Damon Hacker, Vestige President, is presenting to the SAME Mt. Tacoma Post & engineering students at the University of Washington-Tacoma on April 9.

Mobile Device Analysis

Jump To

Mobile Device Solutions

The analysis of a mobile device can provide a wide range of insight into the individual’s activities, habits, communication patterns and more.  As mobile devices are so ingrained into the individual’s daily lives, they can sometimes serve as a proxy for understanding these behaviors.  Some of the types of information stored on mobile devices are as follows:

Data We Can Recover* | Common Requests

  • App Usage (are or were privacy applications installed?)
  • Calendar and Task List Entries
  • Call History Logs (Dialed, Missed, Received)
  • Cloud Storage (ex. is Google Drive or DropBox installed?)
  • Contacts and Phonebook
  • Deleted Data (texts, contacts, call history, photos, videos – sometimes)
  • Emails Stored**
  • Internet Browsing History (what sites visited? when?)
  • Location History
  • Party/Parties and Keywords
  • Person’s names (first, last or both)
  • Photo/Multimedia Messages
  • Pictures and Images
  • Recovery of User Handset Lock Code
  • Searches Conducted
  • Social Media / Networking Artifacts
  • Specific Phone Number(s)
  • Text Messages (SMS)
  • Video and Audio Recordings
  • Wiping and Factory Reset Indicators
* NOTE: This list contains typical items that Vestige is able to recover. There can be access limitations based upon restrictions of the user, the make/model of the device, software that has been installed and limitations of the carrier and/or device manufacturer, such as 2-Factor Authentication, encryption, additional passwords and general privacy considerations.
** NOTE: Email Searches – As email is generally available on the server, many of the phone models do not store the actual email on the local handset.Instead the device only pulls the “header” information (from, subject, first couple lines of message, etc.) to display in the inbox. When imaging and analyzing a mobile device, Vestige will pull down any email, if any, that is present. For comprehensive email preservation and analysis, Vestige has the capability to pull such email directly from the mailbox. Make sure to ask about this additional service if email is essential.

Other Services Available

  • Detailed forensic analysis of mobile device operating system and application artifacts
  • Device physical memory extraction including: TsOP and BGA Chip-Off Forensic Extractions, file system acquisitions and hex dumps

The Digital Forensic Process

Initial Call > Acquisition > Preservation > Analysis > Report

ACQUISITION — Access to the Device:

The first step is the acquisition of the mobile device where it is believed digital evidence resides.

  • The owner can voluntarily turn over the device to either the requesting party or make pick-up/shipping arrangements with Vestige; or
  • The device can be subpoenaed where the owner is required by court to turn over the device; or if the device is owned by a company performing an internal investigation, they can either require the employee in question to turn over the device(s), or covert imaging can be performed.
  • While Vestige can preserve all types of mobile devices, each make, model, version and even carrier introduces different variables that affect what all is captured and eventually what can be analyzed.  As such, for the most accurate cost estimate and determination of the extent of analysis that can take place it is best if you can provide as much of that information as possible (i.e. type of device – including the make and model of the mobile device(s). Ex: Apple iPhone 12, Android Samsung Galaxy, Blackberry, etc. before preserving a device as different mobile devices require different methods and digital forensic tools.

PRESERVATION of Data:

You can choose how you want to preserve your mobile device data:

  • On-Site – Vestige comes to your designated location; or
  • Remote – Vestige ships a Remote Kit and works with a custodian to preserve, or an Online Remote Collection that is internet connected with a reliable, secure Wi-Fi; or
  • In-Lab – send the device to Vestige’s Digital Forensics Lab

ON-SITE DATA PRESERVATION:

Apple devices are more consistently structured and are typically easier to work with; Androids require more tools in order to acquire a reliable pool of preserved data.

APPLE – ITEMS NEEDED:

    • Unlock Passcode – if one is set on the mobile device.
    • iTunes Backup Passcode – if one is set on the device.(When Vestige images the device we use the owner’s password to open, then we set our own password temporarily to make the copy; then we return it back to the owner’s password. This method allows us to get an encrypted backup that provides more data ex: health, password keychains, bluetooth, wifi, etc.)
    • FOR ONLINE PRESERVATION ONLY – IF there is an existing iCloud backup account & iTunes – the Email & Password is needed along with the 2-Factor Authentication Token, if it is enabled. If 2FA is enabled, it requires a code via phone to open; the device custodian requests the 2FA code (a unique code to the instance), once opened, then the iCloud backup can be downloaded. It is variable what data we can get from iCloud, dependent on what was set to get backed up. We can get messages, photos, etc.

