The Trouble with Mobile Device Forensics

By David Kalat

The first problem with mobile device forensics is the name. “Mobile devices” is a catch-all term meant to encompass cell phones, smartphones, tablets, and hybrid “phablets.” But even these terms are inherently misleading—they imply that we are talking about phones. In 2011, physicist Michio Kaku noted that today’s mobile “phones” have more computing power than all of the computers NASA used to land astronauts on the moon.[1] The average mobile “phone” today easily outstrips the power of the Cray, Deep Blue, or any supercomputer of a generation ago.[2] Current models have faster processors, access to more storage, better network connectivity, and more robust software than the average PC from just 10 years ago. We call them “phones” at our peril—they are powerful computers that just happen to be able to place calls as well.

These devices track our physical location, monitor our Web browsing, facilitate our text and email communication, store our documents, network us to social media, and do everything else you might expect from a supercomputer you carry with you everywhere you go.

With the advent of “Bring Your Own Device” policies, the majority of U.S. workers now use their mobile devices both personally and for work.[3] Google reports that search queries from mobile devices exceed the combined number of queries placed from all desktops and laptops.[4] Experts estimate that within the next five years, mobile device traffic will have quintupled its present volume.[5]

Excluding mobile devices from a collection’s scope can have serious repercussions. Consider, for example, the case of Small v. University Medical Center. This class action case alleging claims under the Fair Labor Standards Act led to a two-year battle over discovery issues—oral arguments, seven different discovery status conferences, the appointment of a Special Master, various all-day hearings with the Special Master, 14 telephone conferences, 20 different declarations, and an army of ESI consultants. The Special Master opined that defendant UMC had failed to identify mobile devices as a relevant source of responsive ESI, and had delayed in preserving the Blackberry server. The Special Master called for “case-dispositive” sanctions; the court’s ruling is pending.[6]

This brings us to the second problem with mobile device forensics: the forensics part. Although mobile devices are computers in every sense of the term, are increasingly ubiquitous in their use and application, store ever greater volumes of data, and are increasingly expected to be included in the scope of eDiscovery preservation issues, unique technical issues complicate the ability to collect and analyze their contents. As technology advances, these technical problems have only increased. As manufacturers improve their users’ security, the avenues for forensic capture narrow.

Let’s Get Physical

The Sedona Conference defines a “forensic copy” as an “exact copy of an entire physical storage media . . . including all active and residual data and unallocated or slack space on the media.”[7] There are some $10 words in that sentence, but the key one is “physical.”

Physical data refers to the actual state of whatever digital storage medium you have—in other words, which bits are set to 1s and to 0s. The physical data is not necessarily the same as the informational content of that data. This is because a computer system does a lot of work behind the scenes to maintain its operations (including, but not limited to, clearing away deleted files), and this work takes place using the same storage media used to store the user’s files. A “physical” copy, then, is a copy that maintains all those hidden system files, deleted files, fragmented files, and other data scraps in their original state. The alternative is a copy of just the user’s data—this is called a “logical” copy. As far as the Sedona Conference is concerned, the physical copy is the one that counts as a forensic copy; a logical copy can at best hope to be a copy prepared “in a forensically sound manner.” As we shall see, this distinction leads to some tricky challenges when applied to mobile devices.
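To make the physical-versus-logical distinction concrete, here is an added example (not from the article or any forensic tool vendor) that models a tiny flash medium with a simple allocation table. Deleting a file only drops its table entry, so a physical copy still carries the residual bytes and block slack, while a logical copy contains only the live files the file system reports. The block size, block count, file names and the "MSG:" record marker are all constructed for illustration.

```python
import hashlib

BLOCK_SIZE = 16   # constructed: tiny blocks so the whole image is readable
N_BLOCKS = 8      # constructed: a 128-byte "flash chip"


class ToyMedium:
    """Minimal storage medium: raw blocks plus an allocation table.
    delete() removes only the table entry; the bytes stay on the medium,
    which is exactly the residual data a physical copy preserves."""

    def __init__(self):
        self.blocks = bytearray(BLOCK_SIZE * N_BLOCKS)
        self.table = {}                      # name -> (length, [block indexes])
        self.free = list(range(N_BLOCKS))    # unallocated blocks

    def write(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(self.free):
            raise IOError("medium full")
        used = []
        for chunk in chunks:
            idx = self.free.pop(0)
            # short final chunk is null-padded: the padding is the "slack space"
            self.blocks[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE] = chunk.ljust(BLOCK_SIZE, b"\0")
            used.append(idx)
        self.table[name] = (len(data), used)

    def delete(self, name):
        _, used = self.table.pop(name)
        self.free.extend(used)   # blocks become unallocated; contents are untouched

    def read(self, name):
        length, used = self.table[name]
        raw = b"".join(bytes(self.blocks[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]) for i in used)
        return raw[:length]


def physical_copy(medium):
    """Bit-for-bit image of every block, allocated or not."""
    return bytes(medium.blocks)


def logical_copy(medium):
    """Only what the file system reports: live files, by name."""
    return {name: medium.read(name) for name in medium.table}


def carve(image, marker=b"MSG:"):
    """Scan a physical image for a known record marker regardless of allocation state.
    Each record runs from the marker to the next null byte (constructed record format)."""
    found, pos = [], 0
    while True:
        pos = image.find(marker, pos)
        if pos < 0:
            return found
        end = image.find(b"\0", pos)
        found.append(image[pos:end if end >= 0 else len(image)])
        pos += len(marker)


def sha256(data):
    """Acquisition hash: the image should verify against the medium it came from."""
    return hashlib.sha256(data).hexdigest()


def demo():
    m = ToyMedium()
    m.write("note.txt", b"MSG:meet at 9")            # 13 bytes: one block plus 3 bytes of slack
    m.write("draft.txt", b"MSG:sell before news")    # 20 bytes: two blocks
    m.delete("draft.txt")                            # user "deletes" it; the bytes remain
    phys = physical_copy(m)
    logi = logical_copy(m)
    return {
        "logical_names": sorted(logi),
        "logical_has_deleted": any(b"sell before news" in v for v in logi.values()),
        "carved": carve(phys),
        "image_verifies": sha256(phys) == sha256(bytes(m.blocks)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The logical copy lists only note.txt, while carving the physical image recovers the deleted draft as well; the hash comparison is the verification step that lets an examiner show the image matches the medium it was taken from.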

In traditional computer forensics, a physical copy is usually obtained by opening up the computer, removing the hard drive, and duplicating its contents using specialized forensic tools. Mobile devices present a radically different profile. They are engineered to be lightweight, compact units capable of functioning smoothly even when jostled in the user’s purse or pockets. They do not have removable drives. Their internal memory consists of circuit boards made of flash memory chips.

Over the years, several methods of collecting data from these flash chips became established forensic techniques. Problematically, recent technological developments have started to push each of these techniques towards obsolescence.

Cracking the Chips

The chip-off technique is exactly what the name describes: the examiner disassembles the device to de-solder the chips from the circuit board and analyze the data by using an external chip-reader.

It is a fundamentally invasive and destructive thing to do. The process cannot be performed on site but must instead be performed under tightly controlled conditions using specialized and expensive tools. It is time consuming and delicate, and risks damaging the data. Except in rare circumstances, the user’s device is destroyed in the process, and the chips cannot be reintegrated after being collected.

A slightly less destructive but still invasive alternative involves leveraging the testing ports on the circuit board. These ports, called JTAG for the “Joint Test Action Group” that designed them, are intended to be used to test and program the chips. Clever investigators learned how to repurpose them to read data off the chips. Connecting a chip-reader requires a schematic diagram of the device’s internal design, knowing how to recognize the ports, and having a deft hand at the soldering iron, but offers the ability to return the device to more or less its original condition when done.

However, new mobile devices are increasingly produced with full-disk encryption. The use of encryption—or even the possibility of its use—can take chip-off or JTAG procedures off the table.

Losing the Keys

Getting past a user’s lock screen means either knowing or cracking the user’s passcode, which can be a vexing challenge. Consider an iPhone locked with a simple alphanumeric passcode. According to Apple’s published specifications, the passcode must be entered directly through the device’s interface, which enforces a delay after each attempt; at that rate, running through all possible combinations would take several years.[8] And since users have the option of configuring additional safeguards manually, after the first 10 incorrect entries the device might automatically wipe its contents entirely.

It is important to note that a lock screen is different from encryption. Most devices are protected by some kind of lock screen, into which a user inputs a passcode of some type to gain access to the device contents. When encryption is enabled on a device, a separate hardware-specific component within the device encodes or decodes the binary data as it is read from or written to the device’s internal memory. In other words, a lock screen provides protection by limiting unauthorized access; encryption provides protection by ensuring that even if the data is accessed by unauthorized users it cannot be understood.

Encryption causes the physical data stored on the internal memory to be incomprehensible on its own. The challenge here is that decrypting the data involves more than just knowing the user’s passcode. That hardware-specific component within the device combines the user’s passcode with a “secret sauce” recipe unique to that specific device and that cannot currently be replicated elsewhere.

Imagine you are handed a smartphone and told to collect the data from it. There is no way to tell from looking at the thing whether it is encrypted or not. If it is, the data cannot be decrypted from the forensic copy, even with the user’s passcode, because the passcode alone is insufficient. Performing a chip-off or JTAG acquisition may result in a “forensic” physical copy, but that copy cannot be analyzed in its encrypted state.
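The reason the passcode alone is not enough is that the decryption key is derived from the passcode entangled with a secret held in the device’s hardware. The following is an added illustration of that design, not Apple’s or any vendor’s actual scheme: a key is derived with PBKDF2 from the passcode and a per-device secret, and the data is protected with a toy HMAC-based stream cipher plus an integrity tag. The device secret, passcode, nonce and sample plaintext are all constructed values.

```python
import hashlib
import hmac

# constructed: stands in for the per-device hardware secret that never leaves the chip
DEVICE_UID = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSCODE = "4417"   # constructed sample passcode
NONCE = bytes(range(16))   # constructed; a real system would use a fresh random nonce


def derive_key(passcode, device_uid, rounds=100_000):
    """Entangle the passcode with the device secret. The same passcode on any
    other hardware (or on a chip-off image read elsewhere) yields a different key."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_uid, rounds, dklen=32)


def _keystream(key, nonce, length):
    """Toy keystream: HMAC-SHA256 over a counter. Illustrative only, not a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, nonce, plaintext):
    """Return nonce || ciphertext || tag, where the tag binds nonce and ciphertext to the key."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag before decrypting; a wrong key gives None, not silent garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def scenario():
    """Same stored data, three attempts to read it:
    on the original device, on a copy read elsewhere with the right passcode,
    and on the original device with the wrong passcode."""
    stored = encrypt(derive_key(PASSCODE, DEVICE_UID), NONCE, b"contacts.db contents")
    on_device = decrypt(derive_key(PASSCODE, DEVICE_UID), stored)
    off_device = decrypt(derive_key(PASSCODE, bytes(16)), stored)   # right passcode, other hardware
    wrong_code = decrypt(derive_key("0000", DEVICE_UID), stored)    # right hardware, wrong passcode
    return on_device, off_device, wrong_code


if __name__ == "__main__":
    print(scenario())
```

Only the combination of the correct passcode and the original device secret reproduces the key; a physical image taken off the chips, even paired with the user’s passcode, decrypts to nothing. That is the property that makes encrypted chip-off and JTAG images unreadable on their own.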

Boot(loader)s on the Ground

There are alternatives that can allow access to a device’s internal memory without disassembling the device. These methods are faster, less invasive, and less risky—but involve other tradeoffs.

A boot loader is a chunk of software code inserted into a device’s RAM at the moment of startup to influence or redirect the boot process. Although this does make changes to the device’s memory, it does so only to the active RAM, and only temporarily, leaving no evidence of its use on the mobile device. Many boot loader-based acquisition techniques can result in a full physical data capture from a range of devices without the risks and disadvantages of more invasive techniques.

Before getting too excited it is important to realize that fewer and fewer new devices permit the use of boot loaders. Current iOS devices and most current Android devices prohibit boot loaders, limiting that technique to older devices running older operating system versions.

Some sophisticated users choose to override the manufacturer’s security settings and obtain administrator-level privileges on their devices. In the iOS world, this is called “jailbreaking,” and in Android-speak, it is “rooting.” For devices that are already jailbroken or rooted, forensic software tools may be able to access user data for extraction, but this is a rare occurrence. Jailbreaking or rooting is technically advanced (that is, not an option for most casual users), likely voids the warranty, likely violates the user agreement, and may open the device to new categories of security vulnerabilities. That being said, some users opt to do so anyway.

Some forensic tools may obtain temporary root access to a device by installing a small client application in the unallocated space of the device memory. This technique does leave data on the device, which can be a great concern to forensic examiners for whom “leave no trace” is a professional mantra. In acknowledging the worries that forensic professionals would have about using a procedure that knowingly changes the data on a device, Cellebrite, a well-known maker of forensic software tools, likens this in its marketing to the necessity of an investigator leaving his own footprints in a snowy crime scene in order to retrieve a murder weapon.

API Credit

Accessing the contents of a mobile device without disassembling the machine and without using a boot loader means interfacing with it through the device’s I/O port. On most mobile devices, this will take the form of a USB connection of some variety, which serves to transmit data both to and from a given device, as well as to charge it.

Like any computer, a mobile device has an operating system that provides the basic working environment in which other software (such as third-party apps) function. The operating system interacts with those apps through an Application Programming Interface, or API. Forensic collection software can use the APIs to communicate with the device operating system, which responds by outputting the requested data through the USB port.

Interacting with the operating system in this way not only yields merely a logical copy of the device contents; that logical data will also be incomplete in various ways. APIs vary from device to device and change over time as software is updated. Mobile device manufacturers limit what kinds of data can be exported through the API. Apple, for example, does not allow email content to be transmitted through the API.

More significantly, for security reasons mobile device manufacturers isolate application data in their own private data islands. Depending on the app, data may be inaccessible even though it is part of the logical data of the device. Think of it like a shopping mall. Obtaining the business records from the office of the company that administers the mall is not the same as getting access to the business records of the individual stores. Of course, apps are where users do the things of greatest interest to investigators: send texts, go on Facebook, conduct online banking, take pictures, and so on. A data capture from a mobile device that omits much of the user’s app-based activity may be of limited value to an investigator.

The Future of Mobile Forensics

The forensic community appears to be gravitating towards boot loaders and API-based acquisition as the preferred solution to the challenges posed by mobile device forensics, as opposed to the highly specialized and risky use of JTAG or chip-off acquisitions. The providers of mobile device forensic software (e.g., Cellebrite’s UFED, MSAB’s XRY, AccessData’s MPE+, and Paraben’s Device Seizure) vie for market share by advertising the number of mobile devices their products can support. As impressive as those numbers may sound in a vacuum, the problem is that the list of supported devices barely scratches the surface.

In August 2014, it was reported there were at least 18,769 known distinct Android device types alone,[9] and that does not account for meaningful variations in operating system version, firmware, and telecom carrier, each of which introduces new variables. Every year hundreds of new devices come to market, exponentially increasing the bewildering diversity of device combinations.[10] It is a regular occurrence for forensic technologists to be given a commonly used smartphone, only to find that no forensic tool works on that specific combination of device hardware and software. As implausible or frustrating as it may sound, a forensic investigator may have full authorized access to a smartphone, and can log in and see the content of all applications, including emails and other communications, but can neither save nor export that information. Meanwhile, the makers of forensic tools may labor long hours to engineer a specialized solution for a specific device, only for that device to be abandoned by users in favor of the next new version, and the cycle begins again.

In 2014, there were over 900 million Android devices in use, with Apple’s iOS in second place with 500 million users. There are reportedly 100 million users of MIUI (mostly in China), while Windows Phones and Blackberries remain smaller but still significant players. To say that each of those billion-plus devices represents a unique set of forensic challenges is an exaggeration—but not much of one.

There is no single best solution for mobile device image acquisition. Unfortunately, many devices cannot be imaged at all with standard forensic software; many other devices can only be imaged in part. Developing new software or workarounds, where possible, can be cost prohibitive.

Mobile device forensics has always been a science replete with challenges. Investigators must know a variety of technological strategies to extract data, as each device represents unique challenges. The various techniques traditionally used by experts offered a range of options for investigators to balance their case needs against levels of risk, budgetary concerns, deadlines, and other factors. Meanwhile, manufacturers of mobile devices have been increasing the levels of protection given to users’ data to secure it from access by third parties, including forensic experts. Those security protections have now precluded many previously viable forensic options. This has significantly affected the ability of forensic experts to collect data from mobile devices.

In light of these developments and challenges, litigators and business leaders who need to access mobile device content require the services of experienced forensic professionals who are familiar with these issues. In turn, those forensic investigators will need to be increasingly flexible and realistic about what data they can expect to obtain. As mobile devices continue to overtake traditional computers, the ability to obtain a viable physical copy of the device’s flash memory slips farther away. Although obtaining a physical image of a device’s internal memory may be preferable in theory, in practice collecting any data at all may be a challenge, and obtaining (a possibly incomplete set of) logical data from a device may be the best available option.

The problem with building better mousetraps is that they just breed smarter mice.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.

[1] Kaku, Michio, Physics of the Future: How Science Will Shape Human Destiny and Our Daily Lives by the Year 2100, Knopf Doubleday Publishing Group (March 15, 2011).

[2] “A Modern Smartphone or a Vintage Supercomputer: Which is More Powerful?” PhoneArena.com (June 14, 2014), accessed at http://www.phonearena.com/news/A-modern-smartphone-or-a-vintage-supercomputer-which-is-more-powerful_id57149

[3] Sullivan, Laurie, “Smartphones, Tablets Become Essential Work/Home Tools,” MediaPost.com (July 25, 2013), accessed at http://www.mediapost.com/publications/article/205358/smartphones-tablets-become-essential-workhome-to.html#axzz2aC70nOtd

[4] Dischler, Jerry, “Building for the next moment,” Google – Inside AdWords (May 5, 2015), accessed at http://adwords.blogspot.com/2015/05/building-for-next-moment.html

[5] “Cisco Visual Networking Index: Forecast and Methodology, 2014-2019 White Paper,” (May 27, 2015) accessed at http://www.cisco.com/c/en/us/solutions/collateral/service-provider/ip-ngn-ip-next-generation-network/white_paper_c11-481360.html and “Ericsson Mobility Report: On the Pulse of the Networked Society,” (February 2015), accessed at http://www.ericsson.com/res/docs/2015/ericsson-mobility-report-feb-2015-interim.pdf

[6] Small v. University Medical Center, 2:13-cv-00298 (D. Nev. 2013), available at: http://www.recommind.com/wp-content/uploads/2014/09/Small_v._Univ._Med._Ctr._of_S._Nev.pdf

[8] “iOS Security: iOS 9.0 or later,” Apple.com (September 2015), accessed at https://www.apple.com/business/docs/iOS_Security_Guide.pdf

[9] “Android Fragmentation 2014,” OpenSignal.com, (August 2014) accessed at http://opensignal.com/reports/2014/android-fragmentation/

[10] Amadeo, Ron, “Samsung decides 56 smartphones a year is too many, will cut lineup by 30%,” ArsTechnica.com (November 18, 2014), accessed at http://arstechnica.com/gadgets/2014/11/samsung-decides-56-smartphones-a-year-is-too-many-will-cut-lineup-by-30/
