Enhancing Mobile Investigations: A Focus On Screenshots And Screen Recording

Rich Frawley: All right, good day everybody, and welcome to our webinar, Enhancing Mobile Investigations, and we’re going to specifically focus on screenshots and screen recordings today. So with that, I’m just going to give you a couple seconds here to adjust your audio, adjust your layout on your screens there, and we’ll let a couple more people come in as I get started. All right. Again, so it’s Enhancing Mobile Investigations. We’re going to focus on screenshots and screen recordings, and I am your host for today. I am Rich Frawley and I’m the director of training here at ADF Solutions. I’ve been with ADF for about eight years now. Prior to that, 23 years in law enforcement as a forensic examiner and investigator.

I’ve worked with the local Internet Crimes Against Children task force. I worked with the FBI’s Crimes Against Children task force, and worked with a lot of other state and local and federal agencies with all different types of cases. So you could imagine 23 years in law enforcement. I started doing these types of cases back in 1999, 2000s when I got my start doing all this. And with that, very heavy on computers, of course, in the first few years, and then somewhere around 2007, all the phones started coming out, 2006, 2007 and just mobile has taken off since then.

So with that, tell you what we’re going to do here today is a couple more people are coming in, I figure I’ll run through introductions. Did myself, we’re going to do ADF, a little bit of the MDI capabilities as a whole tool, we’re going to focus in on the screenshots, screen recordings today. So we’ll go over to capabilities. We’ll talk about how it’s becoming a logical world and getting the information that you need out of these devices. Some of the current methods that are being used out there, we’ll glance over that and then look at our method and how we’re handling those issues that may be out there. And then we’re going to get right into showing you with our tool, Mobile Device Investigator, screencasting, screen recording, screen captures, showing you how to use it, showing you what it looks like and a couple tips and tricks as we go along through there, give you an idea of what you can get out of these devices and how to get and how to think about what you’re grabbing as you’re going through this.

So let me start with ADF, Advanced Digital Forensic Solutions. We have been around since about 2005, 2006. ADF started out as an image identification tool, focusing on the child exploitation cases, and moving up, we became more… we were still image-focused but we focused a lot more on grabbing artifacts and things you would need in a typical case, so that triage type examination, the investigative type examinations. And we’ve really built on that and definitely, the premier triage tool in computers and now, actually, true triage for mobile and that came around in about 2017, 2018.

Triage, early case assessment on scene, victim witness consent, you name it, we can pull it, we can get it, we can customize it. You don’t have to wait for everything. You can start looking at stuff right away or grabbing exactly what you need or looking for exactly what you need, not worrying about everything, weed out all the noise, say this is what I’m looking for, this is what I need to start my case. This is what I need today. Within 10 minutes, I’m going to grab all this information and I’m going to keep working on my case while that computer goes up for that deeper dive. So if you’re on scene, you’re an investigator and the old way was seize and then wait a couple weeks to get your information, this gets you the information in your hand, allows you to work for those couple weeks, preservation order, search warrants, arrest warrants, whatever comes out of it.



Back to ADF, like I said, we’ve been around, we have a couple of different products, Mobile Device Investigators, what you’re looking at today, our computer tool is Digital Evidence Investigator, Triage-Investigator, Triage-G2. Think DEI is the flagship tool, lets you customize, lets you do everything you want. Triage-Investigator, just as it sounds, it’s made for the investigator to go out and just grab some specific items in there. And T-G2 is more on the intelligence, I have time but I don’t know how much time type of scans. And again, MDI can be added to any of those tools to make them pro.

We’re all over. We’ve been around a long time. We have a lot of customers. So we’re here. If you haven’t heard of us before, we’re here, we’re not going anywhere. We’ve been around a long time. We’re reputable and we have a team that is always putting things into the tools based on customer feedback and based on what we have here. So why are we here? Screenshot, screen recording, screencasting, victim witness, consent type scans. You have the phone, it’s in front of you. It is becoming a logical world when we’re talking about digital evidence. All these developers, the operating systems, computers, phones, mobile devices, whatever you want, they are trying to keep you out of these devices. It’s evident in some still not being able to get into locked devices, and/or get decent physicals out of those. So they’re really trying to make it a logical world and it’s getting more and more that way. When you have that device in front of you, that’s when you’re really going to want to start locking in what you have before that walks away.