ANDROID – ITEM NEEDED:

    • Unlock Passcode – if one is set on the mobile device.

REMOTE DATA PRESERVATION:

For this method, Vestige ships a Remote Kit which includes:

  • Various USB connectors
  • Encrypted hard drives that are pre-loaded with the software needed to preserve the digital device(s).

Once the Remote Kit is received, the client must have access to a computer with adequate amount of free space (i.e. 100-250 GB of free space (depending on capacity of device).

Vestige then connects with the client via telephone or an online conference app. Here we direct the client through the entire Data Collection Process which includes:

  • Loading preservation software
  • Connecting to devices
  • Performing the preservation or data acquisition itself. NOTE: The time this takes will greatly vary from device to device, and is dependent upon how much data is on the mobile device and the speed of the computer hardware.
  • Upon completion, the files are transferred onto the Vestige provided encrypted harddrives.
  • The client then packs up the Remote Kit complete with the collected data on the harddrives and ships it backto Vestige.
  • Upon arrival, Vestige uses the secure pin to unlock the encrypted harddrive(s), assuring the data is securethrough each step.
  • We verify that it is the correct backup. Then Digital Forensic Data Analysis begins.
CAVEAT: iPhones work well for remote preservations, and we can acquire all the same data that we get from local preservations (outside of jailbreaking). Android Devices, however, can be troublesome when performing a remote preservation, and the amount of data that can be preserved from the phone can be limited (i.e. deleted messages are not available via remote preservation). Call Vestige today to ask questions and learn more.

Jailbreaking & Rooting

Jailbreaking is performed on an iPhone; Rooting is performed on an Android. Both are a means for bypassing the manufacturer’s restrictions placed on the operating system and allowing for full control of the device. The benefit of Jailbreaking or Rooting a mobile device is that it allows complete access to the data on the device. In many instances, a full physical image can be made, which acquires every bit of data on the device — exposing additional evidential data.

Additional data that can be gained through Jailbreaking & Rooting includes:

  • Additional Application Data
  • Additional GPS Data
  • Application and Operating System Log Files/Artifacts
  • Email Data
  • Deleted Messages on an Android, depending on the make and model
  • Some File System Data – made by the operating system but is not in ‘unallocated’ space
  • Deleted and unallocated data can also be made available but encryption can complicate forensic cell phone data recovery

ANALYSIS

Vestige takes the data that is preserved and processes it through analysis software.

Our Forensic Experts perform analysis to:

  • Gain Access to all “visible” user content
  • Access hidden, protected and deleted data
  • Perform artifact analysis to learn “how the device was used”
  • Perform keyword and other filter searches against user content
  • Extract and provide relevant data to investigating team

Our Analysts can dig deeper than just the artifacts captured by the forensic analysis tools. We frequently go beyond the capabilities of these tools employing software, applications and custom scripts resulting in extraction of artifacts that are missed by those with less expertise.

REPORTING — What You Receive

Once we have relevant evidence uncovered, it can be exported in a variety of formats. We provide the evidence in your requested format(s) and provide a Verbal Report.

  • Examples include MS Excel Workbooks, different load file formats for Relativity®, Concordance®, etc. or we can customize the export based on whatever the Review Tool Software requires(ie. lines, field delimiters, etc.)
  • Default: Excel Workbook with extracted information in related worksheets, including links to attachments or native files.
  • Optional: Written Report of Findings with Opinion

Specialized Solutions for Mobile Devices

Vestige also offers several SPECIALIZED SOLUTIONS FOR MOBILE DEVICES that include:

  • Mobile Device Location Service and E-911 Service
  • GPS – Global Positioning System Information from the Device
  • CDR – Call Detail Records
  • Spyware Checks
  • Application Artifact Recovery

For expert mobile device digital forensic services, contact Vestige today.

CONTACT US