Heading to work in the morning it is sometimes difficult to avoid bumping into stray pedestrians, heads down, their gaze fixed on their phones. Where once you might have been startled to see the odd reader (perhaps gripped by a paperback) walk into a lamp post, it is now almost routine to see people crossing busy roads and messaging at the same time. This daily qualifying heat for the Darwin Awards may make you think that smartphones do not in fact make us all that smart. Nonetheless, it is a fact that people conduct a large part of their lives via smartphone, and as such phones are likely to be a source of important evidence for litigation and investigations.
At the same time, they contain a lot of personal information, from family photos to private messages to passwords for bank accounts.
So, when dealing with smartphones in forensics, we need to be thoughtful, not to say smart.
What makes smartphone extraction smart?
Mobile phone forensics has always felt different from its computer counterpart. You need only consider the phrase “change nothing” to see how it departs from the traditional standards that have been central to the digital forensic process since the inception of the ACPO guidelines. The approach to mobile capture is often dictated by the complexities of a changing landscape: new operating system releases, the shift in behaviour around the use of applications (hello, end-to-end encryption!), relentless application updates and the age-old arms race with cryptography. So, what is it that makes smartphone extraction smart?
Take the example of the iPhone. The original iPhone was introduced to the market as a “magic product”, with device capability limited only by the imagination of application software developers.
At the time of writing, there are an estimated 1.81 million applications on the App Store and there have been 17 major releases of iOS, as well as an ever-evolving flow of hardware enhancements, all of which have challenged the forensic community to keep up. Welcome to the world of mobile forensics.
Collection Limitations
From a digital forensic perspective, the key point to consider has always been the concept of “best evidence”. By definition, best evidence will change according to the standards of the day, driven by factors such as scope, legal constraint, accessibility of the data and the technical capability of a given set of tooling to extract the necessary information successfully. While no one factor should overrule the others, it is an unfortunate reality that the technical factor will often trump the rest.
As a starting point, full physical captures have always been regarded as the gold standard. Unfortunately, for contemporary smartphones, gone are the days of bit-for-bit collections.
To spotlight iOS, the transition from Full Disk Encryption (FDE) to File Based Encryption (FBE) after the iPhone 4 means that a Full File System (FFS) extraction is now the highest standard of mobile phone capture available (in the context of contemporary smartphones, excluding a handful of models).
FBE (File Based Encryption) and FDE (Full Disk Encryption) aren’t specific to iOS; they are standard concepts across the smartphone extraction space as a whole.
The Android market, rooted in open-source principles, has created a vibrant family of products on a multitude of architectures. The assortment of Android flavours, paired with diverse hardware specifications has led to nuanced extraction techniques.
While FFS (Full File System) is the highest standard of capture for most contemporary smartphones, it isn’t always achievable and neither is it always required. The light of ethics shines the brightest.
Moreover, a minor OS update one day can rule out the possibility of an FFS extraction the next, meaning the best available standard of evidence may actually be a logical extraction. This presents an obvious issue if the data required isn’t captured in the available extraction type.
Difficulties with mobile evidence are not limited to the extraction stage. If we consider the 1.81 million applications currently on the App Store, or the Play Store’s even higher global market share with an estimated 2.6 million, it would be optimistic to expect a single tool to decode and parse each and every application.
Dual-tooling is an approach common to all forensic practitioners, but even then, what options are available at the point of an unsuccessful decode?
Understanding Smartphone Data Variations: A Crucial Aspect of ‘Best Evidence’
Interpreting the complexities of smartphone data is akin to deciphering a cryptic map. Beneath the polished interfaces lies a labyrinth of data, some of it obscured in secrecy.
Both iOS and Android platforms rely heavily on SQLite for application data, whether first- or third-party. By employing manual decoding techniques and conducting advanced forensic examinations of intricate data structures, where many tools falter, we can transform unparsed smartphone data into readable formats. This includes both live and deleted data, recovered through analysis of the database files themselves (deleted rows frequently survive in a database file's free space until they are overwritten).
The methods used for data analysis depend on the acquisition techniques employed earlier. Whether the dataset arrives as raw data formats or as .db files, understanding its nuances is of paramount importance.
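The following is an added, constructed illustration (not code from the article or any named tool) of why deleted SQLite rows can often be recovered from the database file: it builds a small chat-style database, deletes a message, and then naively carves the raw file bytes for the deleted text, once with SQLite's secure_delete pragma off and once with it on. A production examiner would parse the page freeblocks properly rather than string-searching, but the effect is the same.

```python
import os
import sqlite3
import tempfile

# Constructed sample message used as the "deleted" row we try to recover.
DELETED_TEXT = "DELETED_MARKER_payload_text"


def carve_string_hits(db_path, needle):
    """Naive carving: count occurrences of a byte string anywhere in the
    raw database file, including page free space no longer referenced by
    any live row. Real tooling walks the b-tree pages and freeblocks."""
    with open(db_path, "rb") as fh:
        raw = fh.read()
    return raw.count(needle.encode("utf-8"))


def run_demo(secure_delete):
    """Create a constructed messages database, delete one row, and report
    how many live rows remain and whether the deleted text is carvable."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        # secure_delete=ON makes SQLite zero freed cell content; OFF (the
        # usual compile-time default) leaves the old bytes in place.
        con.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
        con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
        con.executemany(
            "INSERT INTO messages(body) VALUES (?)",
            [("hello from the constructed sample",),
             (DELETED_TEXT,),
             ("another live message",)],
        )
        con.commit()
        con.execute("DELETE FROM messages WHERE id = 2")
        con.commit()
        live_rows = con.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
        con.close()
        return {"live_rows": live_rows,
                "carved_hits": carve_string_hits(path, DELETED_TEXT)}
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("secure_delete OFF:", run_demo(False))
    print("secure_delete ON: ", run_demo(True))
```

The same principle is why an examiner also wants any -wal and -journal files that sit beside a database in an extraction, since recently committed or rolled-back pages can persist there too.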
Remember, there is no substitute for understanding the data you’re dealing with. Navigating the mobile forensics battlefield can be a daunting task, especially for general users who tap, swipe and chat oblivious to the underlying mechanics of files and directories. Remember ACPO – be competent?
Technical competence alone won’t suffice. Recovering deleted data also raises ethical questions: a delicate balance between fact seeking and privacy. Knowing where the data is held is central to striking this balance, in line with the principle of proportionality. There is a necessary trade-off between data minimisation and technology-enabled decision making. Just because you can collect all the data doesn’t mean you should! This underscores the critical role of a specialist forensic examiner who has the expertise to provide the relevant assistance, whether advisory or extraction.
In other scenarios, where applications use encryption, capturing screenshots may be the primary method of obtaining critical information. Manually capturing screenshots of live data on the device, followed by a review that involves a blend of structured and unstructured datasets, can be painstaking and time-consuming (and expensive!). However, in some cases this manual form of data capture remains the best form of examination available on the day.
In summary, the complex mobile ecosystem coupled with the collection limitations demands adaptive techniques, balancing technical capabilities with legal and practical considerations.