Our smartphones are one of the most important and most personal items we carry today. They are the center of our digital life, housing our:
In fact, cellphones and mobile devices offer more information about a person than just about anything else. Given the amount of content and information on our smartphones, it’s no wonder security is a common issue. It’s also no wonder they’re a critical piece of evidence in a legal proceeding.
How to Extract Mobile Forensic Data
Mobile forensic professionals utilize two different types of extractions:
Unallocated space is critical because it represents the space not viewable to a computer user and requires special extraction software and training to view and analyze. This is where a professional cellphone or mobile forensic expert comes in.
When end users delete data and files, they're not actually erasing anything. All that happens when a file or set of messages is deleted is that the header information on a particular block of data is erased, so the operating system knows the space can now be overwritten by other applications. The exception is solid state devices, where the data is actually erased.
Even in the case of users who are sophisticated enough to use a file program that erases blocks of data, information can be inferred from the empty space that data points to. Like any crime scene, forensic techniques can be used to gather information about the negative space of data.
So, having a device available upon which specialist software can be used is critical in investigations. In this case, a device is connected to a laptop or workstation that uses specialist forensics software to analyze what is on the device. A trained mobile forensics expert analyzes the data and not only extracts data but works to construct a complete picture of events that occurred involving the device.
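The deletion behaviour described above, as an added example (not from the original page and not any forensic tool's code): a constructed toy block device in Python where deleting a file only drops its allocation-table entry, so scanning the unallocated blocks of the raw image still recovers the message, while `trim=True` models the solid state exception. `ToyDevice`, `carve`, `demo` and the sample message are hypothetical names and constructed data.

```python
# Added illustration: toy block device with constructed data, not a real file system.
BLOCK = 32  # bytes per block (constructed value)


class ToyDevice:
    def __init__(self, blocks, trim=False):
        self.data = bytearray(BLOCK * blocks)  # raw contents a physical image would copy
        self.table = {}    # the "header information": file name -> block indexes
        self.trim = trim   # True models a solid state device that erases on delete

    def _free(self):
        used = {i for idx in self.table.values() for i in idx}
        return [i for i in range(len(self.data) // BLOCK) if i not in used]

    def _block(self, i):
        return bytes(self.data[i * BLOCK:(i + 1) * BLOCK])

    def write(self, name, payload):
        need = -(-len(payload) // BLOCK)  # ceiling division
        idx = self._free()[:need]
        if len(idx) < need:
            raise OSError("device full")
        for n, i in enumerate(idx):
            chunk = payload[n * BLOCK:(n + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.data[i * BLOCK:(i + 1) * BLOCK] = chunk
        self.table[name] = idx

    def delete(self, name):
        idx = self.table.pop(name)  # only the table entry goes away
        if self.trim:
            for i in idx:           # solid state case: the blocks really are wiped
                self.data[i * BLOCK:(i + 1) * BLOCK] = bytes(BLOCK)

    def visible_files(self):
        """What the device's user sees: allocated files only."""
        return {n: b"".join(map(self._block, idx)).rstrip(b"\0")
                for n, idx in self.table.items()}


def carve(dev, marker):
    """Scan unallocated blocks of the raw image for a known byte marker."""
    hits = [(i, dev._block(i).rstrip(b"\0")) for i in dev._free()]
    return [(i, blk) for i, blk in hits if marker in blk]


def demo(trim):
    dev = ToyDevice(blocks=8, trim=trim)
    dev.write("note.txt", b"grocery list")
    dev.write("sms_0001", b"SMS|+15550100|meet at 9pm")  # constructed sample message
    dev.delete("sms_0001")
    return dev.visible_files(), carve(dev, b"SMS|")
```

Calling `demo(False)` returns the remaining visible file together with the recovered message block; `demo(True)` returns the same visible file and no carved hits.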
The Impact of Mobile Forensics in Your Legal Proceeding
When an investigation is necessary, mobile forensics can turn a phone into a valuable witness. After all, the amount of data stored on a phone can offer an immense amount of information about a person. In fact, cellphones often tell us more about a person than any other piece of evidence, making them one of the most critical components in a court proceeding.
A key issue many attorneys face in litigation is the admissibility of forensic data. When a piece of digital evidence is used in court, its acquisition must be defensible. In other words, opposing counsel has to be convinced nothing was altered. Without the proper documentation and preservation methods, a cellphone is of no use in a court case.
That’s where mobile forensics comes into play. Through the use of third-party forensic professionals and mobile forensic tools, the cellphone becomes an integral piece of evidence in the eDiscovery process, providing critical analysis for investigations.
Originally, the field of technological forensics that involved computing devices was referred to as computer forensics. This term was first coined in the 1960s, in the age of tape drives and large minicomputers. These were non-networked devices that were stationary and less complex than modern laptops and mobile phones.
However, much has changed. Now, the field is referred to as mobile forensics. Not only does the term “mobile forensics” refer to the mobile and networked nature of communications today, it is also a much more disciplined and scientific process.
Computer forensics was carried out in an ad hoc manner by system administrators who did not investigate in a disciplined or scientific manner. Today, mobile forensics is carried out by dedicated professionals who use systematic methodologies and scientific procedures to assist government and law enforcement to construct a timeline of events. Professionals who conduct mobile forensics use a variety of titles, but their work is now a discrete discipline.
The field of mobile phone forensics differs from older forms of computer forensics in that systems are no longer isolated and discrete. Instead, devices like cars, refrigerators, doorbells, homes, heating systems and cameras are all interconnected.
Investigative professionals must be able to construct the history of events by tracing data and occurrences throughout all these devices and their associated network, which can potentially span the world. This also includes email, SMS texting and back-end communications.
A phone forensics specialist must be able to understand all these systems to provide a picture to stakeholders of how a set of events took place. Thirty years ago, the line between “computer,” “phone” and other forms of evidence gathering was much sharper. In our networked world, it is a much different web that must be navigated.
Today, organizations such as The Scientific Working Group on Digital Evidence create standards that professionals use in the work of smartphone forensics. These standards bring mobile forensics into line with the investigation standards of our modern law enforcement agencies and what is demanded by the legal system.
Mobile forensics tools and methods focus on the collection of data from cellphones and tablets. This includes deleted text messages, apps, social media, call logs, internet search history and more.
Mobile forensic professionals can aid a court case by extracting and preserving data available on a mobile device. They conduct forensic imaging, create mobile forensic reports, serve as expert witnesses in legal cases and download and recover mobile and digital data.
Cell phone forensics, or mobile forensics, is an ever-evolving science that requires a constant adaptation to technology, software, security and knowledge of what to look for across different phone makes, models and systems. Whether it's an iPhone, Android, Windows phone or other, a top mobile forensic professional will be trained on how to:
Furthermore, top mobile forensic firms will know how to not only extract and preserve your data in accordance with the necessary court requirements, but also how to help showcase this information.
Eide Bailly has a trained cellphone and mobile forensic team whose sole focus is helping you uncover the information you need, even if it’s deleted. We are leading innovators in the digital, computer and mobile forensic space. We currently support more than 23,000 devices and nearly 5,000 app versions. Our examiners work in Cellebrite, MPE+ and IEF and make data viewable on eDiscovery review platforms.
Our professionals have experience and capabilities in both technology and computer and mobile forensics, so you not only get the data you need, but you also get important and relevant information for litigation.
We can help find the digital fingerprint necessary to prove your case, and we ensure you have data that is admissible in a court of law. Our approach focuses on continual communication and timely response, prioritizing investigation and forensic preservation of the mobile data you need.
But this expertise doesn’t have to come with a hefty price tag. We work with clients to create cost-effective eDiscovery and mobile forensic plans to help meet their needs. Your data will be handled efficiently and cost-effectively, all with investigative expertise.
Here are a few important concepts, techniques and mobile device forensics tools that experts use when working:
A fundamental mobile forensics tool, call detail records (CDRs) give call start and end times, terminating and originating cell towers, outgoing or incoming call status and caller identity. Telco providers keep this data for around 18 months. Federal and state privacy regulations control access to this data by investigators.
Physical devices often carry GPS data, which means that an investigator can know where a device was at a certain time. This can be critically important, because this tells an investigator where a device was when certain recorded events on the phone take place.
SMS text messages always have the phone number of the sender and the receiver, and the date and time of each message. This is a fundamental record that mobile forensics experts seek. Contrary to popular belief, SMS messages can be entered as testimony into court proceedings.
These are, of course, prime pieces of evidence for investigators and can be entered into court proceedings.
Also called a phone dump, this is a method of physical extraction. A hex dump creates a copy of the raw image of the data from the mobile device. This is one of the best methods of physical extraction, since an entire image of all the data, apps and unallocated space is copied from the device onto a forensics workstation for analysis. Commercial tools include software such as XACT, Cellebrite UFED Physical Analyzer and Pandora’s Box.
This is similar to a hex dump, except a copy of the flash memory on a device is taken. Advanced technical knowledge is needed for this method, and it’s easy for the data to be corrupted if the flash data isn’t extracted correctly. Tools include iSesamo Phone Opening Tool, Xytronic 988D Solder Rework Station and FEITA Digital inspection station.
One of the most common and most popular reports we provide our customers comes from the UFED Reader report for mobile devices. The following video will walk you through the steps on how to comfortably use your UFED Reader file to navigate the data presented to you in your particular case.
When you have a computer, server or laptop imaged by Eide Bailly, we will provide you with a thumb drive with the image file, as well as an image viewing tool. This image viewing tool, FTK Imager Lite, will allow you to browse the contents of the image. This allows you to review and track down the data yourself rather than pay for analysis, which can save you money.
Here's a tutorial on FTK Imager Lite to help you get started.
If you’re looking for forensic recovery or digital evidence, we can help.
Cost-effective mobile forensics can make all the difference in many litigation cases.