The Need for Speed in Mobile Forensics

When Bryan Adams, the Canadian rock singer, wrote his mega-hit “Summer of 69,” he probably didn’t imagine that it would be used as an analogy in a mobile forensics blog some 31 years later. In this track, he looks back on his past life with fondness and celebrates the innocence of youth: in essence, a time when everything was much simpler and easier paced. That is how those of us in this arena think of the industry back in the early 2000s. Although, let’s be honest, Summer of 2003 really doesn’t have the same ring to it, does it?

In 2003, around the time MSAB was starting out in the mobile forensics industry, the Nokia 1100 was the handset of choice. It sold over 250 million units worldwide, making it the most successful mobile phone in history. But, as it was a phone of its time, storage was limited. In those handsets, SMS messages were stored on the SIM card. The phonebook (which was limited to 50 contacts) was stored on the handset, as were the call records, which were limited to 10 dialed, 10 received and 10 missed calls. That was it.

Needless to say, even mobile forensics tools in their infancy had no issues with extracting and decoding such small data sets. And by virtue of this, data extraction times were very short and never an issue.

Fast forward just over 10 years. In a very short space of time the basic mobile phone had been developed into a smartphone. This was now a device with gigabytes of storage available that could access the internet and download applications, which added a huge amount of functionality to the handset for the users to utilise. In real terms, this meant the ability to store hundreds of thousands of pieces of data.

Recovery of artifacts from these devices was becoming so critical to law enforcement agencies in the rapidly advancing digital world that James Comey, Director of the FBI at the time, said in 2016, “The cell phone is probably the single most important piece of evidence you will find at a crime scene today.”

And so to today, late 2019. The iPhone 11 has just been released with a maximum internal storage of 512GB. Six months ago, Samsung released its new flagship Galaxy S10 Plus with a maximum internal memory of 1TB plus the ability to supplement that with an SD card up to 512GB in size.

So, in order to extract the huge volumes of data held in the memory of mobile phones today, extraction speeds need to be faster than ever before. Having data extraction software for Android or a forensic analysis tool for iPhone is paramount. But it’s not just speed of extraction that law enforcement agencies require; it’s also recovery of as much of the data on the handset as possible. As time-consuming as it is, forensic investigators and forensic data analysts want as much information in front of them as possible when attempting to build their case.

As manufacturers and application developers appear to increase their security with every release, it is a never-ending challenge for those who provide mobile forensics solutions to keep gaining access to hardware and software, and to do so as quickly as possible.

A long-standing capability that helps investigators speed up the recovery of data is that XRY allows up to three simultaneous extractions. In addition to this, XRY also provides the option for investigators to ‘cherry pick’ potentially more relevant data categories via a triage profile rather than extracting everything. Using this method may also save time by allowing the data from the triage extraction to be analyzed whilst a full extraction is completed, should there be a requirement for one. At MSAB, we are committed to finding ways of speeding up the recovery of data from mobile devices and to finding intuitive solutions to help investigators recover the data they need to build successful cases, even as data volumes on mobile devices continue to grow.