Five continual challenges with smartphone forensics
By James Eichbaum
Mobile forensics is a continuously evolving science which involves using rapidly changing techniques to be able to access and analyze data from mobile devices.
More and more crime is committed digitally, leaving traces that can be important evidence in a criminal investigation. The advanced and constantly improving methods for analyzing technical evidence make mobile forensics a rapidly growing field.
When considering a career in mobile forensics, it might be useful to consider how to overcome the challenges you will face. We’ve listed five key challenges here.
But first let’s take a closer look at the enchanting world of digital forensics.
What is digital forensics?
Digital forensics is the process of uncovering and interpreting electronic data. The goal of the process is to preserve any evidence in its original form while performing a structured investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events. The context is most often for usage of data in a court of law, though digital forensics can be used in other instances.
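As an added example (not part of this post and not code from any MSAB product), the preservation and validation steps described above reduce, at their simplest, to hashing the acquisition before any analysis starts and checking every working copy against that recorded hash. The image bytes, device label and examiner name below are constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample standing in for a raw acquisition (e.g. a memory dump); not real device data.
ORIGINAL_IMAGE = b"\x00" * 16 + b"constructed sample acquisition\n" + bytes(range(256))


def sha256_hex(data: bytes) -> str:
    """Hash the acquired image; this value is recorded before any analysis is performed."""
    return hashlib.sha256(data).hexdigest()


def make_acquisition_record(image: bytes, device_label: str, examiner: str) -> dict:
    """Build a minimal chain-of-custody entry: what was acquired, by whom, when, how big, and its hash."""
    return {
        "device": device_label,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(image),
        "sha256": sha256_hex(image),
    }


def verify_working_copy(record: dict, working_copy: bytes) -> bool:
    """Analysis is done on a copy; confirm the copy still matches the size and hash recorded for the original."""
    return (
        record["size_bytes"] == len(working_copy)
        and record["sha256"] == sha256_hex(working_copy)
    )


if __name__ == "__main__":
    record = make_acquisition_record(ORIGINAL_IMAGE, "placeholder-handset", "placeholder-examiner")
    print(record)
    print("working copy intact:", verify_working_copy(record, bytes(ORIGINAL_IMAGE)))
    tampered = ORIGINAL_IMAGE[:-1] + b"\x01"
    print("tampered copy intact:", verify_working_copy(record, tampered))
```

The record is what goes into the case notes; re-running verify_working_copy on every copy before and after an analysis session is what lets an examiner later state in court that the data examined was the data acquired.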
Mobile devices have become an integral part of people’s lives, and as such, are playing an important role in investigations. The value of a forensic examination typically lies in its ability to recreate what a user was doing on a digital device in the weeks or months leading up to a particular event. Given how people use their digital devices, it goes without saying that they inevitably leave electronic trails.
When a mobile device is encountered during an investigation, many questions arise: What is the best method to preserve the evidence? How should the device be handled? How should valuable or potentially relevant data contained on the device be extracted?
In this blog post, we will present some of the challenges facing forensic technicians today.
Password security and encryption
Securing mobile devices has been a focus of device manufacturers over the past several years and continues to be a priority as personal privacy is increasingly important to their markets. As a result, methods for securing and/or encrypting data vary widely from device to device and from one operating system to another. Extracting data from unlocked smartphones is a relatively straightforward task. But accessing locked devices can prove challenging. Manufacturers are developing password and encryption schemes that make it practically impossible for law enforcement agents to access the data. And almost as soon as security flaws are discovered, they are patched and tightened. Encryption will continue to strengthen and be the bane of law enforcement investigations.
Tools such as XRY Physical can help examiners bypass the operating system to dump all the raw data from the device. This memory dump gives them access to system, protected and deleted data, and also allows them to overcome security and encryption challenges on locked devices.
By combining XRY Physical with XAMN Spotlight, you can see the hex code quickly and by activating source mode, you can verify the original raw data.
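To make the idea of checking decoded output against its raw source concrete, here is an added example written for this post (it is not code from XRY or XAMN): a toy record format, assumed for illustration only (1-byte type, 2-byte little-endian length, payload), is decoded from a constructed image, and a hex dump of the bytes at the reported offset lets the examiner confirm the decoded text against the source bytes rather than trusting the decoder.

```python
from typing import List, Tuple

# Constructed raw image standing in for data pulled by a physical dump; not real device data.
# Assumed record layout: 1-byte type (0x01 = text), 2-byte little-endian length, payload.
RAW_IMAGE = (
    b"\x00" * 8
    + b"\x01" + (5).to_bytes(2, "little") + b"Hello"
    + b"\xff\xff"
    + b"\x01" + (14).to_bytes(2, "little") + b"meet at 9 p.m."
    + b"\x00" * 4
)


def decode_text_records(image: bytes) -> List[Tuple[int, str]]:
    """Scan the image and return (offset, text) for every text record; offset points at the record header."""
    records = []
    i = 0
    while i + 3 <= len(image):
        if image[i] == 0x01:
            length = int.from_bytes(image[i + 1:i + 3], "little")
            payload = image[i + 3:i + 3 + length]
            if len(payload) == length:
                records.append((i, payload.decode("utf-8", errors="replace")))
                i += 3 + length  # skip past the payload so its bytes are not re-scanned as headers
                continue
        i += 1
    return records


def source_matches(image: bytes, offset: int, text: str) -> bool:
    """Cross-check a decoded value against the raw bytes it claims to come from."""
    length = int.from_bytes(image[offset + 1:offset + 3], "little")
    return image[offset + 3:offset + 3 + length] == text.encode("utf-8")


def hex_dump(data: bytes, start: int, length: int, width: int = 16) -> List[str]:
    """Render data[start:start+length] as offset / hex / ASCII lines, the view an examiner reads in source mode."""
    lines = []
    end = min(start + length, len(data))
    for off in range(start, end, width):
        chunk = data[off:min(off + width, end)]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part:<{width * 3 - 1}}  |{ascii_part}|")
    return lines


if __name__ == "__main__":
    for offset, text in decode_text_records(RAW_IMAGE):
        print(f"decoded at 0x{offset:x}: {text!r}  verified={source_matches(RAW_IMAGE, offset, text)}")
        for line in hex_dump(RAW_IMAGE, offset, 3 + len(text.encode("utf-8"))):
            print("   ", line)
```

The point of the dump is that the examiner can see the header bytes and the payload side by side with the decoded string; if a decoder ever produced a value that source_matches rejects, that record would be treated as a decoding error rather than evidence.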
Mobile operating systems
An Operating System (OS) is the software that enables the user to “operate” the mobile device. It uses a file system to store and retrieve data according to that file system’s rules. It provides ways for the user to use the hardware components and essentially makes everything run. There are a variety of operating systems out there, but the most common mobile operating systems are Google Android and Apple iOS. Other operating systems have come and gone, such as Windows Mobile and SymbianOS. Many feature phones use unique, proprietary operating systems that are less well known to users.
At some point, a forensic examiner may have to face a feature phone forensic investigation, especially in cases involving people connected with terrorism, hacking, espionage and the like. In order to handle such phones, law enforcement members need proper training to ensure safe preservation of the extracted data.
Proper handling of mobile devices is vital to maintaining the integrity of the data they contain. Mishandling the device can result in devastating effects, including, in the worst case, destroying data on the handset. Be sure to become familiar with the basic operation of the different operating systems to ensure you do not accidentally reset or wipe a device.
Lack of tools and equipment
There is a wide range of mobile devices. A single tool might not support all the devices or apps on the market, or perform all the necessary functions, so having multiple tools in your toolbox is essential for mobile forensics investigations. The more tools you have at your disposal, the better chance you have of getting into the phones you will encounter and decoding the data retrieved. This applies not only to the tools designed to extract data from mobile devices, including the myriad of cables available for different devices, but also to the analytical tools used to make sense of the data retrieved.
As privacy may be a concern for the general public, some app developers go above and beyond in an attempt to thwart law enforcement. Criminals will use otherwise legitimate apps to hide their criminal activity. Anti-forensics techniques attempt to circumvent mobile forensic examiners through data hiding, data obfuscation, data forgery and secure wiping. As these products become more widely available and at a price point that makes them accessible to the average user, their use will in all probability dramatically increase.
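Renaming a file so its extension no longer matches its contents is one of the simplest data-hiding tricks covered by the paragraph above, and it is also one of the easiest for an examiner to catch: the first bytes of most file formats carry a signature that renaming does not change. The following added example (not MSAB’s code and not part of the original post) compares each file’s extension with its header signature over a constructed set of file headers; the magic numbers are the real ones for those formats, while the paths and contents are made up for the example.

```python
import os
from typing import Dict, List, Optional, Tuple

# Real file signatures (magic numbers) for a handful of formats commonly found on handsets.
SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "zip": (b"PK\x03\x04",),
    "pdf": (b"%PDF-",),
    "sqlite": (b"SQLite format 3\x00",),
}
# Extensions that legitimately name the same format.
EXTENSION_ALIASES = {"jpeg": "jpg", "db": "sqlite", "sqlite3": "sqlite", "apk": "zip", "docx": "zip"}


def sniff_type(head: bytes) -> Optional[str]:
    """Identify a format from the leading bytes, or None if no known signature matches."""
    for name, magics in SIGNATURES.items():
        if any(head.startswith(magic) for magic in magics):
            return name
    return None


def claimed_type(path: str) -> Optional[str]:
    """Normalise the extension to the format name it claims, or None if there is no extension."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return EXTENSION_ALIASES.get(ext, ext) or None


def find_mismatches(files: Dict[str, bytes]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (path, claimed, actual) for every file whose header contradicts its extension."""
    flagged = []
    for path, content in files.items():
        actual = sniff_type(content[:16])
        claimed = claimed_type(path)
        # Only flag when we positively recognise the header; unknown formats are not evidence of hiding.
        if actual is not None and claimed != actual:
            flagged.append((path, claimed, actual))
    return flagged


# Constructed sample file set (headers only, not real files).
SAMPLE_FILES: Dict[str, bytes] = {
    "DCIM/IMG_0001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "Download/notes.txt": b"PK\x03\x04" + b"\x00" * 12,   # zip archive renamed to look like text
    "Music/track01.mp3": b"SQLite format 3\x00",          # database renamed to look like audio
    "Documents/report.pdf": b"%PDF-1.7\n",
    "Download/app-release.apk": b"PK\x03\x04" + b"\x00" * 12,  # apk is a zip container: not a mismatch
}


if __name__ == "__main__":
    for path, claimed, actual in find_mismatches(SAMPLE_FILES):
        print(f"{path}: extension says {claimed!r}, header says {actual!r}")
```

A mismatch is a lead, not a conclusion: the flagged file still has to be opened with the tool for its real format and its contents examined in context, and the alias table should be extended for whatever container formats the examiner expects on a given platform.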
The cloud-based messaging app, Telegram, became so popular because it offers a ‘Secret Chat’ function, which is increasingly exploited by criminals. The Secret Chat uses end-to-end encryption, but unlike regular messages, secret chats are not cloud-based and can only be accessed on the devices used.
Telegram is not the first app to be put to nefarious use. XRY now supports decoding of Secret Chats and enables examiners to access messages in a secret chat from the original device.
If you have a general educational background in law enforcement or criminal justice but would like to learn more about mobile forensics, training is essential. MSAB offers a full range of training courses and different ways to learn.
James Eichbaum is MSAB’s Global Training Manager and an instructor as well. He is a former peace officer, having served a combined total of 16 years with the Modesto Police Department and Stanislaus County Sheriff’s Office in California. As a detective with both agencies, James was a digital forensics examiner assigned to the Sacramento Valley High Tech Crimes Task Force. James possesses a Bachelor’s Degree in Information Systems Security and an Associate’s Degree in Computer Science.