A mobile phone is the most popular communication device and also some of the most difficult to be able to retrieve and extract evidence from.
Though many forensics tools are available that have made data extraction, decoding and analysing the data easier, the Apple iOS, Google Android and Blackberry operating systems still pose significant challenges.
This article looks at what those challenges are for mobile phone forensics and the best way to currently deal with them.
1. A Mobile Phone is not just a Mobile Phone.
Manufacturers and operating systems vary widely, particularly with Android, but also within Apple iOS and Blackberry, there are more than 40 different versions of Apple iOS for example spread over 6 iPhones, 5 iPads, 5 iPod Touch devices.
2012 saw Google Android reported to hold nearly 75% of market share compared to less than 20% for Apple iOS devices and less than 10% for Blackberry.
The Google Android operating system is based on a Linux kernel that is able to run Java apps and each Google Android device family has a different operating system and architecture, requiring a different dedicated solution to allow for the extraction of data.
Furthermore, Alcatel, Huawei, and Motorola have started using non-standard Chinese chipsets, like MTK within their devices.
Differently to iPhone users, its unusual for Google Android users to upgrade their operating systems, for example version 2.3 ‘Gingerbread’ remains the most popular version being installed on nearly half of the devices currently used, whereas the current version 4.1 ‘jellybean’ is only used on around 10% of devices and Google Android 4.0, ‘Ice Cream Sandwich’ is currently installed on around 30% of Google Android devices.
It is also not possible to upgrade to the latest version from all previous versions.
2. Passwords and Encryption – User Data Protection
The data stored on a mobile phone can differ in architecture depending on make, model, operating system and version of operating system present, they can also be passcode and password protected and encrypted.
It is easier to extract data using mobile phone forensics when the phone does not not require a passcode, however, even that can depend upon the operating system present.
An Apple iOS operating system can require either a simple or a complex passcode, it is possible to identify a simple passcode from an Apple iPhone device up until version 4, however, subsequent models have seen improved security measures by Apple and, from iPhone 4S onwards, passcode extraction is not possible.
With complex passcodes more effort is required as this type of passcode must be manually entered and cannot be bypassed, therefore, it should be obtained from a suspect through interview of the suspect or close contacts. Some data can be extracted and decrypted without the passcode, but not protected files.
Another important element of Apple iOS password protection is the Keychain. The Keychain is a vault that stores passwords, social media accounts, WiFi connections and is encrypted and protected, however, it should be possible for a mobile phone forensic tool to decrypt and extract the data from the keychain and provide the investigator access to additional data.
Google Android devices can also be user locked, however, rather than a passcode the often use a pattern lock that is typically not complex and rooting the device cannot be done if it is locked unless debug mode is used and this can take considerable expertise on an investigators part.
Being able to bypass the pattern lock altogether is preferable and a file system or physical extraction of the mobile phone, once decoded, will provide the correct pattern used to gain access to the device. Alternatively, if it is not possible to decode the mobile phone through the extraction tool then it may be possible to carve the PIN.
If a physical extraction is possible then a file system extraction using the pattern lock and ADB mode may be possible, however, this may not be possible as chipsets can vary which affects whether the forensic tool is able to retrieve and reconstruct the file system.
When the passcode or pattern lock cannot be navigated around it can be possible to revealed the lock code, turn on ADB debugging and then complete a file system extraction which effectively removes the need to reconstruct the file system from a physical extraction.
A Blackberry mobile phone requires a code to lock the device and then encrypt the content. The user cannot encrypt the content of the device without first locking it.
Whilst it can be possible to extract some unencrypted data from prior to the device being locked, it is normally not possible to decrypt a Blackberry device without using the password and encryption key.
It may be possible to resent the encryption key through the Blackberry Enterprise Server if the mobile phone is part of an employer’s IT network. Whilst the device would still be encrypted it would be using a generic key and on devices running OS 4 to 6 it could then be possible to decrypt that content on the fly and show the data in a readable and accessible format.
