Mobile Device Forensics

Evidence contained in smartphones and tablets, such as iPhone, Android, iPad and others, is often essential for civil or criminal cases. Text messages, e-mails, photos, and other similar evidence are often of extreme importance during criminal cases, divorce cases, employment cases, breach of contract, and many other matters.

At AVM Technology, we provide mobile device computer forensics expert services throughout Virginia and throughout the United States. Sometimes the investigation involves verifying the reliability of the techniques, methods, and findings of the government during criminal cases, such as possession of illegal pornography, Internet solicitation, hacking, or theft. Sometimes the task is investigating infidelity, sexting, employee theft or teenage misbehavior, or undeleting deleted data from a cell phone.

A mobile device forensic examination can also retrieve:

  • Deleted Text Messages
  • Deleted SMS Messages
  • Detailed Call Records: Dialed / Received / Times / Durations
  • Deleted Photos
  • Deleted Video
  • Contact Names & Phone Numbers
  • Deleted Address Book
  • Email Addresses
  • Deleted Caller ID

In today’s world, mobile devices hold significant digital data. Many people don’t realize the capabilities of an iPhone, Android device, iPad, tablet computer, iPod, MP3 player, or BlackBerry. With dual or quad-core processors, these devices are as powerful as some laptops. Put another way, the amount of forensic evidence contained in mobile devices now rivals the amount of digital forensic evidence contained in a desktop or laptop computer. In the near future, mobile devices will surpass their desktop counterparts.

Mobile devices present different challenges for a computer forensics examiner than desktop or laptop computers. Most computer upgrades consist of increases in the amount of RAM or hard drive space; otherwise, computers essentially use the same technology year after year. Mobile devices are different. Mobile devices frequently change operating systems, interface methods, hardware standards, and storage technologies.

Additionally, a computer forensics expert must understand the way mobile devices communicate when trying to reconstruct events related to digital data. The most common ways mobile devices communicate include wireless networks (whether cellular or Wi-Fi), Bluetooth, infrared, and RFID. Understanding these protocols is essential to understanding where digital data came from or went to. Simply stated, mobile forensics cannot be treated in the same way as static computer forensics, and the tried-and-true computer forensics techniques do not necessarily work for mobile computing devices.

Mobile devices also differ from traditional computer devices in other ways. These differences affect the manner in which the forensics analysis is performed. Mobile devices have subscriber identifiers, used by the mobile phone network to authenticate the user to the network and also verify the services tied to the account. Subscriber Identity Modules (SIM) are an example. Subscriber identifiers contain valuable data for digital forensics analysis purposes.

Mobile devices also contain important log files, which log everything including calls that were placed, missed, and received, GPS, network cell connection, and network cell termination information. For cases involving the identification of an individual’s actions or whereabouts, this information is crucial. Additionally, mobile devices contain phone books and contact lists, which often yield investigative leads as well as potential witnesses.

Text messages are also a valuable source of digital forensics evidence and their retrieval is of critical importance. Text messages often contain bits of evidence, as well as date and time stamps, that are invaluable to a case involving digital forensics evidence. Many believe that, after these text messages are deleted, they’re gone forever. That is often not the case.

Mobile devices also maintain calendars, which can also provide valuable information related to a digital investigation.

E-mail evidence contained on mobile devices can often yield extremely valuable bits of evidence. Similarly, instant messages on mobile devices are of important evidentiary value, in both their content and their time-and-date information.

Other computer forensics digital evidence that can be recovered from mobile devices includes photos, audio recordings, multimedia messages, application files and evidence stored in external media (generally SD cards).

During investigations, even well-trained computer forensics examiners make serious mistakes. Recently, we heard about a case where a government’s computer forensics investigator was browsing through a confiscated iPhone looking for evidence for a criminal case. However, the suspect utilized the wipe feature that is included with the “Find My iPhone” app to remotely wipe the device and the evidence. This is not limited to iPhones. BlackBerry devices have provided remote wiping capabilities for a long time and Android devices are also capable of this. In other words, what works for computer devices does not necessarily work for mobile devices. Computer forensics experts must adjust to this reality.