
Law Technology Today


Mobile Device Forensics

Scott Polus



Mobile device data acquisition, in addition to traditional digital data sources, is a key component of any defensible discovery protocol. However, acquisition of mobile device forensic data is often far more complicated than many people realize and can encompass much more than just cell phones. As the personal and professional use of mobile device technology continues to grow, organizations involved with investigations, regulatory actions, and lawsuits must understand the steps they need to take and best practices involved with mobile forensic data collection. Failing to do so can lead to missed opportunities, wasted time and money, and even increased legal trouble.

Defining Mobile Devices

Defining mobile devices might seem intuitive. But the field has grown increasingly complicated as mobile devices have evolved from novelties to almost fully integrated life partners. These devices, which can include mobile phones, tablets, GPS units, wearables, and PDAs, can contain a great deal of information about users.

Mobile devices do not just operate as stand-alone data sources, though. They can constantly synchronize with other devices and applications, either directly or via the cloud. This means data may exist in places where investigators might not think to look. Not only does this constant synchronization affect collection, but it also impacts preservation.

When dealing with mobile devices, forensic teams need to consider the requirements of the matter at hand. This includes the specific devices and potential security obstacles, along with other software and apps that may be part of the synchronization process, separate memory sources and volatile data. That involves asking many questions, covering how each specific device operates and what information the device may contain, such as calendars, communications, documents, activity, history, locations and apps.

Regardless of the device, identifying data can be complicated by fragmentation of certain operating systems, different versions within each operating system, and variations between carriers. This is particularly true of Android devices: there are several different versions of the open-source Android operating system in circulation at any time. Even Apple’s iOS can vary significantly from version to version. For example, the same model of phone may have different interfaces and different features enabled simply based on where it was purchased. It can also be difficult to keep up with ever-changing mobile apps, which can update on separate schedules on seemingly identical devices. Even once you think you have the same device, with the same operating system, on the same carrier, with the same app version, you can find that users have enabled or disabled specific features. So, certain information that appears in an app on one device may not be available from a different version of that app on another.

Collecting Information

Once the different data sources have been identified, the next step involves collecting the information. Mobile devices present their own unique challenges in this area as well. While some mobile devices can be collected by creating an image – like traditional hard drive collections – many mobile device collections are not an image per se, but rather an acquisition of data. As I will outline later, there are different protocols for gathering data from mobile devices, and certain design features may only allow one type of acquisition.

Control of data is also much more fluid on mobile devices. Many people love to post on social media, and geotagging is often part of the posting process. Once a tweet, Facebook post, Snap or other communication has been sent from a phone, control is lost.

Not all forensic software can collect every possible piece of data; therefore, a perfect road map or process for identifying all data sources does not yet exist. It’s easy to get off on the wrong path, and you wouldn’t be the first. The forensic expert, along with the legal team, must act as a digital painter, taking different data points, locations and databases and weaving them into a story that is understandable and accurate.

Security On Mobile Devices

Security standards are always changing and can differ significantly across mobile devices. Some devices may only be locked, while others may be encrypted. When a device is locked, it’s closed from the front-end interface – usually the screen. Locked devices can be unlocked with a PIN or a password, or there may be ways to compel the custodian to open the device. Software can also run through all the possible PIN combinations to unlock the device, given enough time and a cooperative operating system. Encryption, however, secures the data at the software and/or hardware level, and it may not be possible to access it at all.

When data is difficult or impossible to access through software because the device is locked, damaged or encrypted, manual efforts may be effective. These approaches can include using a JTAG (Joint Test Action Group) procedure to extract data from the phone. The memory chip may also be removed from the circuit board in a process known as a chip-off. Chip-offs and JTAGing are generally last resorts. They may not work on all devices and normally cannot crack encrypted hardware. They also tend to be expensive, and especially in the case of a chip-off, can destroy devices.

Fortunately, there may be other alternative data sources if the information on a device is inaccessible. Since data is constantly being synced, hardware and software may be able to bridge the data gap. Consider Uber. It has both an app and a fully functional website. All the information that can be accessed through the Uber app on a phone may be pulled off the Uber website instead, or even the Uber software program installed on a computer. Windows 10 now has universal apps that will work on any Windows device to blend and provide continuity across devices.

Cloud syncing, such as with Microsoft’s OneDrive and Apple’s iCloud, is almost a given as well. When mobile device data also exists in the cloud, it may be possible to retrieve information, pictures and other data points without requiring access to a mobile device.

Along with built-in apps, many third-party apps can channel and archive data. There are apps that can back up all texts to a Gmail account, for example. Other avenues may include iTunes, which can create backups of Apple devices to computers and the cloud. BlackBerry devices can keep extensive log files on corporate servers.

When launching a multipronged collection, it’s important to create a plan first and follow it in the proper sequence. Certain built-in security features may destroy information as the result of an improper acquisition protocol. For example, collecting a physical image before a logical image on certain devices can completely wipe a phone of all data, as can making too many password attempts while trying to access a locked device.

Compiling The Data

Once the data has been collected, the next step is determining how to blend it together to create an accurate, thorough picture. Information must be produced in a readable, understandable format, and reporting and exporting information from mobile devices isn’t quite the same as for legacy data sources. Text messages don’t technically have conversation identifiers, though identifiers do exist for certain message types and group messaging formats. So it’s possible to build conversations and export the communications as .eml or .msg files. That way, traditional eDiscovery software can process the data, and reviewers can apply filters and search terms to assist with poring through massive amounts of information.

This process includes dealing with how apps sync across different devices. Just because something appears on a phone doesn’t mean that it originated on the phone. This becomes particularly important during the investigation phase. However, the syncing of apps can also be an advantage. Information that may be difficult to access on a highly secure device may also be synced to a less secure device, where it can be accessed more easily.

In many cases, it’s possible to create simple Excel or .csv dumps for mobile device data. These are often effective, but this format is more difficult to process.

Family relationships are another consideration. On mobile devices, family relationships may be less complete or obvious. Certain software can automatically remove or delete attachments and some communication will not sort into proper conversations. While this is an inevitable part of the process with mobile devices, investigators need to know that the challenges exist.

Simple investigations will rarely be sufficient for mobile devices. Reports should never be taken at face value. A full list of installed apps is critical. It’s not sufficient to rely on a single software application to report everything on a mobile device. Even if something doesn’t appear in a traditional report, that doesn’t mean that the data is not on the device.
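The threading and export steps described above (building conversations from messages that may or may not carry a conversation identifier, keeping attachments with their parent message so family relationships survive, and producing both .eml files and a flat .csv dump) can be seen in the following Python script. It is an added example, not code from the article or from any forensic tool vendor; the record layout, the field names and the `custodian-phone-01` device label are assumptions, and the sample messages are constructed.

```python
"""Thread mobile text messages into conversations and export them as .eml/.csv.

Added example, not from the article. The records below are a constructed,
simplified version of what a mobile forensic tool might export; the field
names and the device label are assumptions.
"""
import csv
import io
from datetime import datetime
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import format_datetime

# Constructed sample records. 'thread_id' is only present for message types
# that carry one (group chats here); plain SMS/MMS has none.
SAMPLE_RECORDS = [
    {"id": 1, "type": "sms", "thread_id": None, "from": "+15551230001",
     "to": ["+15551230002"], "ts": "2016-03-01T14:05:00Z",
     "body": "Did you send the file?", "attachments": []},
    {"id": 2, "type": "mms", "thread_id": None, "from": "+15551230002",
     "to": ["+15551230001"], "ts": "2016-03-01T14:07:30Z",
     "body": "Yes, attached.",
     "attachments": [("photo1.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes")]},
    {"id": 3, "type": "group", "thread_id": "chat17", "from": "+15551230003",
     "to": ["+15551230001", "+15551230002"], "ts": "2016-03-01T09:00:00Z",
     "body": "Meeting moved to 3pm", "attachments": []},
    {"id": 4, "type": "sms", "thread_id": None, "from": "+15551230002",
     "to": ["+15551230001"], "ts": "2016-03-01T14:06:00Z",
     "body": "One sec", "attachments": []},
]


def conversation_key(rec):
    """Use the tool's thread id when one exists; otherwise synthesise a key
    from the set of participants so one-to-one SMS still threads together."""
    if rec.get("thread_id"):
        return "thread:" + rec["thread_id"]
    participants = sorted({rec["from"], *rec["to"]})
    return "participants:" + "|".join(participants)


def build_conversations(records):
    """Group records by conversation key and order each group chronologically."""
    convs = {}
    for rec in records:
        convs.setdefault(conversation_key(rec), []).append(rec)
    for msgs in convs.values():
        msgs.sort(key=lambda r: r["ts"])
    return convs


def message_to_eml(rec, conv_key, device_label):
    """Render one message as an RFC 5322 message so eDiscovery tools can ingest
    it. Attachments travel inside their parent message, preserving the family."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = rec["from"]
    msg["To"] = ", ".join(rec["to"])
    sent = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    msg["Date"] = format_datetime(sent)
    msg["Subject"] = f"{rec['type'].upper()} message {rec['id']}"
    msg["X-Conversation-ID"] = conv_key      # lets reviewers sort by thread
    msg["X-Source-Device"] = device_label    # assumed custodian/device label
    msg.set_content(rec["body"])
    for filename, data in rec["attachments"]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def export_conversations(records, device_label="custodian-phone-01"):
    """Return {filename: eml_bytes}; names sort by conversation, then time."""
    out = {}
    for key, msgs in build_conversations(records).items():
        safe = key.replace(":", "_").replace("|", "-").replace("+", "")
        for n, rec in enumerate(msgs, 1):
            out[f"{safe}/{n:04d}_msg{rec['id']}.eml"] = message_to_eml(rec, key, device_label)
    return out


def to_csv(records):
    """The flat .csv dump the article mentions, with the conversation key added
    so the thread structure is not lost in the flat format."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["conversation", "id", "type", "from", "to", "timestamp", "body", "attachment_count"])
    for key, msgs in sorted(build_conversations(records).items()):
        for r in msgs:
            w.writerow([key, r["id"], r["type"], r["from"], ";".join(r["to"]),
                        r["ts"], r["body"], len(r["attachments"])])
    return buf.getvalue()


def read_back(eml_bytes):
    """Parse an exported .eml again, to verify the export round-trips."""
    return message_from_bytes(eml_bytes, policy=policy.default)


if __name__ == "__main__":
    for name, data in export_conversations(SAMPLE_RECORDS).items():
        print(name, len(data), "bytes")
    print(to_csv(SAMPLE_RECORDS))
```

The participant-set key is the important design choice: it is what lets plain SMS, which has no conversation identifier of its own, be reviewed as a thread alongside group chats that do carry one. When a tool exports messages from several devices, the `X-Source-Device` header keeps the synced copies distinguishable, which matters when deciding where a message actually originated.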

Recent Case Law And Trends

Mobile devices often represent a trade-off between security and convenience. While a 16-digit PIN might be extremely secure, few users will be willing to type one in every time they want to check their email or make a phone call. Biometric approaches may be more convenient, but they are not necessarily legally protected the way passwords are. For example, the Virginia Circuit Court has ruled that pass codes are protected, while fingerprints are not. In Riley v. California, the U.S. Supreme Court ruled that a person can be compelled to unlock a device. And the recent shooting in San Bernardino, California, has raised First Amendment issues around Apple’s willingness to unlock a phone.

The increase in mobile virtual network operators (MVNOs) and mobile other licensed operators (MOLOs) has also raised legal issues. While someone may purchase a phone from Apple, Apple may lease out the bandwidth. In a recent decision from the Court of Appeals for the Fourth Circuit, it was determined that location data from this type of relationship can also be made available without a warrant.

One significant future trend involves “trust scores,” which will become more sophisticated and accepted. No one can remember 25 different passwords, so combinations of Wi-Fi networks, facial screening, fingerprints and other factors will become more common ways to appropriately secure devices. Soon, devices may be able to automatically “read” a particular network. If it recognizes a home network, the mobile device may automatically unlock. While this offers more ease and security, it requires more personal data. Privacy may be the trade-off for this convenience.

Mobile devices represent a constantly shifting landscape, with a different theater of operating systems and actors. Mobile data is also unique and diverse. That means that plans and technology that worked a month ago for mobile device forensics may already be outdated. The only way to effectively manage mobile device forensics is to be dynamic with plans, software and partners.