White Paper

Solving Common Problems with Mobile Device Data

Mobile devices - smartphones, tablets, GPS devices and the like - are so ubiquitous in societies worldwide that retrieving evidence from them should be simple. Yet it is anything but: mobile devices aren’t always what they seem. Inside, physical and file system structures may be very different, while an outwardly damaged device may still be recoverable. Mobile consumers demand better security controls and data privacy, along with the convenience of easy access to data across multiple devices. The data can be stored in more places than just on the mobile device: it could be backed up to the cloud, held on a third-party app provider’s servers, or scattered across multiple devices. All of this complicates criminal investigators’ attempts to access actionable evidence and intelligence.


CHALLENGE 1: Mobile devices aren’t always what they seem

As similar as smartphones look on the surface, with their flat touch screens and colorful icon-based displays, they are often very different “under the hood.” Vendors and operating systems can vary widely, particularly with Android™, but also even within iOS, BlackBerry®, and Windows Phone® user groups: More than 40 iOS versions are commercially available, spread among 10 different iPhones, six iPad models, and five iPod Touch generations. Five Windows Phone versions and 12 Android operating system versions exist. Each Android device family has a different operating system and architecture.

OpenSignal’s 2014 Android Fragmentation report [1] stated that 18,796 “distinct Android devices” existed - nearly 7,000 more than did in the previous year - with 12 of the 13 most common Android devices being Samsung models.

Even the same device models may be different on the inside. Chips and other components can become obsolete, requiring manufacturers to source new ones. Manufacturers may also find cheaper parts throughout a device’s life. And wireless carriers may use the same basic handset, but differentiate based on design. Therefore, even with the same operating system installed, all these hardware differences may require different extraction and decoding methods from model to model.

Software frequently changes, too. Possibly the best-known example is when two of the same device models have different versions of one app installed. In addition, though, different manufacturers and carriers change systems in the name of competitive advantage. New versions of Android and Windows Phone both go first to device manufacturers, who may customize the OS, develop their own UI, or add other overlay components before sending their devices to wireless carriers. In turn, carriers build out their versions of devices with their own apps, and compile system changes to ensure their apps work properly.

The less-popular BlackBerry continues to present its own problems. In older systems up to OS 7, the device had no file system, and unstructured data could be found all over device memory; this forced forensic examiners to decode artifacts rather than reconstruct files that contained data. For OS 10 devices, chip-off extractions are still an option, as long as examiners have access to a forensic tool that decodes the data.

The upshot for investigators: how devices store data, and therefore the amount of evidence available from each one, can be drastically different from model to model. As a result, what works for one device may not work for the next, even within the same family of devices. The type and amount of data available from any given smartphone is only as good as a forensic examiner’s knowledge of mobile device models and operating systems.

[1] OpenSignal, “Android Fragmentation Visualized,” August 2014

On the opposite side of the coin, an outwardly damaged device doesn’t mean its data is unrecoverable. While criminals and other wrongdoers have adopted unsophisticated, but effective, anti-forensic methods to hide their evidentiary tracks - physically damaging (crushing, burning, soaking) their devices, or alternatively using prepaid devices - new forensic methods can overcome these. Prepaid “burner” devices are anti-forensic because they are shipped with disabled data ports, which cannot be enabled after the fact. Furthermore, vendors don’t make the devices’ APIs - the normal mode by which logical and file system extractions are completed - available to commercial forensic extraction tools’ developers. Likewise, a device whose data port, screen, or buttons are damaged cannot be extracted by conventional mobile forensic tools. In these cases, as well as when an unencrypted smartphone is locked and forensic tools can’t unlock or bypass the user lock, flasher box, JTAG or chip-off extraction methods become necessary.

Both JTAG and flasher box methods are device-specific. Flasher boxes were made to write data; thus, in the hands of an untrained examiner, they may not be forensically sound. JTAG processes are generally non-destructive. Chip-off extraction, meanwhile, is always destructive, as it physically removes the memory chip in order to read the residual data it holds. All three methods require an examiner to be well trained and experienced.

SOLUTION

To address these challenges, you need mobile forensics extraction and decoding tools that are flexible and responsive to shifts in market share and technological innovation. As user lock methods change together with operating and file system structures, it takes extensive expertise to examine a device’s underlying code to reverse engineer user lock methods, reconstruct file systems, and find data wherever it may be stored - e.g., the directory of a third-party app, a separate image directory, or in unallocated space. The tool’s engineers must also be able to respond to new forensic extraction methods, whether they are automated or manual techniques. Raw data extracted from a wear-leveled Flash memory chip can look very different from the data extracted through a mobile device’s communication with extraction software, but it must be decoded the same way to make sense of it. Regardless, these methods must all be forensically sound - completed without changing the data on the device, and repeatable by other forensic examiners using the same processes.

Access to a mobile device’s memory and the underlying hexadecimal code is particularly important, as it allows you to access data for manual parsing and validation. To that end, a good mobile forensics solution automates time-consuming processes such as decoding, more quickly affording access to data by translating it into human-readable format. When the time comes to authenticate the data and prepare it as a trial exhibit, manual decoding methods can be front and center, enabling you to validate the tool’s automated work. Equally important is the ability to understand - and explain in court - how the tool is extracting, decoding, and parsing data, no matter what extraction method you used. A tool that is as easy to use with self-initiated research as it is in a training class is in the best position to help you educate yourself, developing the necessary thorough understanding of how forensic tools operate.


CHALLENGE 2: Limitations in app and cloud data support

OS-, carrier-, and vendor-specific apps have grown into a diverse ecosystem, ranging from travel tools like navigation, traffic information and weather; to social networking, location sharing and communications tools; to entertainment media apps and more. Hundreds of thousands of apps exist; billions of downloads have occurred [2]. The diversity of apps makes for a diversity of forensic challenges: Forensic tools’ support for mobile apps remains limited, often covering only the most popular apps. Examiners can write Python scripts to support new and less popular apps, but that requires time and programming expertise. Obtaining app data through a physical extraction means it must be decoded, which in turn means the mobile forensic tool must be able to perform a file system reconstruction.

When app data is inaccessible, fragmented on a mobile device or synced hard drive, and you lack the time to wait for a solution, the next step is often to seek the data that resides on cloud servers. One way to access this data is to obtain consent to access the locked data, or have the person download the items for you to peruse. However, this method fails when the victim or suspect can’t or won’t give consent to search their account. The next step is to request records from the service provider, most of whom have legal liaisons available to process court orders, subpoenas, and search warrants. However, it isn’t always possible to know what you don’t know - for instance, the specific date ranges and content to request, which the provider may limit to the extent it feels necessary to protect its customers’ privacy.
Indeed, as debate rages over the nature and extent of privacy in a digital age, many cloud providers resist legal process to obtain their customers’ private data, either through unresponsiveness or outright hostility - in some cases informing suspects of law enforcement records requests and refusing to comply with foreign and domestic court orders and subpoenas. Either way, waiting for providers to respond - or for the mutual legal assistance treaty (MLAT) process - means your cases lose momentum. Even if a provider is willing to get back to you in exigent circumstances within a few days (not weeks), that response time can still be too slow.
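The paragraph above notes that examiners can write their own Python scripts for apps a commercial tool does not yet support, and that app data from a physical extraction must be decoded before it is useful. The script below is an added example of that kind of work; it is not Cellebrite's code nor taken from any real app. It builds a constructed SQLite database with a hypothetical messaging-app schema (table `messages`, epoch-millisecond timestamps), deletes one row the way an app normally would (no VACUUM, secure_delete off), and then shows the two views an examiner needs: the decoded live rows with timestamps translated to human-readable UTC, and a raw scan of the database file's page bytes, which still contains the deleted message because SQLite only unlinks a freed record rather than zeroing it.

```python
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample rows for a hypothetical messaging app. The schema, numbers and
# texts are invented for this example and do not come from any real app. Timestamps
# are epoch milliseconds, a raw format that must be decoded for a readable report.
SAMPLE_ROWS = [
    (1, "+15550100", "meet at the usual place", 1420070400000),
    (2, "+15550199", "bring the package tonight", 1420074000000),
    (3, "+15550100", "ok see you there", 1420077600000),
]
DELETED_ID = 2


def build_sample_db(path):
    """Create the constructed app database, then delete one message the way an app
    usually does: no VACUUM and secure_delete off, so the freed record's bytes stay
    inside the page (at most its first few bytes are overwritten by freeblock
    bookkeeping) instead of being zeroed."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")
    con.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT, ts_ms INTEGER)"
    )
    con.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.execute("DELETE FROM messages WHERE id = ?", (DELETED_ID,))
    con.commit()
    con.close()


def decode_live_messages(path):
    """Decode the rows the app still considers live, translating the raw epoch-ms
    timestamp into a UTC ISO 8601 string. The file is opened read-only so the
    examiner's own tooling cannot modify the evidence."""
    con = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
    rows = con.execute(
        "SELECT id, sender, body, ts_ms FROM messages ORDER BY ts_ms"
    ).fetchall()
    con.close()
    return [
        {
            "id": row_id,
            "sender": sender,
            "body": body,
            "time_utc": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).isoformat(),
        }
        for row_id, sender, body, ts_ms in rows
    ]


def carve_strings(path, min_len=8):
    """Scan the raw database file for runs of printable ASCII. A deleted row that
    SQLite has only unlinked still shows up here even though SQL no longer returns it;
    the examiner then validates the carved text against the live data by hand."""
    data = Path(path).read_bytes()
    found, run = [], bytearray()
    for byte in data:
        if 32 <= byte < 127:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def run_demo():
    """Build the sample database in a temporary directory and return both views."""
    with tempfile.TemporaryDirectory() as tmp:
        path = str(Path(tmp) / "messages.db")
        build_sample_db(path)
        return {"live": decode_live_messages(path), "carved": carve_strings(path)}


if __name__ == "__main__":
    result = run_demo()
    for msg in result["live"]:
        print("live   ", msg["time_utc"], msg["sender"], msg["body"])
    for text in result["carved"]:
        if "package" in text:
            print("carved ", text)
```

The string carve is deliberately crude: it recovers text from freed space but not the structure (sender, timestamp) around it, which is why a tool's automated decoding and an examiner's manual parsing of the hex are complementary rather than interchangeable.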

[2] Perez, Sarah, “iTunes App Store Now Has 1.2 Million Apps, Has Seen 75 Billion Downloads To Date,” TechCrunch, June 2, 2014

As a result, data can go stale. You lose the spark of why the information was relevant, and you can even forget key details in the 2-3 months (or more) it takes to get data returned. It then takes you a number of hours to reorient yourself once you do hear back. To make matters worse, delays risk that witnesses will retract their statements, or victims opt to withdraw charges.

SOLUTION

Forensic software should be able to capture and preserve data across all the locations where it may be stored, from apps to the cloud. Ideally, the solution remains grounded in foundational forensic principles - validation, authentication, repeatability - while addressing new problems not yet addressed in courts of law. A solid cloud forensics solution starts with the mobile device, extracting both artifacts and user credentials from the app databases where social, file-sharing, and other activity reside in device memory. Being able to view the tables and content - including deleted database entries - within available and deleted SQLite databases can be of great evidentiary value. This account-based approach uses data artifacts found on the subject device to narrow the scope of a search to certain date/time frames.

A cloud forensics solution also promotes forensic best practices around validation and authentication by hashing each individual artifact and, separately, its associated metadata. Not only does this ensure repeatability; it also allows for proper validation using records obtained directly from the service provider. In turn, mobile app and cloud data - along with provider data, when applicable - can be used to validate and authenticate one another, provide necessary context, and drive an investigation forward faster and with greater accuracy.
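The per-artifact hashing described above is simple to implement, and doing it in code makes the reasoning concrete. The following is an added example, not Cellebrite's implementation: each artifact's content bytes and its metadata are hashed separately with SHA-256, the metadata being serialized in a canonical form so that repeated runs produce the same digest. The sample artifacts are constructed; "msg-1" stands for a message decoded from the device and "cloud-7" for the same message as returned by the service, so their content hashes agree while their metadata hashes (different source and acquisition time) do not.

```python
import hashlib
import json

# Constructed sample artifacts (hypothetical, not real account data). "msg-1" was
# decoded from the app database on the device; "cloud-7" is the same message as the
# service returned it, so its content is identical but its metadata differs.
SAMPLE_ARTIFACTS = [
    {"id": "msg-1", "content": b"meet at the usual place",
     "metadata": {"source": "device-app-db", "sender": "+15550100",
                  "timestamp": "2015-01-01T00:00:00Z", "acquired": "2015-03-02T09:15:00Z"}},
    {"id": "cloud-7", "content": b"meet at the usual place",
     "metadata": {"source": "cloud-service", "sender": "+15550100",
                  "timestamp": "2015-01-01T00:00:00Z", "acquired": "2015-03-05T14:40:00Z"}},
    {"id": "msg-3", "content": b"ok see you there",
     "metadata": {"source": "device-app-db", "sender": "+15550100",
                  "timestamp": "2015-01-01T02:00:00Z", "acquired": "2015-03-02T09:15:00Z"}},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_metadata(metadata: dict) -> bytes:
    """Serialize metadata deterministically (sorted keys, fixed separators) so the same
    metadata always hashes to the same digest, whoever re-runs the process."""
    return json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode("utf-8")


def hash_artifact(artifact: dict) -> dict:
    """Hash content and metadata separately. A re-acquisition changes the acquisition
    time, and therefore the metadata digest, but must leave the content digest intact."""
    return {
        "content_sha256": sha256_hex(artifact["content"]),
        "metadata_sha256": sha256_hex(canonical_metadata(artifact["metadata"])),
    }


def build_manifest(artifacts) -> dict:
    """The manifest is what gets recorded with the extraction and re-checked later."""
    return {a["id"]: hash_artifact(a) for a in artifacts}


def verify_manifest(artifacts, manifest) -> list:
    """Re-hash every artifact and report (id, field) pairs that no longer match."""
    problems = []
    for artifact in artifacts:
        expected = manifest.get(artifact["id"])
        if expected is None:
            problems.append((artifact["id"], "missing"))
            continue
        actual = hash_artifact(artifact)
        for field in ("content_sha256", "metadata_sha256"):
            if actual[field] != expected[field]:
                problems.append((artifact["id"], field))
    return problems


def cross_validate(manifest: dict, id_a: str, id_b: str) -> bool:
    """True when two artifacts from different sources carry byte-identical content,
    the check used to validate device data against provider records."""
    return manifest[id_a]["content_sha256"] == manifest[id_b]["content_sha256"]


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTIFACTS)
    for artifact_id, digests in manifest.items():
        print(artifact_id, digests["content_sha256"][:16], digests["metadata_sha256"][:16])
    print("device vs cloud match:", cross_validate(manifest, "msg-1", "cloud-7"))
    print("problems:", verify_manifest(SAMPLE_ARTIFACTS, manifest))
```

Keeping the two digests apart is the design point: a single hash over content plus metadata would change on every re-acquisition and could never be compared against a provider's copy of the same record.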

WHY PRIVATE DATA STORED ON CLOUD SERVICES?

Data that is publicly available from a social media feed is relatively easy to preserve and authenticate. Even this method, though, is limited. Openly available tweets or status updates might allude to a past incident or future plan, but it’s the locked file-sharing account, hidden posts, or private messages that may contain the “smoking gun” details which the suspect shared with associates. Private cloud-based data can also provide important context. It’s possible for a subject to present a very different persona behind locked accounts than who they appear to be publicly. A full picture of their interests and contacts can impart important clues about their relationship to a crime or individual.


CHALLENGE 3: Data analysis is unwieldy and at risk of human error

Many investigations today involve multiple data sources, which is a double-edged sword for investigators. On the one hand, more data enhances the ability to obtain valuable evidence; if it’s missing from one location, it may be available in another. In turn, this range of data helps to support a case. It’s also important to have different data from different sources in case one type of evidence gets excluded from trial proceedings.

On the other hand, more data sources can also complicate an investigation. Different data from different providers - all the communications channels needed to find leads and build your case - means different formats. Spreadsheets in tab-delimited or proprietary formats, XML files, and mobile forensic extraction reports all add to an array of data that can quickly turn unwieldy. Not only does it take more time to analyze data in multiple formats; you also risk missing something important as you struggle to keep track of relevant pieces of data and how they relate to one another. Either way, due diligence suffers.

While a variety of tools exist that ingest multiple data formats, many are overly complex. Even with training, these tools’ interfaces are not designed to optimize an investigative workflow. The time it takes to search and organize all the data often adds time to investigations, rather than saving it.

SOLUTION

To deliver truly actionable data within the time you need it, the right mobile data analysis software allows you to organize, search, map and carve data easily to find patterns and reveal meaningful connections between one or more subjects. Dynamic visualization capabilities ideally include timeline and map-based views, among other analytic tools that empower investigators to uncover common connections and correlate critical evidence. This is possible when the solution can normalize evidence from multiple accounts and disparate data formats, reducing the risk that human error causes content and context to be missed.

A straightforward and simple interface presents data in a highly visual, unified format that enables you to focus on relevant leads. At the same time, you should also be able to drill from the visual representation into the data itself, analyzing the context and meaning of data to confirm or disprove the relationships which visual analytics appear to show. Advanced search and filter capabilities should make it possible to pinpoint data not only as it appeared on the mobile device, but also where it’s located within the device’s memory.

Finally, an ideal mobile forensics solution enables you to generate and share easy-to-read, custom reports in different file formats, whichever the recipient prefers. From crime and intelligence analysts who want to import data into larger databases, to supervisors who seek to gather metrics and understand investigator workloads, to attorneys building fact patterns for trial, report recipients deserve a solution that can meet their unique needs as readily as yours.
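Normalizing disparate formats into one timeline is the step that makes the visual analysis above possible, and the mechanics are worth seeing once. The script below is an added example, not Cellebrite's code: it ingests a constructed tab-delimited call record export (the carrier layout is hypothetical) and a constructed XML extraction report (also a hypothetical layout), converts both into one `Event` record type with timezone-aware UTC timestamps and digits-only phone numbers, sorts them into a single timeline, and then finds the contacts that appear in more than one source, which is exactly the "common connection" a link-analysis view would draw. The assumption that the carrier's times are UTC is marked in the code.

```python
import csv
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample inputs: hypothetical numbers and layouts, not a real carrier's or
# tool's format. SUBJECT_NUMBER is the line whose records were obtained.
SUBJECT_NUMBER = "15550100"

# Tab-delimited call detail records as a carrier might export them (constructed).
CDR_TSV = """call_date\tcall_time\tcalling\tcalled\tduration_s
01/02/2015\t14:05:00\t15550100\t15550199\t120
01/02/2015\t16:30:00\t15550100\t15550123\t45
"""

# An XML extraction report from the subject's device (constructed layout).
REPORT_XML = """<report device="constructed-example">
  <sms timestamp="2015-01-02T13:55:00Z" direction="incoming" number="+1 555 0199">meet at the usual place</sms>
  <sms timestamp="2015-01-02T17:10:00Z" direction="outgoing" number="+1 555 0177">on my way</sms>
</report>
"""


@dataclass(frozen=True)
class Event:
    when: datetime      # always timezone-aware UTC so events from all sources sort together
    source: str         # which evidence set the event came from
    kind: str           # "call" or "sms"
    party_from: str     # normalized, digits only
    party_to: str
    detail: str         # duration for calls, message text for SMS


def normalize_number(raw: str) -> str:
    """Strip '+', spaces and punctuation so "+1 555 0199" and "15550199" compare equal."""
    return "".join(ch for ch in raw if ch.isdigit())


def parse_cdr_tsv(text: str) -> list:
    events = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        when = datetime.strptime(
            f"{row['call_date']} {row['call_time']}", "%m/%d/%Y %H:%M:%S"
        ).replace(tzinfo=timezone.utc)  # assumption: this carrier reports times in UTC
        events.append(Event(when, "carrier-cdr", "call",
                            normalize_number(row["calling"]),
                            normalize_number(row["called"]),
                            f"{row['duration_s']}s"))
    return events


def parse_report_xml(text: str, device_number: str) -> list:
    events = []
    for sms in ET.fromstring(text).iter("sms"):
        when = datetime.strptime(
            sms.get("timestamp"), "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        other = normalize_number(sms.get("number"))
        if sms.get("direction") == "incoming":
            party_from, party_to = other, device_number
        else:
            party_from, party_to = device_number, other
        events.append(Event(when, "device-report", "sms", party_from, party_to,
                            (sms.text or "").strip()))
    return events


def build_timeline() -> list:
    """Merge both sources into one chronologically ordered list."""
    events = parse_cdr_tsv(CDR_TSV) + parse_report_xml(REPORT_XML, SUBJECT_NUMBER)
    return sorted(events, key=lambda e: e.when)


def shared_contacts(events, subject: str) -> list:
    """Numbers that communicated with the subject in more than one evidence source."""
    seen = {}
    for e in events:
        for party in (e.party_from, e.party_to):
            if party != subject:
                seen.setdefault(party, set()).add(e.source)
    return sorted(n for n, sources in seen.items() if len(sources) > 1)


if __name__ == "__main__":
    timeline = build_timeline()
    for e in timeline:
        print(e.when.isoformat(), e.source, e.kind, e.party_from, "->", e.party_to, e.detail)
    print("contacts seen in more than one source:", shared_contacts(timeline, SUBJECT_NUMBER))
```

Each `Event` keeps its `source` so the analyst can drill from the merged timeline back to the original record, the "drill from the visual representation into the data itself" capability the section asks for.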


Solving common investigative problems with the UFED Pro Series

The challenges associated with smartphones and apps, wireless industry privacy measures, cloud providers, and data analysis are persistent - and growing - but not insurmountable. The UFED Pro Series delivers the most comprehensive mobile forensics extraction and decoding capabilities in the industry, empowering you to access and import data from the widest variety of mobile and GPS devices, as well as from private cloud data sources and mobile operators. In this way, you can uncover the deep insights needed to accelerate investigations and streamline workflows. By combining the UFED Ultimate’s deep forensic extraction and analysis capabilities, UFED Cloud Analyzer’s forensically sound cloud extraction methodology, and UFED Link Analysis’ simplified data visualization, the UFED Pro Series simplifies the most complex analytical tasks, empowering you to stay in step with, and successfully overcome, many of the most pressing problems in mobile forensics. To find out how your organization can deploy the UFED Pro Series to accelerate investigations, visit www.ufedseries.com.

About Cellebrite

Cellebrite is the world leader in delivering cutting-edge mobile forensic solutions. Cellebrite provides flexible, field-proven and innovative cross-platform solutions for lab and field via its UFED Pro and UFED Field Series. The company’s comprehensive Universal Forensic Extraction Device (UFED) is designed to meet the challenges of unveiling the massive amount of data stored in the modern mobile device. The UFED Series is able to extract, decode, analyze and report data from thousands of mobile devices, including smartphones, legacy and feature phones, portable GPS devices, tablets, memory cards and phones manufactured with Chinese chipsets. With more than 30,000 units deployed across 100 countries, the UFED Series is the primary choice for forensic specialists in law enforcement, military, intelligence, corporate security and eDiscovery. Founded in 1999, Cellebrite is a subsidiary of the Sun Corporation, a publicly traded Japanese company (6736/JQ).

To learn more, visit www.cellebrite.com

For more information contact sales

© 2015 Cellebrite Mobile Synchronization LTD. All rights reserved.
