It seems nearly everyone owns some sort of mobile device these days. Therefore, it’s not surprising to learn that smartphone usage has exceeded computer usage. Given the rapid growth of these devices, it is rare for investigators to conduct a digital forensic investigation that does not include a smartphone or mobile device. For many, the smartphone is a welcome source of evidence, as investigators often struggle to place a suspect behind the keyboard of a computer. That is not the case with a smartphone, as it is the most personal digital device in existence today. In addition to being the one device people don’t share, the information kept on a smartphone is typically specific to one user.
People use their smartphones for all sorts of communication including text messaging, phone calls, and e-mails. Smartphones are also used to post information to social media sites such as Facebook, Twitter, and LinkedIn. If a person wants to look something up on the Internet, their smartphone is right there for use, rather than going and sitting at a computer. It is for these reasons that smartphones and other mobile devices are becoming very valuable sources for evidence.
In many instances the smartphone is the only source of digital evidence available for tracing an individual’s movements and motives. It can provide access to the who, what, when, where, why, and how behind a case. Smartphones can be used to place the suspect or individual at the scene of a crime or as part of the crime (corporate theft and malware cases are two such examples). Today, smartphones are part of nearly every investigation.
Accessing the Data
Smartphone forensics has vastly improved over the years, making it easier than ever for investigators to acquire physical evidence from these devices. For example, tools are available that allow investigators to connect a device and retrieve raw image files by simply pressing a few buttons or accessing the device’s internal memory prior to boot-up. However, with so many smartphone updates/versions, applications, and things people can do on their smartphones, it has become impossible for one tool to catch all of the data. In fact, a tool may work perfectly on an iPhone 3 and not on an iPhone 5 or an Android. While the data is on the device, these tools may only extract a fraction of the available data. That is why it is essential that investigators know a tool’s limitations and what data it can and cannot get. Investigators must also learn how to go beyond the capabilities of these tools to recover any evidence that may be missed. With thousands upon thousands of applications available, relying on a single tool to go in and pull all data is irresponsible. Remember, forensic acquisition is only half the battle.
To avoid the possibility of missing important evidence, digital forensic investigators must manually dive deeper into the file systems of smartphone devices. Yet many investigators lack the required skills for manually carving and decoding data from raw images. This includes the recovery of deleted data, decoding dates and times, and recovering location information from acquired applications.
Achieving advanced smartphone and mobile device forensics is a time-consuming, complex process for many. Simply looking at a raw hex dump, which displays the contents of a digital file in hexadecimal code, is not enough. Investigators need to know how each file system stores data and how to manually decode that data into a readable format. For investigators who are unfamiliar with a particular device, research and development via reverse engineering may be necessary to determine where data is stored on that device’s file system. This process is costly and time-consuming. Fortunately, training courses exist that educate investigators on where to look for data, how to verify data, and how to take raw binary data and change it into a readable format.
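As an added illustration of decoding dates and times from raw bytes (example code written for this article, not taken from any forensic tool), the sketch below interprets an integer-encoded timestamp under four epochs commonly met in smartphone data and keeps only the readings that fall inside a plausibility window. The function name, the window years and the sample values are assumptions chosen for the example.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# (scheme, epoch, ticks per second): integer timestamp encodings commonly
# met in smartphone data. The list is illustrative, not exhaustive.
SCHEMES = [
    ("unix_seconds", datetime(1970, 1, 1, tzinfo=UTC), 1),
    ("unix_milliseconds", datetime(1970, 1, 1, tzinfo=UTC), 1_000),
    ("cocoa_seconds", datetime(2001, 1, 1, tzinfo=UTC), 1),
    ("webkit_microseconds", datetime(1601, 1, 1, tzinfo=UTC), 1_000_000),
]


def decode_candidates(raw_hex, byteorder="little", window=(2007, 2035)):
    """Map each plausible scheme to an ISO-8601 UTC string for the raw bytes.

    window is the (first_year, last_year) range the examiner accepts as
    plausible; it is an assumption to set per investigation.
    """
    value = int.from_bytes(bytes.fromhex(raw_hex), byteorder, signed=False)
    candidates = {}
    for scheme, epoch, ticks_per_second in SCHEMES:
        try:
            # Integer microseconds avoid float rounding on 64-bit values.
            micros = value * (1_000_000 // ticks_per_second)
            when = epoch + timedelta(microseconds=micros)
        except OverflowError:
            continue  # outside datetime's range: not a date under this scheme
        if window[0] <= when.year <= window[1]:
            candidates[scheme] = when.isoformat()
    return candidates


# Constructed samples: the same instant (2023-11-14 22:13:20 UTC) stored four
# ways. SQLite record integers are big-endian; many binary structures are
# little-endian, so the byte order is part of what must be verified.
SAMPLES = [
    ((1_700_000_000).to_bytes(4, "little").hex(), "little"),
    ((721_692_800).to_bytes(4, "big").hex(), "big"),
    ((1_700_000_000_000).to_bytes(8, "big").hex(), "big"),
    ((13_344_473_600_000_000).to_bytes(8, "little").hex(), "little"),
]

if __name__ == "__main__":
    for raw_hex, order in SAMPLES:
        print(raw_hex, order, decode_candidates(raw_hex, order))
```

Widening the window shows why validation matters: with `window=(1990, 2060)` the first sample decodes to a date under both the Unix and the Cocoa epoch, so the correct reading has to be confirmed against other evidence.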
The Importance of Forensic Analysis Training
The mobile device industry is evolving very quickly. To stay current on the latest devices and the proper techniques for acquiring and analyzing data, smartphone and mobile device forensic analysis training courses are becoming more and more necessary. These courses aren’t limited to law enforcement either. Courses are available for those who work in IT and believe corporate information may have been compromised by an employee or those proactively looking to secure a device.
There are many training courses currently available. For example, most vendors offer vendor-specific courses for their toolkits. While these courses are valuable, they are limited as attendees only learn how the vendor’s toolkit works. Vendor-neutral training courses, however, teach digital forensic examiners, law enforcement officers, and information security professionals how to conduct smartphone forensic analysis using the best tools for the device. Smartphone forensic tool vendors often support the same devices, but the underlying capabilities for each drastically differ. Knowing which tool is currently the best one for the smartphone in an investigation will aid in the entire forensic process. Vendor-neutral forensic analysis training courses provide the necessary insight to deal with all of these variations.
When considering training courses, advanced investigators should look for those that offer deep dive analysis rather than push button forensics, which is simply pushing a button and getting all the answers. While push button forensics can get some of the data, deep dive analysis is necessary to recover data that a tool misses. These courses will show how to handle the data that is missed by the tools and provide detailed instruction on data validation, which is required in any investigation. Without knowing how to handle the data, the data is unintelligible (i.e. virtually useless). Data must be understandable for it to add value to an investigation. Deep dive analysis training courses will provide the necessary insight to leverage all data that is available on a smartphone.
Too often smartphone devices are overlooked as investigators focus solely on computer hard drives. It is important to remember the smartphone might actually be the key to an entire investigation for those who know where to look. As the mobile device market continues to grow and evolve, an investigator’s task of uncovering evidence will be that much harder. Staying current through education and hands-on training courses will enable digital forensic examiners, law enforcement officers, and information security professionals to handle investigations involving even the most complex smartphones available with the confidence of knowing no data was left behind.