Mobile devices can be a rich source of evidence about the individuals that use them. Handled properly, a forensic examination can yield evidence that may change the course of an investigation. Handled wrongly, this evidence can be lost forever.
There are many different ways to analyse a mobile device, and the underlying technologies, device forensic techniques and legislation are constantly changing. A long-standing technique is decidedly low-tech: simply manipulating the phone (by navigating through the email, photographs, or contacts list, for example) while recording or photographing the results. While this may be sufficient for some cases, obvious disadvantages include the fact that it involves manipulating and changing the very evidence you may be looking to preserve. A more extensive, but much more difficult, option is to create a complete physical copy of the memory store on the device, which could allow the examination of deleted files and data remnants.
Unlike most desktop computers in a corporate environment, mobile devices belong to an ecosystem made up of a multitude of different operating systems, communications protocols and data storage technologies. Though this technological diversity and constant innovation may be good for end users, it makes the task of forensic examiners more difficult.
At present, there is not a true ‘standard’ approach to mobile device forensics. Therefore, it is especially important to work with a skilled and experienced examiner. The initial stages of an investigation could have a significant impact on the type of data the investigation may unearth. Because mobile devices can communicate constantly, a very real concern exists that the data of interest, for example email, texts and Internet history, could be crowded out by newly-arriving data and disappear if the device is not rendered incommunicative. While disabling communications could be as simple as turning the device off, this approach could have unintended consequences, as turning off the device can lead to the loss of some data and the activation of password protection, which could make it impossible to subsequently access the device. Clearly, the same problem will arise if the batteries run out, which underlines the importance of collecting any cables and chargers at the time the phone is taken into custody.
Whatever collection technique or method of analysis is used, organisations should be prepared to justify and document the use and approach that they select. Some methods of collection and analysis can involve alteration of the underlying data, which may cause authentication and/or admissibility problems in legal proceedings if not handled properly. There may also be significant privacy considerations. For example, across many European jurisdictions, legislation stipulates that personal information remains private, even if it is contained on a company’s computer, device or network.
While mobile device forensics can present many challenges, the potential payoff can be significant. Mobile devices typically contain call logs, texts, contacts, calendar items, multimedia, memos, notes and potentially email. They may contain a user’s Internet browsing history, screenshots, voicemails, information regarding mobile apps (including when they were purchased or used), videos, map histories, geolocation information, including coordinates stored in photographs taken with the device, as well as records of access to wireless networks. Sometimes it is possible to recover deleted information from mobile devices. While all of this information could be useful in various cases, perhaps the most interesting information – or at least the type of information that sets mobile device evidence apart from traditional PC evidence – is the location data. Some cases hinge on the location of a particular person at a particular time, and this information can be gleaned from various sources on a mobile device.
The method of collection and preservation of mobile device evidence is crucial to its later admissibility and may even have other collateral effects in litigation. With mobile device technology so diverse and constantly changing, the particular forensic technique used may be relatively novel and untested. A key question is, therefore, whether it can withstand scrutiny.
With the rise in BYOD adoption set to continue, organisations must ensure the evidence these devices contain is preserved and analysed appropriately. Mobile device forensics will play an increasingly important role in this new landscape.