Mobile devices can crack open a case – if you have the right experts
Mobile devices can provide pivotal evidence for investigations, but you need properly trained examiners to make sure evidence isn’t destroyed and remains admissible, according to a recent thought piece by HKA partner and digital forensic expert Andy Antunez.
Mobile devices are at the center of most people’s digital activity – making them extremely valuable items in investigations. Phones and tablets can store millions of data records, and if processed in a forensically sound manner, can provide crucial evidence for investigations in IP, employment matters, trade secrets, and data exfiltration, among other areas.
Even if data has been deleted, much of the information can be recovered through mobile forensics, Antunez says.
The most common types of data that digital forensic experts look for on mobile devices include contacts, call logs, text messages, emails, web browser and data history, GPS location data, photos and videos, app data, and cloud storage.
These data points can help reveal a person’s actions, where the actions took place, and who else was involved. In a recent high-profile case, phone messages were a key part in building a timeline that ultimately exonerated Karen Read for the alleged murder of her husband.
Mobile device data, however, needs to be properly captured and managed to ensure it is forensically sound and can hold up in court as evidence. Digital evidence is fragile and can be destroyed through improper handling, and failing to follow best practices makes it impossible to determine what data was altered.
Antunez says there are three common modes for extracting and recovering data from mobile devices. Targeted extraction is the quickest one, copying granular data such as messages, pictures, and contacts related to specific data or apps. Advanced logical extraction is the most used method, backing up data from the device and collecting relevant files and folders.
Full file system (FFS) extraction is the most thorough method, and allows forensic examiners to bypass security features to gain root-level access to the entire internal memory of a device. FFS was previously only available to government agencies, but is now accessible to select private sector forensic teams via tools such as Magnet Graykey and Cellebrite Premium.
FFS enables examiners to even retrieve deleted records, system logs, write-ahead logging, and encrypted app data. The extraction method also collects hidden system files, crash logs, locations caches, databases stored in private directories – meaning examiners can uncover deleted conversations and location trails.
If a device has been factory reset, data cannot be collected using extraction methods. In such cases, examiners can seek out local and cloud backups to look for evidence, Antunez says.
Once data is acquired, forensic experts can use several techniques to search and analyze the information. These include MD5 hash value, a digital fingerprint of content represented by 32-digit hexadecimal numbers; file and folder names on servers, devices, or the cloud; specific terms such as client names or projects; and key dates to identify data created or accessed at important milestones related to the case.
“Ultimately, the quality of this data and the realities that surface from synthesizing various proof points rely on the capabilities of the forensic experts leading the effort,” Antunez concludes.
