13 November 2024

8 min read

Beyond the CSI myth: Navigating the intricacies of mobile data extractions

Data extracted from mobile devices is often key evidence in internal investigations, and civil and criminal proceedings. In this article Jordan Hare discusses the variety of methods forensics experts can use to extract the data, and the importance of understanding the potential limitations in your, or the opposition’s, evidence.

The CSI effect

It is a common misconception that handing over a mobile device and credentials to forensic experts guarantees that all data can be easily extracted in a matter of minutes. This misconception, sometimes referred to as the CSI effect, stems from the way digital forensics is portrayed in the media, and consequently, it is often what clients expect. For example, we have all watched TV shows where a phone is plugged into a box and, minutes later, the ‘encryption’ is cracked, all the data is readily available, and the critical message is revealed. The case is solved and the episode ends. In reality, digital forensics is more complex and methodical, and the time and effort depends on the nature of the evidence such as the device model, operating system, and the specific data required for the investigation.


Forensic tools: Not all are equal

The choice of forensic tools has a significant impact on the completeness of the data extracted. Just as cars share features but vary in performance, forensic tools differ in the granularity of data they can access. For example, forensic experts have access to freely available open-source tools developed by the community, and commercial tools developed by industry-leading vendors – both of which offer the ability to extract data from mobile devices. However, the capabilities of these tools differ significantly. For simplicity’s sake, we can categorise data extraction into two types:

Logical

  • Often use built-in methods supplied by phone vendors or are inherently part of the phone's underlying operating system.
  • This involves ‘asking’ the device for data using built-in device methods, such as an iTunes or Android Backup.
  • Quicker, but has limitations, especially regarding deleted or residual data, and third-party applications.

Full filesystem

  • This involves ‘telling’ the device you want the data and taking it.
  • Exploits vulnerabilities to gain full access to the file system.
  • Takes more time, but offers a more comprehensive data set, including deleted data and operating system artefacts.

Some providers will offer other types of extractions which may fall under categories such as: partial filesystem, logical+, and agent extraction.


To illustrate the differences, we can consider a very small dataset which includes standard SMS, calls and browser history, and third-party applications such as WhatsApp and Telegram on an iOS device. This dataset includes both live and deleted messages. A comparison of the data obtained through a logical and a full filesystem extraction of the same device can be seen below:

Number of records extracted

Data type                  Logical extraction   Full filesystem extraction
SMS                        6                    9
Calls                      2                    4
Internet browser history   10                   18
WhatsApp                   12                   15
Telegram                   0                    34

For every type of data, the full filesystem extraction produced a more comprehensive dataset. This is because a full filesystem extraction copies the underlying database files, which can still contain recoverable deleted records, whereas a logical extraction typically will not, and will only return the live records the device chooses to hand over (as demonstrated for SMS, calls, WhatsApp and browser history above). Relying solely on a logical extraction without understanding its limitations could mean missing critical information.

Furthermore, logical extractions are unable to retrieve data from many third-party applications, because a logical extraction relies on the device's own backup mechanism and many applications exclude their data from backups; for instance, no Telegram data is extracted through a logical extraction, requiring a full filesystem extraction to access and extract this data. This is similarly applicable to other chat applications such as Signal and Snapchat. Generally, if communication data (chats, calls and emails) are crucial to your case, you should always request a full filesystem extraction.
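The difference between 'asking' the device for its records and taking the raw file, as an added example that is not part of this article or of S-RM's tooling: a constructed SQLite call log (most mobile applications store their data in SQLite databases) in which four of twelve calls have been deleted. A backup-style query returns only the eight live rows; carving the raw database bytes, which is what an examiner can do with the file from a full filesystem extraction, also recovers the four deleted numbers, because SQLite leaves deleted cells in place on the page unless secure_delete is enabled or the page is later rewritten. The table layout, the phone numbers (from the Ofcom 07700 900xxx range reserved for drama use) and the carving pattern are assumptions made for this demonstration.

```python
"""Live rows versus residual records in a SQLite call log.

Example code, not from the article: shows why a file-level copy of an app
database can yield records that an API/backup-style export cannot.
"""
import os
import re
import sqlite3
import tempfile

# Constructed sample data: twelve calls. The 07700 900xxx range is reserved
# by Ofcom for fiction, so these numbers belong to nobody.
CALLS = [
    (1700000000 + i * 60, f"+44770090{i:04d}", "incoming" if i % 2 else "outgoing")
    for i in range(12)
]
DELETED_ROWIDS = {3, 7, 9, 11}  # the user 'clears' these four calls

# Carving pattern: anything that looks like one of the constructed numbers.
NUMBER_PATTERN = re.compile(rb"\+447700900\d{3}")


def build_call_log(path: str) -> None:
    """Create the database, insert every call, then delete four rows.

    secure_delete is forced OFF so the demonstration behaves the same on
    SQLite builds that enable it at compile time. Deleted cells are then
    released to the page's freeblock list but their bytes stay in place.
    All inserts happen before the deletes so SQLite has no reason to
    defragment the page, which would zero the freed space.
    """
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE call (ts INTEGER, number TEXT, direction TEXT)")
    conn.executemany("INSERT INTO call VALUES (?, ?, ?)", CALLS)
    conn.commit()
    conn.executemany("DELETE FROM call WHERE rowid = ?",
                     [(r,) for r in DELETED_ROWIDS])
    conn.commit()
    conn.close()


def logical_view(path: str) -> list:
    """What a backup/API-style extraction sees: the live rows only."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT number FROM call ORDER BY rowid")]
    conn.close()
    return rows


def carve_numbers(path: str) -> list:
    """What the raw file allows: ignore the b-tree and pull every
    number-shaped string out of the page bytes, live and residual alike."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return [m.group().decode() for m in NUMBER_PATTERN.finditer(raw)]


def compare(path: str) -> dict:
    """Count what each approach yields and list the recovered deleted numbers."""
    live = logical_view(path)
    carved = carve_numbers(path)
    residual = sorted(set(carved) - set(live))
    return {"logical": len(live), "carved": len(carved), "recovered_deleted": residual}


def demo() -> dict:
    """Build the constructed call log in a temporary directory and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "calls.db")
        build_call_log(path)
        return compare(path)


if __name__ == "__main__":
    print(demo())
```

On a real handset the same principle applies but with more obstacles: the database may sit inside an encrypted container, the application may have vacuumed it or enabled secure_delete, and pending changes may live in a WAL or journal file beside the main database, so a full filesystem extraction supplies the raw material for recovery rather than a guarantee of it.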

Why is this important? While you may assume that all forensic experts have access to the best commercial tools, the costs are significant and not all digital forensics firms, or law enforcement agencies, will purchase them. Therefore, it is important that you are aware of potential limitations in your evidence, or the evidence disclosed by the other side. Depending on the extraction level performed, key evidence could have been overlooked, and conclusions made on incomplete evidence.

At S-RM, our experts prioritise the accuracy and completeness of our evidence and will always use industry leading tools and techniques on our cases; ensuring we are able to offer full filesystem extractions as default where the case permits.

Qualified personnel

Beyond the tools, the expertise of the forensic examiners plays a pivotal role. It is important to engage experts who boast significant technical and investigative experience, enabling them to make informed decisions and provide advice on the tools and techniques required to reach your investigative objectives. This may seem obvious, but not all forensic examiners have the necessary expertise and experience to identify and advise when evidence is incomplete.

A simple example is emails stored on an Apple iPhone. Apple's own backup mechanism, which logical extractions rely on, does not include Mail data, so these emails are not captured as part of a logical extraction. If this data is required, a more comprehensive extraction, such as full filesystem, would be necessary. Whilst in corporate investigations email data is generally preserved via the client's corporate email environment, it is possible that a device may hold (deleted) email data that is no longer available in the corporate email environment.

The forensic expert should consider their capabilities and toolsets in the context of your objectives. They should use their experience to understand the various investigative opportunities available to obtain the necessary evidence, and advise you accordingly as to the best methodology and any potential limitations, as well as considering cost proportionality in the context of the case.

The same can be said for forensic artefacts such as log files, which are ephemeral. Logs may only track data for a fixed period, such as seven or thirty days. It is therefore critical that an expert has the requisite expertise to advise on the availability of certain types of evidence, and provide accurate and timely recommendations to their client in the initial stages of an investigation to avoid the loss of key evidence.

Forensic experts who fail to understand the distinctions between different tools and extraction techniques, their limitations, and the other available evidence sources (e.g., log retention policies), can be the silent barrier to you reaching your investigation objectives as you may be unaware of the limitations in your (or the opposition’s) evidence.


Key factors to consider

In the initial phase of an investigation, several considerations should immediately be addressed:

What type of device is it?

  • Special equipment may be required for some devices, and some extraction methods are only available on older models of devices.

Where is the device located?

  • Some extraction methods require direct physical access to devices, whereas others can be conducted remotely.

What timeframe are you interested in?

  • Some extraction methods take longer than others. In time sensitive cases, it may be optimal to conduct a fast, more limited, extraction first to get quick answers and then follow up with the advanced extraction techniques to provide a comprehensive analysis of all available evidence.

What type of data are you interested in? Do you require deleted data?

  • As discussed above, this has a significant impact on the extraction method, as certain applications and deleted data are only included in more comprehensive methods (full filesystem).

Based on the answers to these questions the expert can advise on the most appropriate tools and techniques that will be required. Without the right tool and the necessary skill set—and often with only one opportunity to capture data—the investigation could be limited from the start. This emphasises the importance for forensic experts to liaise with their clients to obtain all the necessary information as early as possible.

But I only want one application?

Understandably, our clients often request specific data, for example: "We require WhatsApp messages", which, despite being a reasonable request, may inadvertently overlook other valuable information on the device.

It is important to consider that the scope of the investigation often naturally expands as it progresses. A client initially requesting WhatsApp data often expands their interest to other third-party platforms once new information is uncovered. It is also common for data, particularly deleted data, to become unrecoverable over time, therefore starting with a limited extraction (e.g., only WhatsApp) could miss crucial data from other applications which become important later in the investigation. This highlights the importance of obtaining a comprehensive extraction at the very beginning of the investigation to avoid potential data loss.

Furthermore, multiple requests for access to the client's device for subsequent imaging not only incur additional fees but also inconvenience clients and slow down the investigation. Open conversations between experts and their clients can mitigate this by enabling all parties to align on the objectives and allowing the expert to advise on the forensic strategy from the beginning.

S-RM is often asked to accommodate remote requests for data acquisition, usually in order to reduce the impact on the device owner and potentially reduce cost if the device is in a remote location. However, remote data extractions will rarely be a full filesystem extraction due to the specialised hardware and software requirements needed for such comprehensive data captures. This is important to convey to the client as early as possible – the inconvenience of parting with their device for a few hours is usually outweighed by the importance of preserving the data they need.


Key takeaways

It is essential for legal professionals and clients to understand the difference between extraction methods, and the impact of making the right decisions early on in an investigation. This helps to ensure the necessary data is obtained, and, if you do not receive the data you expect, knowing the reasons behind this can help manage expectations and outcomes.

Not all extractions are the same.

  • The tools a digital forensics provider has access to will dictate the level of data extraction they are able to perform.
  • The absence of certain evidence may be due to the data not being extracted, rather than the evidence not existing, which can lead to incorrect conclusions being drawn in an investigation.

Forensic examiners need to be competent and understand the technical complexities to assess the options available and advise clients appropriately.

  • Conducting a logical extraction that appears to encompass the desired data does not always provide the most comprehensive view of that data. The expert should advise the client of any limitations in the extraction method before proceeding.

Plan for future investigation needs.

  • Investigations often start small and easily expand in scope. Taking a subset of data or using a limited extraction method frequently leads to data being missed and therefore evidence being incomplete in your investigation.

At S-RM, our digital forensics experts prioritise performing full filesystem extractions by default, despite slightly higher initial costs. This ensures access to the most complete data set possible, mitigating against the need for repeated access to the device. With mobile devices, data changes occur rapidly, meaning that a logical extraction today may not yield the same information tomorrow. Conducting a full filesystem extraction from the outset can provide continuity and completeness that might be unavailable later.
