Uncovering digital nuggets from mobile devices

Lee Reiber, Access Data

12-Feb-2015 Forensic investigation of mobile devices

Read Part 1 here

Mobile devices hold the same type of information as a computer… plus applications. How does a forensic investigator handle all of these 2 million+ apps?

“The problem with devices is they don’t operate as a hard drive,” said Lee Reiber, VP of Mobile Forensic Solutions, Access Data. “They contain flash like an SSD drive, however the problem was how to collect the data. I’d have to have the device, connect it to a computer, and use software that communicates like a modem, serial drive, media storage… communication that doesn’t allow us to make a bit-by-bit image. So we had to approach these devices differently.”

On an Android device or an iPhone, an examiner sees only what the device is willing to give, as imposed by Google or Apple. Analyzing that information then brings the examiner up against iOS and Android encryption of the data.

Apps use different types of encryption to encrypt images and lock files. Investigating is now not only about extracting the data, but also about examining it in a way that lets an examiner move forward with an investigation.

“Once we figure out the algorithm, the developer gets excited and rewrites it,” Reiber said. “Applications update daily; some of the automatic parsings break. There’s a lot of manual data with mobile forensic tools necessary to uncover data from those devices.”

There are over 12,000 different Android devices, with varying OS versions, and trying to keep up is extremely difficult. So a lot of companies have invested heavily in analysis of the data, using automated forensic search tools.

And because so much is automated, information is being missed. For example, the majority of video evidence in law enforcement comes from mobile devices.

“With automated forensic data scanning, if you’re running hashes to search for photos, and the photo size is changed, you might miss it,” said Reiber. “Now we look at the pixel level, doing mathematical equations based on the pixels, say for flesh-toned images. Using forensic analysis of video, we break them up into frames. You can authenticate if it was taken with a certain device, looking for duplicate frames and deterioration. Some tools can determine how authentic a video can be, but still it’s a lot of manual labor.”
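The resized-photo problem described above, as an added example that is not from the article or from any AccessData tool: a cryptographic hash of the pixels stops matching once an image is scaled, while a hash computed from the pixels themselves still matches. The average hash used here is an assumed stand-in for pixel-level comparison (the article names no algorithm), and both test images are constructed.

```python
import hashlib

def gradient(w, h):
    # Constructed grayscale "photo": a smooth two-axis gradient, values 0..255.
    return [[(2 * x + y) * 255 // (2 * (w - 1) + (h - 1)) for x in range(w)]
            for y in range(h)]

def checkerboard(w, h, cell=8):
    # Constructed unrelated image: black and white squares.
    return [[255 * ((x // cell + y // cell) % 2) for x in range(w)] for y in range(h)]

def box_resize(img, new_w, new_h):
    # Downscale by averaging each block of source pixels (box filter).
    h, w = len(img), len(img[0])
    out = []
    for j in range(new_h):
        y0, y1 = j * h // new_h, (j + 1) * h // new_h
        row = []
        for i in range(new_w):
            x0, x1 = i * w // new_w, (i + 1) * w // new_w
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out

def sha256_pixels(img):
    # Exact-match fingerprint: any change to the pixel data changes it.
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def average_hash(img, size=8):
    # Perceptual fingerprint: shrink to size x size, one bit per cell (brighter than mean?).
    cells = [p for row in box_resize(img, size, size) for p in row]
    mean = sum(cells) / len(cells)
    return sum(1 << i for i, p in enumerate(cells) if p > mean)

def hamming(a, b):
    # Number of differing bits between two hashes.
    return bin(a ^ b).count("1")

def compare(a, b):
    # Returns (exact hash match?, perceptual distance out of 64 bits).
    return sha256_pixels(a) == sha256_pixels(b), hamming(average_hash(a), average_hash(b))

if __name__ == "__main__":
    original = gradient(64, 64)
    print("resized  :", compare(original, box_resize(original, 32, 32)))
    print("unrelated:", compare(original, checkerboard(64, 64)))
```

A small distance flags a candidate for the examiner to review; it is not proof that two files show the same image.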

Your geolocation is in the data, although you can turn the broadcasting of that information off. What still remains in an image is the make and model, recorded in the image's metadata. Log files of video and thumbnails are recoverable.

“Even if they delete the video, we can recover it from the storage data,” Reiber said. “Say they ate the SD card… there’s still information and sometimes a thumbnail that indicates that video was taken. Suppose an investigator is trying to place a person behind the device. Unless there’s a camera recording, how can we say it was them?”

Collective analysis of the data can show, for example, that 30 seconds later there was an Instagram or Snapchat from this particular phone.

Although he realizes the importance of automated forensic searches, Reiber is not a proponent of full automation.

“We automate the tools to make the job easier. We’re the ones who code to automate your tasks. If you’re the examiner, it comes down to training – understanding what you need to look for as you see this information in front of you. We can make examination of digital data easy. It’s more important to know what to look for.”