We often think of forensics in the context of DNA testing, or studying the components left at a crime scene. Popular police procedural shows and serial killer documentaries put this singular definition of ‘forensics’ into the public consciousness. For those involved in criminal investigations, or for anyone who has been through the legal process, the word makes use of its broader definition to simply mean the application of scientific methods to investigate a crime. Ever since computers and cellular phones have been integrated as a daily part of our lives– as we further rely on them to track and manage intimate details of ourselves– police have applied those scientific methods and techniques to get into our devices. Even though mobile devices and computers have been a full part of our daily lives for a little more than a couple decades now, the law still seems frustratingly slow at keeping up with technology. It’s difficult to always know your rights. The issue presents itself with the obvious next set of questions: how do police use forensics to get inside a cell phone or computer, and to what end?

1.  When Can Police Search My Phone or Computer?

It is important to keep in mind that per California law, police must get a warrant, founded on the basis of probable cause, and said warrant must be defined with ‘reasonable particularity’ in relation to what police are searching for– ‘reasonable particularity’ meaning that the evidence investigators hope to find is well laid-out in writing. This is to prevent any officers involved in the search from freely using their discretion as to what is considered evidence. In other words, police are expected to plainly lay out what they are looking for, and potentially incriminating evidence not relating to what is defined in the search warrant cannot be used to build a brand new case against a suspect. Ultimately, this means that police cannot continuously monitor your phone, freely and without sufficient cause, in hopes of stumbling upon incriminating information. Furthermore, the United States Supreme Court has ruled that police cannot search your phone even once they have conducted a lawful and legitimate arrest. An arrest based on probable cause is enough to allow police to search one’s vehicle, for instance (this is known as the ‘automobile exception’); however, the unanimous Supreme Court ruling states that cell phones were “fundamentally different,” and law enforcement must always have a warrant to conduct a search of one’s phone (with the exception of certain provisions such as the prevention of harm to oneself or others, or to prevent the imminent destruction of evidence). When dealing with law enforcement, either in an arrest or simple questioning, you have every right to say no to a phone search. Exercise that right to refuse a search: you never know what small detail might, rightly or wrongly, be construed as evidence of a crime.
Law enforcement has far more sophisticated ways of accessing your phone than simply asking you to unlock it for them during an arrest, but the principle of asserting your rights, and the understanding that police need a warrant to search your phone in most cases, should be at the forefront of your mind as you read on about how law enforcement can access your personal data.

Computers have similar provisions and protections as phones do regarding when law enforcement is able to search them. A warrant must be issued except in extreme and rare circumstances. Again, this includes the prevention of harm or danger to someone, the imminent threat of evidence being deleted, or aiding law enforcement in pursuing a suspect. As with any other item, law enforcement may search your phone or device when the person in question has given them permission to do so, in essence waiving their Fourth Amendment right against unreasonable search and seizure. California does state, however, that anyone ‘with authority’ over the device can give permission for police to search said device. This means that if you use a computer in a shared office space, or if you are in possession of a phone issued by your business, you do not necessarily have final say on whether that device gets searched. Your boss can give permission for police to access that device, even after your refusal. If you’re concerned about the police going to Apple or Google directly to get them to unlock your phone, you’re in luck, as executives from both companies have stated that they will not help police disclose the private information of their customers. Apple has doubled down on this stance with more sophisticated encryption software and a recent ad campaign. “Some things shouldn’t be shared,” says a voiceover in an Apple commercial where a woman is offering up her credit card information through a microphone. Police hit back with their own marketing campaign on the issue: “law enforcement,” the ad reads, “is going dark.”

Police can, however, seize your phone or computer during an arrest, and hold it until the pertinent warrant is issued to search the device. This is the most likely scenario in which you could have your phone or computer searched. In situations where your personal device has been seized, and the warrant is issued and executed, police have several ways to access your personal electronic devices, even remotely. As an additional note, while police do require a warrant to search the contents of your phone or computer, they can have access to a limited amount of data through means of a subpoena. A subpoena in this instance is simply a request for the production of information or documents, and they usually occur during the proceedings of an ongoing trial. In that instance, the information pulled from your phone or computer will probably be limited to something like an IP address (a simple series of numbers that identifies a device on a network).

2.  The Police Have My Phone– How Will They Access My Information?

In the instance where law enforcement has your phone, instead of simply perusing your browsing history as you might expect they would, police will likely extract information off your phone using mobile forensics software called Cellebrite, named for the Israeli-based company of the same name (other mobile data software exists as well; Cellebrite happens to be the most popular and accessible to law enforcement. Similar software exists for extracting browsing history and data from computers as well). Using Cellebrite to extract data happens in essentially two tiers, a ‘logical extraction’ and a ‘physical extraction’; the former requires the phone to already be unlocked and is quicker and easier, but is ultimately a more limited type of extraction than the latter. In a logical extraction, police might uncover things such as media files (it cannot always access deleted media files. A logical extraction may sometimes only show that deleted files had existed at some point), crash and diagnostic logs, and shared application data. A physical extraction– the latter– is a longer, more complex and involved process but can work through locked devices, albeit not always with one-hundred percent accuracy. Still, the information gained from a physical extraction can lead to law enforcement finding much more sensitive and incriminating evidence, which might include data from call and text logs, social media passwords, contact lists, and any saved photos or videos. If police have seized your phone and are waiting on a search warrant to legally look through your phone, they are probably hoping to perform a physical extraction on your device, whereas a logical extraction can be more quickly done in a spur-of-the-moment search, especially in instances where you have consented to the search, and have even unlocked your phone for the officer. If your phone has been seized to undergo a physical extraction, it’s difficult to say how long that process will take.
Depending on what kind of protections you have in place, and the level of encryption that has been implemented on your phone, it could take investigators days, weeks, or even months. The technology is sophisticated and thorough, but still imperfect as it continuously develops and adapts to match new levels of security and encryption. When police are using the Cellebrite software to extract data in a physical extraction, this happens in two stages. The first stage happens through what is called a UFED (Universal Forensics Extraction Device), which simply extracts the data and backs it up on a Windows computer. The second part of the process goes through what is called a physical analyzer. In this stage, the information is organized and neatly presented in a report. At the end of the second step, police will have a full picture of all your data, categorized, indexed, and searchable through the Cellebrite software. To do this, law enforcement must have physical access to your phone; this cannot be done remotely. While there are ways for law enforcement to remotely access your information– this will be touched on a bit later– there is little means for police to extract such an intimate and detailed report on your device without having said device physically present.

When extracting data, law enforcement will try to preserve the extracted data to be as close to the original state as possible. Maintaining the integrity of that data is important for police and prosecutors to make sure it is admissible as evidence. Much like the way physical evidence collected at a crime scene cannot be altered, the same must be true for phone data, for it to be of any use to law enforcement. Any evidence of corrupted data can be construed as inadmissible evidence. For this reason, police will use a specialized computer hard disc called a ‘write blocker,’ which is a device that allows law enforcement to search data on your phone without leaving any evidence that it was ever searched. A ‘write blocker’ is designed to make the process as unobtrusive to the data as possible.
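The integrity requirement described above is commonly demonstrated with cryptographic hashes, a detail this article does not go into. The following is an added example, not part of the original article and not code from Cellebrite or any forensic vendor: it records SHA-256 digests of an acquired image and later re-checks a working copy against them. The function names, chunk size and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io
from itertools import zip_longest


def build_manifest(stream, chunk_size=1024):
    """Hash an image stream once, recording whole-image and per-chunk SHA-256."""
    whole, chunks, size = hashlib.sha256(), [], 0
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        whole.update(block)
        chunks.append(hashlib.sha256(block).hexdigest())
        size += len(block)
    return {"chunk_size": chunk_size, "size": size,
            "image_sha256": whole.hexdigest(), "chunks": chunks}


def verify_copy(stream, manifest):
    """Re-hash a working copy; return (intact, indexes of chunks that differ)."""
    current = build_manifest(stream, manifest["chunk_size"])
    # zip_longest pads the shorter list with None, so a truncated or
    # extended copy reports its missing or extra chunks as damaged too.
    damaged = [i for i, (then, now) in
               enumerate(zip_longest(manifest["chunks"], current["chunks"]))
               if then != now]
    intact = (current["size"] == manifest["size"] and
              hmac.compare_digest(current["image_sha256"],
                                  manifest["image_sha256"]))
    return intact, damaged


# Constructed sample bytes standing in for an extracted image (not real evidence).
SAMPLE_IMAGE = bytes((i * 7 + i // 256) % 256 for i in range(4096))
MANIFEST = build_manifest(io.BytesIO(SAMPLE_IMAGE))


def demo():
    """Check an untouched copy, a copy with one flipped bit, and a short copy."""
    altered = bytearray(SAMPLE_IMAGE)
    altered[2500] ^= 0x01            # single-bit change inside chunk 2
    truncated = SAMPLE_IMAGE[:3000]  # copy that lost its tail
    return {
        "untouched": verify_copy(io.BytesIO(SAMPLE_IMAGE), MANIFEST),
        "altered": verify_copy(io.BytesIO(bytes(altered)), MANIFEST),
        "truncated": verify_copy(io.BytesIO(truncated), MANIFEST),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The per-chunk digests are what let a reviewer say where a copy diverges from the acquisition record, not only that it does.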

3.  Can Police Access My Phone Remotely?

On the face of it, it seems that law enforcement routinely access your phone and personal information with relative ease and impunity. You might often hear the joke “the FBI are always listening,” but how accurate is that adage? So far in this article, we’ve covered police searches on your phone by way of warrant, or consent by the suspect, and when police have physical access to your device. Even if you feel as though you don’t have anything to hide, the question of privacy and law enforcement merits plenty of discussion, as law enforcement have several means of remotely monitoring your phone. Wiretapping is a powerful tool in the hands of police, but there are some limits to how and when they do it. As in most cases, wiretapping must be conducted per the defined parameters of a wiretap order, which is different from a search warrant but functions in much the same way and is obtained through similar procedures. The basis of all legally sanctioned searches is the evident existence of ‘probable cause’ that someone is committing, has committed, or is about to commit a serious crime. In the instance of a wiretap order, these crimes include either drug trafficking, kidnapping, murder or the solicitation to commit murder, terrorism, or conspiring to commit any of the aforementioned acts. To legally sanction a wiretap, the judge must determine that 1) there is probable cause that the wiretap will actually lead law enforcement to overhear information on the particular crime, 2) the place where the wire belongs is being used or will be used to commit the crime, and 3) normal investigative procedures that don’t rely on a wiretap have failed or will likely fail.
Not only must law enforcement meet these requirements to obtain the order for a wiretap, but those orders allowing such actions do not stay valid long: the maximum amount of time that a wiretapping order can be in effect is ten days from the issuing of said order, or thirty days from the first day the communication was intercepted– whichever comes first. While the prerequisites involved for the police to monitor your phone conversations are relatively stringent, they do not need a wiretap order to monitor your phone in other ways. In other words, there are methods police use to monitor your phone that do not require a wiretap order, and therefore do not require probable cause. The following police monitoring techniques can be executed by the sanctioning of a simple court order:

3a.  “Tap and traces,” also known as “pen registers” record outgoing calls and the length of those calls from the phone being monitored. They do not record the conversations themselves, and therefore are not subject to the prerequisites outlined by a wiretap search. However, police might find it useful to have an account of who the suspect is contacting, when, and for how long.

3b.  Police can access opened and unopened email messages that are 180 days or older by way of subpoena. To do so, they must inform you that they have requested access from your email provider. To gain access to unopened emails from the past 180 days, they must get a search warrant.

3c.  As outlined by a court order, and once proven to be relevant to an already ongoing investigation, police can gain real-time access to your IP address. 

3d.  Many of you reading are probably most curious about how and when police can access your text messages, and many of us who are rightfully cautious look to popular messaging encryption apps like Signal for added privacy protection. Text messages are treated by the law almost identically to emails: to paraphrase, police are free to search messages 180 days or older without a formal search warrant; however, messages received and sent as recently as six months ago will require a judge’s signature. Police also use software like ‘Decipher TextMessage’ to recover deleted texts to further gather evidence.

4.  How Do I Know if Police are Monitoring My Phone?

If you are being questioned by an officer in a Terry stop, or even if you have been arrested, remember your rights: you do have to give consent for police to search your phone. At most, in the instance of a lawful arrest, police can seize your phone and hold it until the pertinent search warrant is secured. Even if they use a ‘write blocker’ to prevent evidence that the phone has been searched, this is typically done to maintain the integrity of the files, not to hide the fact that they have gone through the device. If the police have secured a wiretap order, they are required to inform you, except in rare instances. Even if the petition for a wiretap order is declined by a judge, law enforcement are still required to tell you that they took such action. The notice of a wiretap must include the grant of the order requiring a wiretap, the duration of the wiretap, and what conversations, if any, were monitored. If you know or suspect that your phone is being tapped, there are several signs to look and listen for, although none of these signs, on their own, automatically mean that you are being tapped. During your phone conversations, listen for odd background noises– a high-pitched hum or buzz, the sound of whirring static, or something similar. Although these examples can more often be the case of simply owning an old phone, a frequently hot or overheating battery or a phone’s refusal to charge, paired with the aforementioned sounds, could also indicate the possibility of being monitored. If you find your phone shutting down or lighting up at unusual moments, that could also be an indicator. Remember which apps are stored on your phone, and track any apps that you don’t remember downloading. Monitor any apps that have randomly been downloaded to your phone, as this could be another sign that someone is tracking your phone remotely.

5.  What are My Options if Police Have Collected My Data or Tapped My Phone?

As with any piece of evidence, there are means to ascertain whether law enforcement has acquired any phone or computer data through legitimate means, and if not, such evidence can be construed as inadmissible. Unfortunately, phone data that can be acquired through a simple subpoena or court order is far more difficult to suppress. If it is found that there is a certain lack of clarity in how the evidence was acquired, or if there are any discrepancies in the investigation, your lawyer could file a ‘motion to suppress evidence’ under Penal Code 1538.5. You can, for instance, challenge wiretap evidence on the grounds that the court order was found invalid. For example, acquiring a wiretap order on the basis that normal investigative methods would have proved insufficient is one of the harder requirements for law enforcement to prove when petitioning for a wiretap order. Nevertheless, your lawyer will know the best options in these types of situations. Always remember that a formal wiretap order must identify the alleged or possible crime in question as a serious felony.

While there are certain safeguards to protect the average citizen from having law enforcement collect data from their phone or computer with total impunity, the act of extracting information from one’s personal device, even through legal means, brings up a considerable amount of gray area within the law. There are many who argue that even when police are looking through your phone for evidence, given the intimate details of our lives that we pour into our phones, it’s hard to know where to draw the line as to how much privacy we still maintain the right to. This is especially true in cases where police are searching for basic information, without the need for a full search warrant or wiretap. Does a simple misdemeanor, for instance, merit the forfeiture of privacy to an IP address, or phone logs– things which can be obtained by police without the full use of a wiretap or search warrant?