Mobile Device Investigations
The student will learn to effectively analyze and extract digital evidence from mobile devices.
They will become proficient in identifying, preserving, and presenting digital evidence in a legal manner.
Learning Objectives
Recognize data preservation techniques to ensure the integrity of digital evidence during mobile device investigations.
Identify various types of mobile devices and understand their operating systems.
Detect the legal and ethical considerations in mobile device investigations.
Analyze mobile device data to include relevant information, call logs, text messages, app usage, and location history.
Categorize current and emerging trends and technologies in mobile device security and forensics.
Identify techniques to document findings and prepare clear and comprehensive reports for legal proceedings.
Privacy Considerations
According to Oliver Markus Malloy, once you own a cell phone, you relinquish privacy. Cell phones can track location, record conversations, and monitor typed information.
Privacy is a "willful illusion."
Operating Systems
Operating systems manage resources and memory for desktop computers and laptops, enabling multi-tasking.
A mobile device operating system is the software platform a mobile device runs to allow users to perform tasks such as email, texting, and browsing.
It checks application compatibility and provides a consistent user interface.
Feature Characteristics of Mobile Devices
A battery that powers the device for several hours.
A physical or on-screen keyboard for entering information.
A touchscreen interface.
Wireless operations.
Mobile Operating Systems
Android
Based on Linux and other open-source software.
Designed primarily for touchscreen mobile devices.
Owned by Google.
Top operating system worldwide with approximately 70% market share.
Apple iOS
Developed by Apple exclusively for its hardware.
Powers most of the company’s mobile devices.
Second best-selling operating system for mobile phones.
LG webOS
Linux Kernel-based multitasking OS for smart devices.
Used mainly for smart TVs, but has been used as a mobile operating system.
Memory Management
Management of the main or primary memory.
The executed program must be present in the main memory.
Allocates and deallocates the memory.
Keeps a record of which part of primary memory is used.
Distributes the memory while multiprocessing.
Processor Management/Scheduling
When more than one process runs on the system, the OS decides how and when a process will use the CPU.
The OS allocates and deallocates the processor to the processes and keeps records of the CPU status.
Device Management
The OS allocates and deallocates devices to different processes.
Keeps records of the devices and decides which process can use which device and for how long.
File Management
Keeps records of the status and location of files.
Also allocates and deallocates resources.
Security
The OS keeps the systems and programs safe and secure through authentication.
A user ID and password decide the authenticity of the user.
Error Detection
Keeping a record of system performance.
Communication between different software.
Types of Mobile Devices
Smartphones
Portable computer device that combines mobile phone functions and personal computing functions into one unit.
Laptops/Notebook Computers
Small, portable, personal computer.
Tablet Computers
Mobile device with a mobile OS and touchscreen display processing circuitry and a rechargeable battery in a single, thin, and flat package.
Smartwatches
Track fitness goals, provide notifications from your smartphone, and allow you to make phone calls and send messages from your wrist.
Messaging Services
SMS (Short Messaging Service)
The most widely used and oldest text messaging service.
Sent over cellular networks, which means a wireless plan and a carrier are required.
Every text message delivered to a cell phone has become known as an SMS.
Originally developed for GSM phones but is now supported by all major cellular networks.
MMS (Multimedia Messaging Service)
Standard method of delivering multimedia material including messages.
Used when a picture, video, slide show, or other media is embedded.
IoT (Internet of Things)
Collectively, tablets, smartphones, e-readers, and other mobile devices, including wearable devices.
Global network of physical objects that have embedded processors of some sort that can communicate with computers across the internet.
Includes household appliances like smart refrigerators, digital thermostats, and home automation devices.
EPO #2: Data Preservation
Recognize data preservation techniques to ensure the integrity of digital evidence during mobile device investigations.
Digital Evidence Preservation
A comprehensive endeavor that ensures the continued accessibility of valued digital information.
Aims to isolate and protect digital evidence exactly as it was found, without alteration, so that it can later be analyzed.
Smartphones and other devices have blurred the line between physical and digital evidence.
Smartphones can store pertinent photos locally, connect to files in a cloud storage service, and carry trace evidence on the device itself.
Steps to Prevent Loss of Digital Evidence
Document the condition of the device.
Take pictures from all sides of the physical device.
Make note of any dents, scratches, or other blemishes.
Avoid plugging any external storage media into the device.
Do not alter the power status.
If the device is on, leave it on.
If the device is off, leave it off.
Leave battery-powered devices in their current state as long as possible, and consult the forensic team.
Keep the device secure and establish an internal chain of custody.
Ensure proper chain of custody for the hardware and data within a physically secure, climate-controlled area.
Don’t store the device in an open access area.
Log important information, such as where the device is, who has access, and when it was moved.
Get forensic experts involved.
From recovering deleted files to providing trial support, the process of preserving and analyzing data requires the expertise of forensic investigation specialists.
Drive Imaging
The act of creating a bit-by-bit duplicate of a device’s hard drive.
Hash Values
Chain of Custody
Forensic investigators document all steps conducted during the transfer of media and evidence.
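The three items above (a bit-by-bit image, its hash value, and a chain-of-custody record) fit together in practice as shown in this added example, which is not part of the course material. The image bytes, handler names and actions are constructed for illustration; the same hashing code works unchanged on a real image file read in chunks.

```python
"""Added example (not from the original course): verifying a forensic image
with hash values and recording chain of custody for it.

The image bytes, examiner names and actions below are constructed placeholders.
"""
import hashlib
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB image never has to fit in memory


def hash_image(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of an image, computed incrementally."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for i in range(0, len(view), CHUNK):
        h.update(view[i:i + CHUNK])
    return h.hexdigest()


def verify_image(data: bytes, expected: str, algorithm: str = "sha256") -> bool:
    """True only if the current digest equals the one recorded at acquisition."""
    return hash_image(data, algorithm) == expected


def custody_entry(log: list, action: str, handler: str, digest: str, when=None) -> dict:
    """Append one chain-of-custody record: who did what to the evidence, when,
    and the hash of the evidence at that moment."""
    entry = {
        "seq": len(log) + 1,
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        "action": action,
        "handler": handler,
        "sha256": digest,
    }
    log.append(entry)
    return entry


def custody_is_consistent(log: list) -> bool:
    """Every entry must carry the hash recorded at acquisition; a hash that
    changed between transfers means the evidence was altered along the way."""
    return len(log) > 0 and all(e["sha256"] == log[0]["sha256"] for e in log)


def demo() -> dict:
    # Constructed sample standing in for a bit-by-bit image of a SIM or device.
    original = b"\x00" * 4096 + b"CONTACT:Alice,+15550100\n" + b"\xff" * 4096
    acquisition_hash = hash_image(original)

    log = []
    custody_entry(log, "acquired image", "Examiner A", acquisition_hash)
    custody_entry(log, "transferred to evidence locker", "Custodian B",
                  hash_image(original))

    # A copy with a single flipped byte fails verification, and logging its
    # hash on return exposes the break in the chain of custody.
    tampered = bytearray(original)
    tampered[4100] ^= 0x01
    custody_entry(log, "working copy returned", "Examiner C",
                  hash_image(bytes(tampered)))

    return {
        "original_ok": verify_image(original, acquisition_hash),
        "tampered_ok": verify_image(bytes(tampered), acquisition_hash),
        "chain_intact": custody_is_consistent(log),
        "log": json.dumps(log, indent=2),
    }


if __name__ == "__main__":
    print(demo()["log"])
```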
Seizure
There are several “do’s and don’ts” that must be followed to properly recover and preserve cell phone evidence.
Acquisition Phase: Retrieving Data from a Mobile Device
A locked screen can be unlocked with the right PIN, password, pattern, or biometrics.
Note that biometric approaches, while convenient, are not always protected by the Fifth Amendment of the U.S. Constitution.
According to a ruling by the Virginia Circuit Court, passcodes are protected, but fingerprints are not.
Similar lock measures may exist on apps, images, SMS messages, or messenger applications.
Encryption provides security on a software and/or hardware level that is often impossible to circumvent.
Control of data on mobile devices is difficult because the data is also mobile.
Once communications or files are sent from a smartphone, control is lost.
Although there are different devices that have the capability to store considerable amounts of data, the data may physically be in another location.
Data synchronization among devices and applications can take place directly but also via the cloud.
Services such as Apple’s iCloud and Microsoft’s OneDrive are prevalent among mobile device users, which leaves open the possibility for data acquisition from there.
Investigators should be attentive to any indications that data may transcend the mobile device as a physical object, because such an occurrence may affect the collection and even preservation process.
Since data is constantly being synchronized, hardware and software may be able to bridge the data gap.
Regardless of the type of the device, identifying the location of the data can be further impeded due to the fragmentation of operating systems and item specifications.
After identifying the data sources, the next step is to collect the information properly.
Many mobile devices cannot be collected by creating an image and instead, they may have to undergo a process called acquisition of data.
There are various protocols for collecting data from mobile devices as certain design specifications may only allow one type of acquisition.
The forensic examiner should make use of SIM card imaging, a procedure that recreates a replica image of the SIM card content.
The original evidence will remain intact while the replica image is being used for analysis.
The investigator needs to know the type of mobile device, network, carrier, and service provider.
Service providers can be found by doing a reverse look-up.
The examiner may need to use numerous forensic tools to acquire and analyze data residing in the mobile device, e.g., Cellebrite and GrayKey.
These are programs used by examiners that put the extracted information into an easier-to-read report.
EPO #3: Relevant Information
Includes call records, call start times, call end times, duration, and who was called.
Mobile device analysis can be divided into several iterative phases.
Time-sensitive and can require multiple iterations and additional data collection or analysis rescoping.
Involves the compilation of data into visual and interactive platforms.
Analysts consolidate their findings and produce them in the form of documents, metadata, and/or visual reproductions.
The types of analysis that can be performed on mobile devices vary based on the data types that have been selected and the objectives of the analysis.
The key to a successful analysis process is identifying the fastest approach to performing analysis that is exhaustive and yields immediate results to support the investigation.
Types of Analysis
Keyword and concept:
Queries of communications and other content for specific text.
Network/Link:
The relationships across and between individuals and organizations.
Data profiling:
A quantitative overview of the available data by data type.
Cross-device:
The different treatment of similar data by the custodian.
Deleted/hidden data:
Evidence of an effort to obfuscate or hide evidence.
Geolocation:
Events tied to geographic locations.
Timeline:
Events occurring at specific times.
Emoji and media:
Relevant non-text-based communications.
Address book:
Identifies individuals’ names and contact information.
Anomaly detection:
Identifies non-standard communications or behavior.
Together, these analyses help to establish much more information about the communications and other events.
They can also better identify when certain data was deleted or altered by individuals.
They enable analysts to identify additional individuals.
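Three of the analysis types listed above (timeline, network/link, and anomaly detection) are applied to call detail records in this added example, which is not part of the course material. The CDR lines, the column layout and the night-hours and burst rules are constructed assumptions for illustration, not any carrier's format or a standard rule set.

```python
"""Added example (not from the original course): timeline, link and anomaly
analysis over call detail records (CDRs).

The CDR text, its columns, and the night-hours/burst thresholds are
constructed assumptions for illustration only.
"""
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: subject's number, other party, direction, start, duration.
SAMPLE_CDR = """\
subject,other_party,direction,start,duration_s
+15550100,+15550123,out,2024-03-01 09:15:00,120
+15550100,+15550199,in,2024-03-01 13:40:00,35
+15550100,+15550123,out,2024-03-01 13:52:00,600
+15550100,+15550123,in,2024-03-02 02:05:00,15
+15550100,+15550177,out,2024-03-02 02:07:00,0
+15550100,+15550123,in,2024-03-02 02:09:00,300
"""


def parse_cdr(text: str) -> list:
    """Turn CDR CSV into records with start, end and duration (the fields the
    course lists as call detail record content)."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        start = datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S")
        dur = int(r["duration_s"])
        rows.append({
            "subject": r["subject"], "other": r["other_party"],
            "direction": r["direction"], "start": start,
            "end": start + timedelta(seconds=dur), "duration_s": dur,
        })
    return rows


def timeline(records: list) -> list:
    """Timeline analysis: events ordered by when they occurred."""
    return sorted(records, key=lambda r: r["start"])


def link_summary(records: list) -> dict:
    """Network/link analysis: number of calls and talk time per contact."""
    calls, seconds = Counter(), Counter()
    for r in records:
        calls[r["other"]] += 1
        seconds[r["other"]] += r["duration_s"]
    return {n: {"calls": calls[n], "talk_s": seconds[n]} for n in calls}


def anomalies(records: list, night=(0, 5), window=timedelta(minutes=10),
              min_burst=3) -> list:
    """Anomaly detection: flag calls in night hours, zero-duration calls
    (missed or unanswered, which the course notes can matter as much as
    answered ones), and bursts of >= min_burst calls inside one window."""
    flagged = []
    tl = timeline(records)
    for i, r in enumerate(tl):
        reasons = []
        if night[0] <= r["start"].hour < night[1]:
            reasons.append("night-hours")
        if r["duration_s"] == 0:
            reasons.append("missed-or-unanswered")
        burst = [x for x in tl[i:] if x["start"] - r["start"] <= window]
        if len(burst) >= min_burst:
            reasons.append("burst")
        if reasons:
            flagged.append((r["start"].isoformat(), r["other"], reasons))
    return flagged


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    print(link_summary(recs))
    for item in anomalies(recs):
        print(item)
```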
What now?
Once the data has been acquired, mobile forensics experts will need to analyze it.
A typical smartphone has 64 GB of internal storage, which amounts to approximately 33,500 reams of paper.
With that astronomical amount of data, an innocuous-looking but critical piece of evidence could be tiny and easily missed.
Missed calls can be as important as sent text messages, and discarded email drafts are as important as selfies.
Data Types of Relevant Information
Call detail records
GPS Information
An excellent source of empirical evidence.
If the subject has an active mobile device at the crime scene, GPS can pinpoint his location.
Also locates the movements of the suspect from a crime scene to other places
App data
Many apps store and access data the user is not aware of.
Many apps seek permission during the installation process to access this data.
Photo or video editing apps request permission to access media files, camera, and GPS for navigation
SMS Text
Messaging is a widely used way of communication.
They leave electronic records of dialogue that can be presented in court as evidence.
They also include the date and time of the message and the phone number of the sender and receiver
Other types of information (not an exhaustive list):
Phonebook or contact list
Pictures, videos, and audio files, sometimes voicemail
Internet browsing history, search history
Content Cookies
Analytical information
Documents
Spreadsheets
Presentation files
Passwords
Passcodes
Swipe codes
System files
EPO #4: Legal and Ethical Considerations
What are the biggest barriers for law enforcement in the field of digital forensic investigations?
In 2016, the FBI demanded that Apple create a backdoor to access an iPhone belonging to the San Bernardino shooters.
Accuracy and Reliability
As technology continues to advance, it becomes easier to manipulate and falsify digital evidence, which can undermine the credibility of forensic investigations.
For example, in 2017, researchers at the University of Washington created a software tool that can “synthesize” realistic video footage of public figures saying things they never actually said.
This was an early example of deepfake technology. While the technology is still in its early stages, it raises questions about the ability of investigators to analyze digital evidence accurately and reliably.
Ensure that these investigations are conducted in an ethical manner that respects individuals’ rights to privacy and avoids biases and inaccuracies.
Requires a strong commitment to transparency, accountability, and oversight
The Fourth Amendment to the Constitution grants citizens broad protections against the exercise of government power, couched in remarkably simple language.
To understand how and why law enforcement is legally and constitutionally able to access criminal communications data in specific cases, it is important to understand the law and the extensive checks, balances, and safeguards that frame it.
The rule of law requires a balance between protection and enforcement, privacy and security, and liberty and safety.
The framers of the Constitution understood that banning all government searches was equally impractical, rendering enforcement of criminal law impossible.
As a result, they sought to prevent only “unreasonable searches and seizures.”
Where the law allowed a proper search, law enforcement was allowed to go further unimpeded in its pursuit of evidence.
Additionally, case law has developed over the years allowing for warrantless searches in certain cases, such as emergencies.
The judge independently decides whether to issue a warrant for the data.
Today, when law enforcement investigators seek access to electronic information stored on a device (data at rest) or data in transit (data in motion), they are bound by the mandates of the Fourth Amendment, which typically requires them to demonstrate probable cause (P.C.) to a neutral judge.
Law enforcement access to electronic and digital evidence is strictly governed by the Constitution, statutory law, and cases decided by the courts, as described in the preceding section.
A number of other legal standards are in place to more concisely define how and under what circumstances law enforcement can and should have access to digital communications and data.
This section describes the levels of proof and legal demands that investigators must satisfy in order to gain lawful access to search for evidence.
Some of the current debate over regulation of law enforcement conduct centers on what level of proof investigators must have before they can access different kinds of information.
Levels of Proof
Reasonable suspicion
A specific and objective basis for suspecting someone of criminal activity
Probable cause
Defined as facts and circumstances, along with reasonable inferences drawn from them, that would lead a reasonable person in the officers’ position to believe that the fact at issue is probably true
“Preponderance of the evidence” standard
It is more likely than not that a particular point is true.
This governs the outcome of civil trials
All three fall below the requirement of proof beyond a reasonable doubt that must sustain a valid conviction in a criminal trial
Types of Required Response Information
Subpoena
Low level of legal demand based on a law enforcement determination that records sought are relevant to an ongoing criminal investigation
The limits on this authority vary among federal and state agencies, but the common characteristic is that the authorization of a judge is not required
Pen Register Order
Low level of legal demand based on a law enforcement statement of jurisdiction and relevance, and a judge’s authorization
Allows the collection of data evidence, but not content evidence, in motion
Court Orders
A judge has to find reasonable suspicion to believe that the records sought are relevant to an ongoing criminal investigation
This level of demand is sometimes explained as a “Nexus” or a showing of “specific and articulable facts” to the issuing court that the records are relevant; something less than probable cause
Search Warrant
Legal demands based on a showing of probable cause to a judge
Can be used to authorize a range of activities from the production of content evidence at rest in the possession of a service provider to the real-time determination of a cell phone’s location
Emergency/Exigent Circumstances
Trigger legal provisions that allow a service provider to disclose certain records without the immediate submission of legal process in response to a law enforcement demonstration that there is an immediate threat of death or serious physical injury
The determination of what constitutes an emergency is currently left up to the service provider, not the law enforcement officer who needs the records
There are currently exceptions built into existing law that allow law enforcement to request electronic evidence in the possession of a third party without a formal legal demand when human life or safety hangs in the balance.
These are referred to as emergency or exigent requests
The second term is derived from the “exigent circumstances” exception to the search warrant requirement
Legal Concepts
It is helpful to have a basic understanding of the following legal concepts when talking about the standards for law enforcement access to digital evidence at rest and evidence in motion
Third-Party Doctrine
Holds that if an individual gives property over to a third party, they are manifesting a reduced expectation of privacy in that information
Law enforcement would generally be required to obtain a search warrant to gather records in a person’s home, but a subpoena might suffice for documents left with their bank or accountant
Mosaic Theory
The “mosaic theory” of the Fourth Amendment holds that a series of actions by law enforcement that don’t amount to a search by themselves can rise to the level of a search, thereby requiring a search warrant, when they are collected together or looked at as a whole.
These statutes and the cases interpreting them reflect a concerted congressional effort, overseen by an independent judiciary, to validate the principles enshrined in our Constitution and balance several, sometimes competing, yet equally legitimate social interests
Barriers to Access
The ability of law enforcement to conduct lawful intercepts on advanced communications services is a critical tool of public safety
Many of the existing statutes governing access to evidence at rest and evidence in motion have been outpaced by technology and need to be updated in a way that addresses privacy and public safety concerns
Data Encryption & Evidence at Rest
Currently, there exists no prohibition in the United States restricting the use of any encryption algorithm or key length (e.g., 256-bit) to secure one’s communications or stored information
Further complicating the landscape is the deployment of encryption technology by communication service providers
So, what does this mean?
When law enforcement lawfully seizes a mobile device pursuant to a search warrant, there exists an increasing likelihood that the device and all the information stored on the device depicting criminal activity will be encrypted and therefore inaccessible to law enforcement
Under the Fifth Amendment, defendants cannot be compelled to incriminate themselves.
Consequently, they do not have to provide the password to law enforcement.
Electronic Communications Privacy Act (ECPA)
Applied during the initial stages of an investigation where few facts are known with certainty and the building blocks of probable cause are to be collected
Law enforcement has accessed stored historical location information by demonstrating to a court that reasonable suspicion supported by articulable facts relevant to a criminal investigation exists and merits an order to disclose the information
Law enforcement does not wish to gather more location information than is required to meet the immediate needs of an investigation
Applying lower standards of proof to building blocks of P.C. like location evidence allows agents to pursue early investigative leads and build up to the use of more intrusive tools to obtain more sensitive information protected by higher standards, like contents of communications
Law enforcement can meet a probable cause standard of proof only by discovering, collecting, and logically assembling relevant facts, statements, and observations.
Elevating the proof requirement for different types of evidence poses problems in the investigative process
Advocates seek to extend the level of protection offered to a person’s home to more and more of the electronic evidence that they create
COL
The theory that a series of actions by law enforcement that don’t amount to a search by themselves can rise to the level of a search when they are collected together or looked at “as a whole” is known as the Mosaic Theory
EPO #5: Clear and Comprehensive Reports
What is it?
A document that provides details on the findings of your investigations
Include all pertinent information about the case and any evidence that has been gathered
Important because it serves as a written record of an entire investigation and can be used in court as evidence
Reports
They include communicating your investigation findings to a judge or jury and coming up with the right recommendations for further action based on the key findings
Organize Information
An example of an investigative report template includes who, what, where, when, why, and how.
It is useful for investigations that focus on a specific incident or issue
Follow Timeline
If the investigation involves a timeline of events, create a visual timeline to accompany the investigative report.
This will help make it easier for readers to understand the sequence of events
Use Visual aids
Engaging visual aids might be helpful in illustrating the investigation findings.
Consider using graphs that would support your investigation claims and findings and help readers better comprehend the full picture
Check for Biases
When listing the findings of your investigation, be aware of any biases that might influence the investigation conclusions.
You might want to look for an alternative explanation for the evidence gathered.
Be Objective
You must ensure that you stay objective and only stick to the facts that are supported by evidence in your writing
Avoid making assumptions or drawing conclusions that are not supported by evidence.
Know Limitations
Be transparent about any limitations in your investigation. If there are any gaps in the evidence or limitations in the scope of your investigation, make sure to mention them in your report
COL
What document provides details on the findings of your investigations?
Comprehensive Investigative Report
EPO #6: Current and Emerging Trends
Current Trends
The biggest challenge in mobile forensics is keeping up with the rapid pace of change in mobile technology
New devices and operating systems are constantly being released, each with its unique file system and data storage methods
This makes it challenging for mobile forensics experts to stay current with the latest changes
With more data being stored in the cloud, investigators must learn how to access and analyze this information effectively
Cloud forensics requires understanding various cloud-based services’ structures and the legal implications of accessing data stored off-premises
Build expertise in the area by deepening your understanding of cloud environments
Cloud Security
The cloud has revolutionized the way people and businesses store and share information, facilitating streamlined multi-site management and integrated security technology solutions, and enabling fully remote security operations.
When writing an affidavit for a search warrant, include language in the warrant that requests the information from the cloud of the device you wish to search
Advanced Biometrics
Facial recognition, iris scans, and fingerprint authentication will become prevalent, providing an even higher level of security
Artificial Intelligence and Machine Learning
AI and ML will increasingly be used in mobile security solutions to continuously monitor, detect, and prevent threats in real time.
Mobile Application Shielding
Mobile apps will use advanced encryption.
Code obfuscation.
Runtime protection to prevent tampering, reverse engineering, and other malicious activity.
IoT Security
IoT, or Internet of Things, is a network of connected devices ranging from smart appliances to vehicles.
It presents a rich data source for investigators. However, extracting and interpreting data from these devices can be complex.
With the growing popularity, mobile security will focus on securing connections between these devices and mobile apps, ensuring data privacy and integrity.
As technology rapidly evolves, mobile security trends also transform in order to maintain the integrity of our digital infrastructure
The shift towards multifactor authentication will strengthen security by requiring various forms of verification, while advanced biometrics will provide an additional layer of protection via facial recognition and fingerprint authentication
COL
What is the biggest challenge facing law enforcement in the field of mobile forensics?
The rapid pace of change in mobile technology
Objectives Revisited
Recognize data preservation techniques to ensure the integrity of digital evidence during mobile device investigations
Identify various types of mobile devices and understand their operating systems
Detect the legal and ethical considerations in mobile device investigations
Analyze mobile device data to include relevant information, call logs, text messages, app usage, and location history
Categorize current and emerging trends and technologies in mobile device security and forensics
Identify techniques to document findings and prepare clear and comprehensive reports for legal proceedings