MOBILE DEVICE FORENSICS OVERVIEW
Mobile Device Forensics is essentially the application of computer forensic methodology and protocols to mobile devices.
Vast quantities of data are constantly being saved on mobile devices, which makes them particularly useful to Forensic Examiners. Frequently, they contain information not found on computers such as location information from GPS receivers in smartphones.
WHY IS MOBILE DEVICE FORENSICS SO IMPORTANT?
Mobile device use keeps increasing, and with it so does (or so should!) the need for mobile forensic services that can retrieve and analyze the valuable data these devices hold.
With the continuing evolution of mobile devices, including smartphones and tablets, people are using them more frequently than desktop computers and laptops. As a result, mobile devices are now more frequently examined for forensic evidence than computers. These devices hold evidence that can answer the ‘break it or make it’ questions of your case.
So, one of the crucial reasons why Mobile Device Forensics is so important is that mobile devices are a continually growing risk factor in an organization’s security profile.
These risk factors relate to:
- Confidential Information
- Intellectual Property
- User Privacy
WHAT TYPE OF DATA CAN BE RETRIEVED FROM MOBILE DEVICES AND HOW?
Like computers, mobile devices contain data, meta-data, and even deleted data that can often be accessed by our Forensic Experts.
The following mobile device data can be extracted:
- Call logs — dialed, incoming & missed calls
- Photos/videos & audio recordings
- Internet browsing & search history
- Emails & text messages
- GPS locations, including date & time
- Chat applications such as WhatsApp, WeChat and FB Messenger
- Application data such as usage, install date, etc.
- Documents, spreadsheets (any data created by the user)
- User account credentials (passwords, swipe codes)
- System files
The vital role of mobile forensics is to recover digital evidence, meaning all relevant data from a mobile device, in a way that maintains the evidence in a forensically reliable condition. This means that the data or evidence retrieved is authentic and original.
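One common way to show that an acquired image is still authentic and original is to hash it at acquisition and re-check the hash before analysis. The sketch below is an added example, not TCS Forensics' tooling; the manifest layout, block size and function names are assumptions, and the sample data is constructed.

```python
import hashlib
import io

BLOCK_SIZE = 4096  # assumed piece size; real acquisitions usually use larger pieces


def build_manifest(stream, block_size=BLOCK_SIZE):
    """Hash an acquired image as a whole and per block, at acquisition time."""
    whole = hashlib.sha256()
    blocks = []
    size = 0
    while True:
        chunk = stream.read(block_size)
        if not chunk:
            break
        whole.update(chunk)
        blocks.append(hashlib.sha256(chunk).hexdigest())
        size += len(chunk)
    return {"size": size, "block_size": block_size,
            "sha256": whole.hexdigest(), "blocks": blocks}


def verify(stream, manifest):
    """Re-hash a working copy; return (ok, byte offsets of blocks that differ)."""
    current = build_manifest(stream, manifest["block_size"])
    changed = [i * manifest["block_size"]
               for i, (a, b) in enumerate(zip(manifest["blocks"], current["blocks"]))
               if a != b]
    # Size is compared too, so a truncated or extended copy never passes.
    ok = (current["sha256"] == manifest["sha256"]
          and current["size"] == manifest["size"])
    return ok, changed


def demo():
    # Constructed stand-in for an image: exactly 3 blocks, not a real dump.
    original = bytes(range(256)) * 48
    manifest = build_manifest(io.BytesIO(original))
    altered = bytearray(original)
    altered[5000] ^= 0xFF  # flip one byte inside the second block
    return (verify(io.BytesIO(original), manifest),
            verify(io.BytesIO(bytes(altered)), manifest),
            verify(io.BytesIO(original[:-1]), manifest))  # truncated copy


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The per-block hashes let an examiner report where a working copy diverges from the acquisition, not just that it does.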
These are some of the devices our services commonly examine:
- Flash drives
- GPS devices
- Digital cameras
- Game systems
The way the data is retrieved and examined varies from non-invasive forensic methods to more invasive means.
The non-invasive techniques include the following:
- Manual Extraction: this is a very simple process, where the forensic expert simply uses the device’s touchscreen (or keypad, on more classical devices) to look through the data.
- Logical Extraction: this method requires a connection, such as a USB cable or Bluetooth, over which data is exchanged between the computer and the memory of the device under examination.
- JTAG Method: physically, this method is non-invasive. It makes it possible to retrieve data that could not be accessed through software (this happens in the case of an encrypted, locked, or damaged device).
- Hex Dump: with this method, the forensic workstation is connected to the device under investigation and unsigned code is tunneled into the device. In other words, code sent from the expert’s computer tells the mobile device to hand over its memory to the computer, and the phone ‘listens’ and follows these instructions.
The non-invasive methods sound pretty cool. But let’s have a look at some of the invasive methods. Because let’s face it. Many things don’t come easy, even in the field of forensics.
The invasive techniques are known for their complexity and the longer time frame they require to get the work done. They are used when a device that may contain critical evidence is deemed non-functional because of more severe damage.
So, invasive means include some of the following:
- Micro Read: this technique requires a high level of expertise. An electron microscope is used to examine the memory chip and analyze the data on it.
- Chip-off: with this technique, the data is taken directly from the memory chip of the device. It may sound simple and easy, but an expert is also needed here. The mobile market has an overflowing variety of chip types, so in this case, one size does not fit all. This technique requires a sequence of steps: detecting the memory chip type, extracting the chip, interfacing with the chip through software, transferring the data on the chip onto the computer, and finally interpreting the retrieved data through reverse engineering.
The great news? You don’t have to do any of it. Let the experts do it for you.
THE REASON WHY TCS FORENSICS IS AMONG THE MOST QUALIFIED
Our certified examiners at TCS Forensics use a wide range of forensic tools, including Cellebrite Mobile Forensic equipment, to extract data from over 18,000 different types of mobile devices.
Our state-of-the-art Digital Forensic Software guarantees the discovery of vital evidence that may be overlooked by traditional methods.
Contact us for a free consultation:
Tel: (604) 370-4336