Forensic Overview of Mobile Devices

Mobile Device Forensics Overview

The importance and proliferation of mobile devices continue to increase in day-to-day life. Mobile devices have changed from a frivolous luxury item to an essential life tool in short order for the majority of people today. Gone are the days when a person carried around a bag phone on their shoulder to get an hour of talk time with a coverage area of almost nothing. People now tote around PC replacements in their pockets that can last for days. It is time to stop thinking of mobile devices as simply a phone and instead look at them as small computers with much more available information than the typical laptop or desktop PC.

Mobile devices can generate and save documents like PCs, but they also have added features such as GPS tracking, integrated cloud storage and numerous chat and social media applications, just to name a few possibilities. Accordingly, our increased use and reliance on mobile devices have created many new data points and potential associated pitfalls for discovery. The following are some considerations and helpful tips when preparing/collecting data from mobile devices:

Requirements for all devices

• The examiner usually needs: (a) physical device, USB cable, pin/pass for the device, OR (b) backups from a computer or the cloud.
• Mobile backups and devices will usually let an examiner collect everything EXCEPT email, with Blackberry being the exception. It is presumed that email resides elsewhere on a server and is being synced. Therefore, there is no reason to preserve it with a backup.
• Chat apps such as Viber, WhatsApp, Kik Messenger, Skype, etc., are prolific and easy to miss for an untrained examiner. Even games can have chat functionality. Don’t skip this!
• You can normally get chat apps/activity, social media apps/activity, address books, calendars, SMS/MMS messages, messaging apps, Internet history, GPS location info from phones, GPS location info from pictures, file sharing activity and Wi-Fi hotspots used (some with GPS).
• Certain devices have different security settings and can’t be addressed the same way. Contact an XDD specialist to determine the specific challenges, but overall the following apply:

TYPES OF DEVICES

Apple Devices

Apple’s closed software code and ecosystem make these devices easier to collect since the variations between each software and hardware version do not impact the overall process too greatly. Apple does not encrypt the physical data, but uses a software layer to encrypt data, so even encrypted phones can be disassembled (for about $15,000) and preserved when absolutely necessary.

• Can also be collected via an iTunes backup. The examiner really never needs the physical phone.
• Can also be collected via iCloud backups, but iCloud backups can be partial and not contain all items from the device.
• iMessage is Apple’s proprietary messaging app which integrates with FaceTime video and audio. Don’t forget to check for communications.
• Takes 30 minutes to 5 hours to collect (size and age dependent).

Android Devices

Android’s flexibility and open source software have turned it into an extremely fragmented operating system with many different flavors and versions. XDD always recommends having an examiner take physical custody of the device to make a proper image.

• Android backups exist and work similar to Apple backups but are not created as readily and easily as Apple backups.
• Takes 1 to 5 hours to collect (size and age dependent).

Blackberry Devices

Blackberry devices are one of the few where the data is encrypted at the physical level on the memory chips, whereas most other devices “encrypt” the data via software which can be defeated by simply taking the chip off of the board inside the phone. Blackberry is becoming more of a software and security company rather than a mobile device manufacturer. Expect these devices to get more secure and more difficult to collect.

• Emails DO get backed up with Blackberry, whereas with most devices they do not.
• BB10 model vs. legacy version (BB7 models and later) are VERY different to collect and process.
• BBM messenger was proprietary to Blackberry. Don’t skip it during the investigation for messages.
• Takes 2 to 3 hours to collect (size and age dependent).

Windows Tablets or Tablet PCs

Windows tablets tend to present more like a phone/tablet (similar to Apple’s iPad), while Windows tablet PCs are more like a computer and can offer data similar to mobile devices or computers. These hybrids are more of challenge because the tablet and PC version can have drastically different operating systems while presenting nearly identical appearances. Just be aware that a tablet isn’t always a tablet.

• There are no removable drives, and these are usually better encrypted than other tablets.
• Most do not have a CD/DVD drive, requiring specific USB tools.
• 1- to 2-day turnaround

Standalone GPS Devices

GPS devices, such as those manufactured by Garmin or TomTom, also contain data, address books, marked locations and user’s custom points of interests (POI).

• These usually require specific software to read or preserve.
• They may require physical disassembly resulting in irreparable damage.
• Processing requires a several-day turnaround, and the device is usually not returned.

Wearable Devices

Wearable mobile devices may be (1) nearly 100 percent dependent upon their linked device, (2) may be completely independent of a linked device or (3) a hybrid. Apple Watch is almost 100 percent reliant upon the linked iPhone for data, location, time and information. Garmin’s line of watches can operate 100 percent independent of a linked phone or computer. Some devices can operate with either/or.

• These are not as secure! The phone may be locked but wearable may not be.
• They can hold independent data from their linked device.
• Wearables can link to devices such as bike pedals. They don’t need to link to a phone.
• These can take minutes to days to preserve. The technology in this area is constantly changing, and techniques are constantly being revised to adapt.

Vehicle Navigation and Infotainment Systems

Similar to standalone GPS devices, the computers in today’s vehicles can contain personal information management systems (PIMs), recent destinations, movies, pictures, POIs. Some are even full PCs!

• Data extraction can be a challenge.
• Devices are designed not to leave the vehicle.
• They have proprietary connections.

Reminders

Where did the data originate?

Mobile devices often blur the line between work and personal tools. It is not uncommon for activity to spill over between the two worlds, and the situation is further complicated by today’s syncing conveniences. Internet history on your iPad may have actually been generated by browsing on your MacBook or iPhone, but will show on all devices thanks to Apple’s iCloud Syncing and Continuity. It is important to look at the whole picture with preservation and investigation and not focus on one data source independent of other possible avenues.

GPS isn’t just location coordinates.

Phones track your location information utilizing GPS signals (receive only), cell phone towers and Wi-Fi hotspots. This is only a piece of the location information to investigate. Social media apps such as Foursquare/Swarm, Yelp, Twitter and Facebook, to name a few, often add your location to your uploads and updates. Once the location data is shared from the mobile device, it is important to look at other location sources that get preserved in near perpetuity online. Pictures and videos on the device may also have geotagging information available that logs where a particular event was captured.

Locked out and nowhere to go?

Device encryption can be defeated by rapidly trying passwords – brute force attacks – or through complicated devices to sequentially try PIN keys on the screen. Alternatives are to physically open the device and read the memory chips with special tools or to look at device backups.

It is also worth noting that in late 2014 a Virginia Circuit Court stated that passwords and PIN numbers are still protected by the Fifth Amendment, but fingerprints are not. The presiding judge stated that fingerprints are similar to compelling DNA or handwriting samples for analysis. This is great news if you need information from newer iPhones or newer Samsung Galaxy phones.