Cellphone Forensics

INSPIRED TO DELIVER THE STRONGEST CASE

Cost-effective mobile forensics make a difference in many cases.

Our smartphones are one of the most important and most personal items we carry today. Our phones hold:

  • Pictures
  • Videos
  • Calendars
  • Contacts
  • Emails
  • Call logs
  • Social media channels
  • Internet browsing history

In fact, cellphones and mobile devices offer more information about a person than just about anything else. Given the amount of content and information on our smartphones, it’s no wonder security is a common issue. It’s also no wonder they’re a critical piece of evidence in a legal proceeding.

Mobile Forensics vs Computer Forensics – Changes for The New Digital Era
Originally, the field of technological forensics that involved computing devices was referred to as computer forensics. This term was first coined in the 1960’s, in the age of tape drives and large minicomputers. These were non-networked devices that were stationary and less complex than modern laptops and mobile phones.

However, much has changed. Now, the field is referred to as mobile forensics. Not only does the term “mobile forensics” refer to the mobile and networked nature of communications today, it is also a much more disciplined and scientific process.

Computer forensics was carried out in an ad hoc manner by system administrators who did not investigate in a disciplined or scientific manner. Today, mobile forensics is carried out by dedicated professionals who use systematic methodologies and scientific procedures to assist government and law enforcement to construct a timeline of events. Professionals who conduct mobile forensics use a variety of titles, but their work is now a discrete discipline.

The Internet of Things and the Evolution of Mobile Device Forensics
The field of mobile phone forensics differs from older forms of computer forensics in that systems are no longer isolated and discrete. Instead, devices like cars, refrigerators, doorbells, homes, heating systems and cameras are all interconnected.

Investigative professionals must be able to construct the history of events by tracing data and occurrences throughout all these devices, which can potentially span the world. This also includes email, SMS texting and back-end communications.

A phone forensics specialist must be able to understand all these systems to provide to stakeholders a picture of how a set of events took place. Thirty years ago, the line between “computer”, “phone” and other forms of evidence gathering was much sharper. In our networked world, it is a much different web which must be navigated.

Today, organizations such as The Scientific Working Group on Digital Evidence create standards that professionals use in the work of smartphone forensics. These standards bring mobile forensics into line with the investigation standards of our modern law enforcement agencies and what is demanded by the legal system.

Get the Information You Need
Mobile forensics takes time and training. It’s also incredibly necessary if you want to use evidence in your court case. We can help

The Impact of Mobile Forensics in Your Legal Proceeding
When an investigation is necessary, mobile forensics can turn a phone into a valuable witness. After all, the amount of data stored on a phone can offer an immense amount of information about a person. In fact, cellphones often tell us more about a person than any other piece of evidence, making them one of the most critical components in a court proceeding.

A key issue many attorneys face in litigation is the admissibility of forensic data. When a piece of digital evidence is used in court, how it was collected must be defensible. In other words, opposing counsel has to be convinced nothing was altered. Without the proper documentation and preservation methods, a cellphone is of no use in a court case.

That’s where mobile forensics comes into play. Through the use of third-party forensic professionals and mobile forensic tools, the cellphone becomes an integral piece of evidence in the eDiscovery process, providing critical analysis for investigations.

How Mobile Forensics Help Uncover the Facts in a Court Case
Mobile forensics focuses on the collection of data from cellphones and tablets. This includes deleted text messages, apps, social media, call logs, internet search history and more.

Mobile forensic professionals can aid a court case by extracting and preserving data available on a mobile device. They conduct forensic imaging, create mobile forensic reports, serve as expert witnesses in legal cases and extract and recover mobile and digital data.

How to Extract Mobile Forensic Data
Mobile forensic professionals utilize two different types of extractions:

1: Logical extractions, where all information found on an operating system is extracted. This is a software-based method of data extraction where the files from a device are used to make a reconstruction of the state of the device and its information. While this method is easier and can be inferred from secondary sources (such as logs from cell phone towers), there are weaknesses to this method. The actual first-degree physical data from the device is not available, so that data that is not recorded by server logs or data dumps is not available.

2: Physical extraction, where all information found on an operating system is extracted, as well as the unallocated space.

