Simple, second-generation (2G) mobile phones contained evidence like call histories, contact lists and short text messages, as well as user and device information. Now, 3G and 4G smartphones contain very rich evidence such as emails, photos, electronic documents, and browser and instant messaging history.
MOBILE EVIDENCE
Initially, examiners mainly used mobile phone forensics in criminal proceedings, but as organizations began supplying smartphones to executives, middle management and many other employees, these devices became valuable sources of fraud-examination evidence, such as:
- Device and SIM (subscriber identity module) card data including identification numbers, devices’ phone numbers and phonebooks.
- Call logs, which are actually the histories of incoming and outgoing calls. Some older models can store only 10 incoming or missed calls.
- Short Message Service (SMS), or text messages, could be the most widely used data application. Often used as an "alternate communication channel," they can be useful sources of evidence in cases involving collusion and corruption. Text messages can be 160 characters long, including spaces, but some devices divide longer messages into multiple parts to meet the character limit. Forensic tools can also allow investigators to recover deleted SMS from either the SIM or the device.
- With the advent of digital cameras embedded into mobile devices, Multimedia Messaging Service (MMS) allows users to send multimedia content from one phone to another.
- Electronic mail services are also one of the core functionalities of smartphones. Examiners might discover emails not necessarily found on users' laptops or desktops, because they might have been deleted from users' mailboxes or because they belong to different mailboxes.
- Examiners can recover photos as well as the metadata contained in them. In some cases, the mobile device will embed GPS coordinates in the photo's metadata, which indicate where the picture was taken. Furthermore, characteristics such as naming structure and metadata might indicate the device used to take the photo if the file is found on another medium.
- The ability to surf the web, send instant messages and access social media are now de facto functionalities of mobile devices, so forensic examiners might recover histories from any or all these mobile applications.
- Mobile devices might also include removable storage, such as microSD cards, which serve to augment the mobile devices' storage capacity. These might contain various files and documents, which examiners can analyze using the same methods and tools used for examining other forms of removable storage media.
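The multipart text messages mentioned above are split by the sending device and stored as separate parts, each carrying a User Data Header (UDH) that names the message reference, the total number of parts and the part's sequence number (3GPP TS 23.040). The following is an added example, not code from the article or from any forensic suite, that reassembles such parts in order and reports which parts were never recovered; it assumes the extracted records are available as (sender, UDH-present flag, user data bytes) and, as a simplification, that the text body is UTF-8.

```python
# Added example, not from the article: reassembling concatenated SMS parts
# by their User Data Header (UDH), as defined in 3GPP TS 23.040. Assumption:
# the body after the UDH is UTF-8; real dumps carry GSM 7-bit or UCS-2 text.
from collections import defaultdict

CONCAT_8BIT = 0x00   # IEI: concatenation with an 8-bit reference number


def parse_udh(user_data):
    """Return ((reference, total, seq) or None, body bytes) from user data."""
    udhl = user_data[0]                        # User Data Header Length
    header, body = user_data[1:1 + udhl], user_data[1 + udhl:]
    concat, i = None, 0
    while i + 2 <= len(header):                # walk the information elements
        iei, iedl = header[i], header[i + 1]
        data = header[i + 2:i + 2 + iedl]
        if iei == CONCAT_8BIT and iedl == 3:
            concat = (data[0], data[1], data[2])
        i += 2 + iedl                          # other IEs (e.g. 0x08) are skipped
    return concat, body


def reassemble(records):
    """records: (sender, udhi_flag, user_data). Returns one dict per message."""
    groups, out = defaultdict(dict), []
    for sender, udhi, user_data in records:
        concat, body = parse_udh(user_data) if udhi else (None, user_data)
        if concat is None:                     # ordinary single-part message
            out.append({"sender": sender, "ref": None, "text": body.decode(), "missing": []})
            continue
        ref, total, seq = concat
        groups[(sender, ref, total)][seq] = body
    for (sender, ref, total), parts in groups.items():
        missing = [n for n in range(1, total + 1) if n not in parts]
        text = b"".join(parts[n] for n in sorted(parts)).decode("utf-8", "replace")
        out.append({"sender": sender, "ref": ref, "text": text, "missing": missing})
    return out


def udh(ref, total, seq):                      # builds a UDH for the constructed sample
    return bytes([0x05, CONCAT_8BIT, 0x03, ref, total, seq])

# Constructed sample: part 2 stored before part 1, plus a message whose middle part was never recovered.
SAMPLE = [
    ("+15550001", True, udh(0x2A, 3, 2) + b"shared folder; use the second "),
    ("+15550001", True, udh(0x2A, 3, 1) + b"The revised quotes are in the "),
    ("+15550001", True, udh(0x2A, 3, 3) + b"version, not the first."),
    ("+15550002", False, b"Call me on the other line."),
    ("+15550003", True, udh(0x07, 3, 1) + b"Part one only "),
    ("+15550003", True, udh(0x07, 3, 3) + b"and part three."),
]
```

Running `reassemble(SAMPLE)` yields the three-part message in the correct order, the single-part message unchanged, and the incomplete message flagged with `missing == [2]` so the gap is documented rather than silently joined.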
FORENSIC METHODOLOGY
The forensic examination process for hard drives or mobile phones is quite similar: seizure, acquisition and analysis. However, examiners use different methodologies, tools and techniques for mobile devices.
In fact, mobile device forensics is a separate discipline in the world of digital forensics. Specific tools and techniques are required to extract and analyze evidence found on these devices.
Here are some of the specific considerations when examining mobile devices:
- A single mobile forensic tool might not be enough. Because of the wide variety of mobile devices, mobile forensic suites do not support all models of devices.
- Cables and adapters: Many devices use proprietary adapters, so the examiner must seize or obtain the proper cables.
- Protected devices: Although not always possible, examiners might need to compel users to provide their passwords on their protected devices to acquire stored information.
- Shielding: Examiners should shield mobile devices from other mobile devices and the wireless network to prevent any alteration to the content of the examined devices.
TOOLS
No single tool can allow the examiner to analyze all devices in circulation. It might be necessary to use more than one tool to perform forensic analysis of mobile devices. These tools are divided into three distinct categories:
- Mobile-device analysis suites enable examiners to inspect the contents of devices and their SIM cards. (Devices need a SIM for network access.)
- SIM analysis tools allow examiners to perform in-depth analyses of SIM cards only.
- Flasher box forensics enable examiners with advanced skills to perform physical extractions of devices' memories (often called "hex dumps"). This facilitates the recovery of deleted information, but it requires in-depth knowledge of the inner workings of mobile phones.
When a mobile device is not supported by any tool, the examiner might, as a last resort, need to rely on manual acquisition - using the phone's user interface to extract information and then capturing pictures of the screen to collect evidence.
IMPORTANT SOURCES OF EVIDENCE
Mobile devices have become standard issue for most people in business, so fraud examiners have no other option but to consider evidence from them when investigating fraud in the workplace.
Jean-François Legault is a senior manager with Deloitte's Forensic & Dispute Services practice in Montreal, Canada.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.