Not only is it becoming logical and this is the way to get stuff, but the amount of devices that you are coming across on any given day. I know if I went on a search warrant, if there were five people in the house, you can almost guarantee there were five mobile devices. Then you start getting into the work computer, school computers and everything else. So you can easily be anywhere from, let’s say, three or four devices to 10+. That’s just normal, local, small investigation that you’re working. Probation, you’re going to check, you got one, two, maybe three devices you got to look at. But start thinking border, start thinking custom, start thinking airport, start thinking mass casualty, start thinking thousands of devices coming in that need to be looked at and need… You’re going to see that information there. They’re going to need to be early case assessment, triage, it’s here right now, grab what you can and start to charge.

The time to acquire a device even logical, logical is faster, we can do that as well. We’re not just talking grabbing information off the device right away, but the time to acquire can be quite lengthy and detrimental to what you’re trying to do. A lot of the things we’re coming across now are consent, or you have limitations on what you can obtain from your legal team, from your prosecutors, from your judges. They’re saying, hey, you can go in, but they’ve had this phone and they’ve been backing it up for 10 years. This incident only happened on the weekend. That’s all you’re allowed to get. Very, very difficult to do in this day and age. And there’s limitations on what’s available if you’re working in this manner.

Not all apps will be in a logical acquisition. Hopefully, you know that going into this, that when you make a logical, you’re going to get a lot of information. We’re going to get you as much as we possibly can but there’s things that just aren’t going to be in there. The developers have that ability to say, nope, you’re not going to be part of any kind of backup and you’re going to have to root or jailbreak this device in order to get to it. A lot of the stuff is encrypted end-to-end. There’s new apps that you still may not get even if you do information. They’re not parsed out. Nobody knows, they haven’t been figured out yet, they haven’t been examined or researched. So you got to think about those things too. I can see it and I need it to charge today. It’s in front of me. I want to get this case going. You are going to be able to do that in there. So what are we doing now? What are some of the current methods out there?

Everything is seized and a physical is obtained back at the lab. Logical acquisition and analysis on scene, takes time, you could spend all day at somebody’s house doing logical acquisitions of devices and trying to do an analysis and figure out which goes, which stays. And if that doesn’t work out for you, you’re back up to one, everything gets seized and it comes back to the lab. Detrimental to you and your investigation as well because now it’s got to sit in the lab until it’s gone through. Screenshots, so yes, they’re being used out there. A current method is, hey, you have something, send it to me, or you have something, don’t send it to me, send it to our secure server.

So you have those methods available to you. You have free tools out there to mirror and do your own screenshots, time-consuming. Again, you have to break free that phone from its person. So short of a very limited search warrant, really, if you have the consent, if you can work with these people, you’ll get a lot more information off of that device. And then you have your camera stands, so you have the camera mounted and you go through the phone manually and take pictures of the screen that you need.

Our methods, connect and collect, work with the victims and the witnesses if you have that consent, victim witness, consent type searches are going to be your best way to get what you need to move on with your case. With that, if you connect and collect with screenshots and screen recordings, and I’ll show you quickly when we get into this. We also have previews. So if you’re doing ICAC type cases and you want to see all the images on there, tout de suite right quick, you’ll be able to connect that and do that. You can record your whole session through the tool when you are connected to their phone. Connect to their phone, you hit the record button and everything you do, every screen you go to, everything you collect will be recorded. We can also just record specific parts of your connection. So if you’re going through looking at the phone and taking screenshots, you can then say, okay, I want to play this video… you can play the video and the audio will be included with that video as well, and then you can screenshot any metadata that you may want from it.

