Mobile phone forensics is the process of preserving, extracting, analysing, and reporting the electronic data retrieved from mobile devices for use in criminal, civil and corporate matters.

Data retrieved from mobile devices is being used in almost every digital forensic case. This is predominantly due to the fast-developing capabilities of mobile phones – people are literally walking around with minicomputers in their pockets, some of which have the same storage capacity as the average laptop.

Data from mobile phones can be comprehensive and, depending on make and model, can show everything from communication between specific parties to someone’s location. This is not just cell site (ie mobile phone mast); certain activities undertaken on a device can result in location information being stored. In a recent case, for example, the police had not put the phone in flight mode on seizure. Our experts could therefore track the device from the point of seizure to the police station as it had location services enabled.

There are a vast number of applications (or apps) available for download from the App Store and Google Play. Many applications allow for communication and all work in slightly different ways. Examination of these can change a case around completely. Due to the increase in number of devices requiring examination, many police forces now allow police constables to conduct basic phone examinations. Where this has occurred, the reports provided are usually quite basic and provide little to no detail on specifics. They can overlook where information might come from, miss data that might be expected (ie potential deleted content), or fail to spot what is there that should not be there. Further, the average police constable downloading a phone out ‘in the field’ will likely not be reviewing the data in the detail required to identify records showing that information such as SMS (text messages) have been deleted. They rely solely on the tool to decode the data extracted.

In addition to data stored on mobile devices, cloud storage can hold a huge amount of information that is not available from a mobile handset. CYFOR has, for example, recently completed testing on accounts such as Uber and Facebook and the recoverable information is, to those untrained in digital forensics, surprising. For example, all journeys can be extracted from an Uber account including driver names, number plates and IP addresses used to log in to Facebook can reveal an approximate location.

The knowledge and training of lawyers and judges in this area is generally limited to their own personal use of a mobile device. Therefore, employing a digital forensics specialist to review devices and information can be paramount to ensuring that data is interpreted correctly, and that those prosecuting or defending understand what the data shows and how this can be used to their advantage.

Types of extraction process

The first stage of the process is to extract the data from the device in order that the data can then be used as evidence in court. Today’s myriad of makes and models of mobile phones are supported to varying levels by the available forensic software. This affects the type of data which can be extracted from the devices.

The ideal scenario is that the phone pertinent to the case is supported for a physical extraction, which is the most comprehensive form of data extraction that mobile forensic experts can achieve. A physical extraction creates a copy of the entire contents of the flash memory of a mobile device. It allows for the collection of all live data and also provides the potential to recover data that has been deleted or hidden, ie data residing outside the active user data and database files, including system created images, records of previously installed applications, location information, emails and more. (See also Computer Forensics Investigations Unlock Key Digital Evidence, Special Counsel Blog.)

Most mobile phones are usually supported for a logical extraction, which involves connecting the mobile device to forensic hardware or a forensic workstation. We would expect a logical extraction to include live data which was present on the device at the time the extraction process was undertaken. This could include call history, SMS, MMS (multimedia messaging service – text messages containing multimedia content eg picture, video and emoticons), images, videos, audio files, contacts, calendars and internet history.

A file system extraction is an extension of the logical extraction that allows forensic experts to examine the file system of the device, rather than just fragments of data. This can include hidden and deleted data if the method of storing such data was selected to be a database or logs within the file system. Unless specifically instructed otherwise, those carrying out the extraction will always choose the most comprehensive method, and sometimes multiple methods, to obtain the best extraction possible. For most devices, it is not possible to selectively extract data; a full extraction process must be carried out prior to the data being filtered.

Applications store their information in databases. There is generally a database for each application or function. For example, there is a database on an iPhone that stores iMessages and SMS. Other databases include those that hold the information for calendars or contacts. When a user deletes data that is stored in a database, the record within the database is marked as deleted and is no longer visible to the user; a deleted SMS would be a prime example. This deleted data remains intact within the database and is recoverable until the database is purged. Once the database is purged, the data is no longer recoverable. Some applications are not supported to be decoded by forensic software. When this occurs, examiners must manually examine the database and extract relevant data in a readable format.

There are occasions when examiners encounter mobile phones which unfortunately are not supported for forensic extraction. When dealing with these phones, examiners must conduct a manual inspection which involves viewing the data held on the phone directly through the screen. Data is documented using a digital camera. It is not possible to recover deleted data through this method of interrogation.

Methods of extraction

Just as there are several different types of extractions, there are also many methods by which forensic examiners can facilitate an extraction.

The extraction methods can be separated into destructive and non-destructive methods (also referred to as invasive and non-invasive). Non-destructive methods include the use of industry leading software by manufactures such as Cellebrite, MSAB and Magnet Forensics. Experts utilise the option of extracting data using forensic software in most cases; however, destructive options are available when dealing with damaged mobile phones or phones that meet certain criteria and all non-destructive methods have been exhausted.

Two premium forensic tools, Cellebrite Premium (mainly Android) and Graykey (mainly iOS) are available, but only to the law enforcement sector. These tools allow for advanced non-destructive techniques to try and obtain the most comprehensive extraction possible. They cost considerably more than the standard forensic tools and, as stated above, are only available for law enforcement. The main destructive options available to experts are techniques known as JTAG and Chip-Off.

JTAG involves the disassembly of a mobile phone and the connection to components on the device motherboard to read data from the handset. Connection can be made using specialist adapters, by micro-soldering wires or a combination of the two. Wires can be de-soldered after data extraction to return the handset to its prior state; however, it cannot be guaranteed that the phone will still function post this method. Using this method, an expert can extract data from handsets unsupported by forensic software including older devices that are PIN, pattern or password protected.

Chip-Off involves the removal of the flash memory chip from a mobile phone and the use of specialist hardware and software to read the data from it. Using this method, it is possible to extract data from handsets unsupported by forensic software or JTAG along with PIN, pattern or password protected phones and damaged or otherwise non-working handsets.

This is a destructive method, and the phone will be returned from the process in a non-workable condition. These methods are more successful with older phones. Encryption on newer devices makes it harder, and sometimes impossible, to read the data directly off the chip.