For better or worse, smartphones have become the hub of our daily lives. We chat, schedule, email, search, and make purchases from a small device that fits in our pockets. As such, many attorneys often presume these devices contain treasure troves of information waiting to be excavated during digital forensic investigations.
Contrary to these expectations, extracting data from smartphones is not without significant barriers. This article aims to unpack the reality of these limitations, presenting an unvarnished view of the challenges encountered in smartphone digital forensics compared to hard drive forensics.
IT USED TO BE EASIER:
As the digital landscape evolves, so do the challenges digital forensic professionals face. Just a few years ago, forensic professionals could create file-system-level images of smartphones, which allowed us to peer deep into the storage bins and log files of many operating system functions and other third-party applications.
In that respect, forensically imaging a smartphone was similar to imaging a traditional hard drive. With a hard drive, we have access to every single bit of data recorded on the drive, often including information that has been “deleted.” Today, however, the forensic examination of smartphones is significantly different and comes with unique limitations.
SECURITY AND PRIVACY:
For many years, smartphone security was fairly lax. This allowed hackers to bypass traditional security measures by exploiting software and hardware vulnerabilities found in most digital devices. This also allowed forensic investigators broad access to information stored on the phone.
As phone manufacturers began to take user privacy and security more seriously, their efforts to lock down their products increased. With the release of the iPhone X (2017), Apple fixed fundamental security flaws endemic to the iPhone platform. Similarly, Google and Android device manufacturers have significantly improved their security. These measures are in place to safeguard the user’s data, but they inevitably impede the ability of forensic experts to conduct a comprehensive investigation.
As a result, significant limitations exist on the data types that can be collected from a modern smartphone. We are limited to some fundamental data types, often without access to associated metadata or timestamps that help us analyze usage patterns. Additionally, we are restricted from accessing most residual or deleted data created by third-party apps
As the years go by, more and more information is being stored and accessed directly from the Cloud. There was a time when you would download email to your phone. Today, however, you are more likely using an app that queries a Cloud server to present a view of your email without any actual emails being transferred and stored on your phone. Most modern applications keep their data in the Cloud, providing a temporary look at it when you access it.
Despite being the central hub of our modern-day lives, the physical phone is no longer the best source of information for most data types—the Cloud is. If you use an Apple device, you are likely backing up and synchronizing to iCloud. Android users synchronize to Google’s suite of services. As such, collecting the contents of these Cloud accounts when imaging a smartphone is considered a best practice.
One type of data that is still best collected directly from a smartphone is text messages. Traditional text messages (SMS, MMS) are not stored anywhere except on the devices that send and receive the message. (To understand more about collecting text messages or retrieving lost or deleted messages, check out this article: Can We Recover Deleted Text Messages?)
Finally, changes in how modern smartphones handle geolocation data have also affected the capacity of forensic investigations. Previously, smartphones stored extensive location history that could be collected during forensic investigations. However, updates to both Apple’s iOS and Android systems have seen more stringent privacy measures put in place, limiting the availability of this geolocation data.
Apple no longer keeps a log of locations a user visits, retaining only a minimal record of “significant locations.” For many years, Google devices kept extremely detailed geolocation data (See this article: The Astonishing Amount of Discoverable Data in the Cloud), but privacy settings now keep this to a minimum.
These changes reflect an evolving digital landscape where user privacy is increasingly prioritized. While this is a positive development for consumers, it poses additional challenges for those in the field of digital forensics.
WHAT WE CAN COLLECT:
Still, a great deal of information can be collected from a phone. Below is a sample of the information that can be found:
- Text Messages
- Limited Geolocation Data from Stored Locations, Photos, or Apple/Google Maps
- Web Browser History
- Web Search History
- WiFi Connection History
- Call History & Logs
- Some 3rd Party Data
- Locally-stored Email
A NOTE ABOUT LAW ENFORCEMENT:
It’s important to realize that law enforcement has access to tools that companies will not sell to the general public. Gray Key from Gray Shift is one such tool. It allows users to crack the password of specific models of Apple and Android phones and retrieve a system-level image of that device. For this reason, law enforcement has a significant advantage when collecting data from a modern smartphone.
In conclusion, smartphone digital forensics is a rapidly evolving field that presents unique challenges compared to traditional hard drive forensics. The constraints of accessing the file system, the growing reliance on Cloud storage, and the enhanced privacy measures for geolocation information necessitate continuous adaptation and innovative solutions from digital forensic professionals.
If you have questions concerning smartphone collections or the best way to collect information from digital devices and Cloud storage, don’t hesitate to call Data Narro. We advise attorneys on the most cost-effective way to collect the data they are looking for, especially when dealing with modern smartphones and digital devices. Our initial consultations are always free of obligation.