A client recently presented our Kroll Cyber Investigations team with a seemingly simple and straightforward request: Examine a collection of company-owned smartphones and get all of the data back, including deleted files.
Kroll’s cyber forensics team does this all the time with desktops and laptops, so in the client’s eyes, why would smartphones be any different? After all, people routinely use smartphones in all the ways they use computers, so don’t they work the same way? When it comes to conducting digital forensics, the answer is “no,” and what followed was an eye-opening experience for the client.
Forensic examiners used to be able to routinely access the raw storage on mobile devices and effect a physical bit-for-bit data extraction, much like experts regularly do with typical hard drives from computers. This allowed the examiner to process the imaged data with any number of forensic tools to explore the underlying file system and retrieve data.
However, modern smartphones, powered by more mature Android and iOS mobile operating systems, present new and far greater challenges for digital forensics. Raw access to the physical storage is becoming increasingly difficult without taking extreme measures, such as penetrating the root software of the device, or resorting to more destructive processes that effectively require breaking open the device to expose the internal circuitry and data storage.
One more thing to keep in mind is that with today’s smartphones, recovering deleted data and “getting back all of the data” is becoming less of a reality. With iPhones, it’s nigh impossible as the data at rest is encrypted by default and the data extraction options provided by the manufacturer back up the data at a logical level, not the physical. With Android-powered devices, data extraction options are more varied and depend on the device and what it supports. Data recovery usually involves searching through databases scattered throughout the device’s storage. Further complicating retrieval is that these databases have their own internal file structures which have their own independent data deletion routines.
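To make the point about database-level deletion concrete, here is an added example (not from the original article or from Kroll's tooling) that deletes a row from an app-style database and then checks both the logical view and the raw file bytes. Using SQLite as the engine is an assumption, since the article does not name one; the file name, table and marker string are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample content standing in for a user message; not real data.
MARKER = "CONSTRUCTED-SAMPLE-MESSAGE-7f3a"


def delete_and_inspect(secure_delete: bool) -> dict:
    """Insert three rows, delete one, and report what survives.

    Returns the number of rows still visible to a query and whether the
    deleted row's text is still present in the raw database file.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")  # hypothetical app database
        conn = sqlite3.connect(path)
        # The engine's own deletion routine: OFF leaves freed cell bytes in
        # place, ON overwrites them with zeros. Set explicitly because the
        # compiled-in default differs between SQLite builds.
        conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        conn.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, body TEXT)")
        conn.executemany(
            "INSERT INTO sms (body) VALUES (?)",
            [("kept row one",), (MARKER,), ("kept row two",)],
        )
        conn.commit()

        # A targeted delete, as an app would issue for a single message.
        conn.execute("DELETE FROM sms WHERE body = ?", (MARKER,))
        conn.commit()

        visible = conn.execute(
            "SELECT COUNT(*) FROM sms WHERE body = ?", (MARKER,)
        ).fetchone()[0]
        conn.close()

        # Examiner's view: scan the file itself rather than asking the engine.
        with open(path, "rb") as fh:
            raw = fh.read()

    return {"visible_rows": visible, "bytes_on_disk": MARKER.encode() in raw}


if __name__ == "__main__":
    for setting in (False, True):
        print("secure_delete =", setting, "->", delete_and_inspect(setting))
```

In both runs the row is gone from query results; whether its content can still be carved from the file depends entirely on how that particular database was configured to delete.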
Three best practices that can help facilitate digital forensics on company-provided mobile devices.
While these issues are certainly not an exhaustive list of the technical challenges that can affect data retrieval from modern smartphones, they do give you a glimpse into the unique complexities associated with recovering data from these devices. More importantly, this awareness should prompt internal discussions on how to better position your organization to respond if the need ever arises to conduct digital forensics on mobile devices.
Based on our experience, the ability to retrieve usable data from mobile devices increases significantly with the successful implementation of these best practices:
1. Establish and maintain defensible data access policies and consent/release/authorization forms.
Employers must have the proper paperwork in place whereby employees understand and consent to the company’s right to access data on their company-provided mobile devices before examiners can conduct digital forensics.
2. Know device passwords or control remote access with an enterprise security solution.
When Kroll conducts digital forensics on smartphones, we ideally want as many passwords as possible upfront. Your company can gather these in many ways, such as from employee exit interviews or from the organization’s Chief Security Officer or Chief Technical Officer.
3. Ensure device backups are available.
When devices are synchronized with computers over which your organization has ownership and control, these backups can potentially be a great source of valuable intelligence.
Smartphones can be great tools for enhancing employee productivity, but your organization should expect to encounter unique challenges if it later becomes necessary to access and examine data on these devices. But you don’t have to go it alone. Kroll’s Cyber experts can guide you through the complexities of modern digital forensics and incident response, including proper forensic handling and data recovery from mobile devices. We can help with everything from proactive measures you can take now, to providing a host of customized forensic strategies for retrieving data.