By Lee Lerussi
As digital devices evolve, so does the landscape of criminal investigations. Smartphones, now integral to our daily communications, carry vast troves of data that can prove crucial in solving crimes.
The adoption of technologies such as multiple SIM cards and embedded SIMs (eSIMs) adds layers of complexity to forensic investigations. These devices can store not only personal and professional information but may also retain data related to various network identities, offering both opportunities and challenges in forensic analysis. Additionally, SIMs and eSIMs are readily available from a wide range of sources. These range from sellers and resellers and may even be purchased at your local big box store, as well as being ordered online from reputable companies and not so reputable sellers on the dark web.
In the case of eSIMs they can be purchased on the internet and downloaded directly to the smart phone. The latter example provides customers the ability to purchase identities from other countries, limited only by which carriers have agreements with the global providers. This complexity requires advanced capabilities in digital forensics and strict adherence to evolving legal standards to ensure the evidence is admissible in court.
The growing role of digital evidence
In the last decade, the ubiquity of digital devices has reshaped the approach to gathering evidence. As of 2021, there are approximately 6.4 billion smartphone subscriptions globally, a number expected to grow with advancing technology. In the United States alone, smartphone penetration has reached 85%, a significant increase from 35% in 2011, according to Pew Research Center.
Alongside smartphones, other digital devices such as tablets, laptops, smartwatches and IoT devices increasingly play roles in criminal activities, serving as sources of evidence that can provide insights into the behaviors and networks of suspects. The FBI’s Internet Crime Complaint Center reported in 2020 that cybercrimes, facilitated by these digital devices, led to losses exceeding $4.2 billion, underscoring the critical need for competent digital forensic investigations.
Understanding SIM and eSIM technologies
A Subscriber Identity Module (SIM) card is a small chip that stores network information essential for connecting your phone to your carrier. It holds your identity in the form of an International Mobile Subscriber Identity (IMSI) number and can store limited data such as contact lists and text messages. An embedded SIM (eSIM) is a newer technology that performs the same functions but is built directly into the phone’s hardware, making it easier to switch carriers or manage multiple accounts without needing physical SIM cards.
Both SIMs and eSIMs are pivotal in investigations as they can provide investigators with crucial data about the phone’s user, their contacts and their movements. Understanding how these technologies store and manage data is essential for accurately extracting and attributing information during forensic examinations.
Navigating the technical maze of multiple SIMs and eSIMs
Devices capable of supporting multiple SIM cards and eSIMs complicate digital forensic investigations significantly. Each SIM may represent a different network or user identity, challenging forensic experts to not only extract but also separate and attribute data accurately to specific profiles. This process is vital for piecing together a suspect’s activities and state of mind, which are crucial for legal proceedings. The resulting increase in data volume demands sophisticated tools and methods to manage and analyze information efficiently, ensuring that investigations are thorough and legally sound.
Real-world scenario: A forensic fable
Imagine a device equipped with a personal SIM, a corporate eSIM and another eSIM for international use. This setup could enable a range of legitimate and illicit activities, from corporate communications to coordinating international criminal activities. It also opens avenues for misuses such as anonymous hate speech or the spread of extremist propaganda through various encrypted messaging platforms. These platforms provide secure communication channels that can be difficult to monitor, making it challenging to link online activities to real-world identities.
Forensic experts face the task of using advanced digital tools to differentiate data linked to each SIM and eSIM. Collaborating with international law enforcement and telecom providers, they work to trace communications back to their origins, uncover identities and understand the context of these interactions within criminal investigations.
Recent court case challenges
The legal framework for digital forensics is continually evolving. One notable case from 2022, which addressed the complexity of searches involving devices with multiple SIMs, is United States v. Thompson. This case underscored the need for law enforcement to obtain warrants that are specifically tailored to the scope of the investigation, emphasizing the necessity of particularity and specificity in warrants for cell phone searches. This decision built on the principles established by Carpenter v. United States (2018), where the Supreme Court ruled that accessing historical cellphone location records without a warrant violates the Fourth Amendment.
Further illustrating the need for specificity in digital searches, State v. Andrews (2020) and Jones v. United States (2021) reinforced that warrants must clearly describe the electronic devices and the data to be searched and seized. These cases highlight that overly broad or vague warrants are unacceptable, as they can lead to extensive searches that infringe on privacy rights beyond the scope of the investigation.
It has become even more crucial to adhere to proper legal processes to protect your investigation. The presence of multiple SIMs may require additional subpoenas to identify subscriber information to each SIM. This may include legal process to multiple carriers in different jurisdictions and may even include partner nations. The same process may be required to extend a search warrant that identifies each SIM to avoid a fourth amendment challenge for being overly broad or intrusive.
