MOBILE FORENSICS

The data held on mobile/cell phones is often the key to solving a crime. Mobile Device Forensics (MF) is an interdisciplinary field consisting of forensic techniques applied to a wide range of mobile devices, such as cell phones, tablets and GPS units.

The Digital Investigations team analyzes all mobile device data, using state-of-the-art tools and utilities to provide you with the necessary evidence in the shortest amount of time, since time is of the essence during investigations.

The mobile forensics process has three main categories: Seizure, Acquisition and Examination/Analysis.

SEIZURE AS EVIDENCE

The Digital Investigations team faces a different kind of challenge when seizing a mobile device as a source of evidence. The device in question (i.e. the device that holds critical data, has taken part in a crime, etc.) must first be identified, and parameters such as the state of the device (on or off), screen information, ownership, handsets and SIM card holders must be collected and documented. The device should then be placed in a sealed evidence bag.

However, leaving the phone in operation carries another risk, since the device may still be able to initiate a network connection. This means that new incoming data may overwrite evidence. To overcome that, our team will render the device unusable by locking the touch screen and/or keypad.

Once the device is properly filed as evidence, forensic tools will be applied to retrieve and analyze the data stored on the phone.

ACQUISITION OF DATA

Mobile device forensic data retrieval can be performed using a variety of tools. Each tool uses its own proprietary data extraction method. Should one tool fail, another will be applied. Multiple attempts and/or tools may be necessary in order to extract as much data as possible from the mobile device.

A Logical Extraction is generally easier to work with, as it does not produce a large amount of unallocated data.
In the case of a File System Extraction, it is possible to recover deleted information regarding the file system structure, web-browsing history, app usage, etc.


Finally, the Physical Extraction is the hardest way to extract data, but it can produce better results. Full completion of this process may give the forensic investigator full access to the mobile device.

The Physical Extraction method is split into two steps: the dumping phase (extraction of the raw data, including unallocated space) and the decoding phase (reconstructing usable files and records from the extracted data).
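The decoding phase described above starts from a raw dump in which deleted material may still sit in unallocated space. As an added illustration that is not part of this page, the Python below carves two common file signatures (the 16-byte SQLite 3 header string and the JPEG start-of-image marker) out of a constructed dump, separates hits that lie beyond the allocated region, and reads the page size from a carved SQLite header. The dump layout, the offsets and the `ALLOCATED_END` boundary are constructed for the example.

```python
import struct

# Signatures of file types commonly carved from unallocated flash space.
SIGNATURES = {
    "sqlite": b"SQLite format 3\x00",  # SQLite 3 database header string
    "jpeg": b"\xff\xd8\xff",           # JPEG start-of-image marker
}

# Constructed boundary: everything at or past this offset is treated as
# unallocated space in the sample dump below.
ALLOCATED_END = 128


def carve(dump: bytes, signatures=SIGNATURES):
    """Return (offset, kind) for every signature occurrence, sorted by offset."""
    hits = []
    for kind, magic in signatures.items():
        start = 0
        while True:
            off = dump.find(magic, start)
            if off == -1:
                break
            hits.append((off, kind))
            start = off + 1
    return sorted(hits)


def unallocated_hits(hits, allocated_end):
    """Keep only hits that lie in unallocated space: candidates for deleted data."""
    return [h for h in hits if h[0] >= allocated_end]


def sqlite_page_size(dump: bytes, off: int) -> int:
    """Page size from a SQLite header at `off`: bytes 16-17, big-endian, 1 means 65536."""
    size = struct.unpack_from(">H", dump, off + 16)[0]
    return 65536 if size == 1 else size


def build_sample_dump() -> bytes:
    """Constructed raw dump: an allocated region followed by erased flash (0xff)
    holding a deleted SQLite database header and a small JPEG."""
    allocated = b"\x00" * 64 + b"allocated file data" + b"\x00" * 45  # 128 bytes
    db_header = b"SQLite format 3\x00" + struct.pack(">H", 4096) + b"\x01\x01\x00\x40\x20\x20"
    deleted_db = db_header.ljust(100, b"\x00") + b"user messages table rows..."
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
    return allocated + b"\xff" * 32 + deleted_db + b"\xff" * 16 + jpeg


if __name__ == "__main__":
    dump = build_sample_dump()
    for off, kind in unallocated_hits(carve(dump), ALLOCATED_END):
        extra = f", page size {sqlite_page_size(dump, off)}" if kind == "sqlite" else ""
        print(f"{kind} at offset {off}{extra}")
```

A real decoding step would go on to parse the carved database pages or walk the file system metadata; the point here is only that signature carving over the whole dump, rather than over allocated files, is what makes the deleted material visible.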

EXAMINATION/ANALYSIS

Mobile devices are dynamic systems that present a lot of challenges to the examiner in extracting and analyzing digital evidence. Mobile devices are continuously evolving as existing technologies progress and new technologies are introduced.


A variety of embedded operating systems can be found among mobile devices. The Digital Investigations forensic team has the know-how and skills required to examine and analyze these devices.


Evidence extraction and forensic examination may differ from one mobile device to another. In some cases not only CELLEBRITE (a powerful forensic tool) but also other forensic tools may be used, so that their results can be compared. In any case, by following a well-documented examination process, the forensic examiner ensures that the evidence extracted from any device is reproducible and can withstand cross-examination in court.

REPORTING ANALYSIS

The forensic examiner is required to keep contemporaneous notes throughout the examination process, recording what was done during the acquisition and examination.

The examiner's notes and documentation may include information such as the following:

  • Examination Start date and time

  • Physical condition of the device

  • Photos of the device

  • Device status when received (turned on or off)

  • Tools used for the acquisition and data extraction

  • Tools used for the examination

  • Notes from peer-reviews
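The reproducibility mentioned under Examination/Analysis and the notes listed above are usually tied together by hashing: the acquired image is fingerprinted at acquisition time, a later extraction is checked against that fingerprint, and the notes themselves are kept tamper-evident. The Python below is an added example, not code from this page or from any forensic product; the record field names, the case identifier, the tool name and the note text are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an acquired image or any byte string."""
    return hashlib.sha256(data).hexdigest()


def acquisition_record(case_id, device_status, tools, image: bytes, started_at: datetime):
    """Note entry for one acquisition; the field names are this example's own choice."""
    return {
        "case_id": case_id,
        "examination_start": started_at.isoformat(),
        "device_status_on_receipt": device_status,
        "acquisition_tools": list(tools),
        "image_size_bytes": len(image),
        "image_sha256": sha256_hex(image),
    }


def verify_reacquisition(record, image: bytes) -> bool:
    """True if a later extraction reproduces the image recorded in the notes."""
    return hmac.compare_digest(record["image_sha256"], sha256_hex(image))


def append_note(log, entry):
    """Append an entry whose hash covers the previous entry's hash, so that
    editing or reordering earlier notes is detectable."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = json.dumps(entry, sort_keys=True)
    log.append({"prev_hash": prev, "entry": entry,
                "entry_hash": sha256_hex((prev + body).encode())})
    return log


def verify_log(log) -> bool:
    """Recompute the chain from the first entry; False on any altered entry."""
    prev = "0" * 64
    for item in log:
        body = json.dumps(item["entry"], sort_keys=True)
        if item["prev_hash"] != prev or item["entry_hash"] != sha256_hex((prev + body).encode()):
            return False
        prev = item["entry_hash"]
    return True


def demo():
    """Build a constructed image and a short set of contemporaneous notes."""
    image = bytes(range(256)) * 16                      # constructed stand-in for an acquired image
    start = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)  # constructed start time
    rec = acquisition_record("CASE-EXAMPLE-001", "powered off",
                             ["extraction tool A (hypothetical)"], image, start)
    log = []
    append_note(log, {"event": "device received", "physical_condition": "screen intact, no visible damage"})
    append_note(log, {"event": "acquisition", **rec})
    append_note(log, {"event": "peer review", "note": "hash of image confirmed by second examiner"})
    return rec, log, image


if __name__ == "__main__":
    rec, log, image = demo()
    print("image sha256:", rec["image_sha256"])
    print("re-acquisition matches:", verify_reacquisition(rec, image))
    print("notes chain intact:", verify_log(log))
```

The image hash is what a second examiner, or a second tool, compares against; the chained note hashes are what lets the notes be presented as an unaltered record of the order in which steps were taken.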