As Nick stated in his mobile device forensics post, what many of us refer to as “cell phones” here in 2014 amount to pocket-sized computers, complete with basic phone functions (calling, text messaging, contact storage, etc.) with the addition of some additional features (GPS, voice-to-text/talk services, camera integration, web browsing, etc.) that have turned cell phones into what are collectively referred to as “smartphones.” Of course, the older cell phones (affectionately referred to in the forensics industry as “dumb phones”) lack the capabilities of their newer brothers and sisters are not yet extinct. We can indeed still image and garner data from them, but the amount of cell phone artifacts that can be gleaned from smartphone forensic images far surpasses those from older models.
What kinds of cell phone artifacts do smart and dumb phones have in common? It simply depends on the capabilities of the phones themselves. Not all models of phones are alike, and not all operating systems/firmware versions on those phones – smart or dumb – are the same. The different versions of applications available for today’s smartphones can of course also leave an examiner with different artifacts.
Smartphones and dumb phones alike – most of them, at least, providing no resets have been made and the data hasn’t been overwritten – will usually provide us with at minimum call logs, text message logs, and contact lists. As with a computer, “deleted” data (including call logs/text messages/contacts) isn’t actually deleted until the data itself is overwritten by new data, which means that an examiner has the capability to recover deleted calls and text messages from points much earlier in time.
Call logs, text message logs, and contacts are the typical mobile device forensics we at Vestige get asked to dig into most often. We provide that information to our clients in the form of Microsoft Excel spreadsheets showing who the phone contacted, what the conversation was (if text messages), and when. However, generally speaking, the following cell phone artifacts may be available from smartphones (and some dumb phones or Blackberries):
- Email – Depending on the type of phone involved, this could be just metadata, or metadata plus the email’s contents and attachments
- iMessage/MMS data
- – Think of an iMessage as a special type of text/picture/video message sent between two Apple devices.
- – MMS is similar but between non-Apple devices and provides a richer experience than traditional SMS text (only) messages
- GPS location data – This can come from GPS applications or from pictures/videos taken by the phone. We can then take those GPS coordinates and resolve them to physical addresses.
- Calendar appointments and tasks
- Wireless networks the phone has connected to
- IP addresses used by the phone
- Phone browser history
- Notes taken on the phone
- Music, pictures, and videos
- Audio and video recordings
- Voicemails (metadata and the voicemails themselves)
- Intellectual property or other files, if the user chose to store them on the phone’s internal memory or on an SD card inserted into the phone
Finally, individual applications may store their own histories and data. That, of course, depends on a number of factors, such as the version of the application, its nature (what it chooses to store) and if it’s been uninstalled and its data already overwritten.
Vestige’s digital forensic investigators recently worked a case involving corporate fund misuse. We had already found numerous nuggets of evidence on the custodian’s machine, but we also had a forensic image of a particular company-issued smartphone. Our client had informed us of some illicit purchases that had taken place using company funds, and we were able to provide back to them some photos that provided proof of those purchases—these pictures were not found on the custodian’s computer, but instead on the smartphone. The metadata of those photos showed when and where they were taken as well as the make and model of the camera that was used.
Examining smartphones and dumb phones alike can provide more beneficial information to your case, as they can reveal actual communications and interactions that a custodian had with another person or group of individuals that examining a computer’s filesystem alone may very well not tell an examiner. If a mobile device is involved in an investigation, it should be analyzed along with any computers due to the sheer amount of cell phone artifacts available that can provide further insight. I would expect to see the amount of mobile devices we see here at Vestige (and industry-wide) to continue to increase as technology advances and more users rely on these devices in substantial ways.