
An Introduction to Mobile Device Forensics (Part Two)

Written By

Michael Neher

How much information is your cell phone retaining? And how much of that data can be gathered with digital forensics? As computer forensics specialists and eDiscovery consultants, Capsicum’s team routinely engages with mobile device data as a critical piece of digital investigations. Today, the wealth of information that can be found on a mobile device may far exceed what can be obtained from a computer.

In part two of our three-part series, we look at which types of information can be obtained from your device, as well as how privacy concerns are implicated in mobile device collections.

What types of data can you retrieve from a mobile device? 

Where early model mobile phones contained little more than an address book and a phone ledger, smartphones today are much more akin to personal computers, with a complex archive of multiple applications and files. A digital forensic specialist can sort through data to help preserve and interpret reliable evidence. With mobile devices, this often includes detailed analysis and investigation of data that is not normally used or visible, such as metadata.

The most requested data from mobile devices is text and other short-form message data. This can include the text, emoji, voice-recorded messages, videos, images, GIFs, and other attachments. Beyond the content of the message, forensics can reveal the metadata, including the participants, time and date, read and unread status, group chat titles, and deletion status of messages. These contextual details can be pivotal and may convey proof that a given custodian was irrefutably involved in a discussion of legal interest. As to deleted texts, recoverability currently depends on when the message was deleted, among other factors. While it is notoriously difficult to recover deleted media from iOS devices and other mobile media, it has been possible in certain scenarios.

Short-form messaging data comprises only a drop in the bucket of the data available on a mobile device. For instance, powerful artifacts can be found in a phone’s call history. Some valuable call history metadata includes: who placed the call to whom; time, date, and duration data; call status, such as incoming, outgoing, dropped, failed, or canceled call; call type, such as video or FaceTime; deletion status; and source, meaning whether a call was placed from the phone application or a third-party application such as WhatsApp, Teams, Zoom, or Skype.

Likewise, evidence can be overlooked in one of the most common phone apps: the camera. Consider how many documents you have quickly photographed, messages that you have “screenshotted”, and images that you have saved to your camera roll. Some valuable metadata to be harvested from the camera can include whether a picture originated from the device or was imported from elsewhere, the created time, modified time, capture time, capture device, capture location, resolution, and deleted status.

Custodians often conceal certain accounts and applications that may have been in use at the time of interest. But by looking at the digital identifiers on the device, a digital forensic specialist can locate the list of associated accounts (cloud, applications, etc.) that you will need for a complete collection. Common areas that pop up are:

  • Third-Party Messaging Apps. WhatsApp, Snapchat, and more recently Telegram, are apps that have been elusive in mobile forensics. Capturing ephemeral (or “disappearing”) messages will be dependent on the level of export you can obtain from the phone (see below for details). A full file dump can often indicate the message exists, but not its content.
  • Application Usage. Metadata includes the application name, installation time, uninstall time, and usage time. Was the custodian removing apps before turning the device over? How long was the custodian using message-concealing apps? Have conversations been spread across different chat applications?
  • Location Data. GPS based? Wi-Fi based? Cell-tower based? When? The interplay of sources of location data can be illustrative of activity over time and paint a clear picture of a custodian’s behaviors.
  • Web Search and History Content. Web URL, site title, searched content. Metadata can include: When? How long? What browser (e.g., Safari, Chrome)? People may reveal intentions in their browsing history, particularly if a timely search indicated an intent related to a legal cause of action.

Significantly, each of these separate artifacts can be woven together, illuminating a comprehensive timeline of events: e.g., first the custodian placed a call to a person of interest, then proceeded to run Google searches using keywords of interest, etc.

How does Capsicum ensure a custodian’s privacy will be respected in a mobile device collection?

While courts are seemingly growing more liberal about digging into cell phone data, custodians are often, and unsurprisingly, less thrilled about the prospect of having a forensic expert peek under the covers of their personal data. While forensic tools are simplifying the extraction and review process, custodians and phone manufacturers continue to take steps to hunker down and hold on to the semblance of privacy. Add to this the changing culture around instant messages, including ephemeral messages, communicating using animated facial reactions, and the ever-elusive and evolving meaning of emojis. The tension between these two interests will likely keep the industry on shifting sands for the foreseeable future.

The primary way to ensure privacy is to bifurcate the data that is obtained by the forensic collection from what is ultimately reviewed. This can mean only certain, partial data is obtained from the device, although this can diminish the soundness of the data collection. Alternatively, the entire data set can be collected, and the complete set can be culled and filtered using relevant forensics tools (including date filters and others). Selective data decoding can be run against the entire dataset, which can group related data and result in the production of only the relevant dataset to the reviewer.
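As an added illustration (not Capsicum’s code or any forensic tool’s output) of two points above, weaving separate artifacts into one timeline and then culling the complete collection down to a review window, the following Python runs over constructed call, message, photo and browsing records; the record shapes, field names and values are assumptions for the example.

```python
"""Added example: merge constructed mobile artifacts into one timeline,
then cull the full set to a date window (and optional artifact kinds)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Artifact:
    ts: datetime            # UTC timestamp of the event
    kind: str               # call, message, photo or web
    detail: str             # one-line description for the reviewer
    deleted: bool = False   # deletion status carried over from the source


def utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample records, shaped like what a decoding tool might emit.
CALLS = [  # (timestamp, counterpart, direction, seconds, source app, deleted)
    ("2023-03-01T09:02:00", "+15550100", "outgoing", 95, "Phone", False),
    ("2023-03-04T18:40:00", "+15550100", "incoming", 0, "WhatsApp", True),
]
MESSAGES = [  # (timestamp, chat title, sender, read, deleted)
    ("2023-03-01T09:10:00", "Project X", "+15550100", True, False),
]
PHOTOS = [  # (capture time, origin, resolution, deleted)
    ("2023-03-01T09:15:00", "device", "4032x3024", False),
]
WEB = [  # (timestamp, browser, URL)
    ("2023-03-01T09:05:00", "Safari", "https://example.com/search?q=retention+policy"),
]


def build_timeline() -> list:
    """The complete collection: every artifact, ordered by time."""
    items = [Artifact(utc(t), "call", f"{d} call with {c}, {s}s via {app}", dl)
             for t, c, d, s, app, dl in CALLS]
    items += [Artifact(utc(t), "message", f"'{chat}' from {snd}, read={r}", dl)
              for t, chat, snd, r, dl in MESSAGES]
    items += [Artifact(utc(t), "photo", f"{o} photo {res}", dl) for t, o, res, dl in PHOTOS]
    items += [Artifact(utc(t), "web", f"{b}: {u}") for t, b, u in WEB]
    return sorted(items, key=lambda a: a.ts)


def cull(timeline, start: str, end: str, kinds=None) -> list:
    """Reduce the full set to the review scope: a date window and, optionally,
    artifact kinds. Deleted items are kept; the deletion flag is itself evidence."""
    lo, hi = utc(start), utc(end)
    return [a for a in timeline if lo <= a.ts <= hi and (kinds is None or a.kind in kinds)]


if __name__ == "__main__":
    for a in cull(build_timeline(), "2023-03-01T00:00:00", "2023-03-01T23:59:59"):
        print(a.ts.isoformat(), a.kind, a.detail, "(deleted)" if a.deleted else "")
```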

The common solution to these privacy considerations is to involve an invested team of forensic specialists and eDiscovery professionals who will look at the data and ensure the parameters are appropriate for your case.