Screenshot, anything that can be seen can be collected. You can collect the encrypted chats. They’re open, they’re on the screen, you can see them, you can get settings, you can get videos, you can get images, you can get metadata. You can poke around and see exactly as they see it, and that’s great when it comes to charging or when you have to tell the story to somebody else, everybody understands what their phone looks like. So you show them those screenshots. It’s a lot easier for them to understand than if they were just reading something on a page, like photo vaults, hidden folders, there’s just a ton of different ways to filter what you’re looking at on the phone and get what you want. When you’re working with consent, I like to throw this in here, and then we’re going to get into the demo and start showing you a tool right after this.

So this comes right out of some of the UK recent laws here, but it’s pretty much the same wherever you go. These three things have to be part of your consent. It has to be voluntary. They either have to agree to the examination or not and it has to be made freely. They’re going to have to sign a document, there’s no coercion, no pressure, no influence. It has to be informed. You have to give them the information about what’s going to happen and what their rights are refusing, withdrawing their agreement and what’s been collected and then the capacity. The person has to have the capability to agree to this examination, which means they understand that. So voluntary, informed and have the capacity. You put those three things together with the right forms, right signatures, you’re going to have a really solid way for you to gather this information. And remember, when this information’s gathered and it’s used, it is upon the prosecution to say and prove that it was voluntary, informed and you had the capacity.

So remember that, working with these victims or witnesses goes a long way, and we’ll show you next here with the tool how you can… they can sit right next to you and they can work with you instead of against you. All right, so let me change. That is not the end here. Let me just reshare something else. All right, you should be able to see Digital Evidence Investigator up on your screen. This is Digital Evidence Investigator Pro, which means that does computer and mobile. You have choices pretty simple for people to use, Investigate Device, Review your Scanned Results or Setup your Key Management, and we’re on the computer side, your collection keys or customizing search profiles, when you are doing a logical acquisition and you want to pull specific things out of that case, you can customize, you can run hashes, keywords. Say, I just want to collect pictures, or I just want to run hashes, or I just want to run keywords, or I want to collect everything I possibly can out of it.

You have those options with customization. Investigate Devices, this is, again, simple choices, you want to scan, that’s what I call the all-in-one area, you connect the phone, you choose one of those profiles that you’ve customized or that we give you out of the box to process that. You give it a name. You have the ability to make screenshots and screen recordings. It makes the logical acquisition, the screenshots and screen recordings will be added to that logical acquisition, if you choose to make any. And then it parses it all out. So all-in-one connection to the end analysis. You have acquire, hey, I just want to make the logical acquisition and later, I will go into scan and add that acquisition. So just to show you, you have the ability to add phones, there’s a wizard to help get you through that process, and you have the ability to add phone acquisitions, so ones created by us. But you can also ingest a GrayKey or a UFED image here as well and scan those with our customized profiles.

So if you really have a physical and you want to pull specific items out of it quick, you’ll be able to do that as well. Let me go back to Investigate Devices, acquire, image, that’s on the computer side. Screencasting, this is where we are going to focus today. But just to show you, there’s also preview for those who are going out and have a lot of devices on scene and you’re trying to say, what am I bringing back? What am I not bringing back? I’m just going to show you this really quick, what I have here is a Google Pixel, where I’m saving the information to and the preview name, we hit proceed. I have the pixel sitting right next to me here.

So what it does is it makes the connection and it starts looking at the device right away. We’re starting to get some artifacts. Androids will give you artifacts upfront. iOS is more heavy on the multimedia. Here, it’s telling me it’s already collected about 200 files. However, if I go into my picture gallery, it’s already identified up in the upper right-hand corner, 2,947 images on here, making the thumbnails, pulling the properties, pulling the metadata, and all the most recent images are up on top. So you can see right away within seconds, I am seeing what’s on this phone without having to thumb my way through it to start seeing everything that I may be able to make decisions. Now, if these pictures of the dogs were what I was looking for, theft case, they’re contraband, whatever you want to apply to these pictures, they’re drugs.

You can see I have it. I can stop my preview. I can go right into acquisition mode or just seize the phone here. Anything I’ve collected up to this point is saved and I can report on that as well. So that’s preview. We’re going to get into screencasting here. I have two phones to show you here today. I have that pixel that I was just showing you and I have an iPhone, a 14 Pro Max with iOS 17 on it. So latest and greatest. So screencasting, when we come into the screencasting area, you have a phone, like I said, I have two of them next to me, you have a victim, you have a witness, you have consent, you’re on a search warrant and you have the ability to go through it. These are the options that are going to be here for you.

