Mobile Device Forensic Tools: Unlocking an Assassin’s Phone.

  • 25 Jul 2024
  • by Anne Ndungu

 

On July 13, 2024, the world watched on a CNN live stream as 20-year-old Thomas Matthew Crooks tried to take out former US President Donald J. Trump as he was campaigning in Pennsylvania for a second term. He narrowly missed, only managing to graze his target’s ear. He also managed to kill one person and injure two others. He died shortly after, shot by the Secret Service. 

The Anatomy of an Assassin

Speculation is rife as to his motives. It is said he was not acting alone as, according to many eyewitnesses, there was a second shooter on a water tower. A background check reveals he had a normal childhood, by all accounts, with parents who are professional counsellors. His parents, however, were concerned enough to call the police and report that he was missing on the day of the shooting. You would be if your son disappeared with your AR-15 rifle, which has become the weapon of choice for most mass shooters.

Crooks did not have any significant social media presence that could help establish his motives, except for a Discord account and an account on a gaming platform called Steam, where he left a message about July 13. He was a registered Republican, but a certain donation he made when Joe Biden was elected president showed him leaning to the left. It was, therefore, important to get into his phone and into his mind.

Cracking Crooks’ Phone

Initially, the Federal Bureau of Investigation (FBI) claimed they could not crack his phone, much to the incredulity of the world. Crooks is believed to have been using two phones, one of which was a Samsung phone running Android. Apparently, the software currently on the market is not able to crack iPhones on iOS 17.4 or Google Pixel 6, 7, and 8 phones.

Apparently, it takes months to do this, but given the urgency, the FBI resorted to unreleased technology by an Israeli mobile forensics company, Cellebrite, and it only took 40 minutes. The technology is still under development, which goes to show that 

Crooks’ devices have shown his search history, which reveals that he tried to self-diagnose, looking up terms of mental illness months before his assassination attempt. However, instead of seeking help, he chose violence. He also looked up a high school shooter and searched for high-profile political figures. This search history, together with his actions, gives an unfolding picture of his frame of mind.

His phone will also help investigators reach people he may have been in contact with.

 

Mobile Device Forensic Tools (MDFTs)

Meanwhile, Cellebrite, the firm that provided the tool, is listed on NASDAQ and has faced criticism from human rights groups for selling its services to repressive regimes such as Pakistan and Belarus. Cellebrite asserts that its product, which physically connects to phones, can recover even remnants of deleted files. It also likes to keep a low profile and has been known to tell its clients not to talk about its products. According to a survey carried out by Cellebrite in 2023, a digital device can, on average, contain 32,000+ images, 1,000+ videos, and a staggering 60,000 messages. Reviewing this kind of information can be time-consuming, and making sense of it to get any useful insights would be impossible without the use of tools like those developed by Cellebrite.

What makes this difficult is that there is no standardised way of accessing mobile devices, which come in many different forms and types owing to differences in hardware and variations in software. Some devices are too old, others too new. Devices made in China are different from those manufactured in other countries. Sometimes, it is easier to crack older phones running an older OS than newer phones.

There is no single tool that can evaluate all mobile devices. MDFTs have to be updated continually to keep up with the ever-growing changes to mobile operating systems. They are invaluable tools for investigative work and save investigators time in finding evidence: once inside a phone, an MDFT gives access even to deleted files. Beyond the data that exists on the phone, they also help investigators gain access to metadata, which helps in the reconstruction of events and the gathering of evidence.

In the case of Crooks, the American Congress has begun investigations that have led to the resignation of Secret Service Director Kimberly Cheatle. Congress has asked the Secret Service to also subpoena Crooks’ Discord records to get more information. However, company representatives said the account, which has since been removed, had not been used in months and did not contain any information that was linked to the shooting.

MDFTs are becoming invaluable in forensic work and are poised to expand their use beyond police and government investigations, finding applications in the private sector as well. For example, insurance companies can utilise MDFTs to investigate fraudulent claims. By analysing data from claimants’ devices, insurers can verify the validity of claims and detect inconsistencies. However, data privacy and ethical concerns will curtail the expansion of these applications.