Mobile Forensics: How Digital Forensics Experts Extract Data from Phones

Perhaps nothing has changed the modern investigative procedure as much as mobile forensics. A subset of digital forensics, mobile forensics involves the retrieval of data from a mobile device, typically a cell phone or tablet, but potentially a smartwatch, camera, GPS device, or drone. With over 400 million mobile-cellular subscriptions in the United States today, it’s now unusual for a modern investigation to not involve mobile forensics in some fashion.

“When it comes to investigations, those devices are key,” says Mario Merendon, a computer forensic investigator for Denton County Criminal District Attorney’s Office and the mobile device forensics chairman for the International Association of Computer Investigative Specialists (IACIS). “The type of information that these devices hold helps us piece together a timeline of events. That timeline can give us a full picture of a conversation. It can give us the motive of a crime. It can give us location data. Compared to what was available to assist in solving crimes ten years ago, there’s just a vast amount of information that these mobile devices now hold.”

Mobile forensics is a complicated discipline. Today’s mobile forensics experts need to be trained in the best practices of mobile forensics and investigative procedure, but they also need to stay abreast of the changes and characteristics in cutting-edge technology.

“One of the biggest challenges we’re facing right now is the various types of encryption that each phone has,” Merendon says. “Different software and different operating systems have different go-to encryptions, whether it’s full-disk encryption, or file-based encryption, or password-protected devices. If we’re faced with that type of obstacle, then we have to explore different routes in order to extract that data.”

The complexity of the discipline extends beyond encryption. The proper procedure for investigating an Android phone may not be the same for investigating an Apple phone, and differences in software patches and network connectivity must be accounted for during a mobile forensics investigation. Two different phones seized on two different days may both have the same app, but an investigator’s level of access to the information in that app may be drastically different.

“What we have to do is learn to not solely depend on a single forensic tool, because it will be behind the curve in decoding certain applications,” Merendon says. “The more training that we have in recognizing behind the scenes how a phone works and how databases are created and put together, [the more] we’re able to dig in and get information without having to solely depend on the decoding of a particular forensic tool.”

There’s no one-size-fits-all approach to mobile forensics, as each investigation will have its own unique characteristics—that’s why training programs at IACIS focus on tool-agnostic skills. However, there is a somewhat standard process for mobile forensics: data needs to be seized, retrieved, and analyzed in a forensically sound manner. This ensures that evidence is collected in a way that ensures chain-of-evidence processes and avoids modification or destruction of the data in question.

Mobile Forensics Phase 1: Seizure

When a mobile device is seized, it usually needs to be isolated from the network, to prevent incoming data from overwriting older data. It can then be transported in a Faraday cage or a specialized Faraday bag. The seized device can also be placed in airplane mode (with Wi-Fi disabled), or the SIM card cloned, as circumstances dictate.

Ideally, the device should be seized while awake and unlocked and should be kept on at all times. In the case of a locked device, it’s important to remember that while PIN codes are protected by the 5th amendment, fingerprints may not be.

Mobile Forensics Phase 3: Analysis

Once the data has been acquired, mobile forensics experts will need to analyze it. But a typical smartphone has 64GB of internal storage, which amounts to approximately 33,500 reams of paper. Within that astronomical amount of data, the critical piece of evidence could be both tiny and innocuous: missed calls can be as important as sent text messages, discarded email drafts as important as selfies.

“Depending on the type of case, we may be interested in only a certain category of data,” Merendon says. “In child abuse cases, for example, we’re very interested in web search histories and pictures. When we’re only looking at certain categories, we’re able to filter out the other things we don’t need to look at.”

In big cases, though, where many different categories of data are potentially of interest—chats, pictures, contacts—the process can be much more time-intensive. To combat that swamp of data requires multiple technical solutions.

Each forensics tool comes with different analytic features, some in the form of timeline viewing and link analysis to aid data visualization for the forensic investigator. Further keyword search and targeted filtering can make the murky waters of data analysis a little more transparent and a little more shallow.

In any event, a mobile forensics investigator will likely need to be proficient with more than one analytical tool, and well-trained in preserving a proper chain of evidence.

The Future of Mobile Forensics

Mobile forensics is a rapidly evolving field—one that needs to keep pace with the innovations of the tech industry at large. The market share of certain hardware as well as certain operating systems can fluctuate significantly over a short timespan, changing the tools and procedures that mobile forensics need to use in order to acquire and analyze a smartphone’s data.

Additional security measures, such as two-factor authentication on cloud-stored data and an increasing level of base-layer encryption, add further layers of complexity. New generations of analytical toolkits and overlapping laws around jurisdiction call for today’s mobile forensics investigator to be expertly trained.

“A lot of colleges now are offering bachelor’s and master’s degrees in computer forensics,” Merendon says. “Some of our examiners have industry certifications, and then college degrees on top of it. Others come from a law enforcement background. It all ties in together—investigative skills along with computer certifications—to help pinpoint the type of information we need to solve crimes.”

Mobile forensics isn’t just about catching criminals, though. Merendon and his colleagues often use their mobile forensics skills on behalf of victims, too. The learning curve of mobile forensics may be high, but so are the stakes: truth and justice may be just a few clicks away.

“It’s an exciting career, and it’s very rewarding to work behind the scenes,” Merendon says. “To those who find themselves being tech-savvy, and also wanting to make a difference through everyday life and for victims of crimes, this is an excellent and growing career option.”