An Introduction to Mobile Forensics (Part Three)

Written By

Michael Neher

To effectively harness and present the data within mobile devices, you need to understand what data is found on the device, the different types of acquisition options available, and the various challenges presented in preserving and processing.

In the final part of our three-part series, we look at the different technical processes for acquiring data from a mobile device and the types of data implicated by different methods.

How do you get the data you need?

There are different approaches to and key considerations for extracting information from mobile devices. When dealing with mobile devices, there are varying layers of information that can be acquired.

On the most surface level, a digital forensics examiner can manually access the user interface to acquire information from the device. In practice, this means accessing the phone in the same manner that a casual user would and taking screenshots of the information available. While this is straightforward and does not require industry tools or expertise, it is also more susceptible to falsification and lacks the corroborating metadata, diminishing the persuasive authority and the evidentiary impact.

Going a step further would be a logical dump or an extraction of the directories and files available on the local storage within the mobile device. When an investigation requires call logs, address book contacts, SMS, pictures, video, audio recordings, and music files, the logical dump option will likely suffice. Logical extractions will be limited based upon the restrictions on a device. This means that some files will be unavailable as a result of the system API, including deleted items because they are not stored in the system files. Still, logical acquisition can be preferable in some scenarios as it will provide the extracted data in a logical and thus user-friendly format.

To go deeper than the file structure, the next option is a file system dump. With a file system dump, forensic examiners target the underlying database file of information within the phone. In addition to the folder structure obtained in a logical dump, a file system dump can give additional insight into Internet history and app usage. This database will also feature files that have been marked as deleted, but because they are not overwritten, they can still be identified. In such a case, it would be possible to recover deleted information with computer forensic tools.

In a recent development, mobile forensics specialists are now able to obtain a full file system dump of an iPhone or Android, something that would have been a tall order in years past. Before, examiners were limited to a logical dump, essentially an iCloud backup, but with a full file system. Accordingly, expect more evidence to be brought forth from iOS and Android devices That said, there may be some risks with these collections, including being unable to boot the iPhone device following the collection, or the risk that the iPhone will be jailbroken (although there is always a small chance of bricking any device with any extractions).

Finally, with a physical dump, a forensic specialist will pull down the file structure and a bit-by-bit copy of the device's memory. Accordingly, we not only acquire all available files for logical acquisition but all the data from a device; meaning a physical dump contains both allocated and unallocated space. Because the data is acquired in a raw format, we need additional parsers for different file systems to read and work with the data. If you are striving to uncover deleted data in unallocated space, a physical dump will provide the highest probability of uncovering deleted data in the captured unallocated space.

Another consideration for how the data is acquired is the physical condition of the mobile device. Often, we encounter varying degrees of damaged phones, ranging from a broken port to completely nonresponsive devices that no longer power on. Our experts navigate these issues by using forensic tools, hardware, and software, to bypass and access the data stored on the device.  

In many cases, the data available will depend on the type of extraction you can obtain. A file system dump may not include application files that a full system dump may contain, and the most comprehensive in most cases is the physical dump. Currently, improvements in forensics tools are allowing a much greater range of information from mobile devices.

Regardless of how the data is obtained, the goal in most cases is to be able to proffer forensically sound, reliable evidence to present in a legal proceeding. As with any forensics investigation, there are multiple approaches to acquiring and analyzing mobile device data. Accordingly, to obtain accurate and reliable results, you should always engage an experienced forensic examiner to ensure proper, forensically sound, and legally defensible methods are employed.