The Time Argument, Mobile Forensics

In the beginning there was a bit. The bit turned into a byte. That byte rapidly turned into a kilo. The kilo turned into a mega, the mega into a giga, and the giga into what we know today as a tera. Sounds like an interesting name game, but truthfully each name means extra time to the forensic examiner, extra data, and most of the time, extra headaches. As a digital examiner, I saw firsthand how the progression of large data sets in digital investigations put a damper on both information collection and the investigator. The first examination of a floppy disk could be turned around in a day. A 500MB drive required a week's turnaround. A large gigabyte drive took multiple weeks, and larger data sets require longer processing times. Since the number of cases involving Big Data did not stop growing, I began to see backlogs stack up, causing frustration in many of the people requesting the examinations. We dealt with this problem by changing the way we conducted examinations, not by short-cutting the forensic process, but by focusing just on the information requested.

When mobile devices hit the scene, requests for information began to pour in, and the same progression was seen. The mobile devices which contained only 10 kb of data were collected to yield the requested data of contacts, call logs, SMS, and media in a matter of minutes. The people requesting the data were so excited about this new technology that the requests for this data soon outnumbered requests for computer examinations. Grab the phone, dump the data, and create the report in 5 minutes or less. As the requests began to pile up, doing 10 phones a day was not uncommon, and those requesting the work soon grew tired of waiting in line, so the examination of mobile devices moved away from the lab and into the field. This shift is the most significant difference between a computer forensic examiner and a mobile device examiner. The problem with this shift is that the time taken to examine a 10 KB mobile device and a 64 GB iPhone is no different. Granted, the time to collect the data might have grown from 5 minutes to 20 minutes, but the outcome is the same: surface data. Agencies are now saving time by allowing the person in the field to conduct the collection and field triage. As you notice, I did not say examination, because most tools that extracted the first mobile devices give the same output as they do with the 64GB device. This is simply because the field only wants actionable intelligence and has grown accustomed to only getting that “tip of the iceberg” data. What is not yet obvious is that this does not have to be the case. Wouldn’t it be beneficial to extract all data, give a report of actionable intelligence, and allow the examination of additional data at a later time? A detailed examination that can be conducted by an investigator trained in digital evidence who might have the time to look for that needle in the haystack? Mobile Phone Examiner Plus nFIELD™ (MPE+ nFIELD™) can do that.

MPE+ nFIELD allows the logical and physical collection of mobile devices with little training, knowledge, or experience. Select the item you will be collecting (Figure 1), select the items to extract (Figure 2), and the data and report are then available at the saved location (Figure 3). The most important feature comes in the form of data integrity. All the collected data is saved into an AD1 file. This AD1 file is an evidence locker that will allow the collected data not only to stand up in court, but to be further analyzed in the full-featured MPE+. The person collecting the data on-scene gets their report immediately to gain actionable intelligence, while the integrity of the evidence is not compromised and a full exam is still possible.

Figure 1. MPE+ nFIELD evidence collection: device selection

Figure 2. Extraction capabilities: select items to extract

Figure 3. Extraction complete

TIME is very valuable in the age of digital device examinations, but obtaining critical data while allowing for full examinations if needed is mandatory. We all understand that mobile device examinations are becoming more and more important to any investigation, but we also recognize that the data recovered must survive the scrutiny of the court. AccessData responds to both challenges with the new MPE+ nFIELD solution.


Mobile Security for a Nomadic Workforce

The corporate environment of today is reliant on the mobility of each of its employees or team members. By mobility I mean that each member of the corporation’s team must be in contact with each other at all times, at a moment’s notice. In order to maintain this connectivity, team members must use devices that allow them to be untethered and unhooked from the standard ethernet cable, and out in the fast-paced land of device mobility. To do so, they have adopted the use of mobile devices ranging from the iPad and Galaxy Tab to smart cell phones such as the iPhone and Motorola Droid.

These mobile devices are so powerful and versatile that companies are no longer issuing laptops for employees to take into the field, but are now relying on mobile cellular devices or tablets to provide what is needed: work efficiency and mobility. Leading information technology influencers like Gartner Research, as well as renowned news sources like Forbes and BusinessWeek, have all published reports on mobile devices vs. laptops/PCs in today’s work environment. These reports point to the demise of the outdated PC and the increased usage of new mobile devices. This blog is a perfect example of this statement, as it is being generated, created and edited on a mobile device with a portable keyboard.

The power that a mobile device user has in his or her hands is unprecedented; however, with that kind of power should also come responsibility, right? So, what do the power of mobility, device distribution, allowance, and governance have to do with responsibility? It should come as no surprise that the mobile device of today is not the antiquated device of yesterday. Today’s mobile device user can send, transmit or even take a company to bankruptcy, anywhere in the world, with a single tweet, post or picture taken with his 10 megapixel mobile device camera. What are companies doing about it? Companies are using Mobile Device Management software, also known as MDM, in an effort to detect, monitor and prevent data breaches and information leaks. Is MDM the answer to the investigation of a data breach?

Let’s take a look at the evolution of MDM. MDM was first introduced in applications or wrappers which allowed the user to utilize the MDM application to conduct the “work” via the mobile device. This would assure all “work” would be safe within the MDM application. Both the user and the corporation felt safe that important company information was not being leaked or transmitted. MDM was a safe way to give employees the opportunity to work while on the road without the security risks that other built-in, unsafe applications used for email, SMS, etc., could bring.

The next step in the MDM evolution was the introduction of a full administrative tool. When the MDM software application was installed, it would monitor the device for approved applications, reset the device should it be lost or stolen, and monitor and capture data sent to an administrative server. This is not an exhaustive list of all of the features MDM software can provide, but it does mimic what a BES (BlackBerry Enterprise Server) has done with BlackBerry devices for years.

The problem with the onslaught of MDM software in the corporate environment is the false sense of security it may bring when a critical incident occurs. MDM software providers should be the first to admit their software is not made for incident response. However, MDM software is reported to become a 16 billion dollar industry by 2016, so why would they rush to admit their shortcomings? In the BYOD world, the MDM solution cannot operate outside of the company’s predefined applications, leaving the other applications running on the devices open and unsecured. So, where do you think insider threats, malware and security breaches are likely to come from? How do companies maintain security outside of the MDM “wrapper” when a breach occurs? Quite simply, they cannot. This is one of the main reasons AccessData has incorporated mobile endpoint monitoring (Mobile EM) capabilities into the ResolutionOne™ Platform.

Mobile EM integrates into the ResolutionOne and CIRT™ platforms to provide comprehensive visibility (detecting threats and data leakage), data intelligence and resolution across mobile devices. It allows enterprises to utilize their current MDM or MAM software to set mobile device policies. As an industry first, it also provides a real-time, proactive mobile endpoint monitoring solution that MDM software solutions simply cannot. The big key take-away is proactive.

Companies have suffered too long by reacting to security incidents, resulting in enormous consequences. A recent study sponsored by AccessData and the Ponemon Institute shows that 86% of respondents found the detection of a cyber-attack takes too long, putting companies at significant risk. The study also found that 86% of respondents viewed mobile e-discovery and mobile analysis as a difficult process when tied to a company’s breach investigation.

The Mobile EM agent is delivered to iOS and Android devices/endpoints that are connected to the enterprise’s network via an MDM or MAM application catalog. The devices are then monitored by the ResolutionOne™ platform, where network communications and mobile device data are captured at predefined intervals. The data is auto-correlated with the integrated, customizable ThreatBridge engine’s threat intel library to identify known threats such as malicious IP addresses and domains, along with known malware. It also detects unknown threats by providing visibility into network communications and running processes, so anomalous activities can be identified and remediated.

Filling the gap between MDM and IT mobile security visibility, the ResolutionOne Platform with mobile endpoint monitoring delivers the first true mobile forensic and security solution needed by today’s nomadic workforce.


Mobile Device Data In a Big Data World

Today’s world is becoming more and more mobile every day. In fact, 91% of all people own a mobile device and 56% own some type of smart device. It is no surprise that today there are more mobile devices on the earth than there are people! Equally impressive is that the amount of data we consume is becoming increasingly focused on mobile devices. In fact, according to Pew Research, 55% of all internet traffic in the United States is from a mobile device, which is a first for overall internet traffic. Mobile data is not just a part of the Big Data world; it is one of the largest contributors. Mobile device data, particularly from smart devices, will contribute approximately 8 zettabytes of data by 2015. To put a zettabyte in perspective, think of 250 billion DVDs containing around 36 million years of HD video. The total data would equal approximately 1 zettabyte. With these statistics in mind, it makes sense that every digital investigation scenario will contain data from mobile devices. With that being said, collecting and analyzing mobile data is not only vital, but paramount to solving today’s crimes. Mobile device data, combined with data from other big data repositories like hard drives, network shares, and offline servers, paints a much better picture than relying on a single source. So, what types of mobile device data are most important to investigations? The answer to that is quite simple: everything! From the standard SMS, MMS, contacts, and call logs to the meaty data involving the posting, sharing, commenting, chatting, bashing, liking, favoriting, tweeting, and browsing in social media, to the locating, logging and storing of files in applications. Factor in that all this data is stored on the device, and not on a network server, with your mobile provider, or with your company.

Now, multiply that by the fact that most of today’s communication occurs outside of normal SMS/MMS via messaging applications, and you realize a mobile forensic solution that can effectively uncover this important data is now a necessity. A perfect example of this happened recently when I spoke to a group of over 200 forensic examiners. I simply asked them to raise their hands if they had examined a mobile device for an investigation. Immediately hands shot up from over 80% of the attendees. I asked them to keep their hands up if, during the last examination of a mobile device, they had looked at any application data from third party applications on the smart device. Only 5 hands remained up. That is less than 3% of the attendees, which is typical, if not a little high, for the educational seminars I conduct.

Mobile device hardware, operating systems and applications are advancing at a pace never seen before. Should not our investigative tools and priorities advance as well? The ability to search and recover mobile data from applications on smart devices is difficult and often limited when using current mobile solutions. Research shows that only 5 to 10% of the entire user data area is examined by typical mobile forensics tools. This leaves 95% of application data unanalyzed, and a lot of times uncollected. The net result is that most examiners have minimal insight into mobile application data because of the lack of support in their current tool, the lack of time and the lack of training. Current software tools simply extract contacts, SMS/MMS, call logs, media and possibly email. Some go as far as capturing URL and browser data, Wi-Fi information, and some application data. As for analyzing applications, most solutions allow the parsing of only select applications, limiting examiners to obtaining evidence from about .002% of all applications available. In other words, the average forensic tool supports about 30 applications out of a total of 1.6 million iOS and Android apps. For those 30 applications, the forensic solution is at the mercy of the developers’ upgrades, schema changes and table changes. After one of these ongoing mobile application updates, the application is no longer supported by the forensic tool and further technical development is needed.

AccessData’s Mobile Phone Examiner Plus™ (MPE+) breaks this mold, allowing the parsing, extracting and reporting of any and all mobile applications. MPE+’s SQLBuilder™ (Figure 1) allows the examiner to parse the data of any application containing a SQLite database. If the data is held in a JSON string, MPE+ allows you to customize scripts by utilizing the pythonScripter™ (Figure 2), a feature that helps you build Python scripts easily and without any scripting experience. If the application’s files are new and unknown, examiners can build their own script to extract and analyze the application data. In today’s big data world, customizable user features are very important, as they give power to the user to mold the analysis to the task, without allowing the software to dictate how and what they are to extract and analyze.

Figure 1 – MPE+ SQLBuilder

Figure 2 – MPE+ pythonScripter

Understanding that we live in a big data world, and realizing that mobile forensic examinations now contain data in many different forms and formats, will ultimately lead to investigative success. Data can arrive in physical image files, flat binary files, individual files or folders, and proprietary forensic tool formats. With this in mind, AccessData’s MPE+ allows the import of these many different images. MPE+ automatically recognizes the various formats, i.e. iOS and Android file systems, and quickly allows the critical user data to be extracted. Not only does MPE+ automatically parse the standard user profiles, but it also allows for a deep analysis of the application data contained in the mobile device filesystem. Understanding that mobile device data is just a piece of the big data pie, any image can be included in the overall digital case while utilizing AccessData’s MPE+. This digital case can then be opened in AccessData’s Forensic Toolkit® (FTK®) if additional digital data sources, like computer hard drives, server data, RAM fragments, flash drives or any other digital data source, need to be included. This allows the power of all the AccessData tools to work together to harvest the relationships and paint the collective picture of ALL the relevant data within a case. In today’s big data world, being prepared for the collection and analysis of mobile device data is the first step to gaining a clearer picture of today’s data. In today’s Big Data world, AccessData’s MPE+ not only helps you obtain data other solutions miss, it also empowers your investigation with “industry first” advanced analysis capabilities no other mobile forensic tool offers.


An Interview with Robert Dare on EDiscovery and ADUC

Today’s podcast was with Robert Dare, a forensic examiner working in the corporate environment. We talk about his views on mobile devices in the ediscovery world, his usage of AccessData’s Mobile Phone Examiner Plus (MPE+) and the AccessData Users Conference (ADUC).


Interview with Terry Sneary

In today’s interview we are speaking with Terry Sneary, one of America’s finest from Ohio. Terry works in digital forensics and speaks to us about real cases, real work and real actions using AccessData’s Mobile Phone Examiner Plus (MPE+).


Interview with Bruce Downey

Bruce Downey has been doing forensics for many years in Ontario, Canada, and is seeing more mobile devices than computers now. Listen to Bruce as we speak about a few cases he has seen, how he solved them, and the types of devices he is running into on a daily basis.


The Forensic Snake: Using Python to Squeeze the Mobile Device

When I started my pilgrimage into mobile forensics, I did so with the goal of providing the law enforcement community with the tools and training that would assist investigators in extracting relevant data from cell phones. Back then, mobile forensics was limited to obtaining contact lists, SMS messages, and sometimes call logs. This information helped solve many cases. It also solidified the fact that data living on mobile devices was a potential source of evidence waiting to be discovered.

As my own mobile forensics training progressed, so did the technology of mobile devices. In a relatively short period of time, cell phones and mobile devices were no longer used only to send text messages and make phone calls. Mobile devices were now used to send and receive emails; send and receive MMS messages with file attachments; take photos and videos using the device’s camera; store images, videos, and other media; browse the Internet; and communicate with others using an ever-increasing number of software applications or apps. With these enhanced capabilities came the possibility of obtaining additional evidence such as EXIF data from images stored on a device, internet browser history, Wi-Fi locations used to access the Internet, stored passwords, and more.

A bottleneck in the forensic community was inevitable as we struggled with too many devices, too many data types, and too few options in the collection of mobile device data. The technology of mobile devices was progressing more rapidly than advancements in the development of mobile forensics tools. As a result, I was forced to rely on manually parsing the data. I focused my training on extracting the data, manually locating and converting it into a readable format, and making it presentable in court. This is where scripting started for me. I wanted to automate the repetitive task of manually parsing data.

Fast forward to today. Mobile forensic tools are still inept at properly parsing and displaying all the data that might be available on a mobile device. This is not the fault of the mobile forensic tool, but the fault of a rapidly changing mobile device environment. Since software is written by a developer in real time, developers are already behind before they even start coding a single line. This is a fact that no software company would deny. I have always believed that “in order to be prepared for tomorrow you have to think about tomorrow today.” Today is no different. This is the reason why MPE+ has evolved to allow the examiner to adapt to today’s problems in real time. MPE+ provides tools that can be customized to adapt to changes and address challenges faced by the examiner at any time. Investigators do not have to wait for a software upgrade, but can utilize MPE+’s tools already at their disposal.

With this in mind, MPE+ includes the pythonScripter. PythonScripter was developed to give the examiner a way to support data extraction, parsing and reporting of mobile device data without waiting for the software developer to create the code. The MPE+ pythonScripter allows the examiner to create, import or use preconfigured Python scripts against any data imported into the MPE+ interface. This allows MPE+ to support an unlimited number of devices, unlimited data types for carving, unlimited extraction support of image location data, unlimited extraction support of metadata and more. With pythonScripter, MPE+ can even support the parsing, conversion and reporting of data from a phone born today.

As an example, suppose MPE+ does not directly support GPS devices. However, given a physical image of a GPS device obtained with MPE+, we can use the file system view to navigate to the folder containing the GPX data. Once the folder of interest is located, we can right-click on it, choose from the predefined selections, and parse the GPX data (Figure 1).

Figure 1. pythonScripter selection: Run pythonScripter

Using the pythonScripter dialog, we can select a predefined Python script, or build one, to parse and display the critical data from the GPX file (Figure 2).

Figure 2. pythonScripter dialog

Both waypoints (Figure 3) and track points (Figure 2) can be parsed. Therefore, artifacts like time, elevation, latitude, longitude and even waypoint name can be extracted.

Figure 3. Latitude and longitude output from the GPX file

The data can now be overlaid onto a map to visualize the waypoints, route or track. (Figure 4)

Figure 4. GPS mapping of the route
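To show concretely what a GPX parsing script like the one above has to do, here is an added example in plain Python; it is not a script from the original post or one shipped with MPE+ and pythonScripter. It assumes a GPX 1.1 file, and the small GPX document embedded in it is constructed for the example. It extracts the artifacts named above (time, elevation, latitude, longitude and waypoint name) for both waypoints and track points, and renders them as CSV lines that a mapping tool can plot:

```python
"""Parse waypoints and track points out of a GPX 1.1 document.

Illustrative code written for this page, not MPE+ code. The sample GPX
below is constructed for the example.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: one named waypoint and a two-point track.  The second
# track point deliberately has no <ele>, which real devices also omit.
SAMPLE_GPX = """<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="example" xmlns="http://www.topografix.com/GPX/1/1">
  <wpt lat="47.6062" lon="-122.3321">
    <ele>56.0</ele>
    <time>2014-03-01T17:05:00Z</time>
    <name>Parking lot</name>
  </wpt>
  <trk>
    <name>Morning drive</name>
    <trkseg>
      <trkpt lat="47.6100" lon="-122.3400"><ele>60.5</ele><time>2014-03-01T17:10:30Z</time></trkpt>
      <trkpt lat="47.6150" lon="-122.3450"><time>2014-03-01T17:12:00Z</time></trkpt>
    </trkseg>
  </trk>
</gpx>
"""

# GPX 1.1 elements live in this namespace; ElementTree needs it for every lookup.
GPX_NS = {"gpx": "http://www.topografix.com/GPX/1/1"}


def _child_text(elem, tag):
    """Return the stripped text of a direct child element, or None if absent."""
    child = elem.find(f"gpx:{tag}", GPX_NS)
    return child.text.strip() if child is not None and child.text else None


def _parse_time(text):
    """Convert a GPX ISO-8601 UTC timestamp (with or without fraction) to an aware datetime."""
    if text is None:
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised GPX time: {text!r}")


def _point_record(elem, kind, track_name=None):
    """Flatten one <wpt> or <trkpt> element into a dict of artifacts."""
    ele = _child_text(elem, "ele")
    return {
        "kind": kind,
        "name": _child_text(elem, "name") or track_name,  # trkpts inherit the track name
        "lat": float(elem.get("lat")),
        "lon": float(elem.get("lon")),
        "ele": float(ele) if ele is not None else None,
        "time": _parse_time(_child_text(elem, "time")),
    }


def parse_gpx(xml_text):
    """Return waypoint records followed by track-point records, in file order."""
    root = ET.fromstring(xml_text)
    records = [_point_record(w, "waypoint") for w in root.findall("gpx:wpt", GPX_NS)]
    for trk in root.findall("gpx:trk", GPX_NS):
        track_name = _child_text(trk, "name")
        for trkpt in trk.findall("gpx:trkseg/gpx:trkpt", GPX_NS):
            records.append(_point_record(trkpt, "trackpoint", track_name))
    return records


def to_csv_lines(records):
    """Render records as CSV lines (header first) for a report or a map overlay."""
    lines = ["kind,name,lat,lon,ele,time"]
    for r in records:
        t = r["time"].isoformat() if r["time"] else ""
        ele = "" if r["ele"] is None else f"{r['ele']:.1f}"
        lines.append(f"{r['kind']},{r['name'] or ''},{r['lat']:.6f},{r['lon']:.6f},{ele},{t}")
    return lines


if __name__ == "__main__":
    for line in to_csv_lines(parse_gpx(SAMPLE_GPX)):
        print(line)
```

Pointing this at a file instead of the embedded sample is a matter of reading the file's text and passing it to parse_gpx; the namespace lookup is the detail most first attempts get wrong, since an unqualified `find("wpt")` silently returns nothing on a GPX 1.1 file.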

As we know, location information can benefit any examination. Location information is found not only in GPS devices, but also in applications on mobile devices and in images taken by those devices. Using a Python script that extracts location information from images, a user can identify the location where a picture was taken and quickly plot it on the map. Also beneficial is the fact that investigators can develop a script to look into every file on the mobile device, including file headers, file types, and even data and code strings. Once these scripts are created they can be further customized or edited by the user at any time.

A perfect example of customized scripting would be using a previously written script to locate all the IP (Internet Protocol) addresses in a Facebook account’s data by means of regular expressions. To do this, users simply right-click on the com.facebook.katana folder and select pythonScripter. Using the browse button, users choose the previously written script, which iterates through all the files and folders and identifies a particular pattern. The customized script we used for this example quickly located the IP pattern and displayed the file names containing the various IP addresses found in the Facebook application files (Figure 5). Users can then plot these IP addresses on the map module for visualization (Figure 6).

Figure 5. IP addresses parsed from the Facebook application files

Figure 6. IP addresses pinned on a map
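An added example of the regular-expression approach described above, written for this page rather than taken from the post or from MPE+: it walks an exported application folder, scans every file as bytes (so SQLite databases and caches do not raise decode errors), and reports which files contain which valid IPv4 addresses. The folder it scans is constructed in make_sample_tree(), and the addresses in it are private or reserved documentation addresses, not real hits.

```python
"""Find IPv4 addresses in every file below an exported app folder.

Illustrative code written for this page, not a script shipped with MPE+.
The sample tree is constructed here; point scan_tree() at a real export
(for example a com.facebook.katana directory) to use it.
"""
import os
import re
import tempfile

# Candidate dotted quads.  Lookarounds stop "1.2.3.4567" or "10.0.0.1.5" from
# yielding a partial match; octet range is checked separately for readability.
# A bytes pattern lets the same scan run over binary files.
IPV4_CANDIDATE = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_valid_ipv4(text):
    """True if every octet is 0-255 without leading zeros ("010.1.1.1" is rejected)."""
    octets = text.split(".")
    if len(octets) != 4:
        return False
    for o in octets:
        if not o.isdigit() or (len(o) > 1 and o[0] == "0") or int(o) > 255:
            return False
    return True


def find_ips_in_file(path):
    """Return the set of valid IPv4 strings found in one file (binary-safe)."""
    found = set()
    with open(path, "rb") as fh:
        data = fh.read()
    for m in IPV4_CANDIDATE.finditer(data):
        cand = m.group(1).decode("ascii")
        if is_valid_ipv4(cand):
            found.add(cand)
    return found


def scan_tree(root):
    """Walk root and map each file (path relative to root) to its sorted IPv4 hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            ips = find_ips_in_file(full)
            if ips:
                hits[os.path.relpath(full, root)] = sorted(ips)
    return hits


def make_sample_tree():
    """Create a constructed folder that resembles an exported application directory."""
    root = tempfile.mkdtemp(prefix="app_export_")
    os.makedirs(os.path.join(root, "cache"))
    with open(os.path.join(root, "cache", "session.log"), "w") as fh:
        fh.write("connected to 203.0.113.5 via proxy 10.0.0.1\nretry 10.0.0.1\n")
    # Binary-looking file: one address between non-text bytes, one version
    # string that must not match, and one out-of-range quad.
    with open(os.path.join(root, "prefs.db"), "wb") as fh:
        fh.write(b"\x00\x01host=192.168.1.254\xff\xfe version=1.2.3.4567 bad=256.1.1.1\x00")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("no addresses here, only a build number 4.2.1\n")
    return root


if __name__ == "__main__":
    sample = make_sample_tree()
    for path, ips in sorted(scan_tree(sample).items()):
        print(f"{path}: {', '.join(ips)}")
```

The output of scan_tree() is exactly what Figure 5 shows in table form, file name against addresses, and the address list is what you would hand to a geolocation or map module. Reading whole files is fine for application exports; for multi-gigabyte images you would stream chunks with an overlap of a few bytes so an address split across a chunk boundary is not lost.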

With the pythonScripter, the power of uncovering maximum data is at your fingertips. Prior to the development of MPE+’s pythonScripter, these advanced automated analysis capabilities were not possible.

Data carving any file, extracting critical data no other tool can extract, and putting a mobile device at the scene by extracting location information quickly and automatically are just a few of the things that can be accomplished only with MPE+ and the pythonScripter.

The pythonScripter is just another example of how MPE+ is introducing an entirely new approach to mobile device forensics.


Building a Solution to Today’s Problem: Mobile Device Application Overload

Crime today is no longer confined to the streets. Crimes are increasingly committed in a cyber-world. Looking back, I recall patrolling the streets as a young officer in a Pacific Northwest city, and responding to calls for service involving domestic disturbance, burglary, robbery, grand theft, battery, and homicide. Officers receiving calls from dispatch via radio eventually transitioned to officers receiving information on mobile data terminals (MDT). We arrived on scene, did the best we could to resolve the situation, and left, later documenting the event by pen. During these calls for service, we could really see the situation for what it was. There was no Facebook, Instagram, Twitter, Ask, Secret or any other social media. The event occurred in real time. Cyber bullying, cyber stalking, and any other cyber-related crimes were not part of the equation. Cybercrimes, at that time, were chalked up to the darkest form of crime, the online sexual exploitation of children. When I transitioned to the computer crimes task force, I saw first-hand how this heinous crime had no boundaries or limits. It lived in a space that was un-policed, without jurisdiction and honestly infinite. It was at that time I realized that crime would, one day, move from the streets to the realm of the digital environment, an environment with infinite possibilities and no discernible edges.

Fast forward to today. Law enforcement has a better grasp of the fact that digital evidence exists for almost every crime imaginable. However, law enforcement does not have a grasp on the “mobility” shift; the world of the mobile device application or app, and the likelihood of evidence being contained within an application’s data on a mobile device.

Currently, 91% of people worldwide use some sort of mobile device, and 82% of mobile media time is spent via an application. There are over 800,000 applications available from the Apple Store, and over 800,000 applications available from the Google Play Store. Over 16 billion photos alone have been shared via Instagram. There are over 1 billion active Facebook users worldwide. Over 200,000 Google searches are conducted every minute of every day and over 600,000 emails are sent every minute of every day. These statistics are staggering. Data from these mobile applications is stored in that application’s SQL database, located on the mobile device. Considering that a crime can be facilitated or committed via a mobile device or mobile application, it is imperative that law enforcement be able to quickly adapt to the ever evolving world of mobile applications and mobile forensics. AccessData’s Mobile Phone Examiner Plus (MPE+) provides law enforcement with that ability through the SQL Builder.

The MPE+ SQL Builder is not an add-on tool, but a feature built into AccessData’s Mobile Phone Examiner Plus (MPE+). This feature allows the user to build custom queries simply by selecting the SQL database, the relevant table or tables, and the associated rows containing the data. These queries can be built as soon as an application is available. Users of MPE+ do not need to wait for a software upgrade to be able to process the new application’s data. Once the query is built, a user simply executes it and the data is pulled from the database into the interface. This data can then be published into the MPE+ interface and immediately reported on. This feature makes every app database open for investigation and exposes the hidden data types. All other mobile forensic solutions support a limited number of applications, and they only allow users to visualize that data. Therefore, extracting the data with these other solutions is cumbersome and difficult. With MPE+ SQL Builder, users simply create their own queries and execute them on ANY and ALL applications. In essence, all applications utilizing a SQL database are supported by MPE+. What is even better, the user can also save those queries for later use, or share them with other MPE+ users!

For example, let’s talk about using Kik Messenger as a form of communication. Kik is one of many popular communication apps available on both Android and iOS. When over 70% of communication is via apps and not built-in messaging like SMS and MMS, it is important that users can extract the data they are seeking. Using the MPE+ SQL Builder, a user simply right-clicks on the database file, kik.sqlite, and selects SQL Builder (Figure 1).


Figure 1. Right-click kik.sqlite and select SQL Builder

The SQL Builder then opens, showing the various tables within the database (Figure 2). The ZKIKMESSAGE table is selected and its rows are shown in the adjacent column.

Figure 2. Tables in kik.sqlite, with ZKIKMESSAGE selected

Once the rows are selected, users can add or remove a row using the navigational arrows between columns. Users can also assign the appropriate data type to the selected row. This is critical, since data types can vary between applications. Once the data type is assigned, users can execute the query to display the parsed data below. The query can be saved for later use by selecting the Save button (Figure 3).

Figure 3. Assigning data types, executing the query, and saving it

After the data is displayed, users can still change the data type if needed and press “execute” again. This is important, since Android can have numerous date and time formats. Once the query has executed, users can publish the results to the MPE+ interface to be included in the AD1 forensic image as well as the report (Figure 4).

Figure 4. Publishing the results to the MPE+ interface
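The data-type step in the procedure above matters more than it looks, so here is an added example in Python (not MPE+ code and not SQL Builder’s own logic) that runs a custom query against a SQLite database and applies a chosen timestamp interpretation to a column. Only the table name ZKIKMESSAGE comes from the post; its columns, the sample rows and the second Android-style table are constructed for the example and are not the real Kik schema. The same raw number decoded as Core Data seconds, Unix seconds or Unix milliseconds lands decades apart, which is exactly why the post says to re-check the type and execute again:

```python
"""Run a custom query against an app's SQLite database and decode a timestamp
column under an examiner-chosen data type.

Illustrative code written for this page, not MPE+ code.  The tables and rows
in make_sample_db() are constructed; ZKIKMESSAGE is only the table name from
the post, not Kik's real schema.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Apple Core Data / NSDate counts seconds from 2001-01-01 00:00:00 UTC;
# Android apps most often store Unix milliseconds.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Interpretations an examiner can assign to a raw numeric timestamp column.
TIMESTAMP_TYPES = {
    "unix_seconds": lambda v: UNIX_EPOCH + timedelta(seconds=v),
    "unix_millis": lambda v: UNIX_EPOCH + timedelta(milliseconds=v),
    "cocoa_seconds": lambda v: COCOA_EPOCH + timedelta(seconds=v),
}


def decode_timestamp(value, fmt):
    """Interpret a raw number as a UTC datetime under the chosen type; SQL NULL stays None."""
    if value is None:
        return None
    return TIMESTAMP_TYPES[fmt](float(value))


def run_query(conn, sql, column_types=None):
    """Execute sql and return rows as dicts, decoding columns that were given a timestamp type."""
    column_types = column_types or {}
    cur = conn.execute(sql)
    names = [d[0] for d in cur.description]
    rows = []
    for raw in cur.fetchall():
        row = dict(zip(names, raw))
        for col, fmt in column_types.items():
            if col in row:
                row[col] = decode_timestamp(row[col], fmt)
        rows.append(row)
    return rows


def make_sample_db():
    """Constructed in-memory database: one Core Data style table, one Android style table."""
    conn = sqlite3.connect(":memory:")
    # Hypothetical iOS-style table; the column names are invented for the example.
    conn.execute(
        "CREATE TABLE ZKIKMESSAGE (Z_PK INTEGER PRIMARY KEY, ZTIMESTAMP REAL, "
        "ZFROMUSER TEXT, ZBODY TEXT)"
    )
    # 421692800 seconds after the Core Data epoch is 2014-05-13 16:53:20 UTC.
    conn.executemany(
        "INSERT INTO ZKIKMESSAGE VALUES (?, ?, ?, ?)",
        [
            (1, 421692800.0, "alice", "you there?"),
            (2, 421692860.5, "bob", "yes, on my way"),
            (3, None, "alice", "draft never sent"),
        ],
    )
    # Hypothetical Android-style table storing Unix milliseconds for the same instant.
    conn.execute(
        "CREATE TABLE chat_messages (_id INTEGER PRIMARY KEY, timestamp_ms INTEGER, body TEXT)"
    )
    conn.execute(
        "INSERT INTO chat_messages VALUES (1, 1400000000000, 'same moment, other platform')"
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    query = "SELECT Z_PK, ZTIMESTAMP, ZFROMUSER, ZBODY FROM ZKIKMESSAGE ORDER BY Z_PK"
    for fmt in ("cocoa_seconds", "unix_seconds"):
        print(f"--- ZTIMESTAMP decoded as {fmt}")
        for row in run_query(db, query, {"ZTIMESTAMP": fmt}):
            print(row["Z_PK"], row["ZTIMESTAMP"], row["ZFROMUSER"], row["ZBODY"])
    for row in run_query(db, "SELECT * FROM chat_messages", {"timestamp_ms": "unix_millis"}):
        print("android:", row["timestamp_ms"], row["body"])
```

Running it prints the first message as 2014-05-13 under cocoa_seconds and as 1983-05-13 under unix_seconds (the two epochs are exactly 31 years apart), while the Android row's millisecond value decodes to the same 2014 instant. A NULL timestamp stays None rather than silently becoming the epoch, which is the kind of artifact you do not want appearing in a report.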

Today, criminals are assisted in the commission of their crimes by the mobile devices and applications they use. Application evidence is critical in any and all investigations. By allowing the user to pull this important and volatile data from any SQL database, AccessData’s MPE+ has given the upper hand to the law enforcement investigator. Using MPE+ SQL Builder, the relevant evidence can be extracted and a criminal’s intentions exposed.

Staying ahead of the app, MPE+ is changing the way mobile forensics is done by introducing an entirely different approach to mobile device forensics.

 


The Failing “Find Evidence Button”

During my R&D to develop a better solution to the rapidly changing dynamic of smart device collections, one critical observation has become quite evident: the days of quick and dirty forensics are over. This theme resonated at this year’s LegalTech New York.

Data in today’s company environment cannot be watered down, and honestly it is not acceptable to be given only half the story. “We support 50 of the most current applications and deliver the application data quickly” is the common mantra. What happens when your critical incident involves an application outside of the 50 most current applications? What happens when the mission critical data is within a supported application, but the solution’s whambam incorrectly displays or misses the critical information? The kicker is that you can clearly see the data sitting within the database! Therein lies the thorn in automation. Automation leads to straight lines, no deviation, no human interaction. You get what you get, so don’t throw a fit. You are a victim of the then, but we live in the now.

With over 70% of smart device users using alternative forms of chat applications to communicate, it takes a very different tool than the whambam, gotta-get-it-done-with-no-questions-asked solution can deliver. A tool is needed that can be steered and customized by an examiner; one that can immediately be altered as the times change. What if an application database schema changes or updates, or a new application releases that is the next Snapchat? One cannot wait for the software to update; this information is needed now. We need a tool that can be molded in a way, programmed if you will, to be a chameleon. A mobile device collection tool that allows you to process data, assign data types and immediately publish the results. Results are what our customers demand, and with the MPE+ SQL Builder the results you can obtain from any application are tremendous.

During the presentation in New York last week I presented the audience with a problem (there were of course several) during the application analysis session. A device comes into your practice missing SMS/MMS, but your information says the custodian chatted every second they could. Understand that in today’s dynamic there are many different ways to “chat”, and using the standard SMS platform on the Android device is not the most common. So, using MPE+ SQL Builder we created our own queries to conform to the needed data and recovered chats from Facebook, Facebook Messenger, Pinterest and even images from Snapchat. What is interesting to note is that some of these applications are “supported” by other solutions, which all failed to recover the data we were looking for.
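The two ideas above, an examiner-written query against an application’s SQLite database and re-interpreting a raw timestamp column under a different data type, as an added example that is not MPE+ SQL Builder code. The database, its `messages` schema and its rows are constructed for illustration and do not belong to any real application.

```python
import sqlite3
from datetime import datetime, timezone
from typing import Optional

# Constructed sample rows: a tiny table shaped like a chat app's message
# store (hypothetical schema). Timestamps are stored as epoch milliseconds.
CONSTRUCTED_ROWS = [
    (1, "alice", "see you at 7", 1393200000000),
    (2, "bob", "ok, bring the files", 1393200060000),
]

def build_sample_db() -> sqlite3.Connection:
    """Create the constructed in-memory database standing in for an app's .db file."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE messages (id INTEGER, sender TEXT, body TEXT, ts INTEGER)")
    con.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", CONSTRUCTED_ROWS)
    return con

# The same raw integer may be a timestamp in several conventions found in
# Android app databases; the examiner picks the type that yields a plausible date.
TIMESTAMP_TYPES = {
    "unix_seconds": 1,
    "unix_milliseconds": 1_000,
    "unix_microseconds": 1_000_000,
}

def decode_timestamp(value: int, data_type: str) -> Optional[str]:
    """Re-interpret a raw column value as the chosen date type (ISO 8601, UTC).

    Returns None when the interpretation is not representable (e.g. treating a
    millisecond value as seconds lands tens of thousands of years in the future),
    which is the cue to re-execute with a different data type.
    """
    try:
        dt = datetime.fromtimestamp(value / TIMESTAMP_TYPES[data_type], timezone.utc)
    except (ValueError, OverflowError, OSError):
        return None
    return dt.strftime("%Y-%m-%d %H:%M:%S UTC")

def run_query(con: sqlite3.Connection, sql: str, ts_column: str, data_type: str) -> list:
    """Execute an examiner-written query and decode its timestamp column."""
    con.row_factory = sqlite3.Row
    rows = []
    for r in con.execute(sql):
        rec = dict(r)
        rec[ts_column] = decode_timestamp(rec[ts_column], data_type)
        rows.append(rec)
    return rows

if __name__ == "__main__":
    con = build_sample_db()
    q = "SELECT sender, body, ts FROM messages ORDER BY ts"
    for data_type in ("unix_seconds", "unix_milliseconds"):  # wrong type first, then re-execute
        print(data_type, run_query(con, q, "ts", data_type))
```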

Using MPE+ we customized with surgical precision the data we wanted and what was requested by our customer; we even saved the query for later use if we run into the same request for that application data.

I want to put a new face on the collection of this data from smart devices. I want to put the examination in the hands of the examiner, to arm them with the tools necessary to adapt and overcome data in real time. Our cases cannot wait for an update or maintenance release.

If data, upgrades and updates are not going to wait for us, why should we wait for them? Use a tool that takes a new approach to mobile device forensics.


Mobile Device and Social Media Raise Your Hand

As I travel and speak at various venues on social media applications and mobile devices I always open up with a question to the audience. Typically the audience is of the type that uses Electronically Stored Information (ESI) to help solve a crime, litigate a case or remedy a corporate “situation”. I first start out by asking the audience if they utilize the data from social media during ESI discovery. As the hands rise I see the same percentage of 20% hold true across the board no matter the venue. So let us compare the percentage of those using social media evidence in ESI collections to the percentage of actual users of social media on their mobile devices. I will look at statistics to come up with a conclusion stemming from a personal two-prong question to the audience: “Do you own a mobile device, and if so do you use any type of social media?” I will put the polling numbers from my typical talk against those found globally in several categories to test my theory and hopefully gain a better picture of our current dilemma.

Number of Mobile Devices

How many people in the audience have one mobile device? 98%

How many people in the audience have at least two mobile devices; either a tablet or cellular phone? 30%

In 2013 Nielsen conducted research on the mobile consumer showing that 61% of users own a smartphone and 27% of the world own at least two mobile devices.

Figure 1 Nielsen Global Smartphone Insights

Furthermore, the International Telecommunication Union estimates 6.8 billion mobile subscriptions worldwide (February 2013). That equates to 96% of the world population.

Users of Social Media via Mobile Device

How many in the audience use social media on their smart device? 70%

Globally, as indicated in both the Nielsen 2013 report and marketingcharts.com, over 55% of social networking consumption occurs on a mobile device. The average percentage for social networking globally is 67.5%, as mentioned in the marketingcharts.com article.



Figure 2 Nielsen report showing percentages of users and social media and application usage with smart devices. Nielsen 2013

Usage of Social Media ESI from Mobile Devices

How many in the audience have used social media ESI from a mobile device as evidence? 20%

Today, more than 95% of all information is electronic, and further research indicates that almost all cases today will involve some sort of electronic evidence.

What is extremely interesting as noted by x1discovery.com in an October 4, 2013 blog is that the pace of cases involving social media has so rapidly accelerated it has been very difficult to keep up. They identified 88 cases in just September 2013 where social media was key to the case and were published on Westlaw.

…only one percent of total cases result in published opinions…one can safely assume there were tens of thousands of more legal matters involving social media.

Further examination of the cases listed shows that of those from 2010 and 2011 only two percent mention a mobile device and social media. Of the 320 published cases so far for the first half of 2012, only one percent mention mobile devices and social media. This is quite staggering and disappointing considering the numbers outlined below.

Putting This Together

Looking at the numbers we see that my polling numbers are very consistent with numbers gathered by marketing agencies.

98% of my attendees have a mobile device while 96% of people in the world have a mobile device.
70% of my attendees use social media on their mobile devices as compared to the 67.5% globally.
Whilst 95% of all information is electronic and 55% of social media consumption occurs on a mobile device, one would expect this evidence to be widely utilized. This is definitely not the case when looking at the mere 2% of published cases and the 20% of my attendees using mobile device social media evidence.

What This Comes Down To

I always follow up asking the attendees why there is such a low number of examiners, corporations, service providers and legal teams utilizing data from a mobile device. The differences in answers are quite enlightening which typically center on awareness. Some of the examples and my opinions are listed next.

  1. This ESI can be found somewhere else
     This is very common, but honestly Facebook data (or any data) on a mobile device is much different than on Facebook’s server or living on the custodian’s PC. Local images, cache and deleted posts along with associated applications are a few differences.
  2. Logistics
     Complexity, software and knowledge are but a few that can be lumped into logistics. There are very competent service providers that can help train, conduct collections and evidence analysis, as well as testify to the procedures that need to be followed in a court of law.

The Take Away

Those conducting any type of investigations from legal and corporate review, HR, criminal and civil cases must understand information contained on a mobile device is much more relevant and often critical to the painted picture, especially when it comes to social media. This information can be obtained quickly and efficiently from these mobile devices, extracting critical data and analyzing the information to be used immediately or stored for retention. AccessData’s Mobile Phone Examiner Plus is one such tool.

The only question you need to ask yourself when determining if social media from a mobile device is critical to your case is this:

What did you do on your mobile device today?
