Difficult Devices: Mobile Edition

Thursday, October 19, 2017

As a follow-on to some of my shorter blog posts on both difficult devices and difficult data, we now move to mobile devices and the challenges they present.  I wrote an article about the difficulties that mobile chats pose to investigations, and a white paper about investigative techniques, mobile device management, and the volatility of mobile device data, and now offer additional situations and challenges for your consideration.

Often, the “features” touted by handset manufacturers are in fact an impediment, as far as disclosure/discovery are concerned. Mobile device security has evolved beyond the rigidity of Blackberry, and now coexists alongside the sleek and shiny user experience offered by Samsung, Apple and others. Usability and convenience are no longer detached from privacy and security-by-design implementations, and the notion that a Blackberry is much more secure than an iPhone, for instance, is now much harder to defend.

As consumers, we should all love these features; if you left your mobile on the Tube here in London, wouldn’t you rest easier knowing it’s not going to be accessed or exploited? And yet, these same security features create a variety of challenges for Forensic Examiners and eDisclosure practitioners alike. I’ve broken some of the key considerations out into categories below.

Unlocking the Handset

The main screen (or “home screen”) of the device is the first barrier to entry for the user, potential thieves, and yes, even Forensic Examiners. As phones evolve, methods for user authentication are subject to improvement, but the following are the norms, with newer implementations in italics.

  • Passcode (standard phrase, letters and/or numbers)
  • Swipe pattern (Android devices) – this is where the passcode is drawn as a small shape.
  • Fingerprint identification (‘Touch ID’ on Apple devices)
  • Facial recognition

The majority of popular devices require knowledge of the home screen passcodes to further exploit or interrogate their content. This is particularly true for Apple devices; however, there is another, large subset of devices on the market, of all breeds (LG, Samsung, HTC etc.), which allow the home screen passcode to be bypassed – in other words, no passcode? No problem! This is typically accomplished by loading a piece of code onto the handset directly, which can be done by booting the phone in a certain way. Once launched, the code exploits vulnerabilities in the handset’s software and firmware so you can access its content without having entered the PIN.

Once you get past the password screen, one way to access whatever evidence the device might hold is to acquire its backup. Another way is to directly access the contents, including files, folders, and applications. However, devices often present another significant barrier to data acquisition: namely, device encryption. To wit, the backup might be encrypted, the whole device might be encrypted, or individual applications and/or files might be encrypted.

So-called “handset encryption” encapsulates the whole device in a cryptographic scramble, while application- and file-level encryption happens at a more exploitable level.

Think of the handset and its elements as a series of nested boxes. The biggest box is the handset itself and its NAND chip(s) or SD cards, which provide data storage. Within that is a smaller box: the device’s operating system, be it an Android variant, an Apple iOS, or what have you. Within the OS, applications such as your texting platform, and individual files – photos, emails, SMS messages and the like – are represented as even smaller boxes. The advantage here, for the Forensic Examiner, is that you may not have to decrypt the entire device simply to get a look at files, pictures, and text messages which might comprise important evidence.
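The two preceding paragraphs make the practical point that an examiner should first establish which of the nested boxes is locked before deciding how to acquire anything: the backup, the handset, or the individual files inside it. As an added illustration (not code from the original post or its author), the Python below triages an iTunes/Finder-style iOS backup folder by reading its Manifest.plist, which records whether the backup itself is encrypted (the IsEncrypted flag and the presence of a BackupKeyBag), the device details under the Lockdown dictionary, and the installed applications. Those key names are taken from the author's own experience with such backups rather than from the post, so treat them as assumptions; the sample manifest is constructed in a temporary directory so the script runs offline.

```python
import os
import plistlib
import tempfile
from typing import Any, Dict


def build_sample_backup(root: str, encrypted: bool) -> str:
    """Write a constructed Manifest.plist into `root` and return the backup dir.

    Key names mirror those seen in iTunes/Finder-style iOS backups (an
    assumption of this example, not something the blog post documents).
    All device values are constructed placeholders.
    """
    manifest: Dict[str, Any] = {
        "Version": "10.0",
        "IsEncrypted": encrypted,
        "Lockdown": {
            "DeviceName": "Sample iPhone",                       # constructed
            "ProductType": "iPhone10,3",                         # constructed
            "ProductVersion": "11.0.3",                          # constructed
            "UniqueDeviceID": "00000000-000000000000000000000000",  # placeholder
        },
        "Applications": {
            "com.example.chat": {"CFBundleIdentifier": "com.example.chat"},
            "com.example.mail": {"CFBundleIdentifier": "com.example.mail"},
        },
    }
    if encrypted:
        # Placeholder blob standing in for the real keybag an encrypted backup carries.
        manifest["BackupKeyBag"] = b"\x00" * 32
    with open(os.path.join(root, "Manifest.plist"), "wb") as fh:
        plistlib.dump(manifest, fh)
    return root


def triage_backup(backup_dir: str) -> Dict[str, Any]:
    """Report which 'box' is locked before any parsing of the backup begins."""
    with open(os.path.join(backup_dir, "Manifest.plist"), "rb") as fh:
        manifest = plistlib.load(fh)
    lockdown = manifest.get("Lockdown", {})
    apps = sorted(manifest.get("Applications", {}).keys())
    encrypted = bool(manifest.get("IsEncrypted", False))
    return {
        "backup_encrypted": encrypted,
        "keybag_present": "BackupKeyBag" in manifest,
        "device_name": lockdown.get("DeviceName"),
        "product_type": lockdown.get("ProductType"),
        "ios_version": lockdown.get("ProductVersion"),
        "app_count": len(apps),
        "apps": apps,
        # The outer box decides the workflow: an encrypted backup needs the
        # custodian's backup password before Manifest.db and the file store
        # can be read; an unencrypted one can be parsed directly.
        "next_step": (
            "obtain the backup password from the custodian before parsing Manifest.db"
            if encrypted
            else "Manifest.db and the file store are readable as acquired"
        ),
    }


def demo(encrypted: bool) -> Dict[str, Any]:
    """Build a constructed backup in a temp dir and triage it."""
    root = tempfile.mkdtemp(prefix="sample-backup-")
    build_sample_backup(root, encrypted)
    return triage_backup(root)


if __name__ == "__main__":
    for flag in (True, False):
        print(demo(flag))
```

The same check generalises to the inner boxes: once the backup layer is known to be open, per-application stores (a chat database, a mail cache) can be examined individually without decrypting the whole handset, which is the advantage the nested-box model describes.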

Mobile devices are, and will likely remain, some of the most difficult targets examiners will contend with. They change and evolve much more dynamically than traditional computers, and complete, defensible acquisition of the data and evidence they hold requires extensive reverse engineering, testing, and trial-and-error on the part of forensic practitioners. However, by staying up-to-date with emerging technologies, and relying on best practices for acquisition, analysis, and reporting, we can help ensure the success and value of our clients’ investigative efforts, no matter how many different kinds of difficult devices might be involved.



Author: Timothy LaTulippe, EnCE, CCE, MiCFE, CCPA, DFCP

Tim LaTulippe is a Certified Forensic Examiner and a Senior Consultant with Advanced Discovery’s UK division. Timothy holds a variety of certifications including EnCE, CCE and CCPA, as well a BS in Computer and Digital Forensics and a Master of Science in Data Forensics Management (MSc (Hon)). He has assisted in complex investigations in both the public and private sectors, working with government agencies, Fortune 100 corporations and AM Law 100 firms to provide complete, correct analysis of incidents and issues, and specializes in complex investigations, data privacy, and information security.

Formerly a Senior Forensic Examiner with Digital Forensics, Inc., Timothy has served as an expert witness in a variety of State, Federal and military proceedings. His broad experience includes matters involving trade secret theft, medical malpractice, intellectual property theft, unfair business practice, fraud and internal investigations. Additionally, Timothy is the author of “Working Inside the Box: Real Life Example of GDS in a Forensic Examination,” which was published in The Journal of Digital Forensics Security & Law, and “The Need for Targeted Collections in a Diminished Economy.” He is a member of the Digital Forensics Certification Board, the International Association of Financial Crimes Investigators, the High Tech Crime Consortium, and the International Association of Computer Investigative Specialists.
