by Rob Adams ACE, CDIA+
Data commonly found on Smartphones
With additional functionality being added almost daily, smartphones are a rapidly changing environment which presents several challenges to a forensic investigator.
Unlike the windows world where major OS (Operating System) changes are rare smartphones receive frequent major OS updates. Windows XP was sold on new computers from 2001 thru the end of 2009 and is still in widespread use in both the home and business markets. As you can see from the table below, the iPhone IOS (iPhone Operating System) has had major releases annually. Major releases for one Smartphone OS or another are happening nearly every quarter.
iPhone IOS Version History
|Number of Updates
|8 Updates between June 2007 and July 2008
|Second Major Release
|6 Updates between July 2008 and January 2009
|Third Major Release
|5 Updates between June 2009 and February 2010
|Fourth Major Release
|6 Updates between June 2010 and November 2010
In the windows forensic world, you can connect to most hard drives with a small number of adapters based on the type of hard drive – 3.5″ IDE, 2.5″ IDE, SATA, SCSI. On smartphones you may have to have a special data and/or power cord for each one as well as the drivers for the particular device. I have over 200 power and data cord combinations in my tool kit. Some devices only allow you to access logical information and may block access to the system databases and unallocated space.
Frequent Hardware changes
Another challenge is the speed at which mobile devices are replaced. Most people get a new phone every two years when their plan renews and some people get new phones annually. In addition, cell phones are replaced because of loss or damage at a much higher rate than computers.
Smartphones add another consideration with regards to the seizure of any given device. It may be necessary to keep a seized device powered up until the analysis is complete in order to prevent loss of important data that may be changed or overwritten when the power shuts off or the device is rebooted. You may also need to keep the device in a faraday bag, (a bag made out of material that blocks cell phone signals) to prevent any deleted evidence from being overwritten on the device.
Other places to look for corroborating data
You may also be able to find relevant data on computers used to sync the devices. Most sync programs create a full or partial back up of the device when updating the OS. These backups can come in handy when items have been deleted and/or overwritten on the device itself.
The most frequent questions I receive from attorneys about retrieving deleted data from smartphones are based around what data may be available from the Carrier or servers and how hard is it to get it.
Email messages are usually passed to the device via a server outside of the Carrier’s control, for example Mobileme, Gmail, Yahoo, or a corporate server.
SMS and MMS text messages are delivered through the carrier’s network, but most networks do not keep records of the contents. They do keep billing, and call records. The call records will contain the date and time of the incoming and outgoing message as well as the other parties phone number.
All of these service providers have a process for obtaining this information. Some require written authorization from the account holder and others require a subpoena, but all of them will have a process you must follow to obtain the relevant data. The best place to start is usually with their legal or security department. Below is the contact information for AT&T Wireless. Other ISP and Wireless Carriers’ subpoena contact may be found at http://www.search.org/programs/hightech/isp/
AT&T Wireless Subpoena Contact Info
AT&T Wireless Subpoena Compliance
Address to: AT&T – Custodian of Records
P.O. Box 24679
West Palm Beach, FL 33416-4679
Phone Number 800-635-6840
Tips for Investigators
· As with any forensic investigation – start with and maintain a strict chain of custody.
· Know the limitations of your forensic software – some software packages work well with one type of phone and not others. For example, with the advent of IOS 4.x for the iPhone, most tools cannot create a physical image without jailbreaking the device.
· Know where to go for research on various phone types and their potential forensic yield. The forums on www.forensicfocus.com are a great place to start.
· Tool Kits – a subscription based kit is a good idea as they will generally keep you current with frequent cord and driver updates, as well as providing you access to technical support. Paraben’s Device Seizure and AccessData’s Mobile Phone Examiner both offer subscription based kits.
Rob is a Computer Forensics professional with 16 years of experience in the IT field. SALIX is a leading Litigation Support and Records Management company headquartered in Cincinnati, OH.