These challenges are further complicated by the fact that the number of physical and or eSIMs may not be known at the time the device is seized. The presence of multiple SIMs may be known from a properly worded subpoena to the carrier should they have been served early in the investigation. In this scenario the information should be noted in any search warrant application. And while the SIM tray may be opened prior to issuing a search warrant to identify the carrier(s) and the SIM number, known as the Integrated Circuit Card Identifier (ICCID) for inclusion in a search warrant declaration of facts the investigator or examiner should discuss this procedure with their legal representative. There has been debate that this act may in fact be considered a search and be prohibited without a search warrant as it requires the device to be opened for inspection.
The ICCID can also be found in the device’s settings. Once again, this requires manipulation of the phone. Should you be fortunate enough for the device to be unlocked that is. However, care should be taken as it may be prohibited considering United States v Morton (2021), which highlighted the necessity of probable cause for each category of information on a cell phone and not just the device in its entirety. Additionally, and on point in the instances described here there is another landmark Supreme Court case Riley v California (2014) that held in a unanimous decision (9-0) that a warrantless search and seizure of digital contents of a cell phone during an arrest violates the Fourth Amendment. The inspection of the device’s settings prior to issuing a search warrant may jeopardize the inclusion of device’s contents as evidence.
And if all that were not enough, the presence of an eSIM is typically not known until the initial forensic examination. Whenever the examiner encounters the presence of an unknown eSIM they should be encouraged to take steps to limit review of captured data attributed to the newly discovered eSIM. Consider that the best course of action in this instance may be seeking to amend the search warrant. It is notable that this would also necessitate developing sufficient probable cause to for the new or amended search warrant and linking the eSIM to the crime under investigation.
Recommendations
Now, roll up our sleeves and dive into action! For all the detectives and digital forensic experts out there, it is time to sharpen your skills. Keep pushing for regular workshops and training to keep up with the latest tech and legal updates. Collaboration is key — reach out and strengthen those bonds with local, state and international partners alike to streamline your efforts in tackling crimes that cross jurisdictional borders.
For the bosses and decision-makers in law enforcement agencies, it is crucial to stay engaged in legislative dialogue. Advocate for clear and updated legal standards that match the pace of technological advancements. This will help clear up any ambiguities and make your team’s job easier and the public safer.
And to the managers of digital forensic labs, make sure your team is equipped with state-of-the-art tech. Continue to advocate for respectable budgets for equipment, workforce, and training. Establish robust procedures for handling complex cases, especially those involving multiple SIMs and eSIMs. This initiative-taking approach will not only streamline your operations but also ensure your findings are held in court.
Together, by embracing these changes and adapting to innovative technologies, we can enhance our capabilities to fight crime more effectively and ensure that justice is served in our digital world.
References
1. Pew Research Center. (2021). Mobile Fact Sheet.
2. Statista. (2021). “Number of smartphone subscriptions worldwide from 2016 to 2021.”
3. FBI’s Internet Crime Complaint Center (IC3). (2020). 2020 Internet Crime Report.
4. United States v. Thompson, 122 S.Ct. 674 (2022).
5. Carpenter v. United States, 138 S.Ct. 2206 (2018).
6. State v. Andrews, 227 A.3d 228 (2020).
7. Jones v. United States, 899 F.3d 135 (2021).
8. Riley v. California, 573 U.S. 373 (2014).
9. United States v. Morton, 17 F.4th 746 (5th Cir. 2021).
About the author
Lee Lerussi is a national security, cyber crimes and anti-terrorism expert with over 25+ years of leadership experience and a total of 38 years in law enforcement. He is the founder and owner of LeeLand Consulting, Inc located in Ohio. He has been working in the U.S. State Department’s Anti-Terrorism Program as a Subject Matter Expert (SME) and Instructor since 2013. Since 2019 Lee has served as an embedded mentor to Antiterrorism and Digital Forensic Units deployed overseas for Constellis, LCC a prime contractor to the US State Department. Lee served 23 years as a Senior Special Agent (retired) of the Ohio Bureau of Criminal Investigation. He frequently served as the Lead Agent, successfully completing several complex, high profile and lengthy investigations using an interdisciplinary team approach. He currently facilitates learning and mentoring in the areas of anti-terrorism, cyber investigations, and computer and mobile device forensics for the United States Department of State – Anti-terrorism Assistance Program. Lee holds a Bachelor of Science in Psychology from Heidelberg University and has numerous certifications and awards in his field.