As a special feature of our blog –special guest postings by experts, clients, and other professionals –please enjoy this blog post by digital forensics experts James Whitehead and Arnold Garcia with iDiscovery Solutions. -Editor Robert Milligan
By James Whitehead and Arnold Garcia
Smartphones, tablets and other “Smart” mobile devices are becoming a mainstay within the corporate landscape. Today’s mobile devices are sleek, fast, secure, and highly capable within the corporate landscape. Currently it is expected mobile devices will lead all other computing devices for web access in 2013. C level executives are choosing a tablet or other mobile devices to replace the laptop in the field.
BYOD and corporate adoption of mobile devices coupled with secure policies and procedures leads us to believe that more devices such as Apple’s iPad or Samsung’s Galaxy Tab will continue to grow within corporate cultures for the next few years. There are tools currently in the market with mature development cycles providing enterprise management of both corporate owned devices and employee owned devices alike.
The increasing adoption of cloud technologies by companies both large and small stands ready to fuel the next wave of services and applications. The industry growth is likely to result in more devices showing up in active litigation matters.
As mobile device technology advances, the amount and types of data that can be stored and or accessed from a mobile device is constantly increasing. Corporate IT departments are adopting these technologies and more robust user services roll out seemingly daily. Mobile Devices used by today’s corporate end user is capable of managing several forms of communications including emails, SMS, MMS, and of course phone calls and voicemails. This however is but a limited view into the vast capability of these devices. Today’s devices coupled with cloud computing provide the capability for an end user to access, manage, or view the full catalog of enterprise applications. SAP, ERP, document management, and project management are but a few tools available on many Mobile Devices.
Cloud computing has pushed the paradigm of PC based computing back to “Terminal” based computing, or dummy terminals. In this instance the work is occurring on the remote cloud server, and your computer or “Mobile Device” acts as a terminal into that process. This enables the corporation to provide a fabric of support on the mobile platform similar to that of a laptop.
Apple and Android provide robust development platforms as well as full support for corporate development of internal applications as well as volume purchases of software and hardware. Apple recently surpassed 50 billion apps downloaded.
A simple search through the medical applications on iTunes turns up several familiar names offering full product lines to doctors, hospitals and other health care professionals. Companies offer electronic records, patient management, and medical imaging support on iPhones and iPads. There are applications that provide full medical office management tools with the mobile device having functionality surpassing the laptop.
Business applications abound as well. Many large software companies provide applications for collaboration and meeting management, as well as provide applications in support of their analysis and financial packages. IT departments can provide mobile support, VPN, remote desktop management, and document management from outside software vendors as well.
Evidence that can be potentially recovered from a mobile phone may come from several different sources, including the SIM card and attached memory cards. The SIM contains all information necessary to identify the subscriber plus a limited number of text messages and call log records. Most information is recorded in the handset. The memory card if present will tend to be used to store pictures, video, games, applications, and music and is generally much easier to view than the device itself.
There are forensic tools on the market today (hardware and software based) that can recover SMS and MMS messages, photos, video and audio recordings, as well as previous calls made, received and missed, contact lists and phone IMEI/ESN information. This could be considered low hanging fruit or the initial analysis reports to aid in deciding if further action need be taken. Often the market has created tools with which the owner could access this information for management of the mobile device. These tools would not be considered anti forensic tools. Rather they are the efforts of an informed consumer adapting to the evolving technology landscape.
There is further information that can be found from web browsing, wireless network settings and or locations, as well as e-mail. This includes important data now retained or replicated in corporate applications. Investigations of mobile devices can string together both the time and location of an activity of interest, often down to the GEO Location of the activity in question.
The existing generation of devices is sophisticated and increasingly difficult to examine however they can provide valuable evidence. Internal memory and external memory can be analyzed to gain an insight into the activities of the user. Information obtained from a phone or mobile device, after intensive analysis techniques can be suitable for the case.
With so much data that can be found on mobile devices it can be difficult to differentiate or associate what is valuable data. There are visualization tools to help build timelines showing when calls or messages were made and when. One can use the cell tower data to possibly pinpoint and locate where certain calls or messages were made.
Everywhere we look we see people consistently looking at their mobile devices. As these devices continue to evolve in storage capacity, processing power and Internet capabilities, they will begin to outnumber traditional computers two to one. It is becoming apparent and clear that ESI from these devices can be a goldmine for those attempting to discover relevant and valuable evidence. Manufacturers of mobile device hardware and software are constantly updating their forensic solutions to allow examiners the ability to acquire newer devices, in addition continued support on older devices.
The area is ever expanding and allows for cutting edge technology to be used to keep up with the growing array of mobile devices on the market today and the increasing feature list and applications. Mobile forensics will continue to be a specialized field while the forensic tools and technology progress rapidly.
Mr. James Whitehead, a Manager at iDiscovery Solutions (“iDS”), has more than 15 years of experience managing technology and projects related to computer forensics, electronic discovery, and information governance. He has extensive experience with project management, forensic data collection, computer forensic analysis, data remediation strategies, as well as consulting clients for litigation readiness across the scope of EDRM.
Mr. Arnold Garcia is a Senior Consultant at iDiscovery Solutions (“iDS”). Mr. Garcia holds a Bachelors Degree in Technical Management Computer Information Systems. Mr. Garcia provides services in digital forensics, electronic discovery, technical support and forensic lab management. Mr. Garcia has recorded, collected, and imaged over one thousand different data sources, as well as numerous mobile devices.
Please note that each case may be unique and this single blog post is not intended to fully cover everything related to mobile device computer forensics or constitute advice, legal or otherwise. It is always best to consult a qualified person to assist with any investigation.