Digital forensics on mobile phones

Can digital forensics keep up with smartphone tech?

The explosive growth in both the use and capacity of smartphones has led to a sea change in digital forensics, creating technology challenges for the justice and law enforcement communities and raising legal questions that in some cases have gone to the Supreme Court.

“When I started doing forensics, mobile devices meant flip-phones and texting,” said Josh Moulin, a contractor doing forensics work for a federal agency. The information you could expect to get from a phone was a contact list, some text messages and calendar entries.

“Today they are computers, and we are getting everything off of them that we would expect from a computer. You have a great picture of what a person is doing and is interested in.”

But the sheer volume of data and devices can be overwhelming. Forensics labs within law enforcement agencies and in the private sector have backlogs from six to 24 months and are struggling to keep up with the pace of technical change in the devices being examined.

And it’s not just a matter of Android or Apple phones. Forensics professionals estimate there are more than 10,000 models of mobile phones being used today from as many as 3,000 manufacturers. About 150 new phones were released in April alone.

Inside forensics

Forensics is the science of developing or extracting information for use in investigations and in civil or criminal court cases. Digital forensics involves getting that information in a digital format, usually from a computer or some form of electronic media. It requires getting access to the device, locating the data, copying it and analyzing it to turn the data into information.

What’s more, if the resulting information is going to stand up in court, each step has to be documented, and care has to be taken not to alter the data being gathered – or the original data.
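The two requirements just named, documenting each step and proving the data was not altered, are usually met by hashing the acquired image at acquisition time and re-hashing it before every later step. The script below is an added illustration written for this page, not code from the article or from any forensic product it mentions; the image bytes are a constructed stand-in for a device acquisition, and the examiner and device labels are placeholders.

```python
"""Evidence-integrity check for an acquired image (added example, not from the article)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample standing in for an acquired device image.
# A real acquisition is a multi-gigabyte file, which is why hashing below is streamed.
SAMPLE_IMAGE = b"constructed-sample-image-" * 1024


def hash_image(data: bytes, chunk_size: int = 1 << 20) -> dict:
    """Hash the image with two algorithms, streaming in chunks so large files fit in memory."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    view = memoryview(data)
    for start in range(0, len(view), chunk_size):
        chunk = view[start:start + chunk_size]
        sha256.update(chunk)
        md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest(), "size": len(data)}


def make_custody_record(data: bytes, examiner: str, device_label: str, step: str) -> dict:
    """Document one step: who handled the image, when (UTC), which device, and the hashes observed."""
    record = {
        "step": step,
        "examiner": examiner,          # placeholder value in the demo below
        "device": device_label,        # placeholder value in the demo below
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
    }
    record.update(hash_image(data))
    return record


def verify_image(data: bytes, record: dict) -> bool:
    """Re-hash the image and compare against the hashes recorded at acquisition."""
    current = hash_image(data)
    return (current["sha256"] == record["sha256"]
            and current["md5"] == record["md5"]
            and current["size"] == record["size"])


def demo():
    """Acquire, verify an untouched working copy, then show a one-byte change being caught."""
    acquired = make_custody_record(SAMPLE_IMAGE, "examiner-placeholder",
                                   "device-placeholder", "acquisition")
    working_copy = bytearray(SAMPLE_IMAGE)      # analysis happens on a copy, never the original
    intact = verify_image(bytes(working_copy), acquired)
    working_copy[100] ^= 0x01                   # simulate an accidental change during analysis
    after_change = verify_image(bytes(working_copy), acquired)
    return acquired, intact, after_change


if __name__ == "__main__":
    rec, ok_before, ok_after = demo()
    print(json.dumps(rec, indent=2))
    print("working copy intact before analysis:", ok_before)
    print("working copy intact after accidental change:", ok_after)
```

Two algorithms are recorded because many labs still report MD5 alongside SHA-256 for comparison with older case files; the SHA-256 value is the one that should be relied on. The custody record is plain JSON so it can be attached to the case notes and re-checked by a second examiner with the same function.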

Digital forensics has been around for decades, but forensics on mobile digital devices is a relatively new and rapidly changing field. Although the two share similarities, “they are very different,” said John Carney, chief technology officer of Carney Forensics, which helps attorneys and investigators glean insights into their cases by retrieving digital forensic evidence.

The most obvious difference is that mobile devices are – well, mobile. “Mobile phones are far more aware of their surroundings,” Carney said. Many have location functions using GPS, which can leave traces on the phone or on applications loaded onto it.

Mobile devices also often have multiple networking options, including cellular, Wi-Fi and Bluetooth, which can keep track of available local networks even when they do not connect to them, providing another picture of where the user has been. The result can be a detailed picture of the owner.

“Mobile phones are a lifestyle,” Carney said, more so than a desktop or laptop computer.

Investigative hurdles

However, such connectivity can also pose a threat for investigators – or at the very least block access to devices by forensic analysts.

For instance, security tools intended to protect the device can let a remote administrator wipe or lock a phone. Although this is common in organizations that issue phones to employees, so far it is little used by consumers.

However, the California state senate has passed a bill that would require all smartphones to have a kill switch or shut-off function. The goal is to make the phones less attractive to thieves, but public and private investigators worry that it also could put evidence at risk after a phone has been seized.

To keep a phone from being wiped, locked or otherwise changed after it is seized, investigators now use a Faraday bag, a portable version of the 19th century Faraday cage that uses a mesh of conducting material to block radio signals and static electric fields. Carney isolates phones in a bag using three different metal oxides to block cellular, Wi-Fi and Bluetooth signals.

Faraday bag from Disklabs

“Now we actually examine them inside a Faraday bag,” Carney said, by connecting a USB cable to the phone while it is inside the bag to extract data.

Some issues facing forensic analysts are mundane. Keeping track of the USB and other connectors used to access power and data ports on different makes and models of phones is surprisingly difficult.

In fact, Joe Trickey, federal marketing manager for Dell, said that can be the biggest challenge in mobile device forensics. “The interpretation of the device – that part is easy,” Trickey said. “It’s the cable connections that are hard. You have to stock those and keep the inventory up.”

But there are far greater challenges. Analyzing data once it is extracted can be a daunting task. Investigating a single device can require up to a terabyte of space, and the tools for analyzing that data often are not cheap. And more devices are password protected and more data is being encrypted, complicating access to the data.

Since mid-2009, for instance, Apple has shipped all iOS devices with a cryptographic chip, incorporating encryption into the operating system.

The scheme “poses significant challenges to the forensics investigator,” according to a set of guidelines on mobile device forensics published last month by the National Institute of Standards and Technology.

And those challenges are not likely to ease any time soon. “The digital forensic community faces a constant challenge to stay abreast of the latest technologies that may be used to expose relevant clues in an investigation,” the NIST guidelines state.
