
Things You Should Know About Mobile Forensics

Mobile forensics is an ever-changing science that is becoming especially important in digital forensics court cases. Mobile forensics can help prove whether or not a person was in the area of a crime. Mobile devices store a growing amount of information about our daily lives and the actions we take day to day. In this article, we will discuss things you should know about mobile forensics.

A small smartphone often has a storage capacity of 32 to 64 GB. Printed out, that much data would fill as many as 16,750,000 pieces of paper. Over the years we have been using our phones for more and more things. Crimes like fraud and intellectual property theft often leave a trail of evidence on our digital devices, and especially on our mobile phones.

Even in divorce cases, where one spouse is trying to prove the other has been cheating, phones usually hold a tremendous amount of evidence that, if extracted carefully, can be used in court to prove one’s case.

What Kinds of Information Can Be Found on the Average Mobile Device?

Mobile forensics investigators can retrieve data that has been deleted from a device as well as find many types of evidence still present on the device itself. Most people have no idea how much data is left on their phones every day. For instance, investigators can:

  • See who has called the phone, whom the phone has called, and which calls were missed.
  • Get a list of contacts off the phone.
  • View text (SMS) messages and multimedia (MMS) messaging content.
  • See deleted texts and messages.
  • Access photos, videos, audio files, and sometimes even voicemail messages.
  • Find passwords, passcodes, PINs, swipe codes, and other information about various accounts.
  • Gather data from your various apps.
  • Look at internet browsing history.
  • Look at cookies collected on your phone.
  • Look at the content stored on your phone.
  • Check your calendar.
  • Look through the notes left on your phone.
  • Check for geolocation data such as your cell tower information and Wi-Fi connections.
  • Check your system files, usage logs, and other pertinent information.
  • If you use Microsoft Word or another word processor or spreadsheet program, access your documents and spreadsheets to look for evidence.
  • Review social media posts.

All of these will also be checked to see what you deleted from these sources or what you may have tried to hide.

Why Do Investigators Want These Types of Information from A Phone?

Let us look at some of the items listed above and how they may help prove a case.

GPS Data

GPS data allows investigators to know precisely where a device was, or at least to place it in a general area. This information can tell investigators whether the suspect was in the area of the crime during the time the crime was committed. Sometimes this will help eliminate a person; sometimes it supports the theory that they were there.

SMS Messages

For each message, the phone records the number it was sent to, and for a received message it records who it was from. This can lead to people of interest who may be able to give investigators more of the information they need. The phone will also record the time and the length of the message, which can help eliminate or support other evidence. Text messages are admissible as evidence in court.

Photos or Videos

Depending on the type of crime being investigated, photos and videos can be extremely important evidence. Crimes such as child pornography rely heavily on these types of evidence.

There are, of course, more types of evidence that can be found and presented in court besides these.

How Can Investigators Find These Types of Information?

Mobile forensics has grown in recent years to accommodate all the latest brands, models, and operating systems of mobile devices on the market. Investigators know how to extract the information without making it inadmissible in court. Software and other tools have been developed to help gather this information in the safest way possible, so as not to contaminate the evidence.

Sometimes investigators will do a phone dump, sometimes referred to as a hex dump. This is a method in which investigators physically dump or extract all the information on the phone at once, copying everything in one pass. Some tools used to perform this kind of dump include XACT, Pandora's Box, and the UFED Physical Analyzer. This is a non-invasive method of extraction that is inexpensive compared to some of the others. It does require someone with a technical education to analyze the information.

Another technique for extracting data from a digital device is called Chip-Off. In this instance, a copy of the flash memory is taken. This is a more advanced type of memory dump and must be done carefully to prevent corrupting the data. Some tools used for this are the iSeasons Phone Opening Tool, the FEITA Digital Inspection Station, and the Xytronic 9880 Solder Rework Station. This is an invasive method for extracting information. Investigators will use the Chip-Off method when other methods of extraction have already been tried, or if it is important to keep the device’s memory intact. It is recommended if the device is damaged and the only part left intact is the memory chip.
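Why a physical dump can still surface a deleted text that a file-level export no longer returns, as an added example that is not part of the original article: the SQLite message store, its schema and the three messages are constructed stand-ins (not any vendor's real database), the file's bytes stand in for the dump, and the SHA-256 at the end is the kind of acquisition hash an examiner records so the image can later be shown to be unaltered.

```python
import hashlib
import sqlite3
import tempfile

# Constructed sample data (not from any real device); the table is a simplified
# stand-in for a phone's SMS store, not a vendor's actual schema.
MESSAGES = [
    ("+15550100", 1700000000, "see you at the cafe at 9"),
    ("+15550199", 1700000300, "running late, make it 10"),
    ("+15550100", 1700000600, "deleting this thread now"),
]
DELETED_BODY = MESSAGES[2][2]

def build_sample_store(path):
    """Create the store, insert three messages, then delete the last one."""
    conn = sqlite3.connect(path)
    # Off by default in most SQLite builds; set explicitly so the demo is
    # deterministic. A deleted row's bytes then stay on the page until reused.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE sms (address TEXT, date INTEGER, body TEXT)")
    conn.executemany("INSERT INTO sms VALUES (?, ?, ?)", MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM sms WHERE body = ?", (DELETED_BODY,))
    conn.commit()
    conn.close()

def logical_messages(path):
    """What a file-level (logical) export returns: live rows only."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT body FROM sms ORDER BY date")]
    conn.close()
    return rows

def carve_body(image, needle):
    """Naive carving over the raw image: is the text still present anywhere?"""
    return needle.encode() in image

def demo():
    """Return (live rows, deleted text found in image?, image sha256)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = f"{tmp}/mmssms.db"
        build_sample_store(path)
        live = logical_messages(path)
        with open(path, "rb") as f:
            image = f.read()  # stands in for the physical dump of storage
    return live, carve_body(image, DELETED_BODY), hashlib.sha256(image).hexdigest()
```

The logical query returns only the two surviving rows, while the raw bytes still contain the deleted message; a wiped or overwritten page would not, which is why recovery is never guaranteed.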

The Mobile Forensics Process

For mobile forensics to be useful in court, a specific process must be followed to ensure that the evidence is preserved and processed carefully, so that it remains admissible in a court of law.

Seizure and Acquisition of Evidence

The first step is to obtain the device through a seizure. When seizing a device there are risks that must be taken into consideration. The first is that a lock may be activated, either by the user, a suspect, or a third party, to try to prevent the evidence from being extracted from the device. Another risk is that the device will connect to a network or cellular tower, which can alter the evidence unless this is prevented.

When seizing a device, it is advisable to isolate it from the network. Investigators will enable airplane mode and disable Wi-Fi and any hotspots to prevent this. They may also decide to clone the SIM card. Replicating the SIM card allows the replica to be used to extract data while leaving the original intact.

Most devices, once seized, are placed into a Faraday bag to help prevent them from connecting to cell towers. The Faraday bag is designed to isolate mobile devices from communicating with their network. It allows devices to be transported safely back to a lab, where investigators can begin extracting the evidence from the phone or other device. Some Faraday bags have a power source embedded in them to disconnect the device from its network and prevent it from connecting to any other network, preserving the evidence.

Examination and Analysis

With thousands of different models, systems, and brands on the market, investigators need to familiarize themselves with the one they are working on to make sure they choose the best tools, not only for extraction but also for analyzing the evidence.

There are several tools an investigator may choose from, depending on the device. Some well-known ones are AccessData, The Sleuth Kit, and EnCase. These software tools include analytical capabilities that are extremely valuable to investigators.

Once all the evidence is extracted it must be carefully analyzed. Then each piece of evidence must be carefully presented in an understandable and clear way for presentation in court.

To Conclude

In today’s world, with nearly everyone carrying a mobile device, mobile forensics is more important than ever before. Our daily lives are closely depicted on our mobile devices. Mobile devices contain so much information about our every move that it is no wonder investigators use them to look for evidence when trying to solve crimes and to find other useful information that can be used in courts of law or in cases of social injustice.