You can see I already have these connected, but there is a wizard that helps walk you through the process no matter what screen you go into when you first connect the phone, you should come through the wizard process. You would connect what type of device it is. Airplane mode, that’s your choice, right? It’s not required in order to get the connection to the phone, but that’s up to your policy procedure and what you’re trying to get off of this device, if you’re working with a victim or a witness and what they have is in the cloud, you may have to leave that airplane mode on. So again, decisions get made here. You hit next and then it says, okay, connect the device and it walks through everything that needs to be done in order to get that phone connected. And if something needs to be done, it will tell you that you hit… you would hit next and it shows up here in your source.

Then hit proceed. And you can see I have the Google Pixel connected and it automatically starts mirroring what is on that device. So think victim, think witness, reluctant. Listen, I have this stuff on the phone but you’re not going in the other room with it. You’re not taking five hours to make an acquisition. I’m more than willing to give you what’s on this device. Just you’re not taking everything. Understandable when somebody’s sitting there holding 10 years of their life in their hands. Whenever I’m out doing these live, I always ask who’s going to put up their phone for me to show everybody in the class to demonstrate, and the only phones that ever get volunteered is somebody’s work phone. But you just got to think all the stuff that’s on there. I know, personally, with my phone, I’ve been 13 years as an iOS user.

So you can actually, with consent, get to some information that goes back that far on my device. So you can see here I’m using the phone, it’s sitting right next to me here. I know with my background, it’s tough to see here, but I have the pixel sitting next to me. If this is victim, witness consent, they can be sitting right next to me. The phone is sitting on the table and it’s being mirrored up on my device here, up on my laptop. So I’m using a Dell XPS 13 with 16 gigs of RAM today to show this. It’s more than enough to do anything I need to do even with doing a live presentation. So you can see everything that’s on the phone, on the left to the right is where anything I save is going to be. Up on top, I can group them.

So if I’m going to be grabbing from different apps or from different areas of the phone, I could put them into groups and down the bottom are my controls on what I want to do with the devices. So default group up here, I’m going to just change that to home screens. So I’m going to capture what’s on here. I’m working with my victim, hey, you mind? I just want to take screenshots to show what’s on your device here, what you had access to. I’m just going to hit the camera button and there you can see, it saved the screenshot of what’s on there. I’m going to scroll over. I’m going to take this. So victim sitting next to you, they can even control the phone if that’s what it takes for you to work together, or you can do it. The other thing is if you have a touch screen, you can also control the phone from the touch screen on the device or with my mouse.

So I’m dragging with my mouse here on the screen and I’m able to control the phone as well. So I could bring up the app Library and get a good idea now of everything that’s on that device. If I wanted to, I can go into settings. So I have all the settings in here. If I wanted to get anything specific, I can go to the about phone and take screenshots of that information as well. Like I said, if you could bring it up on the screen, start thinking about the story you need to tell, what do I need? What would I want out of… if I did the acquisition, what would I want?

What is the victim or witness willing to give up and will… as you’re going through, informed, capacity, all this information, voluntary, they’re getting to see exactly what you’re taking here as well. I’m just going to close back out of the settings. Let’s say, the problem… not the problem, but the issue or what I need to collect is Kik. So I’m just going to change my groups here to Kik and I can see Kik’s on here. I already have Kik in the app Library and I show it on the homepages. So I’m going to open up Kik here.

All right, this comes up. I’m going to go into the chat areas. I can see I have one chat. I’m going to take a screenshot of that chat. So now I’m in just Kik group and those other screenshots, they’re saved. I can hit all and bring them all back, but now I’m just looking at what I’m saving here. Taking that, this may be my suspect, I can open up that chat. There’s the name up on top, if I go to the name… Sorry, let me click on that name. I now have their information, their Kik information, so if I needed to do any legal process, I now have that documented.

