Obstacles & Opportunities in Mobile Forensic Collections October 2, 2014 Evidence Collection in the Mobile Age.

Obstacles & Opportunities in Mobile Forensic Collections

October 2, 2014

Evidence Collection in the Mobile Age

Trend: Mobile Device Ownership is Rising

© Elysium Digital 2014 2

Source: Pew Research Center (Internet & American Life Project)

3

Trend: Increasing Use of Smartphones

© Elysium Digital 2014

Source: Pew Research Center (Internet & American Life Project)

4

Trend: BYOD Popularity Increasing

© Elysium Digital 2014

Bring Your Own Device (BYOD) Support

Source: Good Technology Corporation. Good Technology’s 2nd Annual State of BYOD Report. (n=100)

5

Mobile: It is the Wild, Wild West of Tech

© Elysium Digital 2014

• Similar to early PC landscape– More Devices– More Varieties– More Connectivity– More Users

• Results in– Lack of Standards– Unsettled Marketplace

Image sources: www.securitypronews.com, www.gospotcheck.com

6

Types of Devices

© Elysium Digital 2014

Cellphones

Smartphones

Tablets

7

Agenda

© Elysium Digital 2014

• Traditional Computer Forensics• Mobile Collections Obstacles• Mobile Collections Opportunities• Other Issues• Quick Takeaways

8© Elysium Digital 2014

Traditional Computer Forensics

9

Traditional Computer Forensics:Non-volatile Storage

© Elysium Digital 2014

• Disk Drive & Solid State Drive (SSD)– “File” Abstraction – Blocks under the

abstraction

10

Traditional Computer Forensics: Files

© Elysium Digital 2014

• Files

• File-level operations

• Internal metadata

11

Traditional Computer Forensics: Filesystems

© Elysium Digital 2014

• Filesystem– Organizational system – Implemented in both storage structure & process– Examples: FAT, inodes

• Filesystem metadata– Creation time– Modification time– Access time

12

Traditional Computer Forensics: “Hidden” Data

© Elysium Digital 2014

• Block Reuse Principles– Conserve cycles– Conserve I/O traffic

• Breaking through the Abstraction– File slack– Deleted files

13© Elysium Digital 2014

Mobile Forensics: Obstacles

14

Mobile Forensics: Obstacles

© Elysium Digital 2014

• Designed for Loss / Theft• Modified by Carriers• Analysis software is less mature• Deleted data & metadata• Truncated email

15© Elysium Digital 2014

Mobile Forensics: Opportunities

16

Mobile Evidence Collection: Opportunities (1/3)

© Elysium Digital 2014

• Opportunities from Common Practices– Devices not centrally managed – Data policies not implemented– Data remains on old devices– Data is maintained in backups

17

Mobile Evidence Collection: Opportunities (2/3)

© Elysium Digital 2014

• Opportunities from Types of Data– Locational data available– Network connection information available

18

Mobile Evidence Collection: Opportunities (3/3)

© Elysium Digital 2014

• Opportunities yielded by the process– Broadening scope of discovery– Helping to find the “digital packrat”

19

Mobile Evidence Collection: Spoliation

© Elysium Digital 2014

• Devices viewed as a private, personal accessory• Spoliation 10x increase over laptops• Can yield obstacles and opportunities

20

Mobile Evidence Collection: Other Issues

© Elysium Digital 2014

• Cloud backups• Encrypted backups• Commingled personal data

21

Mobile Evidence Collection: Quick Takeaways (1/4)

© Elysium Digital 2014

Trends:– Mobile device usage increasing– Mobile evidence issues multiplying– Mobile evidence collection increasingly complex

Source: Pew Research Center (Internet & American Life Project)

Source: Good Technology Corp. 2nd Annual State of BYOD Report. (n=100)

22

Mobile Evidence Collection: Quick Takeaways (2/4)

© Elysium Digital 2014

Checklist: Collecting a Smartphone– Get the smartphone– Get it fast– Turn on airplane mode ASAP– Obtain charging device– Keep battery charged– Obtain password / unlock code– If Blackberry, have company/owner unlock it– Send device & charger to mobile forensics expert

23

Mobile Evidence Collection: Quick Takeaways (3/4)

© Elysium Digital 2014

Secure Confidential & Proprietary Data– Strong & enforced IT policy– Password protection or encryption– Watermarks, print banners, or hidden identifiers– Usage restrictions (print, copy, etc.)

24

Mobile Evidence Collection: Quick Takeaways (4/4)

© Elysium Digital 2014

Geographic information not limited to Carriers– XIF data records geographic location of pictures– Pictures themselves can document location– Network connections are tracked and can be mapped back to

geographic locations

25© Elysium Digital 2014

Q&A / Discussion

Have a matter involving mobile evidence collection? Ask.

Didn’t understand that? Ask.

Want more info? Ask.

Christian HicksPresident, Elysium Digital

[email protected]

617-621-3100 x100