Today's smartphones can perform functions that were possible only with a computer just a few years ago. In fact, the tables have turned. Many applications are only supported on phones, with developers choosing to ignore cross-platform development for computers entirely. While you may use your computer at work and at other intermittent times throughout the day, you don't have the constant access to it that you have to the phone in your pocket.
Cell phones are used for everything from making calls and sending texts to transferring money and storing confidential documents. Cell phones store millions of data records in the form of emails, messages, pictures, location data, financial information, and thousands of other data types. Much of this data can be recovered even if it has been deleted.
Mobile Device Forensics
Our experts are certified and highly experienced in mobile device forensics. Coupled with access to state-of-the-art forensic hardware and software, our team possesses the technology and expertise to provide comprehensive consultation and analysis to help you achieve the best possible outcome in your case.
Our cell phone forensics experts can recover, analyze and report on the following common data types, among thousands of others:
- Text messaging
- Social media
- Location history
- Internet activity
- Search activity
- Email communication
- Photos and videos
- Voice calls
- Application data
- Biometric data
- Financial data
Cell Phone Forensics Experts
Our cell phone forensics experts include, but are not limited to:
- XRY Certified Examiners [XRY]
- Cellebrite Certified Operators [CCO]
- Cellebrite Certified Physical Analysts [CCPA]
- Cellebrite Advanced Smartphone Analysis [CASA]
- Cellebrite Certified Mobile Examiners [CCME]
The Mobile Device Forensic Examination Process
Digital evidence is fragile and volatile. Improper handling of a mobile phone can alter or destroy the evidence contained on the device. Further, if the mobile phone is not handled following digital forensics best practices, it can be impossible to determine what data was changed and whether those changes were intentional or unintentional. To protect the evidence and prevent spoliation, mobile devices need to be analyzed by a trained examiner using mobile device forensic tools.
The initial handling of digital evidence can be divided into four phases: identification, collection, acquisition, and preservation.
Identification
The identification phase's purpose and scope are to identify the digital evidence relevant to the case. It is possible that this evidence will span multiple devices, systems, servers, and cloud accounts. With a mobile phone, the data is not isolated only to the device. The data contained in the device can be synced to cloud storage or another mobile device or backed up onto a computer.
Identification also requires comprehensive documentation. Documentation is critical throughout the entire investigative process, but especially in the beginning, as any mistakes can taint the evidence. The acquisition phase gives us a perfect snapshot in time [forensic copy] of how the data exists. Since identification is the first step and comes before acquisition, mistakes made here are carried through the rest of the process.
Collection
The collection phase involves gathering physical devices, such as the smartphone and other mobile devices. Since digital evidence can span multiple devices, systems, and servers, collecting it can become more complicated than securing more traditional forensic evidence. There are vital functions that should be performed to protect the evidence.
Isolating Device Users
The primary goal of the collection process, other than ensuring all relevant electronic items are collected, is to protect digital evidence from contamination. One way this is done is by isolating the devices from their respective users until a forensic acquisition of the mobile device can be performed. While in their custody, the user could delete, create, or change data before the forensic acquisition [the perfect snapshot in time of the mobile phone data] is performed. They could also factory reset or wipe the device, permanently destroying some data or potentially everything on the mobile phone.
Isolating Devices
Along with isolating the mobile phone from the user, we also need to isolate the device itself. By design, mobile phones are intended for communication, and they are continually sending and receiving data even when they are on the bedside table charging overnight. If data transmission occurs, even with no person physically touching the phone, data can be lost, changed, or destroyed.
Isolation of the device itself is achieved by eliminating all forms of data transmission, including the cellular network, Bluetooth, wireless networks, and infrared connections. By isolating the phone from all networks, the mobile phone is prevented from receiving any new data that would cause other data to be deleted or overwritten.
Acquisition
The acquisition process is where a digital forensic examiner acquires, or forensically copies, the data from a mobile device using a variety of methods.
Logical Extraction
A logical extraction of data from a mobile phone collects the files and folders contained on the device without any unallocated space. While what is commonly called "deleted space" is not recovered, deleted data on a mobile phone can be recovered using forensic tools and methods via a logical extraction. This data comes in the form of various database files, especially SQLite. Typically, data collected via a logical extraction includes messaging, pictures, video, audio, contacts, application data, some location data, internet history, search history, social media, and more.
File System Extraction
A file system extraction is an extension of a logical extraction. It collects much of the same data as a logical extraction along with additional file system data. During a file system extraction, the forensic tool accesses the internal memory of the mobile phone, which means that the forensic software can collect system files, logs, and database files from the device that a logical acquisition cannot.
Most applications store their data in database files on a mobile phone. Since a file system extraction recovers more of these database files, more deleted data, such as database files and data related to application usage on the device, can be recovered.
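The passages above on logical and file system extraction both point to SQLite database files as a source of deleted data. The following added example (not code from this page or from any forensic tool it names) shows why: it builds a constructed message database, deletes every row, then reads the SQLite file header to show that the freed pages and their contents are still in the file. The table name, marker text, and the assumption that `secure_delete` and `auto_vacuum` are off are all illustrative.

```python
import os
import sqlite3
import struct
import tempfile

MARKER = b"constructed-msg-"  # constructed sample text, not real evidence


def build_sample_db(path, rows=200):
    """Create a constructed message store, then delete every row."""
    con = sqlite3.connect(path)
    # Assumptions: the app left secure_delete and auto_vacuum switched off.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("PRAGMA auto_vacuum = NONE")
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany(
        "INSERT INTO messages (body) VALUES (?)",
        [(MARKER.decode() + f"{i:04d} " + "x" * 80,) for i in range(rows)],
    )
    con.commit()
    con.execute("DELETE FROM messages")
    con.commit()
    con.close()


def inspect_deleted_space(path):
    """Parse the SQLite file header and count residual marker strings."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", raw[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    # Header offset 32: first freelist trunk page; offset 36: freelist page count.
    first_trunk, freelist_pages = struct.unpack(">II", raw[32:40])
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only open
    live_rows = con.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
    con.close()
    return {"page_size": page_size, "first_trunk": first_trunk,
            "freelist_pages": freelist_pages, "live_rows": live_rows,
            "residual_markers": raw.count(MARKER)}


def demo_deleted_rows():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.db")
        build_sample_db(path)
        return inspect_deleted_space(path)
```

A query against the table returns zero rows, while the raw file still holds the message text on freelist pages; a database that runs with `secure_delete` on, or that has been vacuumed, would not retain it this way.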
Physical Extraction
The physical extraction of a mobile phone captures the entirety of the device's data, including all files, user content, deleted data, and unallocated space. While this extraction method is the most extensive, it is also the least supported. Like the forensic imaging of a computer hard drive, a physical extraction creates a bit-by-bit copy of the mobile phone's entire contents.
With a bit-by-bit copy, the logical and file system data are recovered, as well as unallocated space. This extraction method allows for the recovery of deleted data that would otherwise be inaccessible to a forensic examiner, including location information, email, messages, videos, photos, audio, applications, and almost any other data contained on a mobile phone.
Backup Files
When you connect your mobile phone to a computer to make a backup of your device, it creates a file. This file can be ingested into cell phone forensics software and analyzed just like a forensic extraction of a mobile phone. Even if someone deleted the mobile phone data or the phone is missing, hope is not lost. The backup file can still contain the evidence you need in the case.
Cloud Data
Mobile phone forensic companies have developed tools that allow for accessing and acquiring data in the cloud. Cellebrite, the leading mobile phone forensic tool provider, can collect cloud data from cloud backups and the actual cloud-based applications themselves. While a forensic image of a mobile phone is a potential gold mine of evidence, the ability to use the mobile phone information to find even more evidence in the cloud is a significant force multiplier.
Preservation
The integrity of the mobile phone and of the data on it needs to be established to ensure that evidence is admissible in court.
Chain of Custody
Evidence preservation aims to protect digital evidence from modification. This protection begins by ensuring that first responders, investigators, crime scene technicians, digital forensic experts, or anyone else who touches the device handles it properly. A chain of custody must be maintained throughout the entire life cycle of a case.
Mathematical Hashing Algorithm
The forensic data collection process from the mobile device is better called a "forensics extraction," as data is extracted from the device instead of a perfect bit-for-bit copy of the evidence item. With the mobile phone powered on, the forensic software cannot access some areas of data. However, data that is inaccessible because the mobile device is powered on is usually of little to no evidentiary value. Following the forensic copying comes the hashing process. A mathematical algorithm is run against the copied data, producing a unique hash value. This hash value can be thought of as a digital fingerprint, uniquely identifying the copied evidence exactly as it exists at that point in time.
Reporting
If requested by the client, a report will be prepared of the data contained on the mobile device. Sometimes, it makes the most sense for our examiners to export all of the data from a cell phone for counsel's review. We format this export in such a way that makes it as accessible as possible, with the ability to search and filter the data.
Sometimes, when timelines, data types, or types of particular forensic artefacts need to be explained in order to tell the story of what happened in a case, a more in-depth report is needed.
Expert Testimony
Expert testimony is the culmination of everything that goes into a mobile device forensic examination. Selecting the expert with the appropriate technical expertise and experience is vital. It is also important that the expert is able to explain technical concepts, forensic procedures, and digital artefacts in plain language, as the use of jargon and acronyms can be detrimental to the triers of fact. Ultimately, if an expert has an airtight analysis but cannot communicate it effectively to a judge and jury, their words are meaningless. When selecting an expert, choose the one you can have a conversation with. If that expert cannot explain technical details to you in an accessible way, they likely don't understand what they are talking about themselves.