Core Skills for the Investigation of Mobile Devices

mobile-devicesMobile devices are more common today than computers, with over a 100% saturation rate in the U.S. Many crimes are committed either directly by using a mobile device or are facilitated by a device. These devices can contain a wealth of evidence that will play into your investigation. But to conduct a thorough investigation, you need to know how to retrieve the digital data and then how to properly analyze it. Let us show you the tools and teach you the skills needed to successfully recover digital data and evidence from a mobile device. This course covers all angles of the investigation, including seizure, evidence recovery, and how to obtain relevant information from service providers. We demonstrate the importance of device manuals, and show you the role they play in your device research.

Audience: Law enforcement officers, investigators, analysts and forensic examiners
Prerequisites: Complete The Investigation of Computer Crime course. (Recommended)
Length: 3 days
Difficulty: Intermediate

Syllabus

Mobile Device Data Recovery Considerations

There is a serious need for this course, and we tell you why. We show how mobile device use by youngsters makes them prime targets for exploitation. We cover some of the capabilities of mobile devices and demonstrate some of the more popular apps for texting, chatting, photos, and file sharing. As an investigator, you will need to know how to find and analyze the data that is held within each of these mobile device features.

Mobile Device Seizure

We begin this block by showing you how to prevent data from being lost (by you) or destroyed remotely (by the suspect). Then we move into other seizure issues, like how to remove a device from a network. You’ll learn what can be recovered from a mobile device and the legal issues that you must consider. We show you how to work with a password-protected phone and demonstrate the tools that can help you get inside. We talk about vault apps—the forms they take and how to bypass them. You’ll learn how to determine a device’s IP address; this will lead you to the cellular provider. We show you how to prepare a preservation order to get information from the provider. We take a deeper dive into mobile device tracking and tower information as we show you how mobile device tracking works and talk about cell coverage and towers. We introduce you to the hardware and software tools that you’ll need to use for your mobile device investigations.

Mobile Device Data Recovery Resources

With so much information just a click away, it’s often hard for an investigator to know where to start. We show you how to download some of our favorite Firefox Add-ons that will help in your investigations. We also introduce you to the SEARCH Toolbar, another free and indispensible download. You’ll learn how to organize the information you discover about a device and how to document each step in your investigation. We show you other resources you can download to retrieve phone information and access device manuals. We introduce you to the online groups and list serves that law enforcement investigators frequent. You’ll see the types of information that can be gleaned from digital photos and learn the ins and outs of retrieving, viewing and mapping this exif data.

Cellebrite UFED Logical

As we have already established, there are many tools and resources available for mobile device investigation. One of our favorite tools for law enforcement investigators is the Cellebrite UFED (Universal Forensic Extraction Device). We demonstrate how the device works and show how you can use it to extract vital information such as phonebook, photos, videos, ringtones, SMS (text messages), calendar and more from a mobile device.

Secure View 3

After a quick review of what we covered yesterday, we launch into a full day of showing you more tools that will enhance your investigations. This time we explore a product called Secure View 3, made by Susteen. We show you how to use Secure View 3 to acquire and analyze data from many types of mobile devices, including Apple products and pre-paid cell phones. You will see how using this device can save your agency time and money by automating many of the tasks you likely do now by hand, like downloading call logs and contact lists. We also show you how the svProbe feature allows you to analyze the data contained on a mobile device.

BitPim

We realize that some of the products we demonstrate in our classes might be cost-prohibitive for some agencies. That’s why we also provide examples of free resources. BitPim is an open source, free software tool that you can use to view data on a mobile device. We walk you through the steps of downloading BitPim and show you how to use it to get information from a device’s phonebook, calendar, wallpaper, ringtone, memo, text messages, and call history fields. We show you how to use the tool to retrieve file system information that can later be parsed with a forensic utility. BitPim, while limited to non-smartphone CDMA devices, performs great for “throw-down” cell phones from carriers such as MetroPCS and Cricket, which oftentimes show up in investigations and have limited support from other mobile device data recovery tools.

Paraben

We move forward with yet another tool demonstration—Device Seizure, from the Paraben Corporation. This tool offers logical and physical data extraction of user data such as call logs, text messages, contacts and photos. We also show you how to get to the file system and deleted data. You’ll see how the tool can extract user passwords and GPS data points. Lastly, we show you how to generate reports that will help you to make sense of the data.

SIM Cards

SIM (Subscriber Identity Module) cards are those small, portable memory chips that are used mostly in mobile devices that operate on the Global System for Mobile Communications (GSM) network. They hold the personal information of the account holder, including phone number, address book, text messages, and other data. All of this is vital information for any investigation and you need to know how to access it. In this discussion we show you how to analyze a SIM card and document your findings to build your case.

Manual Data Extraction

Sometimes even technology isn’t enough. You may run into instances where data cannot be retrieved with automated data recovery software. Or the software may not be accessible. At times like these, you need to rely on “old-school” methods like taking notes or photos or videos. We walk you through the steps you should take to do a manual data recovery, and advise you of the pitfalls you’ll want to avoid. We demonstrate the video camera method using Windows Movie Maker, a free tool that saves time and energy over the traditional methods of taking photographs.

Practical Exercise

We bring the course to a close by giving you the opportunity to put your newfound skills to the test. We challenge you to work your way through some hands-on, real-world examples that will allow you to demonstrate that you have grasped the course content. You also have the option of bringing in an evidence phone from an active case and conducting an analysis of it.