Mobile Phone Forensics
Today's smartphones can perform functions that were possible only with a computer just a few years ago. In fact, the tables have turned. Many applications are only supported on phones, with developers choosing to ignore cross-platform development for computers entirely. While you may use your computer at work and at other intermittent times throughout the day, you don't have constant access all the time as you do to the phone in your pocket.
Mobile phones are used for everything from making calls and sending texts to transferring money and storing confidential documents. Mobile phones store millions of data records in the form of emails, messages, pictures, location data, financial information, and thousands of others. Much of this data can be recovered even if it has been deleted.
Mobile Device Forensics
Our experts are certified and highly experienced in mobile device forensics. Coupled with access to state-of-the-art forensic hardware and software, our team possesses the technology and expertise to provide comprehensive consultation and analysis to help you achieve the best possible outcome in your case.
Our mobile phone forensics experts can recover, analyze and report on the following common data types, among thousands of others:
- Text messaging
- Social media
- Location history
- Internet activity
- Search activity
- Email communication
- Photos and videos
- Voice calls
- Application data
- Biometric data
- Financial data
Mobile Phone Forensics Experts
Our mobile phone forensics experts include, but are not limited to:
- XRY Certified Examiners (XRY)
- Cellebrite Certified Operators (CCO)
- Cellebrite Certified Physical Analysts (CCPA)
- Cellebrite Advanced Smartphone Analysis (CASA)
- Cellebrite Certified Mobile Examiners (CCME)
The Mobile Device Forensic Examination Process
Digital evidence is fragile and volatile. Improper handling of a mobile phone can alter or destroy the evidence contained on the device. Further, if the mobile phone is not handled following digital forensics best practices, it can be impossible to determine what data was changed and whether those changes were intentional or unintentional. To protect the evidence and prevent spoliation, mobile devices need to be analyzed by a trained examiner using mobile device forensic tools.
The initial handling of digital evidence can be divided into four phases: identification, collection, acquisition, and preservation.
The identification phase's purpose and scope are to identify the digital evidence relevant to the case. It is possible that this evidence will span multiple devices, systems, servers, and cloud accounts. With a mobile phone, the data is not isolated only to the device. The data contained in the device can be synced to cloud storage or another mobile device or backed up onto a computer.
Identification also requires comprehensive documentation. Documentation is critical throughout the entire investigative process, but especially at the beginning, because any mistakes can taint the evidence. The acquisition phase produces a snapshot in time (the forensic copy) of the data exactly as it exists, and since identification precedes acquisition, mistakes made here are carried through the rest of the process.
The collection phase involves gathering physical devices, such as the smartphone and other mobile devices. Since digital evidence can span multiple devices, systems, and servers, collecting it can become more complicated than securing more traditional forensic evidence. There are vital functions that should be performed to protect the evidence.
Isolating Device Users
The primary goal of the collection process, other than ensuring all relevant electronic items are collected, is to protect digital evidence from contamination. One way this is done is by isolating the devices from their respective users until a forensic acquisition of the mobile device can be performed. While in their custody, the user could delete, create, or change data before the forensic acquisition (the perfect snapshot in time of the mobile phone data) is performed. They could also factory reset or wipe the device, permanently destroying some data or potentially everything on the mobile phone.
Along with isolating the mobile phone from the user, we also need to isolate the device itself. By design, mobile phones are intended for communication, and they are continually sending and receiving data even when they are on the bedside table charging overnight. If data transmission occurs, even with no person physically touching the phone, data can be lost, changed, or destroyed.
Isolation of the device itself is achieved by eliminating all forms of data transmission, including the cellular network, Bluetooth, wireless networks, and infrared connections. By isolating the phone from all networks, the mobile phone is prevented from receiving any new data that would cause other data to be deleted or overwritten.
The acquisition process is where a digital forensic examiner acquires, or forensically copies, the data from a mobile device using a variety of methods.
Logical Extraction
A logical extraction collects the files and folders contained on the device but not the unallocated space. Although what is commonly called "deleted space" is not captured, deleted data can still be recovered from a logical extraction using forensic tools and methods, because much of it survives inside the database files the extraction does collect, especially SQLite databases. Typically, data collected via a logical extraction includes messaging, pictures, video, audio, contacts, application data, some location data, internet history, search history, social media, and more.
File System Extraction
A file system extraction is an extension of a logical extraction. It collects much of the same data as a logical extraction along with additional file system data. During a file system extraction, the forensic tool accesses the internal memory of the mobile phone, which means that the forensic software can collect system files, logs, and database files from the device that a logical acquisition cannot.
Most applications store their data in database files on a mobile phone. Because a file system extraction recovers more of these database files, it also recovers more deleted data, including records of application usage on the device.
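The recovery of deleted records from SQLite databases described in the logical and file system extraction sections above, as an added example that is not part of the original page or any vendor tool: a constructed messaging table has one row deleted, the live table no longer shows it, yet a raw scan of the file bytes still finds the message text, because SQLite (with secure_delete off, the common default) only rewrites the 4-byte freeblock header of a deleted cell.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample rows, modelled on a messaging app table found in a logical extraction
MESSAGES = [(1, "alice", "Meeting moved to 3pm"),
            (2, "bob", "CONSTRUCTED-DELETED: this message was removed by the user"),
            (3, "alice", "Ok, see you then")]
DELETED_ID = 2

def build_sample_db(path):
    """Create a small SQLite database, then delete one row the way an app would."""
    con = sqlite3.connect(path)
    # Most SQLite builds default to secure_delete=OFF; set it explicitly so the demo is deterministic
    con.execute("PRAGMA secure_delete=OFF")
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany("INSERT INTO messages VALUES (?, ?, ?)", MESSAGES)
    con.commit()
    con.execute("DELETE FROM messages WHERE id = ?", (DELETED_ID,))
    con.commit()
    con.close()

def live_rows(path):
    """What the application (or a plain export of the table) sees: allocated records only."""
    con = sqlite3.connect(path)
    rows = con.execute("SELECT id, sender, body FROM messages ORDER BY id").fetchall()
    con.close()
    return rows

def carve_strings(path, min_len=8):
    """Scan the raw file bytes for printable ASCII runs, ignoring the live b-tree view.
    A deleted cell becomes a freeblock: SQLite overwrites only its 4-byte header,
    so the message text survives until the space is reused."""
    with open(path, "rb") as f:
        raw = f.read()
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, raw)]

def run_demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "messages.db")
        build_sample_db(path)
        live = live_rows(path)
        carved = carve_strings(path)
    deleted_body = MESSAGES[DELETED_ID - 1][2]
    return {"live_ids": [r[0] for r in live],                                   # [1, 3]
            "deleted_visible_in_live_view": any(r[0] == DELETED_ID for r in live),   # False
            "deleted_recovered_from_raw_bytes": any(deleted_body in s for s in carved)}  # True
```

Commercial tools parse the freeblocks and freelist pages properly instead of string-scanning, but the underlying reason the data is recoverable is the same; once the space is reused, a VACUUM runs, or secure_delete is on, the remnant is gone.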
Physical Extraction
The physical extraction of a mobile phone captures the entirety of the device's data, including all files, user content, deleted data, and unallocated space. While this extraction method is the most extensive, it is also the least supported. Like the forensic imaging of a computer hard drive, a physical extraction creates a bit-by-bit copy of the mobile phone's entire contents.
With a bit-by-bit copy, the logical and file system data are recovered, as well as unallocated space. This extraction method allows for the recovery of deleted data that would otherwise be inaccessible to a forensic examiner, including location information, email, messages, videos, photos, audio, applications, and almost any other data contained on a mobile phone.
When you connect your mobile phone to a computer to back it up, a backup file is created. This file can be ingested into mobile phone forensics software and analyzed just like a forensic extraction of the phone. Even if someone has deleted the data from the phone or the phone itself is missing, hope is not lost: the backup file can still contain the evidence you need in the case.
Mobile phone forensic companies have developed tools that allow for accessing and acquiring data in the cloud. Cellebrite, the leading mobile phone forensic tool provider, can collect cloud data from cloud backups and the actual cloud-based applications themselves. While a forensic image of a mobile phone is a potential gold mine of evidence, the ability to use the mobile phone information to find even more evidence in the cloud is a significant force multiplier.
The mobile phone's integrity and the data on it need to be established to ensure that evidence is admissible in court.
Chain of Custody
Evidence preservation aims to protect digital evidence from modification. This protection begins by ensuring that first responders, investigators, crime scene technicians, digital forensic experts, or anyone else who touches the device handles it properly. A chain of custody must be maintained throughout the entire life cycle of a case.
Mathematical Hashing Algorithm
The forensic data collection process from the mobile device is better called a "forensics extraction," as data is extracted from the device instead of a perfect bit-for-bit copy of the evidence item. With the mobile phone powered on, the forensic software cannot access some areas of data. However, data that is inaccessible because the mobile device is powered on is usually of little to no value evidentiarily. Following the forensic copying comes the hashing process. A mathematical algorithm is run against the copied data, producing a unique hash value. This hash value can be thought of as a digital fingerprint, uniquely identifying the copied evidence exactly as it exists at that point in time.
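The hashing step described above, as an added example (not the page's or any forensic tool's code): the extraction file is hashed at acquisition and the value recorded in a manifest alongside the examiner and time, then re-hashed later to confirm nothing changed. The manifest fields and the use of SHA-256 via Python's hashlib are assumptions; flipping a single bit in a constructed 3 MB file is enough to make verification fail.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash the file in chunks so multi-gigabyte extraction images never sit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def record_acquisition(path, examiner, algorithm="sha256"):
    """Manifest entry written at acquisition time (field names are an assumption)."""
    return {"file": os.path.basename(path),
            "size": os.path.getsize(path),
            "algorithm": algorithm,
            "hash": hash_file(path, algorithm),
            "examiner": examiner,
            "acquired_utc": datetime.now(timezone.utc).isoformat()}

def verify_integrity(path, manifest):
    """Re-hash the file and compare with the recorded value; any change, however small, fails."""
    current = hash_file(path, manifest["algorithm"])
    return current == manifest["hash"], current

def run_demo():
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "extraction.bin")
        with open(image, "wb") as f:
            f.write(os.urandom(3 * 1024 * 1024))  # constructed stand-in for an extraction file
        manifest = record_acquisition(image, "Examiner A")
        verified_before, _ = verify_integrity(image, manifest)
        # Flip one bit in the middle of the file, then re-verify against the manifest
        with open(image, "r+b") as f:
            f.seek(1_000_000)
            original = f.read(1)
            f.seek(1_000_000)
            f.write(bytes([original[0] ^ 0x01]))
        verified_after, _ = verify_integrity(image, manifest)
    return {"verified_at_acquisition": verified_before,  # True
            "verified_after_one_bit_change": verified_after}  # False

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```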
If requested by the client, a report will be prepared of the data contained on the mobile device. Sometimes, it makes the most sense for our examiners to export all of the data from a mobile phone for counsel's review. We format this export in such a way that makes it as accessible as possible, with the ability to search and filter the data.
Sometimes, when timelines, data types, or types of particular forensic artefacts need to be explained in order to tell the story of what happened in a case, a more in-depth report is needed.
Expert testimony is the culmination of everything that goes into a mobile device forensic examination. Selecting the expert with the appropriate technical expertise and experience is vital. It is also important that the expert is able to explain technical concepts, forensic procedures, and digital artefacts in plain language, as the use of jargon and acronyms can be detrimental to the triers of fact. Ultimately, if an expert has an airtight analysis but cannot communicate it effectively to a judge and jury, their words are meaningless. When selecting an expert, choose the one you can have a conversation with. If that expert cannot explain technical details to you in an accessible way, they likely don't understand what they are talking about themselves.