So simple. I’m not just going in and saying these chats are important. I’m going in and saying, listen, the phone’s important, about the phone is important. This person’s information is important for me to continue my case. Now let me go back and get the chats. So I’m at the bottom of the chat here and you can see with Android, this is Android feature. We have scroll buttons. So from the bottom of the chat, if I’m allowed to get everything, I can hit the scroll up button.

Mouse is a little finicky here. So you could take these one at a time. You can scroll. So it’ll scroll through and get all the pages all the way down to the bottom. If I wanted to open up a specific picture, we can do that as well, get any of the information that’s associated with it. If I hold my finger down in there, I can get the exact date and time that, that picture was sent, if that’s the one that I’m looking for. So a lot you can do, whatever you could bring up on the screen, you can screenshot or screen record. You’ve got a nice date and time here, when these are processed and they’re in your report, you’re going to have date and time, it was taken, device, it was taken from. You’re going to have a hash value of that digital fingerprint of that screenshot to show to go towards your chain of custody there. It’s going right from the phone into your case.

If I had a video that I was interested in, I’m just going to switch my name here to video. Go into my gallery here. I’ve got a couple of little videos here. We have a record button down the bottom, so I can start recording. You can see that it’s on and running. I can open the video that I want to play and let that play. Now I don’t know if you can hear it, I don’t know if I have it set up in here, but there is some audio associated with it. I can also grab that audio as well. You can see whatever I’m bringing up on the screen is being recorded.

Stop that and now you can see I have the video. If I click on it, on the right-hand side, it brings it back in for me to see so I can watch this. I’m going to hit the play button over here and you’ll be able to see that, that plays. It also has the audio associated with it. So no longer is it just a screenshot or a screen recording. It is as if you downloaded the actual video itself. So if the audio is important, you’ll be able to pull that off as well. So you can see here, I did my video, I did my Kik. I could bring everything back up in here to view, this hasn’t been processed yet. This is just the collection portion of it. I could zoom in if I wanted to see something specifically that were on the screens.

When you’re done, you have two choices, you can now take everything that I’ve collected and acquire it as a logical acquisition. So all these screenshots and screen recordings would be added to my logical acquisition. Think about it, I’m collecting things that may not be in a logical acquisition, my WhatsApp, my Kik, my Telegram, any of these other chats that are end-to-end encrypted and I’d have to wait for a physical to get, or even if I do a logical, they’re not going to be available to me. So this puts that into that logical acquisition. You can have everything together at once. If you’re working with victim, witness consent and they say, no, I don’t want to give you a logical, you just get to gather what you… keep what you gathered, then I just hit finish and you can see it completed an acquisition. So it saves it as an acquisition.

The only thing you need to do from that point forward, just like with any tool, is you go to adding your phone back up or your acquisition, you would point it towards that acquisition. I believe I saved that here on the desktop. So I select that folder and there, Android, Google Pixel loaded up at the bottom. We have a search profile. You can see I customize a lot. I actually do this for users out there. So if you have the tool and you say, hey, I need help with creating a search profile to do A, B and C, we’ll create it for you and send it to you. But easy, mobile devices, screenshots, you select that profile, you give it a name, you hit scan and it processes those screenshots for you. So everything I just collected there is coming through. You can see them being brought in 11, 12.

What it’s doing is it’s putting it into the case format. It’s also running OCR, optical character recognition, against it and pulling out all the textual content. So everything I just took is searchable now. So if you take a thousand screenshots of something, you’ve got somebody who’s got Kik chat for months and you let it scroll and it collected everything, you’ll be able to go through and say, hey, show me the one that says this on it, show me the one that says that on it. And it’s that quick. So now you can see here I have my home screens, I have my Kik chats and I have my video, play here.

Here’s my settings, one, we’re just going to go on that. There’s the preview of it and then the textual content that was pulled out of that, that is searchable. And the properties, date and time that I took the screenshot, the device that it came from and the integrity hash of that as well. If I come back to the summary screen, I have the date and time that I did everything. I have more information on that target device. Here’s serial number and stuff. Operating system, phone, so you have that all going towards your chain of custody that you need rather than somebody sending you screenshots, or you are seeing it on device, you are bringing it right in. So helps you out that way. All the features, tag, sort, filter, comment, anything you need to do there, you can do.

