It’s safe to say that most of the world’s adult (and child) population owns or has access to a mobile phone. These devices capture all kinds of private and sensitive data, some of it generated by the user and some by an app or by the device itself.
But data is inherently fragile and can easily and inadvertently be deleted or overwritten when inappropriate collection methods are used. Unreliable scraping tools and forensic methods in the hands of ill-prepared practitioners can create authentication problems and, in the worst case, destroy or alter data, opening the door to a spoliation motion.
When it comes to mobile devices, the best method is one that is forensically sound and provides lawyers with the tools and data needed to authenticate individual pieces of evidence. A mobile device can reveal key information during a forensic collection, including dates, times, locations, and the people a user communicates with, inside or outside an organization.
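The simplest building block of a forensically sound collection is an integrity record: every file in the acquired image is hashed at collection time, the manifest is recorded on the chain-of-custody form, and the same hashes are recomputed before the evidence is authenticated. The following is an added example, not code from the original article or from any forensic tool; the directory layout, file contents and file names are constructed here purely to show the check working and then failing when a file is altered after collection.

```python
"""Integrity manifest for a collected image directory.

Added example, not from the original article. The sample files below are
constructed; in practice the root is the examiner's tool output directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root; keys are POSIX paths relative to root."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            entries[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    # One hash over the canonical manifest is the value to write on the custody form.
    canonical = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "manifest_sha256": hashlib.sha256(canonical).hexdigest()}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Recompute hashes and report modified, missing and unexpected files."""
    expected = manifest["files"]
    actual = build_manifest(root)["files"]
    modified = [k for k in expected if k in actual and actual[k]["sha256"] != expected[k]["sha256"]]
    missing = [k for k in expected if k not in actual]
    added = [k for k in actual if k not in expected]
    return {"ok": not (modified or missing or added),
            "modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Constructed collection: two artifact files; one is edited after the manifest is taken."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Library" / "SMS").mkdir(parents=True)
        (root / "Library" / "SMS" / "sms.db").write_bytes(b"constructed sample, not a real database")
        (root / "notes.txt").write_text("constructed sample")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)          # unchanged: ok
        (root / "notes.txt").write_text("constructed sample, edited after collection")
        tampered = verify_manifest(root, manifest)       # notes.txt now reported as modified
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Per-file hashes, rather than a single hash over the whole image, are what let counsel authenticate an individual artifact (one database, one attachment) without re-hashing the entire collection; the manifest hash ties the per-file list itself to the custody record.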
That said, not all mobile devices are created equal. Apple iPhones and Android phones behave differently, and what can or cannot be collected often depends on the underlying operating system.
Ninety-eight percent of cell phone users have an iPhone or Android device. Both platforms have their own challenges: multiple device models, various operating system versions, and constant updates. As devices and operating systems are updated to become more secure and gain functionality, digital forensic tooling has to be updated to keep pace.
The iPhone is the more user-friendly of the two, as several options are available to collect a complete image from the device. Unlike an Android device, however, an iPhone cannot be asked for specific types of data in isolation: the collection is a complete image, and individual artifacts are parsed out of it afterwards. Text messages, for example, cannot be targeted on their own; they are extracted from the full image.
The iPhone, like any computer, reuses the storage occupied by data the user has deleted, and later versions of the iPhone operating system reclaim that space more aggressively, so deleted data is overwritten sooner. When it comes to retention and collection, knowing that deleted mobile data is quickly overwritten can mean the difference between recovering a deleted message and losing it. Whether deleted data still exists at the time of collection depends mainly on the passage of time, how much data has been written to the device since the deletion, and whether software updates have been applied. Even then, deleted data that can be restored is often incomplete.
Collecting mobile devices also presents a logistical challenge, as no one wants to be without their phone for any length of time. There are three options for collecting mobile devices, and they are the same three options as for any data source: at a digital forensics lab, on-site with a digital forensics examiner, or with a remote collection kit sent directly to the owner or administrator of the phone.
For iPhones, you can also collect from an iTunes (or Finder) backup or from iCloud. These options are sometimes useful when deleted data is involved, since an earlier backup may still hold data that has since been deleted from the device.
Android devices run on Google’s ecosystem, but there are many hardware choices from multiple manufacturers. Another challenge with Android is that the operating system is open source, which means manufacturers and users can modify it and the device. Changes can include adding storage via a microSD card or changing how and where the device stores data. This can present significant challenges for digital forensic examiners during a collection.
Unlike iPhone, Android collections can target specific data sets. For example, if you only need text messages, or messages from another application stored on the phone, these can be surgically collected. But remember, no one wants to be without their phone, so collecting all the data the first time is the most efficient use of your client’s time and money.
A common problem with mobile messaging apps is how to review a conversation outside of the device. On the device, messages appear in colored bubbles that clearly identify the sender and the conversation thread. Once the messages are exported from the device, the bubbles and colors disappear and the thread appears as rows in a spreadsheet or another reporting format that is hard to read.
Using a review platform such as Relativity can help. With scripts, a more readable report is generated in which the reviewer can follow the message thread and see the colors and bubbles, restoring the conversation to a view similar to how it existed on the mobile device.
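What such a script does is mechanical: group the flat rows by thread, re-sort each thread by the device timestamp (export order is rarely conversation order), and lay the messages out so direction and sender are visible at a glance. The following is an added example, not code from the article, from Relativity or from any forensic tool; the column names, the export rows and the text layout are constructed assumptions standing in for whatever format a given tool produces.

```python
"""Rebuild readable conversation threads from a flat message export.

Added example, not from the original article. The CSV columns and sample
rows are constructed; a real tool's export will have its own column names.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed export: one row per message, deliberately out of time order,
# as a flat spreadsheet-style report hands them to a reviewer.
SAMPLE_EXPORT = """thread_id,timestamp,sender,direction,body
A1,2024-03-02T09:15:00,+15551230001,incoming,Did the contract go out?
A1,2024-03-02T09:17:30,owner,outgoing,Yes sent last night
B7,2024-03-02T10:05:00,+15559870002,incoming,Lunch?
A1,2024-03-02T09:16:10,+15551230001,incoming,Also the NDA
"""


def parse_export(text: str) -> list:
    """Read the flat export and turn timestamps into datetimes for sorting."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    return rows


def build_threads(rows: list) -> dict:
    """Group messages by thread and restore device order within each thread."""
    threads = defaultdict(list)
    for r in rows:
        threads[r["thread_id"]].append(r)
    for msgs in threads.values():
        msgs.sort(key=lambda r: r["timestamp"])
    return dict(threads)


def render_thread(msgs: list, width: int = 60) -> str:
    """Text stand-in for bubbles: outgoing right-aligned, incoming left-aligned."""
    lines = []
    for m in msgs:
        stamp = m["timestamp"].strftime("%Y-%m-%d %H:%M")
        bubble = f"[{m['sender']} {stamp}] {m['body']}"
        lines.append(bubble.rjust(width) if m["direction"] == "outgoing" else bubble)
    return "\n".join(lines)


def render_report(text: str) -> str:
    """Full report: every thread in stable order, each with its message count."""
    threads = build_threads(parse_export(text))
    parts = []
    for tid in sorted(threads):
        parts.append(f"=== Thread {tid} ({len(threads[tid])} messages) ===")
        parts.append(render_thread(threads[tid]))
    return "\n".join(parts)


if __name__ == "__main__":
    print(render_report(SAMPLE_EXPORT))
```

Sorting on the device timestamp rather than on export row order is the step that matters for authentication: a reviewer who reads the rows as exported would see the reply before the message it answers.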
Ephemeral messages, generated on platforms such as WhatsApp, Telegram, WeChat and Signal, can quickly disappear, either manually or automatically. These apps are used by both Apple iOS and Android users. What makes the messages ephemeral is that the user can choose to have them deleted automatically after a set amount of time; users can also delete them manually. Once that option is set or the action is taken, the messages are deleted and generally cannot be recovered from the device.
In WhatsApp, for example, we can collect data from the device itself, but where the data has been deleted from the device there are options to potentially collect it from the cloud, using cloud-based exports and API connectors.
Every app is different: some apps store data on the device, while others store data only in the cloud. A number of factors determine whether a collection from these types of apps succeeds; after all, they were designed so that data would be read and deleted without leaving artifacts or remnants behind.
Mobile devices abound, and while collecting them can be difficult, they contain a significant amount of evidence and should always be requested in discovery. Preserving the device early and having a digital forensic examiner create a preservation image of it is good practice, and keep in mind that a mobile device is the main gateway to a wealth of information in the cloud.