“The Basics”

The smartphone thorny issue has not reared its head yet and I believe it is due to the lack of competition in the mobile phone tool arena. Most examiners have been pretty content in obtaining the minimum, the basics as some vendors call it. These basics usually involve the contacts, call logs, SMS, media and calendar entries. Here is my take on this reasoning.

Back when we first starting extracting data from cell phones in our training classes in beautiful Carlsbad California we were using tools that had been really developed for moving data onto cellphones not pulling data off. Cellphone users did not want to deal with the painstaking entry of 11 of their best friends, but use a tool to do it for them over a cable. I laugh because now I see very few phones that do not have over 100 entries in their contacts lists. Maybe we just have more friends now… The point is, we used these commercial data transfer tools in our MFI Training courses and of course the manufactures of the tools started to see the numbers in our classes grow. Soon the cartoon $$ started to appear in their eyes. Coupled with the fact ninety percent of our attendees in the early days were law enforcement officers; those $$ were even more tasty to the tool vendors. So these manufactures started to create a “forensic” version of the software to ease the stigma of the commercial data transfer/sync suite. Truly the underlying code and hardware was in essence the exact same as the transfer suite, but the fact only the READ button was visible made the price jump 1200% for some products! Like was mentioned earlier, the transfer/sync tools were not developed for the data LE (law enforcement) might be looking for, but really only the data the commercial users had in mind; backing up their contacts, SMS, call logs and great pics. Unfortunately, this is where most tools still sit and most have remained. In the following paragraphs I want to ask and answer some questions that arise when talking about tool vendors.

Could this be because some of the vendors have no expertise with forensic examinations?

The majority of cellphone software manufactures have never had to complete a forensic examination on digital evidence and simply just rely on feedback from their users on how it is done. This to me is like writing a cooking book without ever cooking, mixing, measuring or preparing a meal in your life and you just rely on people to tell you how it is done. There is no doubt that this has occurred, but I honestly would not like to try the receipes. You know why? The writer has no ownership in the project. Why should he/she write a great cooking book when they will never use it to prepare a meal! This is the same with a tool vendor that is managing the development project without ever processing a device to the scrutiny of a court system or peer review. Something will always be overlooked if you have no ownership in the project.

The vendors don’t see a large market share for forensic examinations whereas commercial data transfer is where the money is?

I can name only name a few companies in the cellphone forensic software business that do not have a commercial data sync software also being sold and developed alongside a forensic version. The vendors who only have forensic titles that immediatly come to mind are AccessData, Guidance Software and Paraben. Now, those that also sell software/hardware solutions for transfer/syncing user data onto the phone do not have a bad product; that is far from the truth. What I am indicating is that because they sell a commercial product most vendors make the most revenue in the commercial realm. By commercial I mean a tool the end user can update/alter data on the cellular device. And if the majority of revenue is made on a tool sold for data transfer/sync then the concentration would be on that product, that is just business. The second product, or forensic product, takes a back seat and gets the code via hand me down. Remember, the hand me down code will be from the sync side so the data extracted is typically limited to the items the user would want to backup or update/change on the device. This is another possible reason the forensic tool has limited support by the vendor.

Engineering of code for cellphone device data takes time to build from the ground up?

This goes hand in hand with the previous statement. Why reengineer software when your have already developed software that does it already. Sorta the “just add water” mentality. So the forensic examiner gets the same code base but in another package, look or user interface. Developing code and engineering every device is not only a daunting task but an expensive one as well. Using the rule of thumb that just in the United States alone two new cellphones come to market every two hours puts any software manufacture behind the curve right way. That is why I always begin my lectures explaining to attendees that there is no one cellphone software solution and most likely there never will be. Statistically it is an impossibility, due to the shear numbers of devices and their anomalies.

So what does all this vendor talk have to do with the smartphone dilemma? Why is it I can only get very limited data from these devices? I had once posed a question to a very prominent vendor in the industry after using their tool and only extracting contacts, calendar and media. I asked them if I could get support for the SMS and web history and was told, “that phone is no longer sold and is old.” The funny thing in my mind was that same phone was used by more “clients” than any other device in my area! Most of the individuals I deal with do not subscribe the the “new every two” plan. So what I did, and continue to do every exam, is to data mine for the artifacts not parsed by the tool, uncovering an unbelievable amount of data.

By taking an examiner’s role and not that of a cellphone user, the data you will uncover will open your eyes to what you missed in the many cases you simply relied on a tool that only extracted “the basics”.

Lee Reiber