Today’s smartphones can perform functions that were possible only with a computer just a few years ago. In fact, the tables have turned. Many applications are only supported on phones, with developers choosing to ignore cross-platform development for computers entirely, and this is understandable. While you may use your computer at work and at other intermittent times throughout the day, you don’t have constant access all the time as you do to the phone in your pocket, the constant companion.
Cell phones are used for everything from making calls and sending texts to transferring money and storing confidential documents. Cell phones store millions of data records in the form of emails, messages, pictures, location data, financial information, and thousands of others. Much of this data can be recovered even if it has been deleted.
Mobile Device Forensics
Our experts are certified and highly experienced in mobile device forensics. Coupled with access to state-of-the-art forensic hardware and software, our team possesses the technology and expertise to provide comprehensive consultation and analysis to help you achieve the best possible outcome in your case.
Our cell phone forensics experts can recover, analyze and report on the following common data types, among thousands of others:
- Text Messaging
- Social Media
- Location History
- Internet Activity
- Search Activity
- Email Communication
- Photos and Videos
- Voice Calls
- Application Data
- Biometric Data
- Financial Data
Cell Phone Forensics Expertise includes:
- XRY Certified Examiner (XRY)
- Cellebrite Certified Operator (CCO)
- Cellebrite Certified Physical Analyst (CCPA)
- Cellebrite Advanced Smartphone Analysis (CASA)
- Cellebrite Certified Mobile Examiner (CCME)
The Mobile Device Forensic Examination Process
Digital evidence is fragile and volatile. Improper handling of a mobile phone can alter or destroy the evidence contained on the device. Further, if the mobile phone is not handled following digital forensics best practices, it can be impossible to determine what data was changed and whether those changes were intentional or unintentional. To protect the evidence and prevent spoliation, mobile devices need to be analyzed using mobile device forensic tools by a trained examiner.
The initial handling of digital evidence can be divided into four phases composed of identification, collection, acquisition, and preservation.
The identification phase’s purpose and scope are to identify the digital evidence relevant to the case, which may span multiple devices, systems, servers, and cloud accounts. With a mobile phone, the data is not isolated to the device alone. The data contained in the device can be synced to cloud storage or another mobile device, or backed up onto a computer.
Identification also requires comprehensive documentation. Documentation is critical throughout the entire investigative process, but especially in the beginning, as a mistake here can taint the evidence. The acquisition phase gives us a perfect snapshot in time (forensic copy) of how the data exists. Since identification is the first step and precedes the acquisition, mistakes made here are carried through the rest of the process.
The collection phase denotes gathering physical devices, such as the smartphone and other mobile devices. Since digital evidence can span multiple devices, systems, and servers, it can become more complicated than securing more traditional forensic evidence. There are vital functions that should be performed to protect the evidence:
Isolate Device Users
The primary goal of the collection process, other than ensuring all relevant electronic items are collected, is to protect digital evidence from contamination. One way this is done is by isolating the devices from their respective users until a forensic acquisition of the mobile device can be performed. While the device is in their custody, the user could, at will, delete, create, or change data before the forensic acquisition (the perfect snapshot in time of the mobile phone data) is performed. They also could factory reset or wipe the device, permanently destroying some data or potentially everything on the mobile phone.
Along with isolating the mobile phone from the user, we also need to isolate the device itself. By design, mobile phones are intended for communication, and they are continually sending and receiving data even when they are on the bedside table charging overnight. If data transmission occurs, even with no person physically touching the phone, data can be lost, changed, or destroyed.
Isolation of the device itself is achieved by eliminating all forms of data transmission, including the cellular network, Bluetooth, wireless networks (WiFi), and infrared connections. By isolating the phone from all networks, the mobile phone is prevented from receiving any new data that would cause other data to be deleted, or worse, overwritten.
The integrity of the mobile phone and the data on it must be established to ensure that the evidence is admissible in court. This requires two things: first, a chain of custody; second, a hash calculation of the mobile phone data.
Chain of Custody
Evidence preservation aims to protect digital evidence from modification. This begins with the mobile phone’s proper handling by first responders, investigators, crime scene technicians, digital forensic experts, or anyone else who touches the device. A chain of custody must be maintained throughout the lifecycle of a case to demonstrate this.
Mathematical Hashing Algorithm
The forensic data collection process from the mobile device is better described as a “forensic extraction,” as data is extracted from the device rather than copied as a perfect bit-for-bit image of the evidence item. With the mobile phone powered on, the forensic software cannot access some areas of data. However, data that is inaccessible because the mobile device is powered on is usually of little to no evidentiary value. The hashing process follows the forensic copy. A mathematical algorithm is run against the copied data, producing a unique hash value. This hash value can be thought of as a digital fingerprint, uniquely identifying the copied evidence exactly as it exists at that point in time.
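The following is an added example, not code from the original page or from any forensic tool vendor, showing how the “digital fingerprint” described above works in practice: every file in an extraction is hashed with SHA-256, the sorted list of hashes is hashed again to give one value for the whole extraction, that value is recorded in a custody log entry at each hand-off, and a later verification detects any file that was modified, removed, or added. The extraction folder, its file contents, and the custodian names are constructed sample data.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-in for a forensic extraction folder (not real device data).
SAMPLE_EXTRACTION = {
    "sms/sms.db": b"SQLite format 3\x00 constructed sms database bytes",
    "media/IMG_0001.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes \xff\xd9",
    "logs/system.log": b"2024-01-01T10:00:00Z device boot\n",
}


def write_sample_extraction(root: Path) -> None:
    """Lay the constructed sample files out on disk."""
    for rel, data in SAMPLE_EXTRACTION.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large extractions do not need to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under the extraction root; returns {relative_path: sha256}."""
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in files}


def manifest_digest(manifest: dict) -> str:
    """Single fingerprint for the whole extraction: SHA-256 of the canonical manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify(root: Path, manifest: dict) -> list:
    """Re-hash the extraction and list every (problem, path) that differs from the manifest."""
    current = build_manifest(root)
    problems = []
    for rel, expected in manifest.items():
        if rel not in current:
            problems.append(("missing", rel))
        elif current[rel] != expected:
            problems.append(("modified", rel))
    for rel in current:
        if rel not in manifest:
            problems.append(("added", rel))
    return problems


def custody_entry(action: str, custodian: str, digest: str) -> dict:
    """One chain-of-custody record: who did what, when, and the fingerprint they observed."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "custodian": custodian,  # constructed name, not a real examiner
        "extraction_sha256": digest,
    }


def demo() -> dict:
    """Acquire, log, hand off, then alter one byte to show the verification catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_extraction(root)
        manifest = build_manifest(root)
        log = [custody_entry("acquired", "Examiner A", manifest_digest(manifest))]
        clean = verify(root, manifest)  # expected: no problems right after acquisition
        # A single appended byte stands in for accidental or deliberate alteration.
        (root / "logs/system.log").write_bytes(b"2024-01-01T10:00:00Z device boot!\n")
        tampered = verify(root, manifest)
        log.append(custody_entry("received", "Examiner B",
                                 manifest_digest(build_manifest(root))))
        return {
            "clean": clean,
            "tampered": tampered,
            "digest_changed": log[0]["extraction_sha256"] != log[1]["extraction_sha256"],
            "log": log,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest approach is used rather than a single hash over a concatenation of files because it tells the examiner which file changed, not only that something changed; the whole-extraction digest is what goes into the custody log because it is short enough to write on a form.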
The acquisition process is where a digital forensic examiner acquires, or forensically copies, the data from a mobile device. There are different methods of acquisition; some of these methods include:
Logical Extraction
A logical extraction of data from a mobile phone collects the files and folders contained on the device without any unallocated space. While what is commonly called “deleted space” is not recovered, deleted data on a mobile phone can be recovered using forensic tools and methods via a logical extraction. This data comes in the form of various database files, especially SQLite. Typically, data collected via a logical extraction includes messaging, pictures, video, audio, contacts, application data, some location data, internet history, search history, social media, and more.
File System Extraction
In effect, a file system extraction is an extension of a logical extraction. This extraction collects much of the same data as a logical extraction and additional file system data. A file system extraction allows the forensic tool to access the internal memory of the mobile phone.
Accessing the internal memory means the forensic software can collect system files, logs, and database files from the device that a logical acquisition cannot.
These additional files allow for more deleted data recovery from database files and more data related to application usage on the device. Most applications store their data in database files on a mobile phone. Simply put, since a file system extraction recovers more of these database files, more deleted data inside those files can be recovered.
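The two passages above (the logical extraction paragraph and the file system extraction paragraphs) both rest on the same fact: deleting a row from a SQLite database normally does not erase its bytes from the file, so a tool that reads the raw file rather than querying the database can still find the record. The following added example, which is not code from the original page or from any forensic tool, builds a constructed messages database, deletes one message, confirms the database itself no longer returns it, and then scans the raw file bytes for a marker string from the deleted message. It runs the same steps twice: once with SQLite’s `secure_delete` pragma off (the common default) and once with it on, which is the edge case where the engine overwrites freed space and nothing survives to recover. The table layout and message texts are constructed sample data.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows; the middle one carries a unique marker we will delete.
MESSAGES = [
    (1, "+15550100", "running late, start without me"),
    (2, "+15550199", "DELETED-MARKER-c0ffee meet at the old pier at nine"),
    (3, "+15550100", "ok see you there"),
]
MARKER = b"DELETED-MARKER-c0ffee"


def build_and_delete(db_path: str, secure_delete: bool) -> None:
    """Create the constructed sms table, commit it, then delete the marked row."""
    conn = sqlite3.connect(db_path)
    conn.execute("PRAGMA journal_mode = DELETE")  # classic rollback journal
    conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
    conn.execute(
        "CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO sms VALUES (?, ?, ?)", MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM sms WHERE id = 2")
    conn.commit()
    conn.close()


def live_rows(db_path: str) -> list:
    """What the database itself reports: the examiner's 'logical' view."""
    conn = sqlite3.connect(db_path)
    rows = conn.execute("SELECT id FROM sms ORDER BY id").fetchall()
    conn.close()
    return [row[0] for row in rows]


def carve_marker(db_path: str) -> bool:
    """Ignore the database engine and look at the raw page bytes on disk."""
    with open(db_path, "rb") as fh:
        raw = fh.read()
    return MARKER in raw


def deleted_row_recoverable(secure_delete: bool) -> bool:
    """True if the deleted message's text still exists in the file after deletion."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "sms.db")
        build_and_delete(db_path, secure_delete)
        # The row is gone as far as any query is concerned, in both modes.
        assert live_rows(db_path) == [1, 3]
        return carve_marker(db_path)


if __name__ == "__main__":
    print("secure_delete OFF, marker recoverable:", deleted_row_recoverable(False))
    print("secure_delete ON,  marker recoverable:", deleted_row_recoverable(True))
```

Only the first few bytes of a freed cell are overwritten by SQLite’s free-block bookkeeping, which is why the text of the message survives; a real forensic tool parses the page structure to reassemble whole records rather than searching for a known string, but the principle it relies on is the one shown here. The `secure_delete` run is the reminder that recovery of “deleted” data is a property of how the application configured its database, not a guarantee.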
Physical Extraction
The physical extraction of a mobile phone captures the entirety of the device’s data, including all files, user content, deleted data, and unallocated space. While this extraction method is the most extensive, it is also the least supported. Like the forensic imaging of a computer hard drive, a physical extraction creates a bit-by-bit copy of the mobile phone’s entire contents.
With a bit-by-bit copy, the logical and file system data are recovered, as well as unallocated space. This allows for the recovery of deleted data from database files and unallocated space. Deleted data that otherwise would be inaccessible to a forensic examiner is now available for recovery, including location information, email, messages, videos, photos, audio, applications, and just about any other data contained on a mobile phone.
When you connect your mobile phone to a computer to make a backup of your device, it creates a file. This file can be ingested into cell phone forensics software and analyzed just like a forensic extraction of a mobile phone. Even if someone deleted the mobile phone data or the phone is missing, hope is not lost. The backup file can still contain the evidence you need in the case.
Mobile phone forensic companies have developed tools that allow for accessing and acquiring data in the cloud. Cellebrite, the leading mobile phone forensic tool provider, can collect cloud data from cloud backups and the actual cloud-based applications themselves. While a forensic image of a mobile phone is a potential gold mine of evidence, the ability to use the mobile phone information to find even more evidence in the cloud is a significant force multiplier.
If requested by the client, a report will be prepared of the data contained on the mobile device. Sometimes, it makes the most sense for our examiners to export all of the data from a cell phone for counsel’s review. We do this in such a way as to make it as accessible as possible, with the ability to search and filter the data.
In other instances, a more in-depth report is needed. Situations where this commonly arises are when timelines and what particular forensic artifacts, or data types, need to be explained to tell the story of what happened in a case.
Expert testimony is the culmination of everything that goes into a mobile device forensic examination, from consultation through acquisition, analysis, and reporting, and finally to the courtroom. Selecting the expert with the appropriate technical expertise and experience is vital. Still, just as important is the expert’s ability to explain technical concepts, forensic procedures, and digital artifacts in plain language. The use of jargon and acronyms is detrimental to the triers of fact. At the end of the day, if an expert has an airtight analysis but cannot communicate effectively to a judge and jury, the words are meaningless. When selecting an expert, choose the one you can have a conversation with. If that expert cannot explain technical details to you in an accessible way, they likely don’t understand what they are talking about themselves.