Our Views:
This month’s theme is “Mobile Device Forensics”.
Research suggests that there are now more active mobile devices on Earth than people. Mobile devices such as smart phones and tablets are commonly used to save personal information such as contacts, photos, notes, messages, video, and email. They are also increasingly used for work purposes, to store and transmit corporate information and facilitate online transactions.
This usage results in a rich source of data that may be used as forensic evidence when investigating incidents such as intellectual property theft, harassment and inappropriate social media activity. Collecting data from these devices in a defensible manner is critical when later examining the data to establish activities, timelines, and the intent of the user for forensic purposes. Mobile device forensics is a field aimed at recovering digital evidence in a forensically sound manner. This field has evolved quickly in line with the growing proliferation of mobile devices.
Mobile device evidence can be extremely detailed, and the amount and types of data that can be found are increasing. Evidence may come from various sources such as the local handset memory, attached memory cards or the SIM card. A non-exhaustive list of data that can be recovered from a mobile device and used as evidence includes:
| SMS and MMS messages | Web Browsing artefacts | Documents |
| Instant Messaging | Wireless Network settings | Stored payment data |
| Call logs (incoming, outgoing, missed) | Geolocation information | Online portals |
| Contact Lists | Images and video | Social Networking Posts and Contacts |
| IMEI/ESN information | Emails and attachments | |
We have found that the examination of mobile devices in an investigation often provides crucial information pertinent to the inquiry and should never be overlooked. These devices can also present unique technical challenges when trying to obtain digital evidence. Examples of the opportunities and challenges that exist when examining a mobile device include:
Fast pace of technology change – Manufacturers are updating their systems at an astounding pace. This creates new streams of evidence, but makes the collection and examination of that evidence, including operating system and mobile application data, more complex. Ensuring all data sources are identified and located is critical for successful retrieval.
Data Synchronisation – Mobile devices store a lot of data, but also connect with data located in the ‘cloud’. Again, this additional data can create a new source of evidence, but care is required to obtain it, both legally and technically. For example, social media information that was created on a mobile device but has since been deleted may still reside in the cloud service. A similar situation can arise when a social media post has been deleted from the cloud but may still be recoverable from the mobile device.
Large volumes of data – Mobile devices commonly have around 64 Gigabytes or more of data storage, which is equivalent to 33,500 reams of paper. This volume of data potentially offers more detailed evidence.
Constant connectivity and activity – Mobile devices and tablets operate in an “always-connected” mode. They hibernate, suspending services when idle whilst remaining active. However, a significant number of activities may still be creating data in the background even when the devices are seemingly inert.
Advanced security features – Security functions on mobile devices are evolving and many contain features such as remote wiping. Care must be taken not to trigger these security features and destroy any potential data and evidence the device holds.
Specialised Tools – No single forensic tool can be relied on to guarantee that all data is collected from any given mobile device. We recommend using specialised commercial tools to assist in the mobile forensic process. Certain tools enhance the ability to obtain a robust set of data and offer significant advantages in obtaining critical information on many device models. Advanced automated tools can also recover artefacts that may be unknown to the investigator or typically difficult to find.

As mobile devices have become a common business tool, the data they hold can be crucial to uncovering the facts surrounding any given incident. Careful handling of these devices in each stage of the process is required to ensure any possible evidence is forensically maintained. Whilst challenges exist when retrieving data from mobile devices, our experience confirms that when approached correctly, results derived from mobile forensics can be invaluable to any investigation.
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
