Counterfeit mobile devices, made mainly in China but also in India and elsewhere, have begun to challenge law enforcers in Asia, the Middle East and Europe, and to a limited extent on the US West Coast. These devices pose an investigative challenge because they are structured differently from legitimate branded mobile devices. This makes them communicate differently (or not at all) with most commercial mobile forensics tools. Look for tools that can automatically recognize the “pin-out” connector to perform file system and/or physical extraction and decoding.
Some mobile devices back up or upload data to cloud services to save memory, meaning that some emails, images and other data are stored online—not necessarily on the device. For example, many devices archive emails older than a certain point in time (say, one month) in the cloud.
This is different from the call detail records (and, occasionally, other limited data like contacts and text messages) that carriers store. Cloud storage backs up file system data from the operating system: iPhone data to Apple’s iCloud, Android data to Google, BlackBerry to the BlackBerry Enterprise Server. In addition, some third-party apps—think Dropbox, Lookout, Evernote and others—enable cloud storage of files, notes, and images.
Data stored on the phone can help to support the paper you serve on carriers and cloud services, and corroborative data on both phone and cloud can strengthen your case—just as it can when data is backed up to a PC and available to computer forensics. The flip side is that you need to serve paper if you think data may be in the cloud instead of on the device.
Mobile device investigation is challenging and, at times, frustrating, but continues to become more and more necessary as general usage climbs. Understand the challenges, and you won’t be caught unawares during that high-profile case or emergency situation.