Three Things to Know About Modern Mobile Forensics

mobile forensicsWhen digital forensics started many years ago, the computer was “king” for the valuable information we sought for our clients. Times have definitely changed over the past few years. While computers still provide great value in our investigations, mobile devices such as tablets and smart phones are now becoming a valuable asset in many cases. We are finding that mobile devices are proving to be a very valuable source of information, in addition to essential technologies for obtaining all “electronic communications” that is often requested. With that, let’s delve into the three things you need to know about modern mobile forensics.

The first thing to know about modern mobile forensics is that, while we are finding more personal information than ever on mobile devices, the expected data of value still exists. Information such as call logs, call duration, contact information, calendars, and text messages exist on the mobile phones and continue to be foundational artifacts for most mobile device investigations. These are the same artifacts we leveraged years ago when analyzing mobile devices. However, we are finding that this information is the tip of the iceberg as we employ more advanced techniques and tools for both mobile phones and tablet devices used today.

The second thing to know about mobile device forensics is that we can confirm that mobile devices are the most “personal” technology to date. While it may have been named the “personal computer”, we don’t see computers in people’s pockets and in their faces continually throughout the day. This level of intimacy produces a wealth of valuable information. Chief Justice John G. Roberts Jr., writing for the court, was keenly alert to the central role that mobile devices play in contemporary life. They are, he  stated, “such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.” Without a doubt, mobile devices are now the #1 method of communications. Where email formerly reigned as the most popular form, text messaging is now king. To quantify this claim, Americans on average, send and receive approximately 4000 text messages a month. Keep in mind that this statistic does not include mobile messaging through applications such as WhatsApp, Snapchat, and Kik, which are gaining popularity over conventional text messaging. It has been determined that more time is spent on the Internet from mobile devices rather than computers. From a social network perspective, 30 percent of users access Facebook exclusively from their mobile phone.

The third thing to know about mobile forensics; what users see on their mobile device screens is nothing compared to the information available for analysis. Mobile devices are capable of storing a wealth of personal information, often intentionally, and sometimes unintentionally. A simple example would be Internet histories. When analyzing both computers and mobile devices in a case for the same user, we find that many times the Internet activity can be drastically different. Another example that seems to always provide great value is the ability to recover deleted text messages. While deleted data from mobile devices is not as plentiful as computers, text messages are often recoverable. In addition, deleted voicemails also often fall into this category. One of the more controversial artifacts from mobile devices that arguably played a role in the Supreme Court’s ruling on requiring warrants to search mobile devices are the tracking capabilities. George Orwell predicted this; he didn’t predict we would be doing it to ourselves. Today’s mobile devices often maintain information related to where we are at a particular time, via location services. Google maps is an example of this. When you open Google maps, it knows where you are and that data is often logged to the phone. With the proper tools, this data can be extracted and analyzed. Even the Wi-Fi networks the device has connected to are logged in chronological order.

There is one last thing we want you to know about mobile forensics. I know I said there would be three, so consider this a bonus. You don’t always need the physical phone to perform an analysis. I am serious. By default, Apple iTunes creates a backup of iPhones and iPads when they are connected to the computer. That backup, in the right hands, can be almost as valuable as the physical phone itself. In addition, Apple iCloud often “syncs” across devices using the same account. This was a key piece of information in a domestic matter that we worked. One of the parties in this case logged into their child’s iPad to continue a conversation that began on their iPhone. This conversation synchronized to the iPad in its entirety after connecting to the iCloud providing all the evidence needed to be successful for our client.

There you have it. Three things to know about modern mobile forensics. While the expected data exists, mobile devices are extremely personal and the related artifacts are extremely valuable in many investigations. What continues to astonish me are the unknown pieces of information that mobile devices contain. It is our experience that, to get the full picture, both computers and mobile devices need to be analyzed for the full digital story. If your eDiscovery request requires producing “any and all electronic communications”, mobile devices should always be included to fulfill this request.

Sword & Shield partners with you to provide expert mobile forensics services using state-of-the-art equipment. Request a consultation to learn more.


Comments are closed.