Let me just come in here for a second. This is another one that I did. Same thing I showed you, I just wanted to come in and show you the screenshots here. I haven’t looked in here, but I know there’s a screenshot here where it’s John, that’s my smoking gun. I need to find that. I type in John and I find two results in it. The first one is the user, John McCready, Google Search. And then the second one is that screenshot that I took. So there’s the textual content, John, if I go to the preview, you can see, “Hey, John, what’s up? It’s Lex. Thanks for the dog pics.” And that’s my smoking gun, dogs in this case were contraband and you’ve got the trading, you’ve got whatever you need here is all in this one nice tight screenshot that I can now bookmark as well.

So with that, you can also see that Chrome history, I went in there and I was going through… saved all their history. I’m able to sort through that and see what they were doing. Chats, documents, feeds, social media feeds, if they’re in their phone and they say, hey, in the last couple days, check out my feed, you can screenshot through all that and save that as well. So if you could bring it up on the screen, you can do it page by page or you can scroll. So that was Android. Let me show you iOS. I know people have some issues with iOS, specifically with iOS 16 and the newer hardware, iPhone 14 Pro Max. So that used to be the latest and greatest up until the beginning of this month.

But this one has been upgraded to iOS 17 as well. So I have newer hardware, newer operating system. You can see it’s shown there in the source. It automatically comes up. That’s the acquisition name. It’s the device. You can change this, you can add to it and then where you’re going to save it. I’m going to hit proceed. So iOS is a little different. Remember, it’s a logical world. They don’t want you in their devices whatsoever. So where the problem comes is when you have to take screenshots, Apple threw that new Developer Mode on and it’s not just put on that phone where it’s a tick switch. You have to take the password off the device if it’s password protected, the phone has to be rebooted into Developer Mode. When you take the password, if you’re going to remove a password, it requires the Apple ID.

When you remove a password, it also empties the wallet. So victim, witness consent, they’re like, I don’t really want to go that far, so it becomes a big stumbling block. So you can do this, if it’s in Developer Mode, you can hit screenshots and just take screenshots of whatever’s on the device, you hit the screenshot button and you will save it, just like I showed you with the Android, but it won’t mirror. You’ll just be screenshotting and saving. If you want to mirror, you don’t have to worry about Developer Mode. So we go into screen recording and screenshots. And in order to do this, you need to either connect that device to the local wifi that you’re on. You can install a tool on your MDI laptop. That’s a private wifi network, so it’s not going out to the world, but you can connect the phone through that. There’s free programs for that, or you can tether the phone. This one open.

So you can go in and turn on your personal hotspot on that device, have it connected to your laptop that you’re using or your tablet. This can be installed on a tablet as well. Once you have that connection, you would go to your control panel and start using the screen mirroring and it shows you here, these are all the instructions on what you need to do. And this is going to mirror here in a second. There you go, you can see it. I connected it to the computer. The computer was ADF, it’s named MONGO, and it’s now mirroring what’s on this device. So this is the control panel that we brought up and there’s the mirroring button in order to make that connection. So now that I have the connection, you can see my screenshots work. No Developer Mode, no removing the password, nothing coming out of the wallet.

And the person I’m working with on the victim, witness consent side is happy that we didn’t have to go through all that and now happy victim, witness, happy I can start getting what I need out of this device. Again, if you need the settings on iOS, pretty simple, you come in, you start taking your screenshots. There’s the hotspot. I’m connected through my local wifi here at home, but you would come in here and turn on your personal hotspot and you’d make that connection. You can go to general about phone and start getting all the information there as well.

Screenshot away, a couple of differences from your Android to iOS. There’s no scroll feature. That’s a limitation on the iOS side. They don’t allow it, so we can’t get that done. And no touch screen. You have to manually use the phone here. So you can’t control the phone from the device or with your mouse when mirroring. You have to do it on the device itself. So when I was doing the Android, it was, you bring up the Library and all the apps are in the Library are very nice and you can scroll through and get everything.

iOS is a little harder because you have all these folders and you can have folders and folders and pages and pages and depending on how savvy this person is with their phone or how many times they actually keep it clean, may be difficult to go through and do that. So with iOS, if you keep swiping left, it brings you here to the folders and if you tap in that top box for app Library, you now have your Library in alphabetical order. And the nice thing about this as well, with phones, you can hide things… Get to that in a second. You can hide apps from the home screen, or you could just download them… instead of having it on the home screen or in one of those folders or windows, whatever you want to call them, you can have your apps just download to the Library.

