Cell Phones, Mobile Device Forensics & Vestige

Articles

Cell Phones, Mobile Device Forensics & Vestige

Author photo
by Greg Kelley
Vestige Digital Investigations, CTO and Founder
BS, EnCE, DFCP

Many people associate Vestige with computers, servers, surveillance systems and cybersecurity services. Did you know Vestige also fields calls daily with requests for digital forensic analysis of cell phones and tablets? We provide cell phone and mobile device forensic investigations on iPhones, iPads, Samsung devices, Moto devices, LG devices, simple flip phones and even Blackberries (yes, Blackberries are still in use and not just something you buy at a fruit stand). You name it, it has probably been through our labs. In fact, Vestige has been performing digital forensic investigations on cell phones and other mobile devices since shortly after our inception in 2004.

What are clients looking for from mobile devices?

  • Keyword searches to find responsive texts, emails, calendar appointments, documents, etc.
  • Evidence that the mobile device was used for theft of client data or intellectual property theft
  • Evidence that the custodian maliciously deleted or wiped data from the phone
  • Understanding as to where the custodian may have been

So how does mobile device forensics work?

Just like an examination of a computer, the first step is preserving the data from the phone. Sometimes it is this first step, however, that can derail the investigation. Since mobile devices are carried around to restaurants, stores, entertainment events, etc. and since they are so small, mobile devices are a big target for theft. As a result, most, if not all of us, are putting PINs or passcodes on the phone. With most of these devices, not having the PIN is a show stopper and attempting to guess the PIN can result in the device wiping itself! While there are ways to circumvent this security on some devices, the short of it is, when you collect the phone, you better collect the PIN. You’d be surprised how many former employees “forget” the PIN on their phone two days after being terminated regardless of the fact that they put that PIN in dozens of times a day while employed.
To make matters worse, Apple has changed their iTunes software to prompt people to provide a password on their backups. If that password is implemented (a password that can be completely different from the PIN on their phone or their Apple ID), it can be difficult, if not impossible, to get the data from the iPhone. Thankfully, we are seeing this issue less than 10% of the time.

Preservation Is Key

In regards to preservation, mobile devices can take under an hour or they can take half a day. It all depends on the type of device and sometimes how much data is on it. Sometimes it takes specialized software and other times it can be done remotely without much specialized software, often the same day as the request.

Know the Email | Messaging Difference

Some of you reading this may be saying “I do business litigation, cell phones aren’t nearly as relevant as emails and business documents on my client’s computers.” I liken that statement to the ones we received about 10 years ago when attorneys said “I’ve been practicing for years, we have never needed to search computers and never will.” How’s that prediction working? The fact of the matter is that while EMAILS on cell phones may either not be present or may be duplicative of what a business has on its servers, MESSAGING on cell phones and documents contained on cell phones aren’t duplicative and are becoming highly relevant and much sought after (I could list the articles, or you can find them yourself). In fact messaging is becoming more prevalent in business especially among the younger generation. To cite an example, I’m working on a matter now where in a one week period the individual sent or received around 2000 messages. Assuming that person is awake 18 hours a day, that translates to nearly 16 messages an hour! Do you think that there might be something relevant there? And messaging is not just restricted to cell phones, it is common to find tablets being used for messaging as well.
Now, what about deleted data? Nearly every type of mobile device allows for some level of deleted data. The most common type of recoverable deleted data is usually messages. But depending on the type of phone and the operating system running on the phone, you may not be able to get deleted files or deleted pictures.
Important Considerations

Though, to say that cell phone and mobile device forensics or electronic discovery is not without its challenges is putting it mildly. There are multiple issues to consider:

  • If you have a review tool, does your review tool support text messages from cell phones? How does that data have to be formatted in order for it to work with your review tool?
  • For chat threads, if there is a responsive message in a thread between a group of people, do you want every message in that thread? To say “no” could mean that you won’t know whether “yes, Joseph” is in response to “are you free for lunch” or “should we hide that check”. But saying “yes” indiscriminately could mean that instead of 2000 messages, you may get 50 times that amount.
  • Are you working with an experienced examiner who knows what they are looking for and will go beyond pushing buttons? There are more apps available for mobile devices than there are lobbyists in D.C. and as a result there isn’t a single forensic or electronic discovery application that can claim it can handle all of them. We had a case recently where a good amount of messaging was done in an obscure application but it was the app of choice for our custodians for cultural reasons.

In summary

For investigations and litigations, you really need to be considering mobile devices. I’ll skip the discussion on BYOD (Bring Your Own Device) as that’s a future topic, but hopefully the above has given you some more food for thought. As I try to suggest to everyone, pick up the phone to call your favorite mobile device examiner and spend 5-10 minutes discussing the situation, you may be surprised as to what you’ll learn and what evidence you can recover – even if it’s believed to be deleted.

Greg Kelley - Vestige CTO lft smallby Greg Kelley, EnCE, DFCP, Chief Technology Officer at Vestige Digital Investigations
For more information CONTACT US.

This site uses cookies, for more information, review our privacy policy.