Mobile Devices Within Digital Forensics
Mobile devices are an increasingly powerful form of technology that has been adopted worldwide. Devices such as smartphones are deeply integrated into our daily lives and hold some of our most personal data and conversations. They are an absolute treasure trove of potential evidence for an analyst.
With mobile devices having the computing power to replace desktops and laptops, they hold a wide range of valuable artifacts, including:
Call and chat logs
GPS and navigation data
Documents and downloads
Pictures and video
Browsing history
WiFi history
App-specific data
Mobile Device Landscape
When we discuss mobile devices, we mean everything from smartphones to wearable technology such as smart watches. While this room will focus on smartphones, the acquisition methods and various protections covered extend to these other devices as well.
It's a debate as old as time: Android vs. iPhone. As of the time of writing, Android holds a 72% market share, thanks to multiple manufacturers such as Samsung, Google, Motorola, and Xiaomi, which ship their products with Android installed because of how Android can be customized. We will cover the specifics of these two operating systems later, along with specific tooling and techniques for both.
Mobile Device Forensics in the Real World
Across the world, mobile devices have played a pivotal role in criminal, civil and incident response investigations. This has sparked a fiery debate between privacy and investigatory powers (more on that later). You may recall high-profile police investigations in the news or heated courtrooms, where mobile devices have been the key to cracking the case.
For example, in a famous 2013 case in South Africa, health data such as step count was used to discredit a defense argument, showing that the person was indeed active at the time they claimed not to be.
In the private sector, smartphones are increasingly used within businesses, from operations and logistics to business on the go, and they often hold business-critical data. With that, threat groups are catching on and shifting efforts to target these devices, often using them as entry points into the corporate environment or for data leaks.
Entry Point
Mobile devices are a great initial access method for an attacker. When you go somewhere, what do you bring? Your wallet? Your keys? Your phone, perhaps?
Phones are constantly connecting to different networks. If you have a work phone, you might connect it to the WiFi at your house. You might connect it to the WiFi at a cafe or at your friend's house. This provides an excellent opportunity for an attacker to assess and collect information about devices on various networks. Perhaps you leave your work laptop at work, but take your work phone home; suddenly, there's an entry point to the corporate network.
The same artefacts that are helpful to an analyst are also helpful to an attacker: building a timeline of behaviour, identifying associates, etc. Now, this section isn't to scare you, but to highlight how these devices are valuable assets to an attacker.
While mobile device security mechanisms are sophisticated, they are not fail-proof. We will discuss this shortly.