That way, it’s not seen on the homepages. So if you come in here and bring this up and turn on your recorder or screenshot each page, so I could turn on my recorder here and just start slowly going through and grabbing everything that is in my library on the homepage or not, so much easier than the other way doing it. And again, remember, this is going to be OCR, so you’ll be able to search if you’re looking for specific apps as well. And again, even with the recording on, if there was something specific I wanted to grab, like, oh, there’s one of the apps that I’m thinking about. Let me come in here.

There’s Uber I’m interested in. Let me screenshot that page. There’s Telegram. Let me make sure I have that in there. Get you where you want to go. Stop my recording. I now have that recording of everything that’s in the app Library. Your probation, your parole, you have the ability to do this. There may be times that… or you have victim, witness consent and maybe you’re not sure if they’re… hey, are you sure you didn’t hide this app from me? If you got the phone open and you’re in consent, you go to their app store and click on their profile, you’ll notice there is a purchase and my purchases, this will show you as well as things that may have been on there and deleted.

So you can see PGA TOUR Golf Shootout there. The second one down says it’s downloadable again. First one’s on there, Apple support is there. You can open it. PGA, eShow Events, those two have been on the phone but have been deleted there. You can also hide these from here. So the person could have gone one more step, but these can be hidden as well, just for your knowledge. So you can come in there and screenshot things that may have been deleted. Did you have this app on there? Was this victim harassing you? You say it’s on this app but it’s not on here. So let’s go in there and look. Now you can document, yes, they had the app, they got rid of it. So you can still tell your story.

You can come into the Apple ID area here and you have purchase history down here and that is going to tell you the truth. If they hid it from there and if you can get them to bring you here, you can see the purchase. Now, I can come back here just to show you what I was talking about. If I go custom, you can now see I can go back to 2010 and see what apps were installed on this device back in 2010 because we’re looking at their personal iCloud information. So a couple of different ways to get things done when you have that consent, things you might not necessarily get, even with a physical, you’d have to do a search warrant for, so think about those types of things that you can get as you’re going through. Even with that, I went in there to the iCloud.

I didn’t have to sign in or do anything but it showed you all the devices that are associated with it as well. So if you see they have a MacBook, there may be information on there. If they deleted the app here, maybe there’s something over there. So keep that investigative mind going. I love digital evidence. I’ve been involved in it, like I said, since 2000. But digital evidence is only as good as what you can do as an investigator. You’re the one that needs to get access. You’re the one that needs to trace back where it is.

You’re the one that needs to talk and work with these people. So you’re the one who understands their mindset and whether you can trust them with this or whether you need to dig a little bit deeper to get what you want. Every phone that comes in doesn’t need a physical, every phone that comes in isn’t a homicide. Some of them are just simple harassments. Maybe you have a sexual assault or something. Really simple, I need this to back up my case. You’re going to get it and move on. Very, very simple.

A couple things to show you as well, and this is a full disclosure here. So we get Telegram. Let me just show you here. I have Telegram open, I can take my screenshots to Telegram. I moved the cable, so the video is a little bit strange here. If I open up one of my Telegram chats here, you can see I can get everything that’s in here. That’s a normal Telegram chat. I’m taking the screenshots and nobody’s being advised otherwise. However, full disclosure here, if you are using… if they’re using Telegram Secret Chat, if you go into the Secret Chat and bring that up, just to show you here, there are no conversations in here. I just brought up a blank screen, but you can see every time that I come in here because it’s Secret Chat only, it will advise that a screenshot was taken when you go in there.

