led to a general reduction in the size of coverage areas of individual cell-sites.


The developments of Smartphone capabilities have driven an ever expanding ‘apps’ market covering all manner of entertainment, service, information, and function.


2011    In October 2011 Apple announced that their App Store listed over 500,000 application titles for download, that number then exceeded the 1 million mark by October 2013.  The latest figures announced by Apple (Jan 2015) claim that the App Store contained over 1.4 million titles to choose from and that total App Store downloads had exceeded 75 billion.


The ‘apps’ themselves often provide a vital source of information in the attribution and/or profiling of a subjects lifestyle and associations.


2013 – 2014   Mass Messaging

Deloitte estimated the volume of instant messages composed in Britain doubled from 160 billion in 2013 to 300 billion by the end of 2014. This equates to approximately 820 million instant messages transacted daily (about 12 messages per day sent by every UK resident).


Social Media Revolution.

The Smartphone phenomena supports, and is supported by, the social media revolution as it provides the ‘take anywhere – always connected’ portal to access and function. Over the last decade the development of the ‘mobile device’ (Phones, PDA, Tablets, Laptops) has been a perfect marriage to the social media revolution.


The rapid adoption of ‘social media’ and the notion of ‘always being connected’ have seen the creation of vast global business empires transacting multi-billion dollar acquisition deals. What makes this more remarkable is that the majority of those business empires predominantly provide a free of charge service to the majority of their subscriber base.  Here we look at a few of the movers and shakers of the social media world.


August 2003 Skype              Voice and Video Calling

  • Skype – launched in 2003 and purchased in August 2005 by Ebay for 2.6 billon dollars. It was sold to Microsoft in 2011 for 8.5 billon dollars (Doug Aamoth,, May 2011)


February 2004            Facebook       Social Media Services

  • 3 billon active users by June 2014


February 2005            YouTube        Video Sharing Website

  • Conceived in the wake of the 2004 Boxing Day tsunami. In 2015 YouTube’s website claimed more than 1 billion users and estimated 300 hours of video were uploaded every minute and 50% of YouTube views being made from a mobile device.


March 2006                Twitter            Social Media Services

  • First ‘Tweet’ posted by the company on 21st March 2006. In 2015 Twitter reported 288 million monthly active users sending over 500 million tweets daily with 80% of users accessing via a mobile device.


November 2009         Whatsapp      Instant Messaging App

  • WhatsApp can be used to send messaging, images, video and audio media messages.
  • In October 2014 WhatsApp was considered the most popular messaging app with more than 600 million active users. By January 2015 this had risen to 700 million users.


October 2010             Instagram       Mobile Online Multi-Media Sharing

  • Following launch in October 2010 Instagram rapidly gained popularity. The Instagram website of 2015 reported daily uploads of more than 60 million photos by its online community of over 300 million subscribers.


September 2011        Snapchat        Mobile online multi-media messaging

  • According to Snapchat in May 2014, the app’s users were sending 700 million photos and videos per day.


The development and adoption of both mobile devices and social media highlights the rapid technological and sociological changes that now make a mobile phone the most intrinsic and intrusive evidential hub into everyday life and personal detail.


Additionally, the continual rising scale of customer interaction is phenomenal and generates colossal volumes of network traffic.  This continues to drive heavy investment into the underlying network infrastructures that keep mobile phone devices connected.


This has again led to a greater level and diversification of technology deployed to maintain and support the connected community.


Through development of mobile phones networks there are now 2G, 3G and 4G cell-sites with, differing frequency ranges within these technologies.  The diversification of underlying digital networks from founding 2G technologies is now complemented by increasing numbers of Micro and Pico cell-sites. Development and diversification continue to expand and enhance the level of analysis that can be applied in respect of mobile phone usage and its evidential value.


 The main challenge today

One of the on-going challenges facing (mobile phone evidence) Cell-Site Analysis is to educate both Law Enforcement and Litigators that the afforded evidential value has risen exponentially along with the growth and development of the mobile phone networks (technological) and the growth in phone usage (sociological).


As the evidential value of Cell-Site Analysis has increased the actual cost of its application has drastically reduced from the overly exhortation prices once charged by entities that monopolised and exploited the Law Enforcement (Prosecution) market.


The cost reduction is due to a number of factors including; standardisation of Call Data Records, control on underlying data costs, the development and availability of surveying equipment options, and a wider pool of expertise. These factors, blended with commercial competition have driven down the cost of application.


However, as a consequence of the rapid growth the complexity of the mobile phone network, with regard to Cell-Site Analysis, is ever more involved and requires in-depth analysis if it is to be utilised effectively.


