September 15, 2015
The Four Factors of Mobile Forensics
As with most private-sector digital forensic practitioners in the modern market, a great majority of our cases involve mobile device forensics. These cases range from employment disputes to divorce. Invariably, whenever we get an intake consult for one of these cases, we are asked any or all of the following: How long will it take? What can you recover? What tools do you use? And of course, how much will it cost? I explain to attorneys and clients alike that mobile forensics can be quite subjective and there is often no “cookie cutter” answer to these questions. The answers depend on four main factors (and a fifth factor, which we’ll touch on too).
Factor #1: The Case
If you’ve been doing forensics or investigation of any type for any appreciable amount of time, you know very well that no two cases are alike. Just because you’ve worked one contested divorce doesn’t mean the next one will be exactly the same. Your methodologies may not change much, but the needs of the particular case are almost never the same.
In homicide cases, not only are text messages and pictures likely sources of valuable data, but it can extend to Bluetooth and WiFi connections to prove time and location data. In employment cases, emails may be especially relevant, as well as any data gleaned from mobile device management (MDM) apps. The device could provide valuable information to expand searches into other areas, both physical and digital, including any cloud or “hard” backups of the device(s). Regardless, the facts are never going to be the same, nor are the needs of any one case to another. Even within the same case, you may have multiple devices to be examined that will be prioritized and categorized depending on the owner’s role in the case.
Knowing how to approach different cases appropriately is of paramount importance in mobile forensics. Can this be taught in a classroom? Perhaps a little, but it really comes with experience.
Factor #2: The User
While currently the mobile device market is dominated by Apple and Android devices (with some Blackberry & Windows peppered in), that has no reflection on the multitude of different types of users and user activity for these devices. For example, I use my device for social media, photography and business applications. I get bored with my wallpaper and change it frequently, and I have three pages of apps in folders (most of which I don’t use, but I have them just in case). In contrast, my friend, who is a law enforcement agent, has only two pages of apps (none in folders), never changes his wallpaper or ringtone and doesn’t really take too many pictures. The two devices we own are almost identical.
Users sometimes abuse their devices and sometimes take great care of them. Some users don’t know what Bluetooth is or why anyone would need it. The point is that the mobile device manufacturers make these devices versatile so they can sell as many as possible on the consumer market. With each device comes a new set of variables, and those variables are almost entirely user-defined. Do you clear out text messages regularly? Do you use more than one text app? Do you use your device for banking and management of finances? Dating? Shopping? The list is endless, and until we know what the user’s behavior is on the particular device in question, we’re somewhat grasping at straws when asked what types of evidence we can obtain from it.
Factor #3: The Software
Along with an innumerable number of devices on the consumer market comes a diverse set of software platforms on which these devices operate. It’s said that Apple iOS users update their device software at a much higher percentage than Android users. The devices themselves can dictate this as well. I purchased a pre-pay Android phone last year for testing purposes, and the operating system software on it cannot be upgraded. If you still have an iPhone 4 that you want to press into service, its software cannot be upgraded. So what’s the big deal?
Mobile forensic companies are constantly playing catch-up with the software manufacturers. How that relates to our abilities is that the older the device software, the more data we’re likely to be able to obtain from it. Reverse-engineering and testing take time, sometimes a lot more time than mobile forensic software developers have, so this can be a huge factor in our ability to obtain valuable information from mobile devices. Factor in the constantly changing nature of mobile apps and now we’re talking about a whole new software subject area with regard to recovery and analysis of data. Many people communicate via Facebook and Twitter just like they do via regular text message, so having access to those messages might be crucial to your case.
Factor #4: The Examiner
For regular readers of this blog, you probably get tired of hearing me preach that experience is the key to a good examiner, but here I go again! I can’t stress enough how important experience is, especially when dealing with multiple devices across multiple platforms that incorporate multiple third-party apps. Along with experience at a practical level, a competent examiner has to have a basic knowledge base of how data is stored, the variations in operating systems and apps across different devices, and how to effectively report that information and testify to its veracity. It’s true that mobile forensics isn’t true forensics because we need to alter the device in some way in order to obtain a successful data extraction, but does your examiner know that? Can he/she articulate that? Have they testified before as an expert?
I’ll admit that the reason I harp on experience so much is that I’ve seen examiners through the years with more letters after their name than are actually in the alphabet, but they can’t figure out that they can use a certain tool to bypass the swipe lock on a piece of evidence. Further, they’ve probably never been challenged in court or asked to explain highly technical findings to someone who isn’t very technical, like a judge or jury. Yes, friends, having an experienced examiner is probably the most important factor in this whole equation. Without it, things have the potential to get very, very bad.
The “Other” Factor
As I gain more and more experience in mobile forensics and work more and more cases, I have discovered that there’s one more factor that can affect the outcome of your examination and help increase the likelihood that you’ll find what you need – the forensic tools you choose to employ.
Now don’t get me wrong, you can do mobile forensics with open-source tools, but everyone I know who does that is very much smarter than I. It can also be much more time-consuming. There are some powerful forensic tools available on the market today, friends, and I suggest you research them thoroughly before choosing to invest in any of them. Certain companies concentrate mainly on doing one thing and they do it quite well. Others put a mountain of work into the tools on the research and development end and, as such, they are very robust (and you pay for it, believe me!).
Regardless, I will offer one tip that I’ve heard ever since I got into this business – no one tool will always get all of the evidence. The variable nature of mobile forensics seems to prohibit this. Currently at Pro Digital, we employ three different licensed mobile forensic tools in addition to any open source tools we may use. This helps not only cover all the bases, but helps us better serve our clients. As time goes on, we’ll probably invest in more because there’s no one catch-all to mobile forensics. If anyone tells you there is, well… they’re probably just trying to sell you something!
Author: Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history. A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.