Text

Mobile ForensicsThe Basics

– http://en.wikipedia.org/wiki/Forensic

“Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any

digital device that has both internal memory and communication ability, including PDA devices, GPS

devices and tablet computers.”

Variables Smart Phone firmware and software varies by carrier (Verizon, AT&T, Sprint, etc)

Android phone firmware and software varies by manufacturer (LG, HTC, Samsung, etc)

Android software versions are Alpha, Beta, Cupcake, Donut, Eclair, Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, Jelly Bean, KitKat, Lollipop

iPhone versions 1x thru 8x

Some Android phones have internal memory as well as external memory

iPhones, iPads and iPods have internal memory only (16gb-128gb)

There are millions of Apps available from Google Play, App Store, and third party websites ( including jail breaking).

Other Variables “Jail Breaking”

Decoy Apps

Pre-paid phones

Spyware

Malware

User Apps created via open source SDK

Wifi only users (no carrier)

Users

Encryption

Screen locks / Passwords

Our Mobile Lab

XRY

Cellbrite

Lantern

Mobiledit

EnCase

MPE+

dSolo

IEF

Data Pilot

Hex-editor

Wireless sand box

Faraday bags/cages

Packet capturing software

Open source tools

No one program does the job!

Before you choose a mobile forensics lab?

In theory, a mobile forensics lab can process the subject device with one tool and truthfully state that they conducted a forensic examination

Some tools are better at uncovering deleted texts, other tools are better at recovering photos. Those tools may not uncover third party apps

A reputable lab will process the subject device with multiple tools to validate their findings

Alternative Data CollectionAndroid data can be extracted from a SD card using an APK

f-Respose provides forensic extraction over the Internet

iTunes back up from computer and or iCloud backup

Wireless sand boxingA controlled environment that allows the examiner to monitor communications from the subject device

Allows examiner to see which websites/IP addresses the phone is communicating with

Provides insight to hidden apps and spyware

FAQsQ: Can we bypass the screen lock code?

A: Depends on the of the phone and software version

Q: How far back can we go to collect deleted text messages?

A: Text messages are stored in a SQL-lite database and the text history is relevant to how often the user deletes and receives text as well as the memory size

Q: Can an iDevice that was remotely wiped be recovered?

A: No, as such it’s imperative to keep devices in a faraday cage or in airplane mode

Q: Can spyware be installed without physical access to the phone?

A: Yes and No. Androids phones are vulnerable to remote spyware deployment. iDevices are not, however new spyware tools can collect data via iCloud

Q: Can the fingerprint reader be bypassed?

A: Yes, particularly if you are a heavy sleeper. Also a judge can compel you to place your finger on the phone

Text

Cyber Bullying and StalkingWe offer free mobile forensics to parents who believe that their children are victims of these offenses.

What should you do if you suspect evidence is on a mobile device?

Immediately place the phone in airplane mode

The battery should only be removed if you can’t figure out how to place the phone in airplane mode

Never attempt to conduct your own investigation by looking through the device

Read our guide for first responders

Your Questions

Other questions can be emailed to:

client.Services@DataSpecialistGroup.com