MOBILE FORENSICS

Mobile devices contain our lives, and according to the Pew Research Center, approximately 96% of adults in the United States own cellphones.* Most people know the usual types of content you can get from mobile devices, such as call history, chat communications, photos, web history, etc. But there is additional, fascinating data that may also be available: heart rate, steps and stairs taken, frequent locations, the date and time a device is locked, unlocked, plugged in or unplugged, location data recorded in apps, audio recordings from personal assistants (Alexa, Siri) and much more, all of which can play an important role in a case. Most of this data is stored in certain types of database files. These files, however, may be unreadable or even inaccessible if the examiner is not able to extract them from the device.

The challenges to obtaining mobile device content are well-documented in the news headlines. It seems we regularly hear about one law enforcement agency or another imploring mobile device manufacturers like Apple to find a way into a defendant’s locked phone. There is almost no technology that evolves and improves as rapidly as mobile device technology. The manufacturers are intent on providing their customers with the most secure devices possible. Even when the device is unlocked, the manufacturers and software developers still have methods for preventing the content from being extracted from the phone. Fortunately – at least for forensics professionals – there are equally passionate and talented people who work on finding ways into these secured devices. This is where skilled digital forensic practitioners show their value, knowing how to obtain the data and analyze it, in spite of the challenges put forth by device manufacturers and software developers.

Our first few years in digital forensics were devoted almost exclusively to learning how to extract and analyze the contents from mobile devices. We have stayed up-to-date with each new evolution of mobile device security, and we train and learn continuously about the latest forensic advancements. We employ multiple cutting-edge solutions to assist us with obtaining that mobile data. If you ask our colleagues in law enforcement and civilian sectors, they will likely concur: our expertise in mobile forensics is among the best in the area.

CHIP-OFF AND ISP (and JTAG TOO!)

If the traditional forensic methods for acquiring mobile device content are not successful, we offer several advanced services: chip-off, ISP (In-System Programming) and JTAG (Joint Test Action Group). They are typically used when the forensic applications do not support the device, extract only part of the phone content needed, or when the device is locked or not functioning for one reason or another, such as water damage, broken pieces, and so on. Each method is unique in how it is used.

During the chip-off process, the memory chip containing the contents of the phone – the phone calls, text messages, photos, etc. – is physically removed from the rest of the phone. The chip, which is typically the size of a square dime (if such a thing exists), is then put into another piece of hardware that can read the contents from it. The benefit is that we can read the chip’s memory without needing the phone or having to deal with any other hardware restrictions put in place by the phone manufacturer. Since the phone is often destroyed during the chip-off process, we do this only if we have no other options.

The ISP (In-System Programming) process is a non-destructive method for obtaining phone content. ISP essentially involves opening the mobile device, soldering thin wires to specific points on the device’s “motherboard,” and then using a hardware appliance to connect a computer to the phone to read and copy the device contents to the computer. The process is more time-consuming and complex than chip-off, but it is more widely supported.

A third method available to our clients is JTAG (Joint Test Action Group). This process is similar to ISP in that it involves soldering to the device and reading the device contents using a hardware appliance. It is much less common today due to changes in phone hardware, but it may be an option for older phones or other types of devices.

Hardware and software encryption have impacted the usefulness of these advanced methods, but they remain viable options in many situations.

There is a tremendous amount of content available from mobile devices. Are you getting all that content for your cases?

If you have any questions about mobile forensics, please contact us. We’d be happy to help you decide if any of these services can help you.

*https://www.pewresearch.org/internet/fact-sheet/mobile/
