Challenges of Smart Phone Forensics

by Rob Adams ACE, CDIA+
SALIX

Mobile devices have become an essential component of our daily lives. These devices keep us connected and act as so much more than the cell phones and portable music players of the 1990s. It is common today for a smartphone to act as a mobile office, a social tool, and an entertainment center all rolled into one. Many households have one or two computers shared by the inhabitants, but almost everyone over 16 has a cell phone and, since the device is tied more closely to the user, so is the data. Today’s smartphones come with storage capacity that is similar to business laptops of just a few years ago. The combination of functionality and storage space makes smartphones a prime target for forensics investigators.

Data commonly found on Smartphones

Email
Text Messaging
Photos
Video
Audio
Web History
Call History
Application Data
eBooks
Maps

With additional functionality being added almost daily, smartphones are a rapidly changing environment which presents several challenges to a forensic investigator.



OS Changes

Unlike the Windows world, where major OS (Operating System) changes are rare, smartphones receive frequent major OS updates. Windows XP was sold on new computers from 2001 through the end of 2009 and is still in widespread use in both the home and business markets. As you can see from the table below, the iPhone IOS (iPhone Operating System) has had major releases annually. Major releases for one smartphone OS or another are happening nearly every quarter.

iPhone IOS Version History

 

Version | Release Date | Number of Updates
1.x Initial Release | June 2007 | 8 Updates between June 2007 and July 2008
2.x Second Major Release | July 2008 | 6 Updates between July 2008 and January 2009
3.x Third Major Release | June 2009 | 5 Updates between June 2009 and February 2010
4.x Fourth Major Release | June 2010 | 6 Updates between June 2010 and November 2010

Proprietary Hardware

In the Windows forensic world, you can connect to most hard drives with a small number of adapters based on the type of hard drive – 3.5″ IDE, 2.5″ IDE, SATA, SCSI. On smartphones you may have to have a special data and/or power cord for each one as well as the drivers for the particular device. I have over 200 power and data cord combinations in my tool kit. Some devices only allow you to access logical information and may block access to the system databases and unallocated space.

Frequent Hardware changes

Another challenge is the speed at which mobile devices are replaced. Most people get a new phone every two years when their plan renews and some people get new phones annually. In addition, cell phones are replaced because of loss or damage at a much higher rate than computers.

Data Volatility

Smartphones add another consideration with regard to the seizure of any given device. It may be necessary to keep a seized device powered up until the analysis is complete in order to prevent loss of important data that may be changed or overwritten when the power shuts off or the device is rebooted. You may also need to keep the device in a Faraday bag (a bag made out of material that blocks cell phone signals) to prevent any deleted evidence from being overwritten on the device.

Other places to look for corroborating data

You may also be able to find relevant data on computers used to sync the devices. Most sync programs create a full or partial backup of the device when updating the OS. These backups can come in handy when items have been deleted and/or overwritten on the device itself.

The most frequent questions I receive from attorneys about retrieving deleted data from smartphones are based around what data may be available from the Carrier or servers and how hard it is to get it.

Email messages are usually passed to the device via a server outside of the Carrier’s control, for example MobileMe, Gmail, Yahoo, or a corporate server.

SMS and MMS text messages are delivered through the carrier’s network, but most networks do not keep records of the contents. They do keep billing and call records. The call records will contain the date and time of the incoming and outgoing message as well as the other party’s phone number.
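The corroboration described above can be sketched in code. The following is an added example, not part of the original article: it compares carrier call records (date, time, direction, other party's number, no content) against the messages still present on a handset and lists the carrier entries that have no counterpart on the device. The CSV layout, field names, sample records and the 30-second tolerance are all constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample data; the column names and layout are assumptions.
CARRIER_CSV = """utc_time,direction,other_party
2010-11-03T14:02:10Z,in,+15135550101
2010-11-03T14:05:44Z,out,(513) 555-0101
2010-11-03T18:30:00Z,in,15135550199
2010-11-04T09:15:27Z,out,513-555-0142
"""
# Messages still on the handset: local time with UTC offset, direction, number.
DEVICE_MESSAGES = [
    ("2010-11-03T10:02:12-04:00", "in", "5135550101"),
    ("2010-11-04T05:15:25-04:00", "out", "+1 513 555 0142"),
]

def normalize(number):
    """Reduce a phone number to its last 10 digits (assumes NANP numbers)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[-10:]

def parse_time(text):
    """Parse ISO 8601 with an offset or trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)

def unmatched_carrier_records(carrier_csv, device_messages,
                              tolerance=timedelta(seconds=30)):
    """Return carrier records with no handset message of the same direction and
    number within the tolerance; each handset message is matched at most once."""
    remaining = [(parse_time(t), d, normalize(n)) for t, d, n in device_messages]
    missing = []
    for row in csv.DictReader(io.StringIO(carrier_csv)):
        when = parse_time(row["utc_time"])
        direction, number = row["direction"], normalize(row["other_party"])
        hit = next((m for m in remaining if m[1] == direction and m[2] == number
                    and abs(m[0] - when) <= tolerance), None)
        if hit:
            remaining.remove(hit)
        else:
            missing.append((when.isoformat(), direction, number))
    return missing

if __name__ == "__main__":
    for record in unmatched_carrier_records(CARRIER_CSV, DEVICE_MESSAGES):
        print("on carrier records, not on handset:", record)
```

An unmatched entry shows only that the handset no longer holds a message the carrier logged; it is a lead for checking sync backups, not proof of deliberate deletion.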

All of these service providers have a process for obtaining this information. Some require written authorization from the account holder and others require a subpoena, but all of them will have a process you must follow to obtain the relevant data. The best place to start is usually with their legal or security department. Below is the contact information for AT&T Wireless. Subpoena contacts for other ISPs and wireless carriers may be found at http://www.search.org/programs/hightech/isp/

AT&T Wireless Subpoena Contact Info

AT&T Wireless Subpoena Compliance
Address to: AT&T – Custodian of Records
P.O. Box 24679
West Palm Beach, FL 33416-4679
Phone Number 800-635-6840
Fax: 888-938-4715

Tips for Investigators

· As with any forensic investigation – start with and maintain a strict chain of custody.

· Know the limitations of your forensic software – some software packages work well with one type of phone and not others. For example, with the advent of IOS 4.x for the iPhone, most tools cannot create a physical image without jailbreaking the device.

· Know where to go for research on various phone types and their potential forensic yield. The forums on www.forensicfocus.com are a great place to start.

· Tool Kits – a subscription-based kit is a good idea, as it will generally keep you current with frequent cord and driver updates, as well as providing you access to technical support. Paraben’s Device Seizure and AccessData’s Mobile Phone Examiner both offer subscription-based kits.

Rob Adams ACE, CDIA+
Web: www.salixdata.com
Email: [email protected]

Rob is a Computer Forensics professional with 16 years of experience in the IT field. SALIX is a leading Litigation Support and Records Management company headquartered in Cincinnati, OH.
