Mobile devices like cell phones and tablets are central to our daily lives. We use them to communicate by voice, text, and video and, in doing so, create a large amount of data. Essentially, we use these devices the way we use computers. Because they are so heavily relied on, they are an incredible repository of information for eDiscovery and investigation purposes.
Cell phones store electronic information, but their storage may seem limitless because they can also reach synced, cloud-based, or application-based data. For example, Facebook holds a large repository of pictures that are not stored on the phone but can be accessed almost any time. Many mobile devices cache content fetched from these remote sources in temporary files on internal storage, so traces of data that lives elsewhere can still be recovered in a forensic examination.
In the past, information like text messages would quickly be overwritten because a mobile device had very limited storage. That is no longer the case with most modern devices. It is unlikely that a device will run out of space and overwrite data; instead, it prompts the user that there isn't enough space. Unaltered call history on a modern iPhone or Android phone can therefore retain far more call records than older phones, which might only keep the last hundred calls.
Forensic collection and examination of a mobile device can typically return text and MMS messages, pictures, videos, call history (incoming, outgoing, and missed), contacts, voicemails, calendar appointments, email, and app usage. This is not an exhaustive list, and some devices may hold additional information. Some of this information can be retrieved even after it has been deleted, depending on the extraction method used and on how much of the freed storage has since been overwritten.
The forensic collection of mobile devices has become more standardized. As mobile devices are hardware running on an operating system that accesses a file system, they mimic many of the qualities of computers. Like computers, they can be collected at a physical data level, a logical level, or the file system level.
Physical collection is similar to a forensic bit-by-bit acquisition of a hard drive. It is the most comprehensive extraction of a mobile device and captures everything in the device's flash storage, including unallocated space. It allows for data carving, which recovers files whose directory entries are gone but whose contents still remain on the storage, such as deleted pictures. The ability to perform a physical extraction is currently limited to Android devices or older iPhones (4S and earlier models). It is highly dependent on the type of Android phone and may only be feasible by modifying the device to obtain privileged access, a process known as rooting, which itself alters the evidence and must be documented.
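The carving step described above, as an added example that is not code from the original article: a minimal JPEG carver of the kind run against a physical, bit-for-bit image. It scans for the JPEG start-of-image and end-of-image markers regardless of whether any file table points at the bytes. The "raw image" and the file table are constructed in memory for the demonstration (the filler, the two JPEG-shaped blobs and the `IMG_0001.jpg` entry are all assumptions), so it runs offline.

```python
# Added example (not code from the original article): a minimal JPEG carver
# of the kind used against a physical, bit-for-bit image. The "raw image"
# is constructed in memory: deterministic filler with two JPEG-like blobs,
# only one of which is referenced by a (hypothetical) file table.

JPEG_SOI = b"\xff\xd8\xff"  # Start Of Image, followed by the first marker byte
JPEG_EOI = b"\xff\xd9"      # End Of Image

# Hypothetical file table: the file system only knows about the first photo.
FILE_TABLE = {"IMG_0001.jpg": 2048}


def build_sample_image() -> bytes:
    """Construct a fake raw flash image with two JPEG-like blobs embedded."""
    # Values stay below 0xFF, so the filler can never contain a JPEG marker.
    filler = bytes((i * 7 + 3) % 251 for i in range(2048))
    # Constructed, minimal JPEG-shaped payloads (not real photos).
    photo_a = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"A" * 300 + JPEG_EOI
    photo_b = JPEG_SOI + b"\xe1\x00\x16Exif\x00\x00" + b"B" * 500 + JPEG_EOI
    # photo_a sits at offset 2048 (allocated); photo_b follows after a gap
    # and is "deleted": no directory entry points at it, but the bytes remain.
    return filler + photo_a + filler[:777] + photo_b + filler


def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return (offset, data) for every SOI..EOI span, ignoring any file table."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1 or end - start > max_size:
            # Truncated or implausibly large candidate: skip this header.
            pos = start + 1
            continue
        end += len(JPEG_EOI)
        found.append((start, image[start:end]))
        pos = end
    return found


def unreferenced(found: list, file_table: dict) -> list:
    """Offsets of carved files no directory entry points at (deleted content)."""
    referenced = set(file_table.values())
    return [offset for offset, _ in found if offset not in referenced]


if __name__ == "__main__":
    image = build_sample_image()
    carved = carve_jpegs(image)
    for offset, data in carved:
        print(f"JPEG at offset {offset}, {len(data)} bytes")
    print("not in file table (deleted):", unreferenced(carved, FILE_TABLE))
```

The second blob is found only because the carver reads the raw bytes; a logical view that trusts the file table would never list it. Real carvers are more careful than this one: the end-of-image marker can also appear inside an embedded thumbnail or in entropy-coded data, so production tools parse the JPEG segment structure rather than stopping at the first FF D9.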
The next two methods for data extraction are logical and file system. Both are accomplished through forensic software asking the phone's operating system "what do you have?" in two different ways.
Logical extraction collects active data through the operating system's own interfaces. For iPhones, this is similar to the backup process used by iTunes. Logical extraction will not find deleted material that the operating system no longer reports, such as a record that has been marked deleted but whose bytes still sit in unallocated space or in a database's free pages. Depending on the device, that could be something like metadata associated with a contact or phone number.
File system acquisition is a fuller form of logical extraction. It copies the files and databases themselves (for example, the SQLite databases that apps keep for messages and call logs) rather than only the records the operating system's interfaces return, so it can expose some databases that a plain logical extraction does not; which ones are reachable depends on the type and model of the phone. It is still performed by interacting with the operating system.
Forensic investigators will use all three of these methods to extract data from mobile devices in order to recover as much data as the device allows.
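The difference between asking the operating system and reading the files underneath it, as an added example that is not code from the original article: a small SQLite database stands in for a phone's message store (the table, numbers and message bodies are constructed for the demonstration). A query through the database engine is the logical view and returns only active rows; a raw scan of the same file, which is what a file system acquisition hands the examiner, still contains the deleted message because SQLite unlinks a deleted cell without wiping its bytes. The `PRAGMA secure_delete = OFF` line is set explicitly because some SQLite builds default to zeroing freed cells, which is exactly the behaviour that would make the deleted text unrecoverable.

```python
# Added example (not code from the original article): why a logical
# extraction misses deleted records while a file-level copy may not.
import os
import sqlite3
import tempfile

# Constructed sample data standing in for a phone's SMS database.
MESSAGES = [
    ("+15550100", "running late, 10 min"),
    ("+15550199", "meet at the warehouse at nine"),
    ("+15550100", "ok see you there"),
]
DELETED_TEXT = "meet at the warehouse at nine"


def build_database(path: str) -> None:
    """Create the message store, then delete one message the way an app would."""
    conn = sqlite3.connect(path)
    try:
        # With secure_delete ON, SQLite overwrites freed cells with zeros and
        # the demonstration below would find nothing. OFF is the usual default;
        # it is set explicitly here so the result does not depend on the build.
        conn.execute("PRAGMA secure_delete = OFF")
        conn.execute(
            "CREATE TABLE message (id INTEGER PRIMARY KEY, address TEXT, body TEXT)"
        )
        conn.executemany(
            "INSERT INTO message (address, body) VALUES (?, ?)", MESSAGES
        )
        conn.commit()
        # The user deletes a message: the cell is added to the page's free list,
        # but its payload bytes are left in place.
        conn.execute("DELETE FROM message WHERE body = ?", (DELETED_TEXT,))
        conn.commit()
    finally:
        conn.close()


def logical_view(path: str) -> list:
    """What the operating system / database engine reports: active rows only."""
    conn = sqlite3.connect(path)
    try:
        return [row[0] for row in conn.execute("SELECT body FROM message ORDER BY id")]
    finally:
        conn.close()


def raw_scan(path: str, needle: str) -> bool:
    """What a file-level examination sees: the bytes of the deleted row."""
    with open(path, "rb") as f:
        return needle.encode("utf-8") in f.read()


def demonstrate() -> dict:
    """Build the store in a temp directory and compare the two views."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sms.db")
        build_database(path)
        return {
            "active": logical_view(path),
            "deleted_still_on_disk": raw_scan(path, DELETED_TEXT),
        }


if __name__ == "__main__":
    print(demonstrate())
```

The same gap exists on a real handset: the messaging app's query returns what the engine considers live, while the database file copied by a file system acquisition, or the unallocated pages captured by a physical one, can still carry the deleted record until the space is reused or a VACUUM rewrites the file.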
If iPhones are synced, forensic collection can retrieve some email header information (to, from, date, and time) but typically not the body of the email. Android phones usually show only that an email was sent on a specific date, with no additional information. The best way to forensically collect social media content is to have the account's username and password; otherwise, search warrants and involvement by law enforcement are required.
With a modern locked device, the proper access code is necessary to retrieve the most information possible. On some models, some data may be accessible without the passcode. Increasingly, however, encryption means that even if the data is acquirable, it may not be usable without the passcode: on current iPhones and Android phones the encryption keys are derived from the passcode together with hardware-bound secrets, so a physical copy may be obtainable but consists of ciphertext that is not readable or usable without the passcode.
The biggest challenge in mobile device forensics is the rapid change in devices, both in the models themselves and in their operating systems, cables, and connectors. Forensic acquisition relies on third-party tool vendors writing software that can retrieve all the necessary information, so there is a lag between a device becoming available to the public and its becoming collectable. Mobile devices also have many configurations, both manufacturer- and user-controlled, which introduces further variation in what data is retrievable.
Mobile devices are a goldmine of information in modern litigation and corporate investigation. The amount of interaction we have with these devices will continue to provide critical information for investigations and litigation in the future. Therefore, partnering with a provider that can accurately and quickly perform these collections is a key part of the toolkit for corporations and legal professionals.