- User locks. On iOS devices, this might consist of a simple (4-digit) or complex (longer than four digits) passcode. On Android devices, it can be a PIN lock or password, or a “pattern lock”—a pattern swiped across a touch screen’s numerical keypad.
- Data/file protection. Individual directories, such as email, can be password-protected.
- Device encryption. iOS, BlackBerry, and newer Android versions (3.0 and above) allow users to enable device-level and file system encryption.
- File system encryption.
- App sandboxes. The operating system forces apps to ask the API for permission to access contacts, locations, and other information; the apps do not communicate directly, so data within each app is protected.
Mobile forensic password extraction or bypass exists for many of the most popular devices, but not for every device—including iPhone 4s and iPhone 5.
Decryption, too, is hit or miss. On BlackBerry devices, the encryption scheme differs between operating system versions; on OS 4 through 6, the data can be decrypted if you know the password. Note, however, that disabling encryption only affects data written from that point on: data encrypted before encryption was disabled remains encrypted.
Jailbroken and rooted devices
At times, users jailbreak their iOS devices or root their Androids to gain access to the underlying kernel (the layer that mediates between software and hardware). Doing so removes the security controls designed to restrict app installation to code signed with trusted certificates.
As a result, jailbreaking or rooting makes a device more susceptible to malware delivered through web browsers, apps from outside the App Store or Google Play, and malicious QR (scannable “quick response”) codes. Malware that would otherwise have been unable to run can now run.
Rooting and jailbreaking also remove the “sandboxing” that maintains barriers between apps. In a jailbroken or rooted device, all apps have access to all data—making it easy for embedded malware to siphon data. This may have direct relevance to identity theft and cyber harassment types of cases. The good news: the victim of domestic violence or credit card fraud is likely to provide you with consent to perform a full forensic examination of their device.
Encrypted data wiping
There’s a reason why isolating a mobile device from the network is considered a best practice for seizure: wiped data is not the same as deleted data. Once data is wiped, it’s gone. On the iPhone 3GS and above, there is no known way to decrypt and recover wiped data, because wiping destroys the AES-256 keys needed to decrypt it.
Four different methods wipe a BlackBerry: Desktop Manager, a remote wipe through the BlackBerry Enterprise Server, entering the wrong password 10 times, and the phone’s own menu. iOS devices can likewise be set to wipe data if a password is entered incorrectly, or be remote-wiped via iCloud. Android remote wiping takes place via Google Sync; for Windows, it’s Find My Phone. Local wiping through the settings menu is also available on Android, iOS and Windows devices, not only on BlackBerry.
Make sure first responders know to isolate a mobile device by putting it in Airplane Mode or in a Faraday container (and seizing its charger, too). You won’t always be able to crack encryption, but make sure the processes are in place to at least give yourself the chance.
Special cases: down-market prepaid “burner” and counterfeit devices
Android is the predominant operating system for prepaid smartphones, and fortunately its open-source nature makes it easier for mobile forensics vendors to support. However, “feature” phones’ use of the Java-based BREW platform complicates forensic extractions: vendors disable the phones’ data ports and do not make their APIs available, so commercial forensic extraction tools cannot perform logical and file system extractions.
There are two ways to potentially get around the data port lock. The first is to attempt a physical extraction by selecting the postpaid device profile. However, the firmware differs between prepaid and postpaid devices, so this may or may not work, depending on the forensic tool’s ability to reconstruct the file system and/or parse the data.
Law enforcement may also attempt to obtain the MSL (Master Subsidy Lock) code from the prepaid carrier, which unlocks the data port. Once unlocked, a logical or file system extraction can be run under the postpaid device profile, if one exists. However, it is subject to the same limitations as attempting a physical extraction without the MSL code.