Because they serve the public directly, local law enforcement agencies investigate, in sheer volume, many more cases than state and federal authorities. This, in combination with tighter state and federal budgets, has forced law enforcement agencies to take on more digital forensic investigation activities at the local level. As the dispute between the federal government and Apple demonstrated, law enforcement agencies cannot assume full cooperation from makers or distributors of these technologies. Therefore, it is increasingly important that agencies remain vigilant and keep up with technology that, by design, is built to keep secrets and conceal certain data from ‘snooping’ eyes.
While hidden apps are typically associated with nefarious or inappropriate activities, there are wholly legitimate purposes for these apps. For example, some companies ask their employees to use certain hidden apps as a way to protect proprietary or competitive information and communications from accidental disclosure or access by unauthorized persons. The same holds true for private citizens living in countries whose governments do not honor or respect personal privacy, free speech or protection from unlawful searches and seizures.
The most prevalent users of hidden apps are likely teens who want to hide videos, photos, forbidden apps, text messages, and other communications from the watchful eyes of parents. Unfortunately, these same applications that provide protection for legitimate or otherwise “non-criminal” purposes are becoming increasingly popular among criminals to mask evidence of criminal activities and thwart the collection of evidence. At the local level, hidden apps can be used as a means to facilitate drug transactions, sexual assaults, upskirt/downblouse photos, images of nudity taken without consent, as well as data exfiltration and theft. On a much larger and more dangerous international scale, ISIS and other terrorist groups could potentially use hidden apps for recruitment and communication.
Because hidden apps are becoming more common sources of evidentiary data in criminal cases, it is essential that forensic investigators take the time to learn about them. Otherwise, critical evidence could be missed.
When it comes to hidden apps, awareness is crucial. Law enforcement and related forensic examiners must know these apps exist and how to find them. While there are many hidden apps on the market today, new ones are introduced virtually every day. Along with knowledge of what’s out there, examiners must know how apps and data are being hidden to ensure they are not overlooked during a search.
How apps are hidden
There are three main ways to hide apps. Some users manipulate their phones to hide things in places where they don’t seemingly belong, nesting files deep within the file system of the device in unexpected places. Others use apps that are designed to hide other apps. Then there are “official” hidden apps (sometimes known as decoy apps), which appear to do one thing while they are actually designed to do something else.
One of the most popular hidden apps is the calculator app—“SpyCalc” and “Smart Hide Calculator” are two examples. These apps are fully functioning calculators with a twist. Once a password is entered, a new interface appears that allows users to access and store pictures, videos, documents or files that are otherwise hidden from someone reviewing data on the phone. “Audio Manager” is another favorite which, as its name suggests, disguises itself as an audio manager that can be used to turn volumes up and down (ringer, alarm and other volumes). If a user presses and holds the title, the actual hidden app, “Hide It Pro,” appears.
“Best Secret Folder” hides the fact that other apps are installed on the phone. At first glance, the folder looks innocuous, even empty depending on how it is configured. However, with the right combination the user can access apps that are hidden within the folder. Similar apps such as “Vaulty” or “Hide It” allow the user to dump other apps into a folder, which then disappears to the unsuspecting eye. The apps re-appear after pressing a particular area on the screen or entering a PIN. Duress PINs can be set up by the user, designed to destroy data on the phone or within the hidden app when entered.
Hidden apps reinforce a valuable lesson in law enforcement: just because you do not see something initially, it doesn’t mean there is nothing there. While it is not realistic to expect investigators to stay current on each and every app, knowing that these apps exist and might be installed is essential. During an investigation, it is wise to consider a hidden app might be in use, which means a deeper dive might be necessary.
Examining data
Forensic tools are a good starting point for parsing data from mobile devices. However, on their own, they are no longer enough. Hidden apps may store their data in slightly different ways. They might store data in locations that are unexpected, or they might use data encryption or encoding. This can affect a forensic tool’s ability to recognize and parse data correctly, even if the tool can obtain the data associated with the app. As a result, examiners must dig deeper manually. They have to go through the file systems, dig through the databases and do more in-depth forensics work to find information, decode it, manually parse it, and report on it.
Without knowledge of how hidden apps potentially encode or store data, crucial information may be easily missed. For example, if a forensic tool successfully pulls data from a hidden app, the data may be encrypted or encoded, and therefore not be in human readable format. For examiners who solely rely on what they see, it is easy to overlook this information or assume that it is not recoverable. Therefore, it is important that examiners not only know what they are looking for; they must also know how to transform obfuscated data into a readable format.
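As an added example (not from the article or any vendor's tool), the short Python triage pass below runs over the first bytes of files from an extraction and flags three of the situations described above: content whose magic bytes disagree with its file extension, base64 text that decodes to a known file type, and media parked in dot-directories. All paths, names and bytes in the sample are constructed for illustration.

```python
import base64, binascii, re
from pathlib import PurePosixPath

# Content signatures (magic bytes) checked regardless of file name or location.
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"SQLite format 3\x00": "sqlite"}
# Extensions under which each content type is unremarkable.
EXPECTED_EXT = {"jpeg": {".jpg", ".jpeg"}, "png": {".png"}, "sqlite": {".db", ".sqlite"}}
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\s]+$")

def identify(head):
    """Return the content type of a file's first bytes, or None if unknown."""
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return None

def try_base64(head):
    """If the bytes are base64 text hiding a known type, return the decoded bytes."""
    if not head or not B64_RE.match(head):
        return None
    try:
        decoded = base64.b64decode(head)
    except (binascii.Error, ValueError):
        return None
    return decoded if identify(decoded) else None

def triage(files):
    """files maps path -> first bytes of that file. Returns entries worth a manual look."""
    findings = []
    for path, head in files.items():
        p = PurePosixPath(path)
        in_dot_dir = any(part.startswith(".") for part in p.parts[:-1])
        kind, note = identify(head), None
        if kind and p.suffix.lower() not in EXPECTED_EXT[kind]:
            note = f"content is {kind} but extension is {p.suffix or '(none)'}"
        elif kind is None and (decoded := try_base64(head)) is not None:
            kind, note = identify(decoded), f"base64 text decodes to {identify(decoded)}"
        if note or (kind and in_dot_dir):
            findings.append({"path": path, "kind": kind, "in_dot_dir": in_dot_dir,
                             "note": note or "media stored in a dot-directory"})
    return findings

# Constructed sample: first bytes of files as they might appear in an extraction.
SAMPLE = {
    "sdcard/DCIM/Camera/IMG_0001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # ordinary photo
    "sdcard/Android/data/.hidden/0001.dat": b"\xff\xd8\xff\xe1" + b"\x00" * 12,  # renamed photo
    "sdcard/Notes/todo.txt": base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),  # encoded image
    "sdcard/Notes/readme.txt": b"Remember to call mom\n",  # genuinely text
    "data/data/com.example.app/databases/cache.bin": b"SQLite format 3\x00" + b"\x00" * 4,
}
```

Running `triage(SAMPLE)` flags the renamed photo, the base64-encoded image and the renamed database while leaving the ordinary photo and the real text file alone; the decoded-content check is what keeps plain text that merely looks like base64 from being reported.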
A time-consuming process
Getting results from hidden apps is not impossible, just potentially more time-consuming. If a hidden app was installed on a device, the data within it—which was intentionally hidden—is likely very relevant to an investigation.
While a forensic tool may allow an examiner to extract and access hidden data, it is not always obvious how to work with that data. Courses are available that teach investigators how to dig deeper, recognize obfuscated data, and convert it to a usable format. Learning how to work with various data types and to use additional tools to attack the problem can be the key to solving the puzzle. This is where vendor-specific training tends to fall short.
Vendor training is good for learning about the capabilities of a particular tool. However, broader awareness and skill sets are needed because no one tool supports every phone or every app. Furthermore, properly validating findings can require the use of other tools. To get the most comprehensive and accurate view of data extracted from a device, and to validate results, investigators need to use multiple methods.
One of the biggest benefits of vendor-neutral mobile forensics training courses is that they do not shy away from teaching what various commercial and open source tools are unable to do or don’t do well. Instead, these training courses offer advice on how to use a variety of methods to supplement each other and get the job done as quickly, accurately, and efficiently as possible, despite the shortcomings of any individual mobile forensic tool. Vendor-neutral training courses such as SANS FOR585: Advanced Smartphone Forensics show an examiner where various mobile forensic tools’ strengths and weaknesses lie, and how to use other tools to fill in for those deficiencies.
Hidden apps are becoming increasingly common and more complex. This means basic mobile forensics techniques are no longer enough when dealing with mobile phones. With greater awareness, the proper education, and training, valuable case data can be extracted. Keeping current and knowing where to look is key.
Check Out These Related Products
5 Forensic Data Tools
Renaming “burner phones” as “evidence”
Secure View’s new “Burner Breaker” forensic tool is capable of breaking pincodes/passcodes and patterns on thousands of burner and throw-away phones. The company’s APEX Physical Explorer allows detectives to easily obtain, view and analyze physical dumps from cell phones.
Learn more at Officer.com/12204236
Data extraction and acquisition from the cloud for iOS and Microsoft mobile devices
The new Oxygen Forensics’ Detective 8.4 enables investigators to acquire all available information from an iCloud Drive account. iCloud Drive is a file hosting service that allows users to store any kind of files, including photos, videos, documents, music, and other apps’ data, and access them on any supported device. By default, every iOS device user gets 5 GB of storage for free and can expand it up to 1 TB with a monthly plan.
Learn more at Officer.com/12211290
Support for jailbroken Apple devices
ElcomSoft updated its iOS Forensic Toolkit by adding physical acquisition for Apple devices and enabling support for iOS 9 (jailbreak required).
Learn more at Officer.com/12201863
Forensic imaging appliance
- Faster SSD imaging and dual hashing performance
- Optimized HDD performance
- Source-side native USB 3.0 support
- Two destination-side USB 3.0 ports for imaging to USB 3.0 external devices
- SATA and PCIe/NVMe SSD data acquisition
- New PCIe port on the destination side, compatible with expansion modules
- PCIe expansion ports upgraded from x1 to x4
- Three Ethernet ports for network-based operations: input/source data, destination, and network-based operation
- Two USB 2.0 ports for USB devices such as keyboard or WiFi adaptor
- Easily visible DX Status Lightbar
Learn more at Officer.com/12210401
New feature lets you get deeper into case material than ever before
NetClean’s Analyze Digital Investigator (DI) 15.1 is the company’s newest version of its leading digital media investigation solution.
Learn more at Officer.com/12126036