Digital Forensic Trails: Mobile Devices, Messages, and Apps

Mobile Devices

Mobile devices present certain challenges as compared to laptop and desktop computers. Not all data is stored on the device even though a user may have access to it. Daniel Ogden, Mobile Device Forensics: Beyond Call Logs and Text Messages, United States Attorneys’ Bulletin (Jan. 2017), at 11. Some of this will depend on whether data is being stored in the cloud or on remote storage. In the case of email, different service providers may have different default settings for archived material, depending on their policy regarding the length of time for which the provider will maintain logs for IP addresses. In a notable case out of Germany, a court forced a service provider, Posteo, to log traffic data despite the fact that the service’s business model was specifically designed not to do so. See David Meyer, Log-free email provider Posteo: “You must log user IP addresses,” court rules, ZDNet, Jan. 30, 2019.

Older email programs used POP3 (Post Office Protocol), software that downloaded the user’s emails and then deleted them. More commonly used now is Internet Message Access Protocol (IMAP), software that downloads the user’s emails and leaves them on the server, unless the user deletes them. Data on a device may be “deleted,” but unless the device has been wiped or reformatted, the data may still be available. Thus, the availability of data that has been transmitted using a mobile device will depend on web-based email accounts, social media accounts, and the type of file storage utilized by the user.

Text Messages

Text messages on a mobile device are stored in a database maintained on the device, which may include attachments (e.g., photos, videos, and audio). There are forensic tools that can extract such messages into standard formats for processing, storing, and analysis. How much data is stored and in what kinds of format the information can be retrieved may depend on the device’s make, model, capacity, storage, and condition. When a text is deleted, the message itself will disappear, but it may be recoverable for a period of time. Such messages may be overwritten as the user sends and deletes messages. Reproducing text messages for evidentiary purposes will depend on whether the device on which they were stored was forensically imaged within the relevant time frame and whether the relevant data can be captured. If an organization has a protocol in place to manage the messages of employees, commercial services are available to capture and archive such communications through direct carrier relationships.

Apps

WhatsApp, Facebook Messenger, and various encrypted message applications are attractive to consumers and some business users alike because users have an expectation of privacy regarding their electronic communications, and encrypted communications cannot be tampered with or accessed by third parties. End-to-end encryption is key to this feature because the information will be transmitted via code rather than plain text. The app maker, Internet service providers, and governmental entities are not supposed to be able to have access to the communication. WhatsApp communications are never stored on the WhatsApp server. With this kind of security, how can data be extracted in the event that it is required for an investigation? For iOS devices, WhatsApp data reportedly can be extracted using a basic iTunes backup procedure. For Android devices, physical extraction may be necessary to recover files.

Secure and Preserve

Mobile devices, texts, and messaging apps present challenges in preserving and extracting data. Securing and imaging a device is a critical step for the forensic recovery and analysis portion of an investigation.