Avansic Whitepaper: How Mobile Device Forensics is a Goldmine
01-24-2017, Avansic - Corporate
Mobile devices (cell phones, tablets) are central to our daily lives. We use them to communicate by voice, text, and image and in doing so create a large amount of data; we essentially use them as we would computers. This means they are an incredible repository of information for e-discovery and investigation purposes.

Storage Capacity
Cell phones themselves can store electronic information but it may seem as if their storage is limitless due to their ability to access synced, cloud-based, or application-based data. For example, Facebook has a large repository of pictures that aren't stored on the phone, but can be accessed almost anytime. Many mobile devices create temporary cache files for information accessed outside of what may reside on the internal memory, which can be useful in a forensics scenario.

In the past, the storage capacity of mobile devices was such that information like text messages would be quickly overwritten. That is no longer the case with most modern mobile devices. It is unlikely that devices will run out of storage capacity to the point that data would be overwritten, rather, the device prompts the user that there isn't enough space. An unaltered call history on a modern iPhone or Android will represent all the calls the device ever made; however, older phones might have only showed the last hundred calls.

Basic Forensics Results
Forensics collection and examination of a mobile device can typically return text and MMS messages, pictures, videos, call history (incoming, outgoing, missed), contacts, voicemails, calendar appointments and email, and app usage. This is not an inclusive list and some devices may include additional information. Some of this information can be retrieved even if it has been deleted.

Forensics Collection Types
The forensics collection of mobile devices has become more standardized. As mobile devices are hardware running on an operating system that accesses a file system, they mimic many of the qualities of computers. Thus, like computers, they can be collected at a physical data level, a logical level, or at the file system level.

Physical collection is similar to a forensic bit by bit acquisition of a hard drive. It is the most comprehensive extraction of a mobile device and gets everything in storage on the device. It allows for data carving which retrieves files that have been previously discarded (i.e., deleted pictures). The ability to perform a physical extraction is currently limited to Android or older (4S and before) iPhones. It is highly dependent on the type of Android phone and may only be feasible by essentially breaking the device (performing a function called “rooting”.)

The next two methods for data extraction are logical and file system. Both of these are accomplished through forensics software asking the phone's operating system “what do you have?” in two different ways.
Logical extraction collects at the file system level, which is active data. For iPhones, this is similar to the backup process used by iTunes. This will not find deleted material that the operating system doesn't know about, for example an item that has been deleted but not yet removed from the file table. Depending on the device, that could be something like metadata associated with a contract or phone number.

File system acquisition is a type of logical extraction. It can give you access to some databases that logical extractions don't, but that is specific to the type and model of phone. It is performed by interacting with the operating system.

Forensics investigators will try and use all three of these methods to extract data from mobile devices in order to find the most available data.

If iPhones are synced, forensics collections can retrieve some email header information (to, from, date, time) but typically not the body of the email. Android phones typically show that an email was sent on a certain date but no additional information. For social media, the best way to forensically collect that information is to have the username and password; otherwise search warrants and involvement by law enforcement are required.

Locked Devices
With a modern locked device, it is necessary to have the proper access code to be able to retrieve the most information possible. In some models, some data may be accessible without the passcode. But increasingly, encryption means that even if the data is acquirable but may not be useable without the passcode. A physical copy might be available, but without the passcode the data isn't readable or useable.

The biggest challenge in mobile device forensics is the rapid change in devices, both in models themselves as well as their operating systems, cables and connectors. Forensic acquisition requires a third party company to create software that can retrieve all the necessary information and as such, there is a lag between device availability to the public and its collectability. Mobile devices also have a large number of configurations, both manufacturer and user-controlled, which introduces additional variation of data that is retrievable.

Mobile devices are a goldmine of information in modern litigation and corporate investigation. The amount of interaction we have with these devices will continue to provide critical information for investigations and litigations in the future; therefore, partnering with a provider than can accurately and quickly perform these collections is a key part of the toolkit for corporations and legal professionals.