The Case for Ye Olde Phones
“Were there any other phones?” I’m sure many of you have asked this question as you receive a single device in a case. Any computers? Other devices? In with the new and out with the old? Right?
Well maybe not. I recently replaced my daughter’s phone and she kept the old one because it was full of pictures. I understand that some people turn them in to get a rebate and others may sell theirs. Yet we shouldn’t forget that many people will hold on to their old devices.
Many of you were able to obtain lock codes or passwords from older devices that allowed you to unlock the person’s new device. XAMN now allows you to export the parsed data into a dictionary. This dictionary can be good for reviewing key terms or to provide a list to use for a brute force attack, such as with an encrypted iTunes backup.
In my forensic data training classes, when I go over the XRY Security Code option for a device, I ask why would we want to know the security code of an unlocked older device. A common reply is: ‘in case the phone locks in the process.’ True.
However, another answer is that as people tend to use the same passwords, knowing the old one can help us get into other things. Not just the devices, but how about the wall safe or the storage locker padlock? Remember this code is personal to the user. Shouldn’t we obtain it if possible? So, if you see that Security Code is an option for a device with XRY, consider obtaining it.
Another thing personal to a user is his or her contacts. That’s right – the address book. A case in point: Two suspects, both denied knowing the other. In reviewing the new device’s address book there was no mention of the other suspect. However, the investigator had seized the older devices. And there, on an old device’s address book, was the other suspect’s details.
Remember, a person involved in criminal activity has more than likely previously engaged in similar activities. You will probably find evidence of this on the other devices. So, in this world of smartphones, don’t forget that the old phone or devices may have the data you are looking for. This could be media files, messages, or something as simple as the address book located on the device or SIM card.
You could break the case using the old phones and devices.
So, shouldn’t your forensic tools be able to handle these older devices and not just the Apple and Android operating systems?