Specialist Acquisition Techniques
Specialist Utilities
Specialist hardware and software suites are available to specific organisations. For example, Cellebrite UFED is an advanced acquisition and analysis hardware and software suite only accessible to law enforcement, government agencies, and similar organisations. It uses sophisticated techniques to bypass security mechanisms and analyse mobile devices.
Other specialist utilities include the Oxygen Suite, which can extract cloud data as well as data within the device and bypass certain security mechanisms.
Jailbreaking
Jailbreaking involves exploiting a known vulnerability within the mobile device's Operating System to provide what's known as "root-level" access, allowing complete control over the device. This technique provides unfiltered access to the device but permanently modifies it, so it is not forensically sound.
Jailbreaking is still possible, but usually only on older operating system versions for which an exploit has already been discovered, for example when the device has not received the latest updates.
Custom Boot Loading
This technique involves getting the mobile device to boot into a temporary, custom Operating System that provides low-level access to the device and bypasses security mechanisms. It differs from others, such as Jailbreaking, as it does not permanently alter the device, making it forensically sound.
However, security mechanisms such as encryption may still be in place, especially with modern devices storing encryption keys in a dedicated hardware component. Moreover, modern devices use what's known as a "Secure Boot" chain to ensure only trusted and verified code will execute, making custom boot loading much harder.
JTAG
JTAG (Joint Test Action Group) was initially used to diagnose circuit board components. However, it has made its way into mobile forensics because the same test interface can be used to read data directly from the mobile device's hardware components. JTAGing is now considered obsolete for modern mobile devices, primarily because of the risks involved and the tools and knowledge required.
Brute-forcing
While we previously mentioned in this room that modern devices have security mechanisms against brute-forcing things like the PIN code, the user must set these up. If they are not, tooling can be used to guess the PIN code at random until the device unlocks. While incredibly time-consuming, if you're motivated enough, you will eventually get it, even if it takes 10 years.
Mobile devices usually include protections such as rate-limiting and lockout for a set time after a set number of failed attempts, with the lockout duration increasing each time it is triggered.
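To show what the escalating lockout described above does to the "eventually" in the previous paragraph, here is an added example (not part of the room) that models a constructed lockout policy and compares the worst-case time to exhaust a numeric PIN space with and without it. The policy values (5 free attempts, 30 s delay doubling per failure, capped at one hour) and the 0.1 s cost per attempt are assumptions chosen for illustration.

```python
"""Model of how an escalating lockout policy stretches exhaustive PIN search.

Added illustration; the policy numbers below are constructed, not taken from
any real device.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    free_attempts: int = 5      # failures allowed before any delay applies
    base_delay: float = 30.0    # seconds of lockout after the first penalised failure
    max_delay: float = 3600.0   # cap on a single lockout period


NO_LOCKOUT = LockoutPolicy(free_attempts=10**9)  # effectively unlimited free attempts


def delay_after_failure(policy: LockoutPolicy, failures: int) -> float:
    """Lockout (seconds) imposed after the n-th consecutive failed attempt.

    The delay doubles with every failure past the free allowance, up to the cap.
    """
    if failures <= policy.free_attempts:
        return 0.0
    escalations = failures - policy.free_attempts - 1
    return min(policy.base_delay * (2 ** escalations), policy.max_delay)


def seconds_to_exhaust(pin_length: int, policy: LockoutPolicy,
                       attempt_cost: float = 0.1) -> float:
    """Worst-case seconds to try every PIN of the given length under `policy`."""
    space = 10 ** pin_length
    total = 0.0
    for n in range(1, space + 1):
        delay = delay_after_failure(policy, n)
        if delay >= policy.max_delay:
            # Every remaining attempt pays the capped delay; sum it in one step.
            total += (space - n + 1) * (attempt_cost + delay)
            break
        total += attempt_cost + delay
    return total


def slowdown_factor(pin_length: int, policy: LockoutPolicy) -> float:
    """How many times longer exhaustive search takes with `policy` than without."""
    return seconds_to_exhaust(pin_length, policy) / seconds_to_exhaust(pin_length, NO_LOCKOUT)


if __name__ == "__main__":
    for length in (4, 6):
        days = seconds_to_exhaust(length, LockoutPolicy()) / 86400
        print(f"{length}-digit PIN: ~{days:,.0f} days worst case, "
              f"{slowdown_factor(length, LockoutPolicy()):,.0f}x slower than no lockout")
```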
Cloud Extraction
A legal rather than technical approach, cloud extraction involves submitting legal requests to manufacturers, app developers, etc., to retrieve application-specific information or backups. In most cases, this can be a more fruitful way of retrieving data than bypassing security mechanisms.