Thursday, October 19, 2017
As a follow-on to some of my shorter blog posts on both difficult devices and difficult data, we now move to mobile devices and the challenges they present. I wrote an article about the difficulties that mobile chats pose to investigations, and a white paper about investigative techniques, mobile device management, and the volatility of mobile device data, and now offer additional situations and challenges for your consideration.
Often, the “features” touted by handset manufacturers are in fact an impediment, as far as disclosure/discovery are concerned. Mobile device security has evolved beyond the rigidity of Blackberry, and now coexists alongside the sleek and shiny user experience offered by Samsung, Apple and others. Usability and convenience are no longer detached from privacy and security-by-design implementations, and the notion that a Blackberry is much more secure than an iPhone, for instance, is now much harder to defend.
As consumers, we should all love these features; if you left your mobile on the Tube here in London, wouldn’t you rest easier knowing it’s not going to be accessed or exploited? And yet, these same security features create a variety of challenges for Forensic Examiners and eDisclosure practitioners alike. I’ve broken some of the key considerations out into categories below.
Unlocking the Handset
The main screen (or “home screen”) of the device is the first barrier to entry for the user, potential thieves, and yes, even Forensic Examiners. As phones evolve, methods for user authentication are subject to improvement, but the following are the norms, with newer implementations in italics.
The majority of popular devices require knowledge of the home screen passcodes to further exploit or interrogate their content. This is particularly true for Apple devices; however, there is another, large subset of devices on the market, of all breeds (LG, Samsung, HTC etc.), which allow the home screen passcode to be bypassed – in other words, no passcode? No problem! This is typically accomplished by loading a piece of code onto the handset directly, which can be done by booting the phone in a certain way. Once launched, the code exploits vulnerabilities in the handset’s software and firmware so you can access its content without having entered the PIN.
Once you get past the password screen, one way to access whatever evidence the device might hold is to acquire its backup. Another way is to directly access the contents, including files, folders, and applications. However, devices often present another significant barrier to data acquisition: namely, device encryption. To wit, the backup might be encrypted, the whole device might be encrypted, or individual applications and/or files might be encrypted.
So-called “handset encryption” encapsulates the whole device in a cryptographic scramble, while encryption of individual applications or files happens at a more exploitable level.
Think of the handset and its elements as a series of nested boxes. The biggest box is the handset itself and its NAND chip(s) or SD cards, which provide data storage. Within that is a smaller box: the device’s operating system, be it an Android variant, an Apple iOS, or what have you. Within the OS, applications such as your texting platform, and individual files – photos, emails, SMS messages and the like – are represented as even smaller boxes. The advantage here, for the Forensic Examiner, is that you may not have to decrypt the entire device simply to get a look at files, pictures, and text messages which might comprise important evidence.
Mobile devices are, and will likely remain, some of the most difficult targets examiners will contend with. They change and evolve much more dynamically than traditional computers, and complete, defensible acquisition of the data and evidence they hold requires extensive reverse engineering, testing, and trial-and-error on the part of forensic practitioners. However, by staying up-to-date with emerging technologies, and relying on best practices for acquisition, analysis, and reporting, we can help ensure the success and value of our clients’ investigative efforts, no matter how many different kinds of difficult devices might be involved.