3. Burner Mobile Phones
Prepaid mobile phones continue to cause problems for law enforcement and the disabled data port contained on the cannot be enabled and manufacturers do not make the APIs available to the developers of forensic tool developers.
A file system extraction has the benefit of making more data, including some deleted data, available quickly, however, it does not include unallocated data and is therefore limited. It can also involve a higher level of expertise due to the need for decoding data.
A physical extraction is a bit-for-bit copy of the mobile phone’s flash memory and provides the most complete forensic copy of the content of a mobile phone memory as it contains both allocated and unallocated space.
However, due to the amount of data involved, it can be time consuming and also requires decoding and can require the investigator to have a greater level of knowledge and expertise.
4. Different Apps Require Different Approaches
Different mobile phone operating systems contain different Apps and different mobile phones and service providers can also require applications to be bespoke to their particular format or structure.
An application can range from car navigation with traffic warnings, to social networking chat applications to video, TV and gaming apps.
Support for mobile applications within forensic tools have only been around since around 2011, however, they cover the most popular. iOS apps are sandboxed and therefore the data relating to an app will be in the folder relating to it, whereas with Android the app data can be located within different folders and directories, making it easier to retrieve at least some data if a logical or file system extraction can be completed.
In order to be able to examine app data via a physical extraction means that the data relating to it needs to be decoded and to do so the forensic tool needs to be able to reconstruct the file system. Once this has occurred then locations, Bluetooth connections, Internet activity et can be reviewed and considered.
The majority of applications hold data within SQLite databases and these can provide access to deleted entries as well as the ability to view tables and search the data present.
5. Obtaining Accurate and Reliable Data in a Forensic Manner
The most forensically sound method of conducting a physical extraction of data from a mobile phone is considered to be via a boot loader which, whilst they do involve loading a piece of code onto the device it happens before the forensic tool accesses any evidentiary data and replace the normal boot loader within the first set of operations that start the phones bootup process. This form of extraction also enables the data as read only.
A boot loader is also generic and applicable to entire device families rather than to specific models and allow for the reading and extraction of unallocated areas of the mobile phone.
However, in some devices it is not possible to use a boot loader and, therefore, it may be necessary to temporarily root the device to perform a physical extraction, this does not permanently change the administrative permissions or any other data on the mobile phone, however, it does provide access to the operating system so that the investigator can enable ADB debugging and then image the handsets Flash memory so that a full physical extraction can take place. Once this process has been completed, the device can be restarted and the device no longer rooted.
The rooting of the handset is not as forensically sound as using a boot loader as it loads the devices operating system and this is likely to be recorded within the device. Therefore, this procedure requires greater care to avoid any further and unnecessary alteration of data.
6. Forensic Tools Play Catch up To Mobile Phone Systems
When a mobile phone is locked and is not supported by forensic tools then it is possible to use alternative methods, such as a flasher box, JTAG or a chip off extraction.
These alternatives may allow a physical extraction to take place even though access to the device is not possible. However, even these techniques can be flawed, for example, an iPhone that is locked with a complex passcode will contain data that is encrypted and still cannot be read.
The JTAG and flasher box processes are device specific and require training as they can be destructive and may not be forensically sound as they may alter data in the way that they were designed to do.
The chip-off process is always invasive and destructive as it involves the removal of the memory chip from the main board of the device in order for it to be connected to an external reader.
Until recently, Blackberry devices contained data that was proprietary and no commercial tools could decrypt it, however, development in this area has allowed some vendors to provide decoding support for this type of extraction on Blackberry mobile phones.
Mobile Phone forensics is the result of research by many professionals ranging from reverse engineering the phones hardware, firmware to exploit vulnerabilities within the device’s operating system, firmware or encryption.
As mobile phones continue to develop and evolve, the forensic processes required to access the data contained on them will also change. Data carving and programming that can be added to commercial forensic software and other techniques such as JTAG, chip off and flasher box techniques will always be required to retrieve as much data from devices that are designed to be secure.
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0845 882 7386 or via email on email@example.com, further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.