Mobile device data acquisition, in addition to traditional digital data sources, is a key component of any defensible discovery protocol. However, acquisition of mobile device forensic data is often far more complicated than many people realize and can encompass much more than just cell phones. As the personal and professional use of mobile device technology continues to grow, organizations involved with investigations, regulatory actions, and lawsuits must understand the steps they need to take and best practices involved with mobile forensic data collection. Failing to do so can lead to missed opportunities, wasted time and money, and even increased legal trouble.
Once the different data sources have been identified, the next step involves collecting the information. Mobile devices present their own unique challenges in this area as well. While some mobile devices can be collected by creating an image – like traditional hard drive collections – many mobile device collections are not an image per se, rather an acquisition of data. As I will outline later, there are different protocols for gathering data from mobile devices and certain design features may only allow one type of acquisition.
Control of data is also much more fluid on mobile devices. Many people love to post on social media, and geotagging is often part of the posting process. Once a tweet, Facebook post, Snap or other communication has been sent from a phone, control is lost.
Not all forensic software can collect every possible piece of data; therefore, a perfect road map or process to identifying all data sources does not exist yet. It’s easy to get off on the wrong path, and you wouldn’t be the first. The forensic expert, along with the legal team, must be a digital painter to take different data points, locations and databases and weave them into story that is understandable and accurate.
Security On Mobile Devices
Security standards are always changing and can differ significantly across mobile devices. Some devices may be only locked, while others may be encrypted. When a device is locked, it’s closed from the front-end interface – the screen usually. Locked devices can be unlocked with a PIN or a password, or there may be ways to compel the custodian to open the device. Software can also run through all the different possible PIN combinations to unlock the device, given enough time and the appropriate operating system. Encryption, however, secures the data on a software and/or hardware level, and it may not be possible to access it.
When data is difficult or impossible to access through software because the device is locked, damaged or encrypted, manual efforts may be effective. These approaches can include using a JTAG (Joint Test Action Group) procedure to extract data from the phone. The memory chip may also be removed from the circuit board in a process known as a chip-off. Chip-offs and JTAGing are generally last resorts. They may not work on all devices and normally cannot crack encrypted hardware. They also tend to be expensive, and especially in the case of a chip-off, can destroy devices.
Fortunately, there may be other alternative data sources if the information on a device is inaccessible. Since data is constantly being synced, hardware and software may be able to bridge the data gap. Consider Uber. It has both an app and a fully functional website. All the information that can be accessed through the Uber app on a phone may be pulled off the Uber website instead, or even the Uber software program installed on a computer. Windows 10 now has universal apps that will work on any Windows device to blend and provide continuity across devices.
Cloud syncing, such as with Microsoft’s OneDrive and Apple’s iCloud, is almost a given as well. When mobile device data also exists in the cloud, it may be possible to retrieve information, pictures and other data points without requiring access to a mobile device.
Along with built-in apps, many third-party apps can channel and archive data. There are apps that can back up all texts to a Gmail account, for example. Other avenues may include iTunes, which can create backups of Apple devices to computers and the cloud. BlackBerry devices can keep extensive log files on corporate servers.
When launching a multipronged collection, it’s important to create a plan first and follow it in the proper sequence. Certain built-in security features may destroy information as the result of an improper acquisitions protocol. For example, collecting a physical image before a logical image on certain devices can completely wipe a phone of all data, as can attempting to access a locked device and making too many password attempts.
Compiling The Data
Once the data has been collected, the next step is determining how to blend it together to create an accurate, thorough picture. Information must be produced in a readable, understandable format, and reporting and exporting information from mobile devices aren’t quite the same as for other legacy data sources. Text messages don’t technically have conversation identifications, but they do exist for certain message types or group messaging formats. So it’s possible to build conversations and export out the communications in .eml or .msg files. That way, traditional eDiscovery software can process the data, and reviewers can apply filters and search terms to assist with poring through massive amounts of information.
This process includes dealing with how apps sync across different devices. If something appears on a phone doesn’t mean that it originated on the phone. This becomes particularly important during the investigation phase. However, the syncing of apps can also be an advantage. Information that may be difficult to access on a highly secure device may also be synced to a less secure device, where it can be more easily accessed.
In many cases, it’s possible to create simple Excel or .csv dumps for mobile device data. These are often effective, but this format is more difficult to process.
Family relationships are another consideration. On mobile devices, family relationships may be less complete or obvious. Certain software can automatically remove or delete attachments and some communication will not sort into proper conversations. While this is an inevitable part of the process with mobile devices, investigators need to know that the challenges exist.
Simple investigations will rarely be sufficient for mobile devices. Reports should never be taken at face value. A full list of installed apps is critical. It’s not sufficient to rely on a single software application to report everything on a mobile device. Even if something doesn’t appear in a traditional report, that doesn’t mean that the data is not on the device.