During the current climate of austerity and budget reductions the prosecution markets are outsourcing less and relying more upon their limited internal resources to provide basic overviews of cell-mast usage. This can have a negative effect both for an actual investigation and ultimately on the criminal justice process, for either prosecution of defence.   It further demines the true value of Cell-Site Analysis and extends the negative viewpoint of an imprecise science.


The evidential value of evidence cannot reach full potential if it is not accurately understood.  If the primary decision maker (defendant or juror) is not empowered with the information in an understandable form then the usefulness of the evidence may not be achieved or worse be perceived to establish unsupported facts.


When well-presented evidence is produced showing that a properly attributed phone is intrinsically linked to all, or even the majority, of an incident’s milestones and where the overall pattern of consistency can be shown to be robust then such evidence may convince a subject to admit their involvement and guilt. Where this happens, and it often does, the resultant early admission of guilt saves the taxpayer the expenditure of a costly trial process.  Such capital saving cannot be achieved on the back of summary analysis and poorly presented evidence.



Download – The Evolution of Mobile Phone Evidence.pdf

SYTECH Case Study – Digital Forensic Investigations in Cases Against Child Predators and Co-Conspirators

How Cellebrite’s UFED Link Analysis Strengthens Cases Against Child Predators and Co-Conspirators – Mobile Phone Forensic Examinations



Simon Lang, Senior Digital Forensic Consultant / Digital Forensics Manager, SYTECH – Digital FOrensics, Stoke-on-Trent, England



Use of Cellebrite UFED Link Analysis to attribute suspect handsets and assess and identify victims



Investigating rings of criminals who produce child exploitation materials



UFED Link Analysis saves time and effort associated with connecting suspects and victims on child exploitation, illegal money lending and drug conspiracy cases


Child exploitation can be one of the hardest crimes to prosecute. Victims are often too scared or ashamed to admit any connection to a suspect, and paedophiles go to great lengths to protect one another. To make their cases, police need ways to tie suspects and victims to one another via the frequency, type, and mode of their communications. Often this evidence is found on their mobile phones and GPS devices.


Simon Lang, Digital Forensics Manager at SYTECH – Systems Technology Consultants Ltd., England, has put UFED Link Analysis to work on several such cases in recent months. In the United Kingdom, law enforcement agencies frequently outsource digital forensics to ­rms like SYTECH. That’s because when a case goes to trial, the courts require an independent review of the work police did. High pro­le or complex cases with multiple devices often end up in court, so teams like Lang’s need tools that enable them to explain digital evidence simply and concisely at trial.


Lang himself has been a mobile device forensics examiner since about 2008, and he and his team have used Cellebrite systems since 2011. However, when faced with multiple mobile devices on a single case, they faced the time-consuming process of running data through spreadsheet software.


“Creating custom ­filters in Microsoft® Excel® and looking for common contacts, usernames and IDs, and incriminating content [such as text messages] can take a few hours when comparing the results from iPhones etc.,” says Lang.


That’s because of the sheer amount of data that iPhones and other smartphones can store. UFED Link Analysis provides an almost instantaneous graphical representation of the common contacts with the click of a button. “It is easier using these diagrams than looking at rows of text,” says Lang.


Why is this important? Lang and his team work on large cases involving multiple defendants across the United Kingdom, including child exploitation and drug conspiracy cases. “This tool comes in extremely handy in child exploitation and grooming cases, which are becoming more common in the UK,” Lang explains. “There are large ‘rings’ of individuals who have been targeting vulnerable people across the country.”


One of the most common ways his team uses UFED Link Analysis is for attribution of handsets, when the suspect denies ownership. Investigators can corroborate text messages or instant messaging, call logs, contacts and found on the suspect’s handset with like data found on victims’ or other suspects’ handsets.


Lang’s investigators also use UFED Link Analysis to compare “clean” and “dirty” phones. In these scenarios, suspects use one device for everyday noncriminal activities, and a second or more devices for their criminal activities. Common contacts and locations between the two can show which devices are used by the same suspect(s) and thus, can tie otherwise “innocent” suspects to the crimes they commissioned or committed.


The software is also handy for assessing multiple victims on these cases. The “Links-Mutual” view shows whether victims all had one or more suspects in common on their devices; patterns in keywords or timelines—days of the week or times of day—can help corroborate the evidence.


Once the evidence is collected and analysed, Lang uses the snapshot option to show common contacts within cases, placing these within his report. Put together, the links and patterns strengthen the Crown’s case and lead to what Lang believes will be a higher likelihood of conviction.


About Cellebrite Founded in 1999, Cellebrite is known for its technological breakthroughs in mobile forensics. Its Universal Forensic Extraction Device (UFED) is used internationally by law enforcement, military, intelligence, corporate security, and eDiscovery agencies to extract data from legacy and feature phones, smartphones, portable GPS, tablets and phones manufactured with Chinese chipsets.


SYTECH – UFED Link Analysis – Child Exploitation Case Study