The article I collaborated on last month for Law Enforcement Technology, “Smartphone Overload,” went into considerable detail about the challenges of multiple mobile operating systems. In short:
- Multiple operating system versions across thousands of smartphone models.
- New mobile operating system versions released every few months.
- Multiple file systems.
- Popularity, data usage rates and legacy devices are not all the same thing.
- Differences in where and how smartphones store data (including “the cloud”).
- Security, including user lock codes and encryption.
There are a few other goodies in there, but the main idea is this: smartphones have made mobile device forensics a lot more complicated than touch-and-swipe interfaces would have you believe.
Add this to the fact that phones (and any associated removable storage cards) can store as many emails, images and videos as a computer, multiply it by the number of cases you work in a week or a month or a year, and you can start to see why “everything on the phone” has rapidly become unrealistic.
The answer to this is not to start manually thumbing through devices or storage media you seize. That can potentially get your evidence thrown out of court, leave you open to lawsuits, and lead to other consequences that can ruin your day.
The answer, instead, is to build better relationships with the digital forensics specialists in your department or region, or to understand what’s involved with standing up your own capabilities. Here are a few things you should consider.
What’s involved with a mobile forensic exam?
A mobile forensics examination can take anywhere from a few hours to a few days, depending on a variety of factors, including examiner workload. Understanding the process can help you, and therefore the examiner, focus only on what you need.
First, you and the person performing the exam need the proper legal authority to do so. This involves a search warrant, or some exception to the Fourth Amendment. Talk to your prosecutor to be sure you understand how the courts in your area see certain exceptions. For example, search incident to arrest criteria vary from state to state.
Consent is one of those exceptions that can reduce the time it takes to get the data you need. Just ask. Obtain subjects’ written consent, and ask them for any passwords, swipe pattern codes or pass codes. Document these carefully for forensic examiners to refer to.
Also, remember that a warrant that covers a mobile device won’t extend to the carrier or to any data stored “in the cloud.” Any data you need from the wireless carrier or service provider, whether backups, call detail records or other forms of data, requires its own warrant.
Extractions acquire digital data from mobile devices. An extraction can be logical (the what-you-see-is-what-you-get phonebook, call history, text messages, photos, calendar entries, notes and videos you can see) or physical (data you can see plus data you can’t -- deleted data and metadata such as GPS data, email and SMS headers, etc.).
A file system extraction is a type of logical extraction that can retrieve existing data, along with limited deleted data from a smartphone’s databases. This can include app data like social networking contacts, content and so on. In many cases, physical and file system extractions can enable the examiner to bypass any pass codes, passwords, or swipe pattern codes.
Most mobile forensic tools can perform a basic logical extraction, which can take as little as 5 to 15 minutes. Several mobile forensic tools can perform file system and physical extractions, which can take as long as 36 or more hours. Extraction lengths depend on the tool, the amount of data and type of content.
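To make the difference between a logical view and a file system extraction concrete, here is an added example that is not from the article or from any forensic tool vendor. It assumes the app stores its messages in a SQLite database (a constructed one stands in for a real handset database here) and shows why a query over live rows, like the phone’s own screen, misses a deleted message while the raw database file may still hold its text. It also shows why that recovery is only “limited”: if the app had switched on SQLite’s secure_delete setting (an assumption about app behaviour, not something the article states), the freed space is zeroed and nothing survives in the file.

```python
# Added example, not from the article: a constructed SQLite "message store"
# standing in for a smartphone app database. A logical view (the live rows
# the handset UI shows) misses a deleted record; the raw database file, as
# copied by a file system extraction, may still contain it, unless the app
# enabled SQLite's secure_delete, which overwrites freed space with zeros.
import os
import sqlite3
import tempfile

MARKER = "DELETED_MESSAGE_MARKER"  # constructed body text for the row we delete


def build_sample_db(path, secure_delete=False):
    """Create a small constructed message table, then delete one row.

    secure_delete=False models the assumption that the app left SQLite's
    default in place; True models an app that opted in to zeroing freed space.
    """
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany(
        "INSERT INTO messages (sender, body) VALUES (?, ?)",
        [("alice", "meet at the usual place"),
         ("bob", MARKER + " this text was deleted by the user"),
         ("carol", "running late")],
    )
    con.commit()
    # The "user" deletes bob's message; the UI will no longer show it.
    con.execute("DELETE FROM messages WHERE sender = 'bob'")
    con.commit()
    con.close()


def logical_view(path):
    """Live rows only: what the handset UI and a logical extraction report."""
    con = sqlite3.connect(path)
    rows = con.execute("SELECT sender, body FROM messages ORDER BY id").fetchall()
    con.close()
    return rows


def raw_file_contains(path, needle):
    """Search the database file itself, including the freed space inside
    pages that a file system extraction copies along with the live data."""
    with open(path, "rb") as f:
        return needle.encode() in f.read()


def compare(secure_delete=False):
    """Return (live_senders, deleted_text_still_in_file) for one scenario."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "messages.db")
    try:
        build_sample_db(path, secure_delete)
        live = [sender for sender, _ in logical_view(path)]
        lingering = raw_file_contains(path, MARKER)
    finally:
        for name in os.listdir(tmpdir):
            os.remove(os.path.join(tmpdir, name))
        os.rmdir(tmpdir)
    return live, lingering


if __name__ == "__main__":
    for mode in (False, True):
        live, lingering = compare(mode)
        print("secure_delete=%s: live rows %s, deleted text recoverable from file: %s"
              % ("ON" if mode else "OFF", live, lingering))
```

Running the script prints two lines: with secure_delete off, the live rows are alice and carol but the deleted message text is still recoverable from the file; with secure_delete on, the live rows are the same and the text is gone. That second case is the practical caveat behind “limited deleted data”: the examiner gets what the app and the storage happened to leave behind, not a guaranteed copy of everything that was ever there.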
Sometimes, no forensic tool can retrieve the data, so it may become necessary for an examiner to take pictures or video of the phone’s content, screen by screen. Other times -- when the device is damaged or access is not possible (as with some prepaid devices), so that no extraction tool will work, and the case is a high enough priority -- specialized chip-off or JTAG physical extraction may be needed.