Tuesday, September 15, 2015
The Four Factors of Mobile Forensics
September 15, 2015
The Four Factors of Mobile Forensics
As with most private-sector digital forensic practitioners in the modern market, a great majority of our cases involve mobile device forensics. These cases range from employment disputes to divorce. invariably, whenever we get an intake consult for one of these cases, we are asked any or all of the following: How long will it take? What can you recover? What tools do you use? And of course, how much will it cost? I explain to attorneys and clients alike that mobile forensics can be quite subjective and there is often no “cookie cutter” answer to these questions. The answers depend on four main factors (and a 5th factor, which we’ll touch on too).
Factor #1: The Case
If you’ve been doing forensics or investigation of any type for any appreciable amount of time, you know very well that no two cases are alike. Just because you’ve worked one contested divorce doesn’t mean the next one will be exactly the same. Your methodologies may not change much, but the needs of the particular case are almost never the same.
In homicide cases, not only are text messages and pictures likely sources of valuable data, but it can extend to Bluetooth and WiFi connections to prove time and location data. In employment cases, emails may be especially relevant as well as any data gleaned from mobile device management (MDM) apps. The device could provide valuable information to expand searches into other areas, both physical and digital, including any cloud or “hard” backups of the device(s). Regardless, the facts are never going to be the same, nor are the needs of any one case to another. Even within the same case, you may have multiple devices to be examined that will be prioritized and categorized depending on the owner’s role in the case. Knowing how to approach different cases appropriately is of paramount importance in mobile forensics. Can this be taught in a classroom? Perhaps a little, but it really comes with experience.
Factor #2: The User
While currently the mobile device market is dominated by Apple and Android devices (with some Blackberry & Windows peppered in), that has no reflection on the multitude of different types of users and user activity for these devices. For example, I use my device for social media, photography and business applications. I get bored with my wallpaper and change it frequently and I have three pages of apps in folders (most of which I don’t use, but I have them just in case). In contrast, my friend, who is a law enforcement agent has only two pages of apps (none in folders), never changes his wallpaper or ringtone and doesn’t really take too many pictures. The two devices we own are almost identical.
Users sometimes abuse their devices and sometimes take great care of them. Some users don’t know what Bluetooth is or why anyone would need it. The point is that the mobile device manufacturers make these devices versatile so they can sell as many as possible on the consumer market. With each device comes a new set of variables and those variables are almost entirely user-defined. Do you clear out text messages regularly? Do you use more than one text app? Do you use your device for banking and management of finances? Dating? Shopping? The list is endless and until we know what the user’s behavior is on the particular device in question, we’re somewhat grasping at straws when asked what types of evidence we can obtain from it.
Factor #3: The Software
Along with an innumerable amount of devices on the consumer market comes a diverse set of software platforms on which these devices operate. It’s said that Apple iOS users update their device software at a much higher percentage than Android users. The devices themselves can dictate this as well. I purchased a pre-pay Android phone last year for testing purposes and the operating system software on it cannot be upgraded. If you still have an iPhone 4 that you want to press into service, it’s software cannot be upgraded. So what’s the big deal?
Mobile forensic companies are constantly playing catch-up with the software manufacturers. How that relates to our abilities is that the older the device software, the more data we’re likely to be able to obtain from it. Reverse-engineering and testing takes time, sometimes a lot more time than mobile forensic software developers have, so this can be a huge factor in our ability to obtain valuable information from mobile devices. Factor in the constantly changing nature of mobile apps and now we’re talking about a whole new software subject area with regard to recovery and analysis of data. Many people communicate via Facebook and Twitter just like they do via regular text message, so having access to those messages might be crucial to your case.
Factor #4: The Examiner
For regular readers of this blog, you probably get tired of hearing me preach that experience is the key to a good examiner, but here I go again! I can’t stress enough how important experience is, especially when dealing with multiple devices across multiple platforms that incorporate multiple third-party apps. Along with experience at a practical level, a competent examiner has to have a basic knowledge base of how data is stored, the variations in operating systems and apps across different devices and how to effectively report that information and testify to its veracity. It’s true that mobile forensics isn’t true forensics because we need to alter the device in some way in order to obtain a successful data extraction, but does your examiner know that? Can he/she articulate that? Have they testified before as an expert?
I’ll admit that the reason I harp on experience so much is that I’ve seen examiners through the years with more letters after their name than are actually in the alphabet, but they can’t figure out that they can use a certain tool to bypass the swipe lock on a piece of evidence. Further, they’ve probably never been challenged in court or asked to explain highly technical findings to someone who isn’t very technical like a judge or jury. Yes, friends, having an experienced examiner is probably the most important factor in this whole equation. Without it, things have the potential to get very, very bad.
The “Other” Factor
As I gain more and more experience in mobile forensics and work more and more cases, I have discovered that there’s one more factor that can affect the outcome of your examination and help increase the likelihood that you’ll find what you need – the forensic tools you choose to employ. Now don’t get me wrong, you can do mobile forensics with open-source tools, but everyone I know who does that is very much smarter than I. It can also be much more time-consuming. There are some powerful forensic tools available on the market today, friends and I suggest you research them thoroughly before choosing to invest in any of them. Certain companies concentrate mainly on doing one thing and they do it quite well. Others put a mountain of work into the tools on the research and development end and, as such, they are very robust (and you pay for it, believe me!).
Regardless, I will offer one tip that I’ve heard ever since I got into this business – no one tool will always get all of the evidence. The variable nature of mobile forensics seems to prohibit this. Currently at Pro Digital, we employ three different licensed mobile forensic tools in addition to any open source tools we may use. This helps not only cover all the bases, but helps us better serve our clients. As time goes on, we’ll probably invest in more because there’s no one catch-all to mobile forensics. If anyone tells you there is, well… they’re probably just trying to sell you something!
Patrick J. Siewert, SCERS, BCERT, LCE
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia