An Overview of Mobile Forensics: Challenges and Techniques

Mobile forensics is the field of digital forensics that focuses on recovering, analyzing, and preserving data from mobile devices. Given the integral role smartphones play in daily life, they are often central to criminal investigations, providing crucial digital evidence that can link suspects to criminal activities.

Mobile Devices and Tracking

Smartphones, especially those on monthly contracts, use strong authentication methods to link the user to their real identity. These devices track data usage and GPS locations, and interact with apps that may share data. While convenient for most users, this tracking can be a goldmine of information for investigators. Criminals, however, often use burner phones (disposable phones not linked to a contract and purchased with cash) to maintain anonymity.

Case Study: EncroChat

EncroChat was a secure mobile phone system used by criminals for encrypted communication. Despite strong encryption and limited phone functionality, law enforcement was able to dismantle the network, revealing significant digital evidence. Although users often used code names, cell tower analysis was instrumental in tracking their movements, linking them to crimes.

Challenges in Mobile Forensics

  • Encryption and Access: Modern smartphones, like iPhones, are highly secure, often making it difficult for even law enforcement to access data. Encryption further complicates this, as companies like Apple claim they cannot access the data themselves.
  • Data Extraction: If law enforcement possesses a phone, they may access data on the SIM card or external memory if not encrypted. However, accessing the phone’s internal data often requires specialized software, which could alter the original data, raising concerns under Principle 2 of the ACPO guidelines.
  • User Authentication: Bypassing a phone’s security may involve asking the user to unlock the device. If refused, law enforcement can issue a Section 49 notice under the Regulation of Investigatory Powers Act 2000, compelling the user to unlock the device or face potential imprisonment.
  • Network Isolation: Upon seizing a mobile device, it’s crucial to prevent it from connecting to any network to avoid remote data deletion. This is often done by placing the device in Faraday bags or boxes.

Digital Evidence from Photos

Smartphones with digital cameras embed metadata in photos, known as EXIF data (Exchangeable Image File Format). EXIF data can include the date, time, location, and camera settings, which can be invaluable in investigations. For example, investigators identified a crime group through a photo of a pet dog that displayed a name tag and phone number, leading them to the suspects.
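
As an added illustration (not code from the original article), the sketch below reads the EXIF fields mentioned above (device model, timestamp and GPS position) directly from a JPEG's APP1 segment using only the Python standard library. The sample image bytes and every value in them are constructed, and the function names are this example's own.

```python
import struct

TAGS = {0x0110: "Model", 0x0132: "DateTime"}
GPS_TAGS = {1: "LatRef", 2: "Lat", 3: "LonRef", 4: "Lon"}

def read_ifd(tiff, offset, e, names):
    """Decode ASCII (type 2) and RATIONAL (type 5) entries of one TIFF IFD."""
    out = {}
    (count,) = struct.unpack_from(e + "H", tiff, offset)
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(e + "HHI4s", tiff, offset + 2 + 12 * i)
        size = n * {2: 1, 5: 8}.get(typ, 0)
        # Values over 4 bytes live elsewhere; the entry then holds their offset.
        data = tiff[struct.unpack(e + "I", raw)[0]:][:size] if size > 4 else raw[:size]
        if tag == 0x8825 and names is TAGS:  # GPS sub-IFD pointer, followed once only
            out.update(read_ifd(tiff, struct.unpack(e + "I", raw)[0], e, GPS_TAGS))
        elif tag not in names or len(data) < size:
            continue  # unknown tag or truncated value
        elif typ == 2:
            out[names[tag]] = data.rstrip(b"\0").decode("ascii", "replace")
        elif typ == 5:
            v = struct.unpack(e + "%dI" % (2 * n), data)
            out[names[tag]] = [v[j] / v[j + 1] if v[j + 1] else 0.0 for j in range(0, 2 * n, 2)]
    return out

def exif_from_jpeg(jpeg):
    """Walk JPEG segments to the APP1 'Exif' block and parse its IFD0 and GPS IFD."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = jpeg[pos + 1], struct.unpack_from(">H", jpeg, pos + 2)[0]
        seg = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and seg[:6] == b"Exif\0\0" and seg[6:8] in (b"II", b"MM"):
            e = "<" if seg[6:8] == b"II" else ">"
            return read_ifd(seg[6:], struct.unpack_from(e + "I", seg, 10)[0], e, TAGS)
        pos += 2 + length
    return {}

def decimal_degrees(dms, ref):
    d, m, s = dms
    return round((d + m / 60 + s / 3600) * (-1 if ref in ("S", "W") else 1), 6)

# Constructed sample: a minimal JPEG holding only an EXIF block (all values invented).
E = lambda tag, typ, n, val: struct.pack("<HHII", tag, typ, n, val)
_tiff = (b"II*\0" + struct.pack("<IH", 8, 3) + E(0x0110, 2, 13, 50) + E(0x0132, 2, 20, 63)
         + E(0x8825, 4, 1, 83) + bytes(4) + b"ExamplePhone\0" + b"2024:01:15 10:30:00\0"
         + struct.pack("<H", 4) + E(1, 2, 2, ord("N")) + E(2, 5, 3, 137) + E(3, 2, 2, ord("W"))
         + E(4, 5, 3, 161) + bytes(4) + struct.pack("<12I", 51, 1, 30, 1, 0, 1, 0, 1, 7, 1, 30, 1))
SAMPLE = b"\xff\xd8\xff\xe1" + struct.pack(">H", 8 + len(_tiff)) + b"Exif\0\0" + _tiff + b"\xff\xd9"
```

EXIF values come from the device's own clock and settings and can be edited after capture, so they are corroborated against other sources rather than relied on alone.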

Conclusion

Mobile forensics is a critical component of modern investigations, providing access to a wealth of digital evidence. However, the field is fraught with challenges, including strong encryption, locked devices, and the need for careful data handling to maintain evidence integrity. Despite these hurdles, mobile forensics remains a powerful tool in solving crimes, particularly when investigators can successfully access and analyze the data contained on these ubiquitous devices.
