Once upon a time, phones were only used to make calls. For most of us, our phone is a mobile office; central to a great deal of our daily activity, our phones are the hub through which our email, text messages, news, social media, calendars, driving directions, fitness goals, and so much more are all brought to us, organized, recorded, and shared.

As a result, mobile device data is becoming increasingly more voluminous, and its relevance and inclusion in legal matters is on the rise. However, it's important to realize that matters involving mobile devices are far more fluid and dynamic than traditional computer forensic matters (think: hard drives) because the technology involved, and the data itself, can be quite dynamic.

In this post, I'll offer a high-level overview of some of the key facets of mobile device technologies and data, and how they intersect with the needs and goals of the e-discovery process.

Mobile Data Basics

First and foremost, it's important to realize that the data stored on a mobile device changes constantly. So, any given collection (or "acquisition," in forensic examiners' terms) of a mobile device's data is a snapshot in time, and no two separate acquisitions will ever yield exactly the same information. If nothing else, the dates and times associated with data items will almost always be different from one acquisition to the next.

Second, it's helpful to understand the basics of mobile device hardware. Tablets and phones contain very small solid-state chips for memory functions and storage (as opposed to the hard drives and spinning platters of traditional computers). Mobile chip technology is small, cheap, and quite fast; however, by virtue of its nature, the mobile chip is inherently "volatile" – in a state of almost constant change. This is a side effect of its design: to extend the useful lifespan of their chips, developers employ a method called "wear leveling," which essentially spreads the writing of data across the chip so that no single area takes all of the abuse. The end result is a longer-lasting chip, and data that is overwritten both frequently and partially (which can pose a real problem during electronic discovery).

How is Mobile Data Stored?

Much of the data that cell phones and other kinds of mobile devices store resides in databases - typically SQL Lite. Mobile forensic tools and standalone database forensic software are used to parse the contents of these databases so that findings and reports are easy to read. Importantly, SQL Lite databases may also contain deleted records which have not yet been purged, so it may be possible to recover information, even though the user "deleted" it.

Moreover, data can often be found in areas outside the device itself. For example, devices which have been configured to do so will create data backups in the cloud, or on an associated laptop or desktop (think: iTunes.)

Acquisitions

Forensic examiners have a variety of options when acquiring data from mobile devices. Popular software platforms used for acquiring data include Cellebrite, Oxygen Forensic, Blacklight, and others. Additionally, examiners may opt to use one or more approaches to collect evidence. In order of least thorough to most complete:

  • Logical acquisition: captures active data only, from call log databases, SMS messages, etc.
  • File System acquisition: captures active data, and also retains all file system(s) information, the databases themselves, and other items. This is a better option for purposes of analysis.
  • Physical acquisition: captures both active and deleted data, file systems in their entirety, and free space (on a hard drive, "slack space") on the device's flash chip.
  • However, this method cannot be performed on all devices.
  • Manual acquisition: for devices or scenarios where no other means of acquisition is possible, the examiner can scroll through information displayed by the device and photograph or video record it.

Of course, given the volatility of mobile device data, the examiner should use more than one method and more than one software tool, and then cross-validate findings to ensure s/he has captured as complete a picture of the user's activities as possible.

Limitations

Often, iOS devices pose special challenges for forensic examiners. Here are a few key issues to be aware of:

a. The iPhone 4S+ and the iPad 2+ encrypt email data so examiners cannot extract that information from those models. Earlier devices were not encrypted and will yield emails and attachments.
b. When acquiring from and iOS device, the examiner must have the PIN codes for the home screen - there is no way to circumvent the PIN code in most cases (unless the device was previously jail-broken by an end user).
c. If a backup password was set, it will be required to extract file system or logical data.
d. iOS backups are sometimes created automatically by iTunes when a device is attached to a computer; examiners can parse these backups with forensic tools.
These same types of backups can be gathered from iCloud if this option was enabled.
e. Consider putting the device in airplane mode when you seize it. This will offer some protection from the accidental or intentional wiping of a device.

Conclusion

There are now more connected devices in circulation than people in the world, and as use of these devices and their accompanying applications continues to expand, so too will the use of data forensics as an invaluable tool for gathering evidence.



About the Author: Warren Kruse is a Vice President with Altep Inc., a national provider of e-discovery and computer forensic services. He has spent the last twenty-five years between law enforcement and as a consultant supporting various agencies with incident response, computer forensics and eDiscovery. Warren will present "Mobile Forensics – Tools for Investigation in a BYOD World" at InfoSec World 2016 in Orlando on Weednesday, April 6, 2016.