Bunting Digital Forensics, LLC
Digital Forensic Examinations
Mobile Device Forensic Examinations - Bunting Digital Forensics, LLC
With each passing day, more and more data is being migrated to and stored on mobile devices (smart phones) and / or the various cloud storage services. Let's face it, a smart phone is nothing more than a hand-held computer that just happens to make phone calls.
Many claim to be able to do mobile device forensics, but once again there are few that do them well. Steve Bunting not only engages in the practice of mobile device forensics, but he teaches others as well. He is currently the only U.S.-based contract instructor for MSAB, the makers of the XRY Ecosystem of Mobile Forensic Software. He has taught hundreds of mobile device examiners in the US and in several other countries as well. So do you want someone who just claims to do mobile device forensics, or do you want someone who does it well enough to teach others?
There are many methods of extracting data from a smart phone. Sometimes the mobile forensic tool (XRY for example) can do so and sometimes it can't. When the tool fails to do the job, there are other methods. Sometimes the data can be found in backups on computers. Sometimes the backups are in the cloud. When the backups are on a computer, you need someone who can not only do mobile forensics, but someone who can do traditional computer forensics as well. Often times old smartphone backups can be recovered from Windows Volume Shadow Copies or OS X Time Machine snapshots.
Sometimes you don't have backups of the data, you are locked out of the phone, and you have to get a physical image of the phone. On some smart phones (Androids, Blackberry, etc) usually JTAG or Chip-off techniques can provide the data.
JTAG involves taking the phone apart and connecting to JTAG ports, which are in turn connected to a RIFF-style box and onward to a computer. Though this communications circuit, a physical image of the on-board memory can be extracted. It is a slow process, often taking a couple of days, but the phone is usually not damaged by this process.
Chip-off is a destructive process for the phone by which the PCB (printed circuit board) is heated as well as the memory chip. Once the temperature melts the glue and solder, the chip is removed, excess solder is removed from the chip, and then the chip is read in a chip reader. Usually chip-off is quicker to achieve and significantly faster to image the data, taking minutes or hours vs days for JTAG. The downside, naturally, is that the phone will not be useful once the chip is removed.
There is another technique that can be employed that has the speed of chip-off coupled with the phone-saving benefit of JTAG. That technique is dubbed ISP by some and on-board eMMC by others. Depending on whether or not the contact points for the PCB by which to connect to the chip are known or readily available, it could require the time and expense of acquiring a like version of the phone from eBay. The copy of the phone must be destroyed (chip removed) to map the contact points for the the chip on the PCB. So the cost and time involved can be higher.
There are other methods, depending on make, model, and version, that can be employed. Some phones will allow the replacement of the stock recovery partition with one that has features that will allow a backup of the data partition.
Regardless of which method that is eventually used, you need an examiner who can readily deploy any of the techniques that are required to get at your data. If you have a spoliation case and you want to get at deleted data, some form of physical extraction will be needed, be that software, JTAG, chip-off, onboard eMMC, or other technique. Regardless of the type of case you have, you need an expert. Contact Steve right away and we can discuss your needs.