Smartphones, the most popular mobile communications devices today, are also some of the most difficult to extract evidentiary data from. While many commercial forensic tools have made great strides in supporting data extraction, decoding, and analysis from iOS, Android, and BlackBerry devices, some challenges remain. What are they, and how are vendors responding?
1. A smartphone is never just a smartphone.
Vendors and operating systems can vary widely, particularly with Android, but even within the iOS and BlackBerry user bases. More than 40 iOS versions are in commercial use, spread across six different iPhones, five iPads, and five iPod Touch models.
As of 2012, Google's Android is the rising star of the mobile industry: in the third quarter it was reported to hold nearly 75% market share, compared to less than 20% for iOS and less than 10% for BlackBerry. Android is based on a Linux kernel and runs Java apps, but each Android device family ships its own build of the operating system on its own hardware, so each requires a dedicated extraction solution. Complicating matters, some manufacturers (among them Alcatel, Huawei, and Motorola) have begun to use nonstandard Chinese chipsets, particularly MediaTek (MTK), in their Android devices.
Unlike iPhone users, Android users rarely upgrade their operating systems. (Currently the "old" Gingerbread, Android 2.3, remains the most popular release; it is installed on nearly half of all Android devices, while Android 4.1, "Jelly Bean," runs on only about 10% of devices and Android 4.0, "Ice Cream Sandwich," on just under 30%.) Nor is every device eligible for an upgrade from the version it shipped with.
2. Data protection: passwords and encryption
Not only does data storage vary from device to device and OS to OS, but devices may also be passcode-protected and/or encrypted.
Obviously, it is easy to extract data from a smartphone with no passcode. iPhone passcodes fall into two categories: simple (a four-digit numeric code) and complex (a longer alphanumeric passcode). A mobile data extraction tool should be able to reveal a simple passcode automatically for all devices through the iPhone 4; owing to improved Apple security measures, passcode extraction and bypass are not yet supported for the iPhone 4S or iPhone 5. Once the passcode has been recovered, it is possible to extract and decrypt all data, including protected files.
A complex iPhone passcode takes more effort. The investigator must know the passcode and enter it manually in order to extract and decrypt all data, which may mean interviewing the subject or the subject's close contacts. If the investigator cannot determine the passcode, no mobile forensic tool can bypass it: some data can still be extracted and decrypted, but not the protected files.
The keychain is another important element of iOS password protection. It is the encrypted vault that stores credentials for any variety of services (social media accounts, WiFi networks, and so forth). A mobile forensics tool should be able to decrypt the keychain and so give the examiner access to additional data that would otherwise be unavailable.
Like iPhones, Android devices can also be user-locked. Unlike iPhones, they often use a pattern lock, which is typically not complex. Rooting a locked device, even temporarily, is not possible unless USB debugging (ADB) is already enabled, and the operation takes considerable expertise on the examiner's part.
Bypassing the pattern lock altogether is the best outcome. A file system or physical extraction, once decoded, yields the pattern or PIN used to lock the device. If the extraction tool cannot decode the image, it should still be possible to carve the lock data out of the raw extraction.
Following a physical extraction, a file system extraction using the recovered pattern lock and ADB mode should be possible. However, not every physical extraction from every Android device can be decoded, because chipsets and hardware vary from device to device, and that variation determines whether a forensic tool can reconstruct the file system.
In some cases, when the passcode or pattern lock cannot be bypassed, it may still be possible to reveal the lock code, unlock the device, turn on ADB debugging, and perform a file system extraction. This eliminates the need to reconstruct the file system from a physical extraction.
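What "decoding" the lock out of an extraction amounts to, on the Gingerbread through Jelly Bean devices the article discusses, is shown by the following added example. It is not code from the article or from Cellebrite. On those releases /data/system/gesture.key holds an unsalted SHA-1 of the pattern's cell indices, and /data/system/password.key holds SHA-1 and MD5 of the PIN concatenated with a salt that the platform derives from the lockscreen.password_salt value in the settings database; the example assumes that salt has already been pulled from the extraction. The pattern, PIN, and salt below are constructed for the example, not taken from any device, and later Android releases changed the scheme.

```python
"""Added example (not from the article or Cellebrite): recovering an Android
2.3-4.3 lock code from the files a file system or physical extraction exposes.
All key material below is constructed for the example."""
import hashlib
from itertools import product

# Cells of the 3x3 grid, numbered 0..8 row by row. A stroke that passes
# straight over another cell is only allowed if that cell is already in
# the pattern; the lock screen enforces this, so the cracker must too.
_MIDDLE = {
    (0, 2): 1, (3, 5): 4, (6, 8): 7,   # horizontal strokes
    (0, 6): 3, (1, 7): 4, (2, 8): 5,   # vertical strokes
    (0, 8): 4, (2, 6): 4,              # diagonal strokes
}
_MIDDLE.update({(b, a): m for (a, b), m in list(_MIDDLE.items())})


def valid_patterns(min_len=4, max_len=9):
    """Yield every pattern the lock screen accepts (389,112 in total)."""
    def extend(path):
        if len(path) >= min_len:
            yield path
        if len(path) == max_len:
            return
        for nxt in range(9):
            if nxt in path:
                continue
            mid = _MIDDLE.get((path[-1], nxt))
            if mid is not None and mid not in path:
                continue
            yield from extend(path + [nxt])
    for start in range(9):
        yield from extend([start])


def gesture_hash(pattern):
    """gesture.key holds the unsalted SHA-1 of the cell indices,
    one byte per cell: exactly 20 bytes."""
    return hashlib.sha1(bytes(pattern)).digest()


def crack_gesture(gesture_key):
    """Return the pattern whose hash matches gesture.key, or None."""
    for pattern in valid_patterns():
        if gesture_hash(pattern) == gesture_key:
            return pattern
    return None


def password_hash(pin, salt_hex):
    """password.key holds SHA-1(pin+salt) || MD5(pin+salt) as uppercase hex
    (72 characters). salt_hex is the platform's hex rendering of the 64-bit
    lockscreen.password_salt value; here it is a constructed string."""
    data = (pin + salt_hex).encode()
    return (hashlib.sha1(data).hexdigest() + hashlib.md5(data).hexdigest()).upper()


def crack_pin(password_key, salt_hex, length=4):
    """Brute-force a numeric PIN of the given length against password.key."""
    for digits in product("0123456789", repeat=length):
        pin = "".join(digits)
        if password_hash(pin, salt_hex) == password_key:
            return pin
    return None


if __name__ == "__main__":
    # Constructed sample: the hashes a device would store for pattern
    # 0-1-2-5-8 and for PIN 2580 with a made-up salt.
    sample_gesture = gesture_hash([0, 1, 2, 5, 8])
    sample_salt = "6fe4aba0df5a6ee3"
    sample_password = password_hash("2580", sample_salt)
    print("pattern:", crack_gesture(sample_gesture))
    print("pin:", crack_pin(sample_password, sample_salt))
```

The pattern space is small enough (389,112 drawable patterns) that exhaustive search finishes in seconds, which is why an unsalted gesture hash offers no real protection once the file is in hand; the PIN case is weaker still, since the salt only prevents precomputed tables and a four-digit space has 10,000 candidates.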
Encrypted content is a different matter. The BlackBerry, for example, requires a code to lock the device before its content can be encrypted: the device lock is tied to encryption, so the user cannot encrypt content without first locking the device.
Although it may therefore be possible to extract some unencrypted data that predates the device lock, it is usually not possible to decrypt BlackBerry content without the password. Often the examiner must get the user to provide the password and encryption key.
When the device belongs to an organization—the user’s employer—it may be possible to ask IT staff to reset the encryption key through the BlackBerry Enterprise Server (BES). The content will still be encrypted, but the device will be using a generic key. On devices running OS 4, 5, and 6, it may then be possible to decrypt the content on the fly, analyzing and then showing the data in readable format.
3. Prepaid “burner” phones
Prepaid phones have been a problem for some time, and remain one for law enforcement in particular, because the disabled data port on these devices cannot be enabled and vendors do not make the devices' APIs (the normal channel for logical and file system extractions) available to the developers of commercial forensic extraction tools.
File system extractions have the dual benefit of making more data, including some deleted data, available quickly. However, because they extract only data from allocated space in the device's memory, they remain limited in some ways, and they demand a higher degree of expertise on the examiner's part because the result must be decoded.
Physical extraction, a bit-for-bit copy of the device's internal flash memory, yields the fullest and most accurate data because it captures both allocated and unallocated space. However, it can be time consuming even with a good forensic tool, and it requires decoding, which demands explicit training or expertise on the examiner's part.
4. There’s no app for that
Apps, which are available not just through the iPhone and Android app stores but also from device vendors like Samsung, Nokia, and LG, mobile carriers like T-Mobile, and retailers like Amazon, are another challenge.
Apps are diverse, ranging from travel tools like navigation, traffic information, and weather; to social networking and location sharing; to banking and finance; to communications tools such as chat, instant messaging, and voiceover IP; to entertainment tools like video, television and radio broadcasting, and gaming. Hundreds of thousands of apps exist; billions of downloads have occurred.
Forensic tools' support for mobile apps began only in the past year or so and covers only the most popular apps. iOS apps are sandboxed, so all of a single app's data sits in that app's own folder. Android apps also receive a private data directory, but they frequently write to shared external storage as well, so an app's data is not confined to one location. At least some app data will be available from a logical or file system extraction.
Obtaining app data through physical extraction, however, means decoding, and to decode app data the mobile forensic tool must first reconstruct the file system. This is challenging because of how flash file systems are implemented: to minimize erase cycles they write new copies of data to fresh locations instead of overwriting in place, so deleted and superseded content lingers in the device's memory. Once the flash file system has been reconstructed, it is possible to start decoding the content, including locations, Bluetooth devices, device information, cookies, installed apps, Web history, and so on.
Much of the application data on iOS and Android lives in SQLite databases, and a deleted record often remains in the database file's free space until it is overwritten. The ability to view the tables and content of live and deleted databases, recover deleted entries from within a database, and search the data can therefore be of great evidentiary value.
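The following added example (not code from the article or from any vendor tool) shows why deleted SQLite records turn up in carved data, and the one setting that makes them disappear. It builds a small chat-style database from constructed sample messages, deletes one, closes the file, and then scans the raw bytes the way a carver working on a physical image would, once with SQLite's secure_delete pragma off (freed cell content is left in place) and once with it on (freed content is zeroed). The table, messages, and marker string are all constructed.

```python
"""Added example (not from the article): deleted SQLite rows survive in the
file's free space unless secure_delete is on. Sample data is constructed."""
import os
import sqlite3
import tempfile


def build_and_delete(secure_delete):
    """Create a small database, delete one message, and return the raw
    bytes of the closed file (what a file system or physical image holds)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        conn = sqlite3.connect(path)
        # secure_delete decides whether SQLite zeroes freed cell content.
        conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        conn.executemany(
            "INSERT INTO messages (body) VALUES (?)",
            [("meet at the usual place",),
             ("DELETED-EVIDENCE: bring the second phone",),   # constructed
             ("running late",)],
        )
        conn.commit()
        conn.execute("DELETE FROM messages WHERE id = 2")
        conn.commit()
        # The logical view (what a query against the database returns)
        # no longer contains the row.
        rows = conn.execute("SELECT id FROM messages ORDER BY id").fetchall()
        assert rows == [(1,), (3,)]
        conn.close()
        with open(path, "rb") as f:
            return f.read()
    finally:
        os.remove(path)


def carve_strings(image, marker):
    """Naive carver: every occurrence of marker in the image, extended to the
    end of the printable ASCII run that follows it."""
    hits = []
    start = 0
    while True:
        i = image.find(marker, start)
        if i < 0:
            return hits
        j = i
        while j < len(image) and 0x20 <= image[j] < 0x7F:
            j += 1
        hits.append(image[i:j].decode("ascii"))
        start = j


def deleted_row_recoverable(secure_delete):
    """True if the deleted message can still be carved from the file."""
    image = build_and_delete(secure_delete)
    return bool(carve_strings(image, b"DELETED-EVIDENCE"))


if __name__ == "__main__":
    print("secure_delete=OFF, carved:",
          carve_strings(build_and_delete(False), b"DELETED-EVIDENCE"))
    print("secure_delete=ON,  carved:",
          carve_strings(build_and_delete(True), b"DELETED-EVIDENCE"))
```

The carve finds the deleted message intact in the first run because SQLite only unlinks the cell and writes a four-byte freeblock header over its start; the text payload is untouched until the space is reused. With secure_delete on, or after a VACUUM, the same carve comes back empty, which is the caveat to keep in mind when an examiner expects deleted records from a particular app.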
5. Accurate data, forensic soundness
Boot loaders are currently considered the most forensically sound physical extraction method. While they do involve loading a piece of code onto the device, this happens before the forensic tool accesses any evidentiary data.
That's because a forensic boot loader is loaded in place of the device's normal boot loader (the first code to run at startup, which normally hands off to the operating system), so the operating system that supports the device's ordinary operations never runs. In addition, the operation the boot loader enables, the extraction, is read-only.
Boot loaders have the additional advantage of being generic, and therefore applicable to entire device families rather than specific devices, and they give access to unallocated areas for a complete and accurate extraction.
In some Android devices, however, boot loader use is not supported, and it may become necessary to temporarily root the device to perform physical extraction. A temporary root does not permanently change administrative permissions or other data on the device. Rather, it provides access to the operating system so that the examiner can enable ADB debugging and from there, image the device’s Flash memory for a full physical extraction. Following this process, upon reboot, the device is no longer rooted.
Temporary rooting is not as forensically sound as a boot loader because it boots the device's operating system, which may itself write logs and alter data on the device. Examiners using this method should thoroughly document each step they take and its result, so that they have a record of their actions to which they can comfortably testify at trial.
6. Some smartphone extractions remain unsupported.
What happens when a smartphone is locked and unsupported by forensic tools? Flasher box, JTAG, or chip-off methods become necessary. All three yield a physical extraction; a logical examination cannot be performed on an unsupported locked device. Even this capability can be limited, however: it is possible to use the chip-off process on an iPhone locked with a complex passcode, but the data will be encrypted and thus of little use.
Both JTAG and flasher box methods are device-specific, and JTAG procedures are only minimally documented, so they require a well-trained examiner. Flasher boxes also require training: they were built to write data and can be destructive, so in the hands of an untrained examiner they may not be forensically sound. Chip-off extraction is always destructive, because the memory chip is physically removed from the device's board before it is read.
Chip-off is often the only option for BlackBerry devices locked with unknown passwords. Until recently the BlackBerry chip-off data format was proprietary and no commercial tool could decode it; ongoing research and development has since enabled some vendors to provide decoding support for these extractions.
Indeed, smartphone forensics is the product of years of research by many dozens of professionals, both commercial and freelance. That research ranges from reverse engineering a device's hardware, firmware, and communication protocols to exploiting vulnerabilities in its firmware, operating system, or encryption implementation (often the result of programming oversights).
As smartphones evolve, so will their persistent forensic challenges. Analysis skills like data carving, programming that can add functionality to commercial tools, and labor-intensive techniques such as JTAG, chip-off, and flasher box procedures will continue to be necessary—as will the tools that can support these efforts.
As Cellebrite USA’s Engineering Product Manager, Ronen Engler ensures that Cellebrite’s forensics-focused R&D teams issue new features and releases to meet customer needs. Having worked in Fortune 1000 companies as well as startups, Ronen has nearly 20 years of practical electrical engineering experience and an M.S.E.E degree from NYU-Poly.
Christa M. Miller is the Director of Mobile Forensics Marketing for Cellebrite USA. Christa has worked for more than 10 years as a journalist, specializing in digital forensics and other high tech topics for public safety trade magazines including Law Enforcement Technology, Police & Security News, NW3C’s The Informant, and others. Christa is based in South Carolina.