April 18, 2016

Mobile Device Forensics: What Can Be Found?

The perspective of a digital forensics examiner.

By Joshua Dalman

We live in a mobile world. Most Americans now own smartphones, and for those of us in the digital forensics community each of those phones is a treasure trove of data that may have evidentiary value.

Digital forensics examiners have a number of tools to choose from when examining mobile devices. Some of the most popular mobile forensics tools are Cellebrite's UFED series and Micro Systemation's XRY, among several others. This short article will give you examples of what data your expert can obtain from mobile devices.

Smartphones can yield a vast amount of data. Before these data can be analyzed, a forensically sound method must be used to capture an image of the phone. There are several things to consider when accessing a phone: the type of encryption on the device; blocking radio frequency signals with a Faraday bag so that an individual cannot remotely wipe data from the phone beyond recovery; and the manufacturer and model of the phone. Due to the sheer number of mobile devices on the market, not all forensic tools will acquire and process every phone. Each phone must be checked against the models supported by the forensic tool to determine the types of data it can, or cannot, recover and analyze. Luckily, if one forensic tool will not support the model, another forensic tool may be able to access and analyze the device.

For many phone owners, the mere mention of encryption usually paints a picture of complete security. However, in a number of cases, it is possible to bypass or decrypt encrypted devices. For certain versions of Apple iOS, it is possible to determine the simple four-digit PIN by brute force. This can be done by placing the phone in Device Firmware Update (DFU) mode by holding the Home key and power button when powering up the phone, and the decryption process typically occurs in less than 30 minutes using a standard laptop computer.

Once the phone is accessed, hash algorithms can be used to help verify the authenticity of the image. A hash value, which acts as a "digital fingerprint" of the data, allows the computer forensic expert to certify that the data recovered from the phone are the same as they were on the day the phone was accessed.
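The following is an added example, not code from the article or from any of the forensic tools it names, showing how that "digital fingerprint" is produced and checked in practice: the image is hashed on acquisition day, the hashes are recorded alongside it, and any later copy is re-hashed and compared so that even a single altered byte is detected. The file names, the sample image content and the `demo()` routine are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Hash algorithms recorded for the image. Commercial tools commonly report
# MD5 and SHA-1 as well; SHA-256 and SHA-512 are used here so the example
# also runs on FIPS-restricted Python builds.
ALGORITHMS = ("sha256", "sha512")


def hash_file(path, algorithm="sha256", chunk_size=1024 * 1024):
    """Stream the file through the hash so multi-gigabyte images fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_hash_record(image_path, record_path, algorithms=ALGORITHMS):
    """Record the acquisition-day hashes next to the image, one line per algorithm."""
    lines = [f"{algo}  {hash_file(image_path, algo)}  {Path(image_path).name}"
             for algo in algorithms]
    Path(record_path).write_text("\n".join(lines) + "\n", encoding="utf-8")
    return lines


def verify_image(image_path, record_path):
    """Recompute each recorded hash and report, per algorithm, whether it still matches."""
    results = {}
    for line in Path(record_path).read_text(encoding="utf-8").splitlines():
        algo, expected, _name = line.split("  ")
        results[algo] = hash_file(image_path, algo) == expected
    return results


def demo():
    """Constructed stand-in for an acquired image: hash it, verify, then alter one byte."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "phone_image.bin"       # placeholder name, not a real acquisition
        record = Path(tmp) / "phone_image.hashes"
        image.write_bytes(b"constructed sample image content " * 1000)
        write_hash_record(image, record)
        intact = verify_image(image, record)
        # Simulate a single-byte change to the image after acquisition.
        with open(image, "r+b") as f:
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0x01]))
        altered = verify_image(image, record)
    return intact, altered


if __name__ == "__main__":
    before, after = demo()
    print("intact image:", before)    # every algorithm True
    print("altered image:", after)    # every algorithm False
```

Recording more than one algorithm is deliberate: a mismatch on every algorithm points to a changed file, while a mismatch on only one would suggest a transcription error in the record itself.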

Smartphones can hold a tremendous amount of data about the user. The following types of data are stored by most phones:

  • locations
  • text messages
  • pictures
  • videos
  • music
  • voice mail
  • a list of wireless networks where the phone connected
  • address book
  • email
  • call logs
  • web history

Once the data are recovered, the examiner even has the ability to search across all of the data for keywords that may be relevant to your case. The following screen shot provides examples of the different types of data typically recovered by any forensic software.
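As an added illustration of the keyword search described above (example code, not a feature of any particular forensic tool), the block below runs a case-insensitive, whole-word search for several keywords across recovered records from the data categories listed earlier and groups the hits by category. The `RECOVERED` records are constructed sample data, not artifacts from any real device.

```python
import re
from collections import defaultdict

# Constructed sample of recovered artifacts, one record per item, tagged with the
# data category a forensic tool would assign. Not data from any real device.
RECOVERED = [
    {"category": "text messages", "when": "2016-03-02 09:14",
     "content": "Meet at the warehouse at 10, bring the invoice"},
    {"category": "text messages", "when": "2016-03-02 09:20",
     "content": "ok see you there"},
    {"category": "call logs", "when": "2016-03-02 09:25",
     "content": "Outgoing call to Acme Supply, 4 min"},
    {"category": "web history", "when": "2016-03-01 22:41",
     "content": "https://example.com/search?q=invoice+template"},
    {"category": "email", "when": "2016-02-28 17:02",
     "content": "Subject: Revised INVOICE #4471 attached"},
    {"category": "locations", "when": "2016-03-02 10:03",
     "content": "lat 39.28, lon -76.61 (constructed)"},
]


def search_records(records, keywords):
    """Return {category: [record + matched keywords]} for every record hitting a keyword.

    Matching is case-insensitive and on whole words, so 'invoice' matches
    'INVOICE' and 'invoice+template' but not 'invoiced'.
    """
    patterns = {k: re.compile(r"\b" + re.escape(k) + r"\b", re.IGNORECASE)
                for k in keywords}
    hits = defaultdict(list)
    for rec in records:
        matched = sorted(k for k, p in patterns.items() if p.search(rec["content"]))
        if matched:
            hits[rec["category"]].append({**rec, "matched": matched})
    return dict(hits)


def hit_counts(hits):
    """Summarize the search as {category: number of matching records}."""
    return {category: len(records) for category, records in sorted(hits.items())}


if __name__ == "__main__":
    results = search_records(RECOVERED, ["invoice", "warehouse"])
    for category, records in results.items():
        print(category)
        for rec in records:
            print(f"  {rec['when']}  matched={rec['matched']}  {rec['content']}")
    print(hit_counts(results))
```

Whole-word matching cuts down on noise from partial matches, but an examiner who also needs substrings (a partial phone number, for example) would drop the `\b` anchors for those terms.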

Figure 1

Most commercial cell phone forensic tools can create an easy-to-navigate report containing a table of contents, and then the data can be distributed to individuals involved throughout your case. A typical report is shown below.

Figure 2


In addition, a number of cutting-edge commercial forensics tools allow the forensic examiner to scan for malware on the phone. This can be important in plausible deniability cases and for general computer security analysis.

As the examples show, mobile devices and the evidentiary data recovered from them can have an important impact on your case. When your case involves a mobile device, consider finding a digital forensics expert with a background and training in mobile devices to determine how they may be able to assist you.

Keywords: litigation, expert witnesses, forensics, mobile device, smartphone, encryption

Joshua Dalman is a digital forensics examiner in the Baltimore, Maryland, area.

Copyright © 2016, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).