Originally, the field of technological forensics that involved computing devices was referred to as computer forensics. This term was first coined in the 1960s, in the age of tape drives and large minicomputers. These were non-networked devices that were stationary and less complex than modern laptops and mobile phones.
However, much has changed. Now, the field is referred to as mobile forensics. Not only does the term “mobile forensics” refer to the mobile and networked nature of communications today, it is also a much more disciplined and scientific process.
Computer forensics was carried out in an ad hoc manner by system administrators who did not investigate in a disciplined or scientific manner. Today, mobile forensics is carried out by dedicated professionals who use systematic methodologies and scientific procedures to assist government and law enforcement to construct a timeline of events. Professionals who conduct mobile forensics use a variety of titles, but their work is now a discrete discipline.
The field of mobile phone forensics differs from older forms of computer forensics in that systems are no longer isolated and discrete. Instead, devices like cars, refrigerators, doorbells, homes, heating systems and cameras are all interconnected.
Investigative professionals must be able to construct the history of events by tracing data and occurrences throughout all these devices, which can potentially span the world. This also includes email, SMS texting and back-end communications.
A phone forensics specialist must be able to understand all these systems to provide a picture to stakeholders of how a set of events took place. Thirty years ago, the line between “computer,” “phone” and other forms of evidence gathering was much sharper. In our networked world, it is a much different web that must be navigated.
Today, organizations such as The Scientific Working Group on Digital Evidence create standards that professionals use in the work of smartphone forensics. These standards bring mobile forensics into line with the investigation standards of our modern law enforcement agencies and what is demanded by the legal system.
Mobile forensics focuses on the collection of data from cellphones and tablets. This includes deleted text messages, apps, social media, call logs, internet search history and more.
Mobile forensic professionals can aid a court case by extracting and preserving data available on a mobile device. They conduct forensic imaging, create mobile forensic reports, serve as expert witnesses in legal cases and extract and recover mobile and digital data.
Cellphone forensics, or mobile forensics, is an ever-evolving science that requires a constant adaptation to technology, software, security and knowledge of what to look for across different phone makes, models and systems. Whether it's an iPhone, Android, Windows phone or other, a top mobile forensic professional will be trained on how to:
Furthermore, top mobile forensic firms will know how to not only extract and preserve your data in accordance with the necessary court requirements, but also how to help showcase this information.
Eide Bailly has trained cellphone and mobile forensic professionals whose sole focus is helping you uncover the information you need, even if it’s deleted. We are leading innovators in the digital, computer and mobile forensic space. We currently support more than 23,000 devices and nearly 5,000 app versions. Our examiners work in Cellebrite, MPE+ and IEF and make data viewable on eDiscovery review platforms.
Our professionals have experience in both technology and computer and mobile forensics, so you not only get the data you need, but you also get important and relevant information for litigation.
We can help find the digital fingerprint necessary to prove your case, and we ensure you have data that is admissible in a court of law. Our approach focuses on continual communication and timely response, prioritizing investigation and forensic preservation of the mobile data you need.
But this expertise doesn’t have to come with a hefty price tag. We work with clients to create cost-effective eDiscovery and mobile forensic plans to help meet their needs. Your data will be handled efficiently and cost-effectively, all with investigative expertise.
Here are a few important concepts, techniques and mobile device forensics tools that experts use when working:
Call detail records (CDRs) are a fundamental mobile forensics tool. They give call start and end times, terminating and originating cell towers, outgoing or incoming call status and caller identity. Telco providers keep this data for around 18 months. Federal and state privacy regulations control access to this data by investigators.
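As an added example (not from the original page and not any vendor's tooling), the sketch below turns the CDR fields listed above into a UTC-ordered timeline and flags tower changes. The CSV column names and the sample rows are constructed assumptions, since real carrier exports differ and must be mapped per provider.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample export. Column names and values are assumptions for this
# example; real carrier CDR layouts differ and must be mapped per provider.
SAMPLE_CDR = """start,end,direction,other_party,orig_tower,term_tower
2024-03-01T09:40:00-05:00,2024-03-01T09:52:30-05:00,IN,555-0102,TWR-B,TWR-C
2024-03-01T14:05:10+00:00,2024-03-01T14:09:40+00:00,OUT,555-0101,TWR-A,TWR-A
2024-03-01T15:30:00+00:00,2024-03-01T15:29:00+00:00,OUT,555-0103,TWR-C,TWR-C
"""

def _to_utc(value):
    """Parse an ISO 8601 timestamp and refuse values without a UTC offset."""
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError("timestamp has no UTC offset")
    return ts.astimezone(timezone.utc)

def parse_cdrs(text):
    """Return (records sorted by UTC start, rejected rows as (line, reason))."""
    records, rejected = [], []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            start, end = _to_utc(row["start"]), _to_utc(row["end"])
            if end < start:
                raise ValueError("call ends before it starts")
        except (ValueError, KeyError, TypeError) as exc:
            # Keep bad rows for the examiner's notes instead of dropping them.
            rejected.append((line_no, str(exc)))
            continue
        records.append({**row, "start": start, "end": end})
    return sorted(records, key=lambda r: r["start"]), rejected

def tower_events(records):
    """List tower changes during a call and between consecutive calls."""
    events, last = [], None
    for rec in records:
        if last and last["term_tower"] != rec["orig_tower"]:
            events.append((rec["start"], "between calls",
                           last["term_tower"], rec["orig_tower"]))
        if rec["orig_tower"] != rec["term_tower"]:
            events.append((rec["end"], "during call",
                           rec["orig_tower"], rec["term_tower"]))
        last = rec
    return events

if __name__ == "__main__":
    recs, bad = parse_cdrs(SAMPLE_CDR)
    for when, kind, src, dst in tower_events(recs):
        print(when.isoformat(), kind, src, "->", dst)
    print("rejected rows:", bad)
```

Rows with no UTC offset or with an end time before the start time are kept in the rejected list with their line number, so the examiner can document them instead of silently reordering the timeline.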
Physical devices often carry GPS data, which means that an investigator can know where a device was at a certain time. This can be critically important, because it tells an investigator where a device was when certain recorded events on the phone took place.
SMS text messages always have the phone number of the sender and the receiver, and the date and time of each message. This is a fundamental record that mobile forensics experts seek. Contrary to popular belief, SMS messages can be entered as testimony into court proceedings.
These are, of course, prime pieces of evidence for investigators and can be entered into court proceedings.
Also called a phone dump, this is a method of physical extraction. A hex dump creates a copy of the raw image of the data from the mobile device. This is one of the best methods of physical extraction, since an entire image of all the data, apps and unallocated space is copied from the device onto a forensics workstation for analysis. Commercial tools include software such as XACT, Cellebrite UFED Physical Analyzer and Pandora’s Box.
This is similar to a hex dump, except a copy of the flash memory on a device is taken. In-depth technical knowledge is needed for this method, and it’s easy for the data to be corrupted if the flash data isn’t extracted correctly. Tools include iSesamo Phone Opening Tool, Xytronic 988D Solder Rework Station and FEITA Digital inspection station.
One of the most common and most popular reports we provide our customers comes from the UFED Reader report for mobile devices. The following video will walk you through the steps on how to comfortably use your UFED Reader file to navigate the data presented to you in your particular case.
When you have a computer, server or laptop imaged by Eide Bailly, we will provide you with a thumb drive with the image file, as well as an image viewing tool. This image viewing tool, FTK Imager Lite, will allow you to browse the contents of the image. This allows you to review and track down the data yourself rather than pay for analysis, which can save you money.
Here's a tutorial on FTK Imager Lite to help you get started.