The article I collaborated on last month for Law Enforcement Technology, “Smartphone Overload,” went into considerable detail about the challenges of multiple mobile operating systems. In short:
- Multiple operating system versions across thousands of smartphone models.
- New mobile operating system versions released every few months.
- Multiple file systems.
- Popularity, data usage rates and legacy devices are not all the same thing.
- Differences in where and how smartphones store data (including “the cloud”).
- Security, including user lock codes and encryption.
There are a few other goodies in there, but the main idea is this: smartphones have made mobile device forensics a lot more complicated than touch-and-swipe interfaces would have you believe.
Add this to the fact that phones (and any associated removable storage cards) can store as many emails, images and videos as a computer, multiply it by the number of cases you work in a week or a month or a year, and you can start to see why “everything on the phone” has rapidly become unrealistic.
The answer to this is not to start manually thumbing through devices or storage media you seize. That can potentially get your evidence thrown out of court, leave you open to lawsuits, and other consequences that can ruin your day.
The answer, instead, is to build better relationships with the digital forensics specialists in your department or region, or to understand what’s involved with standing up your own capabilities. Here are a few things you should consider.
What’s involved with a mobile forensic exam?
A mobile forensics examination can take anywhere from a few hours to a few days, depending on a variety of factors, including examiner workload. Understanding the process can help you, and therefore the examiner, focus only on what you need.
First, you and the person performing the exam need the proper legal authority to do so. This involves a search warrant, or some exception to the Fourth Amendment. Talk to your prosecutor to be sure you understand how the courts in your area see certain exceptions. For example, search incident to arrest criteria vary from state to state.
Consent is one of those exceptions that can reduce the time it takes to get the data you need. Just ask. Obtain subjects’ written consent, and ask them for any passwords, swipe pattern codes or pass codes. Document these carefully for forensic examiners to refer to.
Also, remember that a warrant that covers a mobile device won’t extend to the carrier or to any data stored “in the cloud.” Any data you need from the wireless carrier or service provider, whether backups, call detail records or other forms of data, requires its own warrant.
Extractions acquire digital data from mobile devices. An extraction can be logical (the what-you-see-is-what-you-get data: phonebook, call history, text messages, photos, calendar entries, notes and videos you can see on the device) or physical (the data you can see plus the data you can't: deleted data and metadata such as GPS data, email and SMS headers, and so on).
A file system extraction is a type of logical extraction that can retrieve existing data, along with limited deleted data from a smartphone’s databases. This can include app data like social networking contacts, content and so on. In many cases, physical and file system extractions can enable the examiner to bypass any pass codes, passwords, or swipe pattern codes.
Most mobile forensic tools can perform a basic logical extraction, which can take as little as 5 to 15 minutes. Several mobile forensic tools can perform file system and physical extractions, which can take as long as 36 or more hours. Extraction lengths depend on the tool, the amount of data and type of content.
Sometimes, no forensic tool can retrieve the data, so it may become necessary for an examiner to take pictures or video of the phone's content, screen by screen. Other times, when the device is damaged or access is not possible (as with some prepaid devices), no extraction tool will work, and if the case is a high enough priority, a specialized chip-off or JTAG physical extraction may be needed.
Analysis explores the data acquired from the device during extraction. This can take days or weeks depending on the nature of the investigation, the amount of data, whether specialized data carving is needed, and the data’s relevance to the case.
Analyzing logical data may involve a review of not just content, but also usage patterns: whom the phone’s owner contacted most often, how they communicated with those people, activity at certain times of day or days of the week. Logical data analysis can also verify what a subject told you s/he saw on the device.
Analyzing physical or file system data is much more detailed. Not only can it corroborate statements and reveal usage patterns; it can also carve deleted image fragments, scan for malware, reconstruct deleted SMS, and support other advanced analysis. Needless to say, this takes more time than logical data analysis.
Validation checks whether the extracted data is complete and accurate. This is an important step. Mobile forensic tools aren't perfect, and while some are better than others, any of them can misreport the data. The report can be incomplete, might conflict (either with the subject's statement or with the data viewed on the screen), or be plain wrong.
A good forensic examiner might use one or more additional tools, or simple manual methods, to verify the initial report. As you might have guessed from reading the paragraph about extraction, this can take additional time. However, validation is well worth the effort if it means being able to withstand cross-examination.
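One way to mechanize the cross-tool check described above, as an added example that is not part of the original article: reconcile the SMS records exported by two different tools, normalizing the timestamps and phone numbers each tool formats differently, and report what only one tool found and where their contents disagree. The tool names, record layouts and sample messages are constructed for illustration, not a real tool's export format.

```python
"""Cross-check SMS records exported by two forensic tools (constructed data)."""
import re
from datetime import datetime, timezone

# Constructed export from hypothetical "tool A": ISO-8601 UTC times, formatted numbers.
TOOL_A = [
    {"time": "2013-05-02T14:03:10Z", "number": "+1 (555) 010-0001", "dir": "in",  "body": "meet at 3"},
    {"time": "2013-05-02T14:05:42Z", "number": "+1 (555) 010-0001", "dir": "out", "body": "ok"},
    {"time": "2013-05-02T18:20:00Z", "number": "+1 (555) 010-0002", "dir": "in",  "body": "call me"},
]

# Constructed export from hypothetical "tool B": epoch seconds, digits-only numbers.
# It carries one extra (carved) record and one body that disagrees with tool A.
TOOL_B = [
    {"ts": 1367503390, "addr": "15550100001", "direction": "inbound",  "text": "meet at 3"},
    {"ts": 1367503542, "addr": "15550100001", "direction": "outbound", "text": "ok."},
    {"ts": 1367518800, "addr": "15550100002", "direction": "inbound",  "text": "call me"},
    {"ts": 1367520000, "addr": "15550100003", "direction": "inbound",  "text": "deleted msg"},
]

def norm_number(s):
    # Assumption: comparing the last 10 digits is enough to match "+1 (555)..." with "1555...".
    return re.sub(r"\D", "", s)[-10:]

def norm_a(rec):
    t = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (int(t.timestamp()), norm_number(rec["number"]), rec["dir"]), rec["body"]

def norm_b(rec):
    direction = {"inbound": "in", "outbound": "out"}[rec["direction"]]
    return (rec["ts"], norm_number(rec["addr"]), direction), rec["text"]

def reconcile(a_recs, b_recs):
    """Key each record by (epoch, number, direction); compare the message bodies."""
    a = dict(norm_a(r) for r in a_recs)
    b = dict(norm_b(r) for r in b_recs)
    common = set(a) & set(b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "conflicts": sorted(k for k in common if a[k] != b[k]),
        "agree": sum(1 for k in common if a[k] == b[k]),
    }

if __name__ == "__main__":
    for label, rows in reconcile(TOOL_A, TOOL_B).items():
        print(f"{label}: {rows}")
```

Every entry under "only_in_b" or "conflicts" is a record the examiner must resolve by hand (or with a third tool) before it goes into a report that has to survive cross-examination.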
How to focus your request for data
Know what you need and communicate this to the forensic examiner, in person or over the phone if possible:
- Is this a suspect's, victim's or witness's device? How do they use the phone in a way that suggests it may contain evidence?
- What types of evidentiary data are you looking for: for instance, photos posted to social media, or call logs vs. SMS?
- Do you need intelligence about their contacts and movements, or evidence that may need to be presented at trial?
- Are there one or more specific time periods, or specific calls, messages or images you need?
- Are you charging for a misdemeanor or felony?
- What report format (PDF, HTML, XML or other formats) do you need the data in? This may be especially relevant if you or another investigator plan to plug the extracted data into some other tool, such as link analysis software.
It can also help to create a list of keywords—words that are related to your case. Keywords can be helpful in homicide, suicide, narcotics, human trafficking, missing-persons, and a variety of other cases. List key people’s names, drug brand and generic names, potential internet search terms, location names, and so on. Be sure to include misspellings.
Finally, property tags are as essential for mobile devices as they are for any other piece of evidence, and especially important when you seize multiple devices from a scene. They help forensic examiners track devices both during examination and within their reports. However, don’t affix a property tag to a device’s screen or keyboard. This affects the forensic exam itself.
Mobile forensics is not a push-button operation. It often takes considerable time and patience, especially as more people store ever more data on their mobile devices. Understanding what’s involved in the process, what kinds of data you need to make your case, and how to communicate with your forensics examiners and prosecutors will improve your chances of getting the mobile evidence you need, when you need it.