Digital Forensics for Smartphones

If you ask anyone on the street what a smartphone is, most people will simply start listing devices or manufacturers, such as the Apple iPhone or Samsung Galaxy. Although these devices are indeed smartphones, they merely serve as examples rather than any sort of useful definition. So what is a smartphone? Although there is some ambiguity on where to draw the line for accurately classifying these devices, there are a few things that generally define a device as a smartphone rather than simply a ‘feature phone,’ the term used to describe cheaper, low-functionality phones like flip phones. Smartphones include advanced capabilities beyond a typical mobile phone, such as a complete operating system on the device as well as support for application programming interfaces (APIs) that allow third-party applications to be integrated with the OS and the hardware of the phone. With around 3.4 billion smartphone subscriptions in Q1 2016 (Ericsson mobility report), it is no surprise that the demand for smartphone forensics has grown so much in recent years.

Variation in Smartphones

Although there are a few big players in the smartphone market, the market as a whole is extremely diverse. According to IDC Research, the top five smartphone vendors by market share in Q4 2015 were Samsung (21.4%), Apple (18.7%), Huawei (8.1%), Lenovo (5.1%), and Xiaomi (4.6%). Beyond that, all other smartphone vendors combined compose 42.1% of the market. Consider that each of these vendors has a number of different models of phones, a variety of operating systems with legacy versions running on many devices, and new models and updates each year, and it becomes apparent just how varied smartphone forensics work can be.

One silver lining to the jumble of smartphone forensics work is that there is at least a measure of consistency in terms of operating system market share. As of Q2 2016, Android held a staggering 87.6% of the market, leading iOS (11.7%), Windows Phone (0.4%) and all others (0.3%) by a huge margin (IDC Research).

Experienced examiners have to know how each of these devices and operating systems function, the many locations that data can be on each different device/OS, as well as how to access and work with all of that information in a forensically sound manner. It’s this knowledge combined with significant experience, that separates average mobile forensics examiners from the experts.

What Services Does Gillware Digital Forensics Offer for Smartphone Forensics?

Our digital forensics experts have experience with a wide range of digital forensics cases, many of them involving smartphones. Sometimes the issue lies with the device itself, such as cases involving broken/damaged smartphones. Other times the data has been hidden or is otherwise inaccessible, such as smartphones with passcode locks or other device issues. Whatever the problem is, Gillware Digital Forensics is glad to help where we are able.

Burned phone from a previous case – data was recoverable.

Smartphone Forensics on Damaged Phones

Not every device arrives at our lab in pristine condition. Many of the devices we work on are either accidentally or intentionally damaged, including several devices from various criminal cases where the suspect did not want the data to be seen, and so attempted to physically destroy the smartphone. Our president, Cindy Murphy, has significant experience performing forensics work on these types of devices and although they involve some degree of physical repair work to access the data, this added work can often pay off in successful acquisition of needed data. Our data recovery lab has also had plenty of damaged smartphones come through its doors, including cases involving water, fire, and physical trauma such as smashed phones.

Smartphone Forensics on Locked Phones

One basic aspect of security on modern smartphones is the application of user created passcodes and passwords to get into the device. There are a number of different locking mechanisms, including simple 4 digit codes, 6 digit codes, fingerprint scanners, pattern-based passcodes, and complex passcodes with any combination of numbers, letters, and symbols. Depending on the device model and operating system, passcodes can often be one of the biggest barriers to performing forensics work on a smartphone. In any case, there are still plenty of situations where our experienced forensic examiners can work around passcode difficulties in the case of a locked smartphone.

Smartphone Forensics and Deleted Data

One other popular application of smartphone forensics work is in cases where data has been deleted from the smartphone. Sometimes this is accidental, but more often than not it is intentional. Locard’s Exchange Principle, which posits that every contact leaves a trace, is often cited in reference to forensics work such as this. In these cases, it means that depending on the level of acquisition examiners are able to get from the phone, forensic examiners might be able to see if and when data was deleted from the smartphone. For example, in the case of iOS devices, examiners can check timestamps as well file system artifacts and SQLite database entries to attempt to determine whether there was a deletion, and whether or not that data might be fully or partially recovered.

Since smartphones store much of their data in NAND flash memory, there are some situations where data has been deleted, but is still theoretically present in the memory and has simply been marked as unallocated space by the controller. Sometimes, examiners may be able to read the NAND directly and locate this data, though there are plenty of factors that impact the success of this. These factors include automatic processes such as garbage collection, wear-leveling, and other operations that solid-state technologies use.

Sometimes a forensic examiner can simply look for backups of the device to find legacy backups of data that has been subsequently deleted off the smartphone, but this is also contingent on a number of factors such as when the data was deleted, whether or not the backups are accessible, how recent the backups are, and other factors.

Even if the deleted data is truly unrecoverable and an experienced forensic examiner has tried unsuccessfully to recover it or find a copy of it, simply proving that data was deleted can sometimes be useful in a digital forensics case. With this in mind, extremely difficult cases involving data deletion need not be marked as total losses when it comes to smartphone forensics work.

Hidden Applications

One aspect of smartphone forensics that is unique from many other forms of digital forensics work is the possibility of hidden applications and data hiding applications being present on the device. There are essentially three main ways to use hidden apps, including using device manipulation to hide an app where it doesn’t typically belong, using an app to hide other apps inside, or using a “decoy app,” which appears to do one thing but is actually designed to do something else.

Even though experienced examiners can’t be expected to stay up to date on each and every new hidden application, merely knowing they exist can be helpful in an inquiry. As GDF President Cindy Murphy puts it, “in the world of forensics, just because you don’t see something initially, doesn’t mean nothing is there.” While understanding how to use forensics tools is useful in many ways, certain hidden applications can hide the storage location or meaning of the hidden data. This is where experienced examiners are needed, as knowledge and techniques beyond the scope of commercial forensics tools can be required in order to locate, manually parse, and in some cases decrypt the hidden data. In cases where the use of hidden applications is suspected, Gillware has the necessary experience and techniques to take on these challenges.

Mobile Malware

Mobile malware is another less common type of smartphone forensics work and involves working on mobile devices that are or are suspected to have been infected by some form of malware. It’s an unfortunate consequence of our increasingly smartphone-connected world that there have been a growing number of mobile malware infections to match, with an estimated 387 new threats every minute (IBM Security). There are plenty of different varieties too, each with varying levels of harm. This includes Trojans, worms, ransomware, adware, spyware, and more. If there is potential for an exploitation in an OS or application, there is a good chance that criminals have already come up with some malware to take advantage of it. And with new forms of mobile malware coming out all the time, forensic examiners and security experts have to stay ahead of the curve in order to work on each new type as they’re discovered. If you suspect a smartphone has been infected with mobile malware or spyware, Gillware Digital Forensics would be happy to assist you.

Gillware Digital Forensics Can Help with Your Smartphone Forensics Case

With world-class digital forensics experts, knowledgeable data recovery engineers, and the right tools to work on each of these issues, Gillware Digital Forensics is the right choice when it comes to smartphone forensics cases.

Follow the link below to get started with your smartphone forensics case: