Mobile Device Forensics: Part 2
by: Janet Smith

This article continues Mobile Device Forensics, Part 1. In Part 1, I discussed what I consider when obtaining my case authorization and documentation. In this article, I'll walk through the rest of my process, including what I do to prepare, extract, and report on a new mobile device forensics case.

Preparation

I usually wait until I have the mobile device in hand before beginning this step. This keeps me from wasting time if the client is a no-show. Once the device arrives, the preparation phase begins.

Mobile devices constantly evolve in both hardware and software, and keeping up with it all is challenging. A few hundred companies sell mobile devices (https://en.wikipedia.org/wiki/List_of_mobile_phone_brands_by_country); that list includes the major smartphone brands, each striving to innovate and gain market share. If you're like me, you upgrade your phone annually or at least every other year. Manufacturers release new devices frequently: in late 2023, I purchased my daughter an Apple iPhone 15 to replace her broken iPhone 14, which had been purchased less than a year earlier.

Software updates occur even more often. Some are security-related, and others add new features. Apple's iOS and Google's Android each have a major version release annually, with incremental patches rolled out several times a year to fix bugs or close security holes. You never know when one of these updates will tank your collection: a patch can close the very access path a forensic tool relies on, so a device that extracted cleanly last month may refuse the same extraction today.

Forensic tools must keep up with these changes to extract, analyze, and preserve data. The appropriate software and hardware are needed to access and extract data from a mobile device, and the latest version of the software should be used for the collection. I often use two different tools to collect and analyze mobile device data; my favorites are Cellebrite, Oxygen Forensics, and Magnet AXIOM. Our organization invests heavily in its tools, but I realize not every organization can do this.
My office requires that I download and install the latest update of my mobile device forensics software before running data extractions. But before using the updated version on evidence, I need to validate that it functions properly. I do this with a baseline test extraction: I update my system and then run the new version against a baseline device whose contents are already known. This exercises the extraction process on known good data, confirms that the extraction is accurate, and reduces inconsistencies between tool versions. Because this is part of our preparation process, our clients are charged our standard hourly rate; some clients questioned the work, so we put a short write-up into our standard statement of work.

I also archive a copy of the software update with the case. This allows me to go back to the exact version I used if I need to reproduce a result at a future time. This whole process would be ideal for a script - ah, just dreaming. It is only done once daily, on days when I have to run extractions or process new evidence.

The test extraction is run against the baseline data, and the results are compared with the known values. As long as everything checks out, I can begin my case. This process goes a long way toward maintaining the integrity of our findings, which is essential when presenting evidence in court. It also ensures that my work meets our office's standards for accuracy and reliability.

Whatever forensic software you use, I encourage you to run the latest version, but remember to validate it. Store the validation with your case evidence so you can refer to it in the future. For example, I validate counts such as the number of SMS messages, pictures, emails, calls, and so on, against the known baseline. The same device is then connected to the updated version of the forensic software and the same extraction is run. The update is validated when both versions reach the same results.
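The comparison step above is the part that could be scripted. The following Python is an added example, not the author's or any tool vendor's code: it parses two artifact-count reports (a known-good baseline and the re-extraction done with the updated tool), reports every category whose count changed, went missing, or newly appeared, and builds the validation record to archive with the case, including a SHA-256 of the archived installer so the stored copy can be matched to the record later. The CSV layout (artifact,count), the category names, the tool name and version, and the sample counts are all constructed for the example; real reports would be exported from whatever tool is in use.

```python
"""Baseline validation of a forensic tool update (added example, not the author's code).

Assumed input format: each extraction report is a CSV with the columns artifact,count.
The category names, counts, tool name and version below are constructed sample data.
"""
import csv
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample data: what the previous, already-validated tool version
# reported for the baseline device (the known-good ground truth).
BASELINE_CSV = """artifact,count
sms,1342
mms,87
call_log,415
contacts,612
images,9874
emails,2210
"""

# Constructed sample data: the same baseline device re-extracted with the freshly
# updated tool. The email count deliberately differs and 'chats' is a new category.
CANDIDATE_CSV = """artifact,count
sms,1342
mms,87
call_log,415
contacts,612
images,9874
emails,2195
chats,530
"""


def parse_counts(report_csv):
    """Parse an artifact,count CSV into {artifact: int}; raises on a malformed row."""
    counts = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        counts[row["artifact"].strip().lower()] = int(row["count"])
    return counts


def compare_counts(baseline, candidate):
    """Describe every way the candidate extraction deviates from the baseline.

    'mismatched': artifact -> (baseline_count, candidate_count) where both differ
    'missing'   : artifacts in the baseline that the candidate did not report at all
    'new'       : artifacts the candidate reports that the baseline never had
    """
    mismatched = {k: (baseline[k], candidate[k])
                  for k in baseline if k in candidate and baseline[k] != candidate[k]}
    missing = sorted(k for k in baseline if k not in candidate)
    new = sorted(k for k in candidate if k not in baseline)
    return {"mismatched": mismatched, "missing": missing, "new": new}


def validation_passed(result):
    """Pass only if every baseline artifact is present with an identical count.

    New artifact types do not fail validation (an updated parser may legitimately
    recover more), but they are kept in the record so the examiner can review them.
    """
    return not result["mismatched"] and not result["missing"]


def validation_record(tool_name, tool_version, installer_bytes, result):
    """Build the record to archive with the case: which build was validated, the
    SHA-256 of the archived installer, when the check ran, and the full comparison."""
    return {
        "tool": tool_name,
        "version": tool_version,
        "installer_sha256": hashlib.sha256(installer_bytes).hexdigest(),
        "validated_at": datetime.now(timezone.utc).isoformat(),
        "passed": validation_passed(result),
        "comparison": result,
    }


if __name__ == "__main__":
    result = compare_counts(parse_counts(BASELINE_CSV), parse_counts(CANDIDATE_CSV))
    # Constructed stand-in for the archived installer file; hash the real file in practice.
    record = validation_record("ExampleForensicTool", "2024.1.0", b"installer bytes", result)
    print(json.dumps(record, indent=2))
```

With the constructed data the run fails validation because the email count dropped from 2210 to 2195, while the new 'chats' category is recorded but not treated as a failure. A failed record is worth keeping as much as a passing one: it documents why a given tool build was not used on evidence that day.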