If a police officer stops you in the course of investigating some matter, can she peruse the contents of your mobile device as she might demand your identification or the contents of the glove compartment of your vehicle? Does a routine traffic stop allow access to your phone's photos, videos, text messages, and contacts?

The gear to grab this data is widely available. Cell phone extraction hardware made by CelleBrite, for instance, can grab a phone's contacts database, its text message log, call history, pictures, videos, ringtones, or even a "complete file system memory dump." The Michigan State Police is a CelleBrite customer, and its routine use is raising questions about the propriety of law enforcement accessing data stored on cell phones.

The American Civil Liberties Union of Michigan worries about how the state police have been using their gadgets, saying that CelleBrite gear can "quickly download data from cell phones without the owner of the cell phone knowing it." They want to know how, when, and where the cops are doing these searches.

After requesting the information using 70 Freedom of Information Act filings, the ACLU was told that the documents in question were voluminous. They would include the department's records, logs, and reports of its actual use of these devices. According to the ACLU's latest letter to the MSP, the police estimated that a Freedom of Information Act data retrieval would cost over half a million dollars.

"In fact, we were told that no part of that set of documents would be provided unless we agreed to pay a $272,340 deposit," the ACLU said in a public complaint letter.

"Law enforcement officers are known, on occasion, to encourage citizens to cooperate if they have nothing to hide," the letter concludes. "No less should be expected of law enforcement, and the Michigan State Police should be willing to assuage concerns that these powerful extraction devices are being used illegally by honoring our requests for cooperation and disclosure."

Let's CelleBrite

The CelleBrite company makes many of these phone forensics devices. CelleBrite's profile boasts that the company "introduced a mobile data extraction solution for mobile forensic investigations" in 2007; since then, its products have been used by the military, police, and intelligence agencies around the globe.

The standard CelleBrite Universal Forensic Extraction Device [UFED] is straightforward. It knows how to extract data like a phonebook, camera pictures, videos, audio, SMS text messages and everything else in fairly short order, and it has a cable pack that can interface with most cell phones.

Once a police officer connects the gadget to a suspect's handset, the handheld displays five options:

Extract Phone Data: the option for taking the information directly from the mobile

Extract SIM/USIM Data: for physical extraction directly from a SIM card

Clone SIM ID: allows the user to copy a SIM card, enabling the officer to analyze the phone without it being able to take incoming calls

Memory dump beta (for password disabling)

Services: software upgrades and administrative tasks

Option one is easy. The officer connects to the phone, clicks number one, and is directed to a menu of hundreds of mobile vendors. She then picks the vendor and model through a series of drop-down displays. Next the operator must tell the device to extract from the phone (as opposed to a SIM card), and whether to access a USB or SD data drive.

Then it's time to pick the content types and extract each form of data.

Of particular utility is the UFED Physical Analyzer component of the device. This software allows the police to use specialized search fields to ferret out string patterns in a suspect's cell phone content. The technique is useful in locating certain kinds of file types. For example, JPEG images start with HEX values FF D8 FF. And regular expression (regex) fields can identify specific SMS numbers or dates.
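The signature and regex search described above, sketched as an added example (not CelleBrite's code and not part of the original article): it scans a raw dump for the JPEG header FF D8 FF and for phone-number and date strings. The end-of-image marker FF D9, the regex patterns, the function names, and the sample dump are assumptions constructed for illustration.

```python
import re

JPEG_SOI = b"\xff\xd8\xff"  # start-of-image signature named in the article
JPEG_EOI = b"\xff\xd9"      # end-of-image marker (assumption: simple baseline JPEG)

# Assumed patterns: North American phone numbers and ISO-style dates.
PHONE_RE = re.compile(
    rb"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)")
DATE_RE = re.compile(rb"(?<!\d)\d{4}-\d{2}-\d{2}(?!\d)")


def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return (offset, length) for every SOI..EOI span found in a raw dump."""
    hits, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            # Header with no terminator in range: truncated file or false hit.
            pos = start + 1
            continue
        hits.append((start, end + len(JPEG_EOI) - start))
        pos = end + len(JPEG_EOI)
    return hits


def find_strings(image: bytes):
    """Return ([(offset, phone)], [(offset, date)]) matched in the dump."""
    phones = [(m.start(), m.group().decode()) for m in PHONE_RE.finditer(image)]
    dates = [(m.start(), m.group().decode()) for m in DATE_RE.finditer(image)]
    return phones, dates


def build_sample_dump() -> bytes:
    """Constructed sample: padding, a tiny fake JPEG, an SMS-like record,
    and a truncated JPEG header that must not be reported."""
    fake_jpeg = JPEG_SOI + b"\xe0" + b"JFIF\x00" + b"\x11" * 16 + JPEG_EOI
    sms = b"SMS from 313-555-0142 at 2011-04-20: call me"
    return (b"\x00" * 32 + fake_jpeg + b"\x00" * 8 + sms
            + b"\x00" * 8 + JPEG_SOI + b"\xe1\x22\x22")


if __name__ == "__main__":
    dump = build_sample_dump()
    print("JPEG spans:", carve_jpegs(dump))
    print("Strings:", find_strings(dump))
```

A signature match alone is only a candidate: the truncated header at the end of the sample is skipped because no end marker follows it.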

Bluetooth, data analysis, and passwords

A physical connection to the phone isn't needed in some cases; much of this work can also be done via Bluetooth:

The UFED searches for visible Bluetooth devices within its proximity, and provides a list of all devices that it finds. Select the appropriate device from this list. Use the ?? keys to move between options. Press ? to continue. The UFED then instructs you to enter "0000" in the phone to complete the pairing between the devices. Once doing this, all data transfer between the UFED and the phone will be performed using Bluetooth.

Field extraction, CelleBrite notes in one brochure, "ensures that a suspect’s phone can be examined before the individual has a chance to destroy or erase data."