1

Mobile Device Investigations:

From Android to iPhone and Back

February 2017

2

Agenda

Introduction to Mobile Forensics

Mobile device 101

Different types of mobile devices

Preservation of data on mobile devices

Demonstration

Reporting and extracting

Demonstration

Searching and filtering

Demonstration

Preservation of data on mobile

Reporting and extracting

Searching and filtering

3

PearCo: Professional Personnel Recruitment

PearCo specializes in temporary employment services and is the industry leader due to its web-based infrastructure. PearCo’s website allows large companies to quickly find eager-to-work temporary employees.

PearCo’s CFO, Tyler Mueller, was discovered using PearCo’s recruitment services.Mr. Mueller and Carmen Fitz, PearCo’s CMO, meet once a month with a board of directors, but rarely outside of that meeting as the company is purely web-based.

As of late, Ms. Fitz has made complaints to PearCo’s HR department as she has received suggestive text messages from an unknown number. She has her suspicions that Mr. Mueller is behind the screen, as the mystery texter ends their messages with the same clever quote that is on Mr. Mueller’s work emails.

PearCo’s board of directors wants to learn more about the issue, and is willing to hand over Mr. Mueller’s and Ms. Fitz’ individual phones and laptops, which are company owned, to investigate the claims.

Hypothetical: Workplace Harassment Investigation

How can mobile forensics help?

4

Where to Start in an Investigation?

KNOWN

Follow the path

UNKNOWN

Time period when the text

messages were sento Carrier of the specific

number

o Content from Ms. Fitz’

deleted messages

o Whether or not photos

were sent

5

Mobile Device 101

Mobile devices store data in various applications in their operating systems

Consider the disparate nature of mobile data at the outset

Mobile devices offer a

variety of texting

options, including SMS,

MMS, Face Time,

Messenger, and

iMessage, among

others.

Each of these

messaging options

store content in

different locations on

the mobile device and

function in a slightly

different manner.

6

Mobile Device TypesA mobile ecosystem is growing and diversifying

International

• Different power considerations

• Subscription connectivity (texting apps)

Legacy

• Flip phones

• Old PDAs

Uncommon

• Pre-Paid phones aka “Burner phones”

Mainstream

• Android

• Apple

• Samsung

Cables and connectors:

We have binders and binders

of cords in order to access the

more complicated devices

Devices of the past could only manage a few

tasks, now phones are more agile than most

computers—all of that evidence may need to

be collected

7

Preservation of Data

Where is the data you are backing up?

• Requires phone in hand to administer forensics

Logical/Physical

• Whether on a laptop or removable media (external hard drive)

Backups

• Remote access, and is typically iTunes which requires a password

Cloud

8

Accessing Mobile Data

Collection from mobile devices generally requires an onsite collection

from a forensic collections engineer

Authorized, physical access to devices is typically necessary

Extraction attempts, including attempts to

recover deleted content, require

passwords, PIN numbers, or swipe

patterns to gain access to the device

The device is recommended to be

unencrypted and free from any mobile

device management software that would

prevent access to the device

Although these barriers may stunt

forensics, there are tools to get around

some encryptions

9

Preservation Demo

Preservation of mobile data

Reporting and extracting

Searching and filtering

10

Reporting and Extracting

Mobile devices are like a collection of databases that work together to present

data to the users

There is a disconnect between what you see when you have a phone in your

hand and what the report looks like after the extraction

Forensic tools have attempted to present the data in a human way through excel,

pdfs, html, or extraction into discreet files like a text thread into a text file

Forensics experts and attorneys need to understand the demands of both

binary data reports and the juries or judges who will view the evidence

What’s next?

11

Reporting and Extracting

Deleted data, lost cause?

Generally speaking, when a text message is deleted, the data may still be accessible on the device for a short time

Recovery is limited to the data that remains in the mobile device databases

The amount that is recoverable varies greatly by device and depends on the software that is used to attempt the recovery

There are a number of ways data can be unattainable:

Factory resets on a mobile phone

Destroyed phone

Remote wipe Some applications can erase data

after the phone has been confiscated

Faraday bags or putting the phone on airplane mode can block remote signals being sent to the phone

12

Reporting and Extracting Demo

Preservation of data on mobile

Reporting and extracting

Searching and filtering

13

Searching and Filtering

What was the export choice and why did you make it?

Native file and excel must work in tandem to coordinate high responsiveness

Addressing the needs of the investigation

ExcelNative files Great for early case review as an inventory is

given

Filtering makes it easy to work with the entirety of the information on the device that is recoverable

But if you do a discovery project with an excel file, you are taking everything together and it may be difficult to gauge responsiveness

Great for processing to review because the conversation threads are together as one thread remains intact as a separate file

Must load things to review so you can do the relationship searches, then look to the excel to authenticate

But family relationships are not kept for example: An mage with a text, as a family is responsive, however in native extraction that family relationship isn’t intact because of the MMS/SMS distinction

Responsiveness

14

Searching and Filtering Demo

Preservation of data on mobile

Reporting and extracting

Searching and filtering

15

Questions?

16

Jason Bergerson

Technological professional with over

20 years of experience performing

data recoveries, collections, forensic

analyses, expert reports and testimony

in hundreds of cases and on

thousands of pieces of media

Contact:jbergerson@krollontrack.com

Website: http://www.ediscovery.com/consulting/jason

-bergerson/

Director, Consulting Operations, Kroll Ontrack