Mobile Device Forensics Overview
The importance and proliferation of mobile devices continue to increase in day-to-day life. Mobile devices have changed from a frivolous luxury item to an essential life tool in short order for the majority of people today. Gone are the days when a person carried around a bag phone on their shoulder to get an hour of talk time with a coverage area of almost nothing. People now tote around PC replacements in their pockets that can last for days. It is time to stop thinking of mobile devices as simply a phone and instead look at them as small computers with much more available information than the typical laptop or desktop PC.
Mobile devices can generate and save documents like PCs, but they also have added features such as GPS tracking, integrated cloud storage and numerous chat and social media applications, just to name a few possibilities. Accordingly, our increased use and reliance on mobile devices have created many new data points and potential associated pitfalls for discovery. The following are some considerations and helpful tips when preparing/collecting data from mobile devices:
Requirements for all devices
Types of Devices
Apple Devices
Apple’s closed software code and ecosystem make these devices easier to collect since the variations between each software and hardware version do not impact the overall process too greatly. Apple does not encrypt the physical data, but uses a software layer to encrypt data, so even encrypted phones can be disassembled (for about $15,000) and preserved when absolutely necessary.
Android Devices
Android’s flexibility and open source software have turned it into an extremely fragmented operating system with many different flavors and versions. XDD always recommends having an examiner take physical custody of the device to make a proper image.
Blackberry Devices
Blackberry devices are one of the few where the data is encrypted at the physical level on the memory chips, whereas most other devices “encrypt” the data via software which can be defeated by simply taking the chip off of the board inside the phone. Blackberry is becoming more of a software and security company rather than a mobile device manufacturer. Expect these devices to get more secure and more difficult to collect.
Windows Tablets or Tablet PCs
Windows tablets tend to present more like a phone/tablet (similar to Apple’s iPad), while Windows tablet PCs are more like a computer and can offer data similar to mobile devices or computers. These hybrids are more of a challenge because the tablet and PC versions can have drastically different operating systems while presenting nearly identical appearances. Just be aware that a tablet isn’t always a tablet.
Standalone GPS Devices
GPS devices, such as those manufactured by Garmin or TomTom, also contain data such as address books, marked locations and the user’s custom points of interest (POIs).
Wearable Devices
Wearable mobile devices may be (1) nearly 100 percent dependent upon their linked device, (2) completely independent of a linked device or (3) a hybrid. The Apple Watch is almost 100 percent reliant upon the linked iPhone for data, location, time and information. Garmin’s line of watches can operate 100 percent independent of a linked phone or computer. Some devices can operate either way.
Vehicle Navigation and Infotainment Systems
Similar to standalone GPS devices, the computers in today’s vehicles can contain personal information management systems (PIMs), recent destinations, movies, pictures and POIs. Some are even full PCs!
Where did the data originate?
Mobile devices often blur the line between work and personal tools. It is not uncommon for activity to spill over between the two worlds, and the situation is further complicated by today’s syncing conveniences. Internet history on your iPad may have actually been generated by browsing on your MacBook or iPhone, but will show on all devices thanks to Apple’s iCloud Syncing and Continuity. It is important to look at the whole picture with preservation and investigation and not focus on one data source independent of other possible avenues.
GPS isn’t just location coordinates.
Phones track your location information utilizing GPS signals (receive only), cell phone towers and Wi-Fi hotspots. This is only a piece of the location information to investigate. Social media apps such as Foursquare/Swarm, Yelp, Twitter and Facebook, to name a few, often add your location to your uploads and updates. Once the location data is shared from the mobile device, it is important to look at other location sources that get preserved in near perpetuity online. Pictures and videos on the device may also have geotagging information available that logs where a particular event was captured.
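As an added illustration of the geotagging point above (example code, not part of the original article): a small Python parser that walks a minimal EXIF/TIFF structure to its GPS IFD and converts the degrees/minutes/seconds rationals to signed decimal coordinates. The EXIF blob is constructed here for the example; in a real photo the same structure sits inside the JPEG APP1 segment after the "Exif\0\0" marker.

```python
import struct

# Constructed sample (not from a real device): big-endian TIFF, IFD0 -> GPS IFD.
def build_sample_exif() -> bytes:
    def entry(tag, typ, count, value):      # one 12-byte IFD entry
        return struct.pack(">HHI", tag, typ, count) + value
    def rationals(*pairs):                  # TIFF RATIONAL = two uint32
        return b"".join(struct.pack(">II", n, d) for n, d in pairs)
    header = b"MM\x00\x2a" + struct.pack(">I", 8)              # IFD0 at 8
    ifd0 = (struct.pack(">H", 1) + entry(0x8825, 4, 1, struct.pack(">I", 26))
            + struct.pack(">I", 0))                           # GPS IFD at 26
    gps = struct.pack(">H", 4)
    gps += entry(0x0001, 2, 2, b"N\x00\x00\x00")              # GPSLatitudeRef
    gps += entry(0x0002, 5, 3, struct.pack(">I", 80))         # GPSLatitude @80
    gps += entry(0x0003, 2, 2, b"W\x00\x00\x00")              # GPSLongitudeRef
    gps += entry(0x0004, 5, 3, struct.pack(">I", 104))        # GPSLongitude @104
    gps += struct.pack(">I", 0)                               # no next IFD
    lat = rationals((40, 1), (26, 1), (4632, 100))            # 40 deg 26' 46.32"
    lon = rationals((79, 1), (58, 1), (5628, 100))            # 79 deg 58' 56.28"
    return header + ifd0 + gps + lat + lon

def _read_ifd(data, offset, end):
    """Map tag -> (type, count, raw 4-byte value/offset field) for one IFD."""
    n = struct.unpack(end + "H", data[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(end + "HHI", data[base:base + 8])
        entries[tag] = (typ, count, data[base + 8:base + 12])
    return entries

def _dms_to_decimal(data, end, value_field, ref):
    # Follow the offset to three RATIONALs (deg, min, sec); sign by hemisphere.
    off = struct.unpack(end + "I", value_field)[0]
    nums = struct.unpack(end + "6I", data[off:off + 24])
    deg, mins, secs = (nums[i] / (nums[i + 1] or 1) for i in (0, 2, 4))  # no /0
    dec = deg + mins / 60 + secs / 3600
    return -dec if ref in ("S", "W") else dec

def extract_gps(data: bytes):
    """Return (lat, lon) in decimal degrees, or None if no GPS tags exist."""
    end = ">" if data[:2] == b"MM" else "<"                   # "MM" big, "II" little
    ifd0 = _read_ifd(data, struct.unpack(end + "I", data[4:8])[0], end)
    if 0x8825 not in ifd0:
        return None                                           # no GPSInfo pointer
    gps = _read_ifd(data, struct.unpack(end + "I", ifd0[0x8825][2])[0], end)
    if any(t not in gps for t in (0x0001, 0x0002, 0x0003, 0x0004)):
        return None                                           # geotag stripped/partial
    lat = _dms_to_decimal(data, end, gps[0x0002][2], gps[0x0001][2][:1].decode())
    lon = _dms_to_decimal(data, end, gps[0x0004][2], gps[0x0003][2][:1].decode())
    return lat, lon
```

A photo whose GPS tags were stripped before sharing returns None here, which is exactly the case where the online copies and other location sources the paragraph mentions become the better lead.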
Locked out and nowhere to go?
Device encryption can be defeated by rapidly trying passwords – brute force attacks – or through complicated devices to sequentially try PIN keys on the screen. Alternatives are to physically open the device and read the memory chips with special tools or to look at device backups.
It is also worth noting that in late 2014 a Virginia Circuit Court stated that passwords and PIN numbers are still protected by the Fifth Amendment, but fingerprints are not. The presiding judge stated that fingerprints are similar to compelling DNA or handwriting samples for analysis. This is great news if you need information from newer iPhones or newer Samsung Galaxy phones.