Normal Telegram, no problem. Snapchat, no problem. It’s the Telegram Secret Chat that will tell them, even if you’re just mirroring and you don’t… Like, this one noticed, hey, this phone’s being mirrored, we’re going to tell them that a screenshot was taken on the other side. So full disclosure on that. But then you just drop back to other methods with your phone, with a camera, whatever you need to do, if you’re gathering everything else this way, it’s really not a far step to do that. So with that, I’m going to start wrapping this up here for a second, but if there’s any questions, please type them in here and I’d be more than happy to answer those. When these are done and you have your case, you would go back out to Review Scan Results. I showed you that before. We have our screenshot demo.

I think I have it in this one. And I copied an iPhone 7, heavily used, not a piece of demo equipment. And I acquired it on a Dell XPS that only had 8 gigs of RAM on it. And it took 25 minutes to make the full acquisition. Now, we’re talking logical, so logical is only what’s being used by the user. You’re not grabbing all 256 gigs. They can have a 256 gig phone but they only have 25 gigs of data on it. That’s all you’re going to be grabbing, is that 25 gigs of data and that’s what your acquisition times are going to go with. So it was 25 minutes to grab it and another hour and 11 minutes to parse out everything, like a full complete, show me everything you have here. So an hour and 35 minutes total.

So that gives you a good like, hey, I’m on scene, this is my victim’s phone, or this is my witness’s phone, or this is my suspect’s phone. You’re looking at an hour, 25 minutes for a heavily used hour and 35 minutes. So we made the logical acquisition that you can scan as many times as you want. Just keep pointing to it with a new profile. Early case assessment, think missing person, think, okay, let me get the logical, the logical took 25 minutes, now I just need contacts, messages, phone information, contacts, messages, call logs, phone information to get my case started.

So you could run a scan against it. 25 minutes for the acquisition, run the scan, 30 seconds later, I have the call logs, the contacts, the messages from iOS and the phone information. I can take that. We have what’s called a standalone viewer, which would take that entire scan and information, put it into a viewer that you can hand off to somebody else. They open it up on their laptop, they start going through that information working the case. Then you can start doing a more comprehensive scan or working on another device. So there’s all these different ways to time save as you’re going through it.

With that, let me just make sure that I’ve pretty much gone everything. So we want to make sure that there are more features than just screenshot, screen recording in here, but man, that is powerful. You can add your screenshots and screen recordings to a logical acquisition. You can work with your victims and witnesses and consent. You can grab, if you are limited to specific dates and times, you can do that with screenshots and screen recordings. But also, if you do a logical acquisition and you want to scan that logical acquisition, you’ll notice under search profile, you can limit your data collection to between specific dates. So if there’s an app on there, let’s say Kik hasn’t been used in two years, and I only want the apps that have been used in the last 30 days, that’s what it’s going to grab for you. So you can do that as well.

So we went over some of the techniques. If you could bring it up, you can screenshot it, Telegram Secret Chat, you’re going to have issues with that but there are other ways to fall back on it. It’s just knowing that information just helps go the long way. And maybe at that point, you don’t care. You’re like, hey, they’re done, this was a harassment, this was a threatening, let me grab it while it’s here in front of me. Again, those are all investigative choices that you have open to you. Preserving the audio, you can get the audio when you’re doing the screenshots. I think we’ve covered quite a bit of information.

We’re up to date. If you’re doing acquisitions, you can run your own hashes. You could bring in hashes. You got cyber tips. Google sent you 100 images, you can hash those, make those part of your search profile. You can bring in your own keywords. You can customize just to grab specific information. So there is a lot to this tool more than meets the eye. Let me just go back here. I want to say thank you. I really appreciate. I know you had choices today here. Depending on where you are, it’s early or it’s a little… maybe you just had lunch but I appreciate your time, appreciate you stopping in and coming to see me.

Try adf.com, if this is something that you’re interested in. Back here was my email address. I’d love to have a conversation with you to talk about anything technical with the tool, any use cases, anything we can do to help you further understand it. You want to spend a little bit more time one-on-one asking questions, hey, I’m up for it. That’s what we’re all about here. We work as a team and you, the customer is our number one priority. So again, thank you, appreciate your time and you have a great rest of your day.
