

© Association of Workplace Investigators, Inc. AWI JOURNAL | JANUARY 4/1 | 2013 9

Mobile Phone Forensics

By Steve Robles

Introduction

The first mobile phone I ever owned was about the size of a dollar bill and was as thick as a VHS tape. The display was barely large enough to read the pixelated letters and numbers. It had no camera, an antenna that you had to manually extend to make a call, only one ringtone, and no text messaging. Compare this to a modern-day mobile phone. It is amazing how far mobile phones have come in the past decade. With this in mind, would you say that your current mobile phone is more capable or less capable than your personal computer? While mobile phones are more convenient since they will fit into a pocket, it would be inaccurate to say that mobile phones are less capable given the fact that a mobile phone can control a computer remotely.

Mobile phones and computers have largely replaced snail mail and telephones as our primary forms of communication. As of the date of this publication, over 320 million mobile phones are utilized in the United States, yet the population is only around 314 million. This means that there are more mobile phones in the United States than there are people. This is easier to process when one considers how many people have a mobile phone for business and another mobile phone for personal use, but regardless of this fact, it is safe to say that for every workplace investigation, at least one mobile phone may contain information pertinent to the case.

Preserve and extract the data

The decision to retain an expert in mobile phone forensics could be one of the most important decisions made in an investigation. Modern mobile phones can contain gigabytes upon gigabytes of data, and as with all evidence, this data must be preserved in a manner that ensures the integrity of the information. Once the evidence has been preserved, it is necessary to perform an extraction of the device's data, which would include any attached SD (secure digital)1 card or SIM (subscriber identity module)2 card, if applicable. Next, a forensic analysis of the system files and user files would be necessary to locate and identify items pertinent to the investigation. The number of system files and user files available for analysis can depend greatly on the type of extraction performed. However, this is not a cookie-cutter formula that can be applied across all investigations to all mobile phones.

1 A secure digital (SD) card is a form of flash memory storage used to make storage portable across a variety of electronic devices.
2 A subscriber identity module (SIM) card is a smart card that stores data such as user identity, location, phone number, network authorization data, personal security keys, contact lists, and stored text messages for global system for mobile communications (GSM) cellular telephone subscribers.

Volume 4 | Number 1 | January 2013

Preserving the data

Preserving mobile data can be particularly tricky because mobile phones are designed to continuously attempt to communicate with their cellular network. If such communications to the network are established, then potential evidence residing on the device could be lost and/or modified (for example, an incoming call or message can overwrite older call-log or message entries), which may negatively impact the investigation. Another reason an investigator would want to prevent mobile phones from accessing cellular and wireless networks prior to forensic analysis is that many mobile phones can be remotely accessed and could thus be wiped by the owner prior to examination of the device. To prevent the device from reaching the network, one could place it into airplane mode or utilize a Faraday solution (an enclosure that blocks radio signals). Airplane mode is only a stopgap: it depends on the handset's own software, may leave Wi-Fi or Bluetooth enabled, and cannot be reached at all on a locked device. While it is not uncommon for a Faraday solution to cost tens to thousands of dollars, a forensic expert (or even the investigator) can create one for the price of a roll of heavy-duty aluminum foil by tightly wrapping the device in at least eight layers, ensuring that there are no open pockets or tears in the foil; test the shielding by attempting to call the wrapped handset. Remember that a shielded phone keeps searching for a network at full transmit power and drains its battery quickly, so plan to keep it charged. Turning off the device or removing the battery also isolates it; however, powering off the device could prevent future access to the mobile phone if it requires authentication to access (pattern lock, PIN code, decryption credentials, etc.).

Extracting the data

Once the mobile phone has been isolated from the network, the next step is to extract the data. A forensic image of any SD and/or SIM cards inside the phone (if applicable) should also be collected at this time. Numerous methods and tools are available to extract data from mobile phones, and each has its strengths and weaknesses. For instance, a manual examination, video-recording or photographing the screen while paging through the handset, captures whatever is immediately visible on the mobile phone; however, this type of analysis will not include items that may have been deleted, and it can be very time consuming.

Another method to extract and process the data is by using specialized software. However, the necessary software may not be readily available to an investigator, especially one out in the field. Hardware solutions can also be used to extract data from mobile phones. These solutions usually include everything one needs to perform mobile phone extractions, including dozens of specialized phone cables. However, if the mobile phone is a newer model, an older model, a foreign model, or just a very uncommon model, then the expert may need to contact the manufacturer to obtain a cable compatible with the product. Hardware solutions can be very expensive. The best approach (in this author's experience) is to use multiple tools to perform the extraction. This could prove to be extremely expensive considering the number of solutions available, which could be another reason why it would be more cost efficient to hire an expert. The fact is that there is no one-tool-fits-all solution, so the more tools and methods you or the forensic expert employ, the more likely the desired material is retrievable. Remember, regardless of the tool or method chosen, the extraction should be completed in a forensically sound manner, meaning the integrity of the evidence must be preserved and the results must be repeatable: each output (handset image, SD card image, SIM dump) is hashed at acquisition and the hash is recorded so that anyone re-examining the evidence later can show it has not changed.
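The integrity and repeatability requirement above is met in practice by hashing every extraction output at acquisition time and re-hashing before analysis or testimony. The following Python script is an added example, not code from the article or from any forensic vendor's tool; it constructs three stand-in output files in a temporary directory (the file names, examiner and tool strings are placeholders), writes a hash manifest, then alters one byte of one file to show the verification step catching the change.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so multi-gigabyte images fit in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(paths, manifest_path, examiner, tool):
    """Record each artifact's size and SHA-256, plus who produced it and with
    what tool, so a later examiner can repeat exactly the same check."""
    manifest = {
        "examiner": examiner,
        "tool": tool,
        "hashed_at": datetime.now(timezone.utc).isoformat(),
        "artifacts": [
            {"name": os.path.basename(p),
             "bytes": os.path.getsize(p),
             "sha256": sha256_file(p)}
            for p in paths
        ],
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(manifest_path, directory):
    """Re-hash every artifact listed in the manifest; return {name: True/False}."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    results = {}
    for art in manifest["artifacts"]:
        path = os.path.join(directory, art["name"])
        if not os.path.exists(path):
            results[art["name"]] = False        # missing is a failure, not a skip
            continue
        results[art["name"]] = (os.path.getsize(path) == art["bytes"]
                                and sha256_file(path) == art["sha256"])
    return results


def demo(workdir=None):
    """Constructed scenario: three extraction outputs, one altered after acquisition.
    Returns the verification results before and after the alteration."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    outputs = {                                   # constructed stand-ins, not real images
        "handset_physical.bin": os.urandom(4096),
        "sdcard.dd": os.urandom(2048),
        "sim.xml": b"<sim><note>constructed sample</note></sim>",
    }
    paths = []
    for name, data in outputs.items():
        p = os.path.join(workdir, name)
        with open(p, "wb") as f:
            f.write(data)
        paths.append(p)
    manifest = os.path.join(workdir, "manifest.json")
    write_manifest(paths, manifest, examiner="examiner placeholder", tool="tool placeholder")
    before = verify_manifest(manifest, workdir)   # every artifact verifies
    # Flip a single bit in the SD card image, as accidental (or deliberate)
    # modification after acquisition would.
    with open(os.path.join(workdir, "sdcard.dd"), "r+b") as f:
        f.seek(100)
        original = f.read(1)
        f.seek(100)
        f.write(bytes([original[0] ^ 0x01]))
    after = verify_manifest(manifest, workdir)    # sdcard.dd now fails
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("after acquisition:", before)
    print("after one-bit change:", after)
```

The size check is deliberate: it is cheap and catches truncation before the full hash is computed. A real manifest would also be hashed and signed or stored separately from the images, since a manifest kept beside the evidence can be altered along with it.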

Similar to computers, the information available after an extraction generally falls into system files and user files. System files are needed by the mobile phone's operating system and installed applications in order to function. System files can also store network-type information, such as recent Wi-Fi connections, cell tower information, GPS data, and carrier information, all of which could be relevant in some investigations. Generally, users of the device create the user files, which can include pictures, videos, songs, recordings, emails, notes, appointments, documents, and the like. Both system files and user files can greatly contribute to the outcome of an investigation.

Deleted information can usually be recovered from a mobile phone extraction if the appropriate type of extraction is performed and the device's operating system allows it. Two types of extraction processes exist: logical and physical. A logical extraction obtains what is resident within the phone's file structure and is usually visible to the user from the device. A physical extraction copies the same information as a logical extraction, as well as the rest of the phone storage, including unallocated space. In logical extractions of mobile phones, it is not possible to recover deleted material because the extraction does not include the free (unallocated) space on the device. If deleted material is recovered from a logical extraction, it is often because the deleted file was located in a recycle-bin-type location on the mobile phone. Because a physical extraction of a mobile phone will include the unallocated space of a device, the examiner may be able to recover deleted items; which is why, in this author's opinion, it is almost always better to perform a physical extraction rather than a logical extraction of a mobile phone. Two caveats apply: on a device whose storage is encrypted, a physical extraction without the decryption credentials yields only ciphertext; and flash storage management (wear leveling and garbage collection) can erase unallocated blocks on its own between deletion and acquisition, so deleted material is not guaranteed to survive even in a physical image.
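To make the logical/physical distinction concrete, here is an added Python example; it is not from the article and the storage layout is a constructed toy, not any real handset's format. It builds a small image with an allocation table followed by a data area, deletes one message by clearing its table slot (the bytes stay behind in unallocated space), and then contrasts a logical extraction (follow the table) with a physical carve (scan every byte for the record signature). A final function models flash garbage collection zeroing the unallocated bytes, after which carving finds no more than the logical view did. The phone numbers and message texts are constructed sample data.

```python
import struct

# Constructed toy layout: a fixed-size allocation table, then records back to back.
MAGIC = b"MSG1"                    # signature marking the start of one message record
ENTRY = struct.Struct("<HHB")      # table entry: data offset, length, in-use flag
TABLE_SLOTS = 8
DATA_START = ENTRY.size * TABLE_SLOTS

# Constructed sample messages: (sender, text, still allocated?)
SAMPLE_RECORDS = [
    ("+15550100001", "Meet at 9, bring the files", True),
    ("+15550100002", "Shred the February invoices", False),   # user deleted this one
    ("+15550100003", "Lunch?", True),
]


def encode_record(sender, text):
    """Serialize one record: MAGIC, 16-byte NUL-padded sender, NUL-terminated text."""
    return MAGIC + sender.encode().ljust(16, b"\x00") + text.encode() + b"\x00"


def decode_record(blob):
    sender = blob[4:20].rstrip(b"\x00").decode()
    text = blob[20:].split(b"\x00", 1)[0].decode()
    return sender, text


def build_image(records, size=4096):
    """Lay records out after the table. A deleted record keeps its bytes in the
    data area, but its table slot stays empty, so the file system (and hence a
    logical extraction) no longer references it."""
    img = bytearray(size)
    cursor = DATA_START
    for slot, (sender, text, live) in enumerate(records):
        blob = encode_record(sender, text)
        img[cursor:cursor + len(blob)] = blob
        if live:
            ENTRY.pack_into(img, slot * ENTRY.size, cursor, len(blob), 1)
        cursor += len(blob)
    return bytes(img)


def logical_extraction(img):
    """What the phone's own file system reports: follow the allocation table only."""
    found = []
    for slot in range(TABLE_SLOTS):
        off, length, in_use = ENTRY.unpack_from(img, slot * ENTRY.size)
        if in_use:
            found.append(decode_record(img[off:off + length]))
    return found


def physical_carve(img):
    """Scan the whole image, allocated or not, for record signatures (file carving)."""
    found, pos = [], 0
    while True:
        pos = img.find(MAGIC, pos)
        if pos == -1:
            return found
        end = img.find(b"\x00", pos + 20)      # the text field starts at byte 20
        found.append(decode_record(img[pos:end + 1]))
        pos = end + 1


def wipe_unallocated(img):
    """Model what flash garbage collection or TRIM can do between deletion and
    acquisition: zero every byte the table does not reference."""
    keep = bytearray(len(img))
    keep[:DATA_START] = b"\x01" * DATA_START
    for slot in range(TABLE_SLOTS):
        off, length, in_use = ENTRY.unpack_from(img, slot * ENTRY.size)
        if in_use:
            keep[off:off + length] = b"\x01" * length
    return bytes(b if k else 0 for b, k in zip(img, keep))


if __name__ == "__main__":
    image = build_image(SAMPLE_RECORDS)
    print("logical :", logical_extraction(image))          # two live messages
    print("physical:", physical_carve(image))              # all three, deleted one included
    print("after GC:", physical_carve(wipe_unallocated(image)))  # back to two
```

Real carving works the same way against real signatures (SQLite page headers, JPEG markers, and so on) but must also cope with fragmentation and partial overwrites; this toy keeps each record contiguous so the contrast between the two extraction types stays visible.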

Conclusion

An expert in forensic analysis of mobile phones will greatly increase efficiency as well as the likelihood of desired information being recovered from a mobile phone. As in any investigation, the preservation of evidence should be paramount. Mobile phones are constantly attempting to establish communication links, so it is necessary to prevent those communications from occurring by isolating the mobile phone from the network. When it comes to extracting mobile phone data, no one-tool-fits-all solution exists, so it is best to perform multiple extractions using a variety of tools and methods. After extracting data from a mobile phone, the system files and user files can contain a wealth of information potentially pertinent to the investigation.

When inquiring about deleted data, it is imperative that a physical extraction be performed to capture deleted items. The world of mobile phone and computer forensics is constantly changing, and these changes bring more challenges. However, with the right tools, knowledge, expertise, and experience, a mobile phone and computer forensics expert can overcome such challenges and provide a service that will save investigators both time and money.

Steve Robles is a computer forensics examiner at Califorensics, a litigation support and investigative services firm in Roseville, CA. Mr. Robles served six years in the United States Air Force, then graduated with honors from Champlain College with a Bachelor of Science degree in Computer Forensics and Digital Investigations. He holds certifications in both computer forensics and forensics involving mobile devices. He can be reached at [email protected].