Mobile Device Forensics Compared to Traditional Forensics
The Troubles of Imaging Cell Phones
Nowadays, cell phones are basically mini computers in the palm of your hand. People often wonder why it’s more difficult to extract data from cell phones than it is for computers because the devices “aren’t as complicated” as computers, well the people that think that couldn’t be more wrong. Every single computer has the basic parts that go into it, with the hard drive always storing all data from the computer, i.e. operating system, user documents, etc. Some of you may be asking, aren’t the fundamental technologies the same between cell phones as they are in computers? While the answer to that is yes, how they are actually implemented can be quite different, especially on the software side of things. Most cell phone manufacturers create their own hardware and Operating System, or license an Operating System such as Android or Windows Mobile and adapt it to work on their phones. With how diverse the implementations of software and hardware is on cell phones, one has to create a way to interface with each and every iteration out there, which can become quite the time consuming and a costly task. On top of the already complex issue of the various types of hardware and software, you also have to consider the security that manufacturers add in to both the hardware and software when talking about extracting data from cell phones.
For imaging purposes, a cell phone doesn’t have the standardization like computers do, especially interfacing with the storage, which is built into the phone itself instead of being removable like most computers. Some of you might be saying, well what about the SD Cards? Well, the SD Cards on a cell phone will hold photos, and apps installed, but it does not contain information such as text messages, call logs, and other important information on the phone that most people are interested in. That information is stored on built in Flash Memory (basically the same thing as a solid state hard drive). The fact that you can’t simply remove the Flash Memory from the cell phone to image the data means that, for the most part, you have to communicate with the phone via the USB port (depending on the phone, Apple’s has had their own proprietary port since they introduced the iPhone).To communicate with cell phones and extract the data stored on them, software for each of the different phone models needs to be created to interface with the cell phone, which is a very costly and time consuming process that is never completed because let’s face it, new phones come out every month (roughly 1500 new phones per month, Worldwide). Even if ways to communicate with the cell phones are created, it doesn’t necessarily mean that you’ll have access to all the data located on the phone or be able to create a forensic bit for bit image of the Flash Memory.Sometimes all you can do is extract the live data from the device, which means depending on the phone, you may not have access to any deleted data.
There have been many occasions, especially in the past, where no cell phone forensic or regular software solutions was able to interface with a cell phone to extract the data, which can obviously be a huge problem. A solution to this issue, which is still used here and there today, is taking photos and videos of the data on the cell phone. Some people may laugh at this, but sometimes there aren’t any other cell phone forensic techniques or solutions to preserving the data on a cell phone.
Cell Phone Forensic Vendor Information
At this moment in time, there are only a few vendors out there that offer cell phone data extraction software for a wide range of cell phones, each of which comes with a high price tag. A couple of the big names out there for forensically imaging cell phones are Cellebrite, XRY and Paraben, although there are other vendors available as well. Each of the different vendors have their own solution for communicating with cell phones.and One model of phone may be supported by one vendor, but not by another vendor. Furthermore, some cell phone data extraction vendors can parse only certain types of data (text messages or calendar appointments) on some phones but another vendor may parse different types of data on the same phone. Since each vendor has their own solution, they each format the data extracted differently, and for the most part, the extracted data is not transferrable between the different vendor’s products. This means, that if you image a cell phone with Cellebrite, most likely you won’t be able to load that image up in XRY’s software to analyze the phone. While this may not cause issues when one mobile device forensic company is doing the analysis, it may cause issues when transferring data from one forensic company to another, a situation that occurs frequently in litigation,when the two forensic companies use different cell phone forensic solution.
We get a lot of people who call in and ask about whether or not we can do remote acquisitions of cell phones, and it definitely is a tricky question. Without going into all the nitty gritty details, the answer right now is that for the most part it’s not possible to create remote images of cell phones like we can do remote imaging of computers. With cell phones, all forensic companies rely on the cell phone forensic software/hardware they purchase, and with the limited options out there, it’s not always possible to do this. Most cell phone forensic solutions either have a physical device used in the data extraction process from cell phones, or have software that is either tied to a computer or limited to usage with a USB Dongle, which all can create issues when trying to image cell phones remotely. There are some instances that it is possible to remotely image a cell phone depending on the type. For example, you can create a backup of an iPhone, iPod Touch, or iPad using iTunes remotely, and then load the backup into a cell phone forensic utility and you’ll not only have almost all the active data from the cell phone (minus a few things like music and emails) and even some deleted data. The issue with doing something similar on other types of cell phones is due to the large fragmentation of the manufacturer and the software they provide with the cell phone. Android, for example, while at its core is the same OS regardless of what phone it’s used on, can be very different depending on what the manufacturers do when implementing it on their phones, this fragmentation causes issues because there’s no unity between the devices. Plus, you have to take into account that not every manufacturer provides software to backup the cell phone, and even if they do, it isn’t guaranteed that the cell phone forensic solutions will have the ability to parse and analyze the data.
As stated above, Vestige has successfully made remote images of some types of phones. We are currently working on methods to remotely image more types to provide speed and flexibility when it comes to cell phone preservation.
In short, cell phone forensics can be a very tricky and frustrating game to play considering the fragmentation in the cell phone industry and in the cell phone forensics industry. Cell phone technology is constantly changing and the cell phone forensics industry is always trying to play catchup to the constantly evolving technology. For this reason, it is important to engage an expert who has spent time preserving and analyzing mobile devices. While the cell phone forensic options and success rate today is much higher than it was in the past, it is in no way perfect today.
by Nick Ventura, CCE, CFCA, Security+, A+
Senior Forensic Analyst
Vestige Digital Investigations