I attended a law enforcement presentation this evening on new forensics software for mobile phones. I’ve attended at least a dozen of these over the last 4 years and I’ve got to say I’m really disappointed. All mobile phone forensic software I have seen to date does not image the mobile or do an actual memory dump of the mobile independent of the mobile software. The software uses the API to extract a copy of the data. The data is then stored in a file or database, which then permits you to search and view the information.
Extracting data in this way, you are trusting the API to properly transmit all the information you requested. Maybe the code doesn’t transmit certain fields or data. What if this data is important to the investigation? How will the investigator know? In all the presentations I’ve seen, when asked how the software handles records that are marked for deletion but not yet erased from memory, the answer is that the API will ignore them, so they will not be transferred over for investigation.
Since the API on the target mobile is the actual interface used to extract the data from the mobile, it is not possible to ‘prove’ that what is on the phone is exactly what is on the copy. Suppose a judge asks an investigator: “Please prove to me that the extraction you used for analysis exactly matches what you find on the mobile, and show me that there is no way an error or bug in the software could have caused the data to be changed.” I wonder how many people would be comfortable swearing to that under oath? I would not be.
You would have to be sure the API doesn’t change or misinterpret data, or have any bugs. Most mobiles and personal data assistants (PDAs) require a password to access any of the data. By going through the API, you are required to know this password in order to gain access. This makes it much more difficult, especially if the target is not aware they are under investigation and their mobile data is being extracted without their knowledge. You can’t ask the person under investigation for the password. If the mobile is seized with a warrant, the owner may choose not to give up the password.
I’ve been waiting for mobile forensics companies to actually spend time and money to come up with ways to extract data from the different mobiles and PDAs directly and independently of the mobile API, and with ways to analyze memory data and memory dumps from the mobiles. Instead, I keep seeing new GUI interfaces, new ways to connect to the mobile, new ways to store and transmit the data. No work seems to be done on the individual mobiles themselves and the problem of actual extraction with chain of custody preserved for evidence handling. Very disappointing.
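To make the two complaints above concrete (the API silently dropping records that are flagged deleted but still sitting in memory, and a raw image being something you can actually hash and vouch for), here is an added example. It is not code from this post or from any forensics product; the record layout it parses is a hypothetical one constructed for the illustration, and the sample image is built inline rather than pulled from a real device. `api_extract` models what a phone’s own API hands over (live records only); `carve_image` is the examiner-side parse of the same bytes, and `image_digest`/`verify_copy` show the chain-of-custody check you can only make when you hold the raw bytes.

```python
"""
Added illustration (not from the original post): API-style logical
extraction vs. carving the same raw memory region, plus hashing the
acquisition so the working copy can be shown to match byte for byte.

Hypothetical, constructed record layout used for the example:
  1 byte  flag    (0x01 = live, 0x00 = marked deleted, data still present)
  2 bytes length  (big-endian, payload length in bytes)
  N bytes payload (UTF-8 text)
Slots follow each other; the region is zero-padded after the last slot.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterator, List

LIVE, DELETED = 0x01, 0x00


@dataclass(frozen=True)
class Record:
    offset: int   # byte offset of the slot inside the image
    flag: int     # LIVE or DELETED
    payload: str


def build_sample_image(region_size: int = 256) -> bytes:
    """Constructed sample image: two live contacts and one SMS that was
    deleted through the phone UI but never overwritten."""
    entries = [
        (LIVE, "contact:Alice,+15551234567"),
        (DELETED, "sms:to=+15559876543;meet at 11pm, bring the bag"),
        (LIVE, "contact:Bob,+15550001111"),
    ]
    body = b"".join(
        bytes([flag]) + struct.pack(">H", len(text.encode())) + text.encode()
        for flag, text in entries
    )
    if len(body) > region_size:
        raise ValueError("sample does not fit the region")
    return body + b"\x00" * (region_size - len(body))


def _walk_slots(image: bytes) -> Iterator[Record]:
    """Parse every slot in order, stopping at the zero padding or at a
    truncated/unknown slot rather than reading past the image."""
    pos = 0
    while pos + 3 <= len(image):
        flag = image[pos]
        (length,) = struct.unpack(">H", image[pos + 1:pos + 3])
        if flag not in (LIVE, DELETED) or length == 0:
            break
        start, end = pos + 3, pos + 3 + length
        if end > len(image):
            break
        yield Record(pos, flag, image[start:end].decode("utf-8", "replace"))
        pos = end


def api_extract(image: bytes) -> List[Record]:
    """Model of what the phone's API hands over: live records only.
    Anything the firmware considers deleted is never transmitted."""
    return [r for r in _walk_slots(image) if r.flag == LIVE]


def carve_image(image: bytes) -> List[Record]:
    """Examiner-side parse of the raw dump: every slot, deleted ones
    included, with the offset each was found at."""
    return list(_walk_slots(image))


def image_digest(image: bytes) -> str:
    """SHA-256 of the raw acquisition, recorded at seizure and re-checked
    before each analysis session."""
    return hashlib.sha256(image).hexdigest()


def verify_copy(acquisition_digest: str, working_copy: bytes) -> bool:
    """True only if the working copy is byte-for-byte the acquisition."""
    return image_digest(working_copy) == acquisition_digest


if __name__ == "__main__":
    img = build_sample_image()
    print("API extraction (what the tool shows the investigator):")
    for r in api_extract(img):
        print(f"  @{r.offset:#06x} {r.payload}")
    print("Raw image carve (what is actually in memory):")
    for r in carve_image(img):
        state = "live" if r.flag == LIVE else "DELETED"
        print(f"  @{r.offset:#06x} [{state}] {r.payload}")
    digest = image_digest(img)
    print("acquisition sha256:", digest)
    print("working copy intact:", verify_copy(digest, bytes(img)))
    tampered = bytearray(img)
    tampered[5] ^= 0x01          # flip one bit in Alice's record
    print("tampered copy intact:", verify_copy(digest, bytes(tampered)))
```

The point of the contrast is that the API result is not wrong on its own terms, it is just incomplete in a way the investigator cannot detect from the API side: the deleted SMS never appears, and there is no independent artifact to hash. With the raw region in hand, the deleted slot is recovered at a specific offset that can be cited, and the digest taken at acquisition is what you would put in front of the judge to answer the "prove the copy matches" question.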