Unallocated space is critical because it represents the space not viewable to a computer user and requires special extraction software and training to view and analyze. This is where a professional cellphone or mobile forensic expert comes in.

When end users erase data and files, they’re not erasing anything. All that happens when a file or set of messages are deleted is that header information on a particular block of data is erased, so that the operating system knows that the space can now be overwritten by other applications, except for solid state devices (where data is actually erased).

Even in the case of users who are sophisticated enough to use file software that erases blocks of data, information can even be inferred from the empty space that data points to. Like any crime scene, forensic techniques can be used to gather information about the negative space of data.

So, having a device available upon which specialist software can be used is critical in investigations. In this case, a device is connected to a laptop or workstation that uses specialist forensics software that can analyze what is on the device. A trained mobile forensics expert analyzes the data and not only extracts data but works to construct a picture of events that occurred involving the device.

Mobile Forensic Tools and Techniques
Here are a few important concepts, techniques and mobile device forensics tools, that experts use when working:

Call Detail Records
A fundamental mobile forensics tool, CDRs give call start and end times, terminating and originating cell towers, outgoing or incoming call status, and caller identity. Telco providers keep this data for around 18 months. Federal and state privacy regulations control access to this data by investigators.

GPS Data
Physical devices often carry GPS data, which means that an investigator can know where a device was at a certain time. This can be critically important because this tells an investigator where a device was when certain recorded events on the phone take place.

SMS Messages
SMS text messages always have the phone number of the sender and the receiver, and the date and time of each message. This is a fundamental record that mobile forensics experts seek. Contrary to popular belief, SMS messages can be entered as testimony into court proceedings.

Photos and Videos
These, are of course, prime pieces of evidence for investigators and can be entered into court proceedings

Hex Dump
Also called a phone dump, this is a method of physical extraction. A hex dump creates a copy of the raw image of the data from the mobile device. This is one of the best methods of physical extraction, since an entire image of all the data, apps and unallocated space are copied from the device onto a forensics workstation for analysis. Commercial tools include software such as XACT, Cellebrite UFED physical analyzer and Pandora’s Box.

Chip-Off
This is the same as a hex dump except a copy of the flash memory on a device is taken. In depth technical knowledge is needed for this method and it’s easy for the data to be corrupted if the flash data isn’t extracted correctly. Tools include iSeasamo Phone Opening Tool, Xytronic 988D Solder Rework Station and FEITA Digital inspection station.

What to Look for In a Top Mobile Forensic Firm
Cellphone forensics or mobile forensics is an ever-evolving science that requires a constant adaptation to technology, software, security and knowledge of what to look for across different phone makes, models and systems. Whether it's an iPhone, Android, Windows phone or other, a top mobile forensic professional will be trained on how to:

  • Get your data back
  • View your data on an eDiscovery platform
  • Preserve your data for use in an investigation or court case

Further, top mobile forensic firms will know how to not only extract and preserve your data in accordance with the necessary court requirements, but also how to help showcase this information.

Eide Bailly’s Mobile and Digital Forensic Expertise
Eide Bailly has trained cellphone and mobile forensic professionals whose sole focus is helping you uncover the information you need, even if it’s deleted. We are leading innovators in the digital, computer and mobile forensic space. We currently support more than 23,000 devices and nearly 5,000 app versions. Our examiners work in Cellebrite, MPE+ and IEF and make data viewable on eDiscovery review platforms.

Learn More: One of the most common and most popular reports we provide our clients comes from the UFED Reader report for mobile devices.

Our professionals have experience in both technology and computer and mobile forensics so you not only get the data you need, but also important and relevant information for your litigation needs.

We can help find the digital fingerprint necessary to prove your case. Further, we ensure you have data that is admissible in a court of law. Our approach focuses on continual communication and timely response, prioritizing investigation and forensic preservation of the mobile data you need.

But this expertise doesn’t have to come with a hefty price tag. We work with clients to create cost-effective eDiscovery and mobile forensic plans to help meet their needs. Your data will be handled efficiently and cost-effectively, all with investigative expertise.

Ready to put mobile forensics to use in your court case?
GET STARTED

What inspires you, inspires us. Let’s talk.

Contact

Trent L. Leavitt

Digital Forensics & eDiscovery Manager

385.282.5460

Find A Location