The Value of Mobile Device Forensic Examination During an Investigation

Steve Attwood, Califorensics

As a Human Resource professional, you are often brought into situations where an investigation is required. This article discusses one aspect of the investigation that is often overlooked – information that is stored on the individual’s mobile device(s). The process of extracting this information is called mobile device forensics.

Mobile device forensics is a process of gathering Electronically Stored Information in a manner that, should it be necessary, is admissible in court. Extraction of mobile device information is the primary function of digital forensics companies like Califorensics. Examples of mobile devices are cell phones, tablets, laptops, digital cameras, digital media players and thumb drives. Just look around you right now! You probably have at least one mobile device within arm’s reach.

A mobile device forensic examination can extract information from email, voice mail, text messages, location data (maps, WiFi, apps, photos and latitude/longitude data) as well as network detail from the local network or carrier network. Information can also be extracted from device storage media such as SIM or SD cards, from chip-offs or backups, and from cell site analysis.

As information is gathered, it must be forensically stored to ensure it is legally admissible, should the investigation go in that direction, and to prevent the deletion or damage of important information.

Challenges to the collection of information can come from the device manufacturers, which frequently change mobile device form factors, operating system file structures, data storage, services, peripherals, and even pin connectors and cables. There is also an ever-increasing number of tools for deleting or corrupting the information on a mobile device, available to those trying to hide their tracks. However, even if the user attempts to delete information from their device, it can often be retrieved through a thorough forensic examination.

Today, mobile devices are so pervasive, and with us for so much of the day (nearly 24 hours), that a significant amount of information about our day-to-day lives can be extracted.

Mobile device forensic analysis can reveal a great deal of data, including:

• Dialed, incoming and missed calls (history logs)
• Text messages
• Instant message activity
• Email
• Internet activity including search histories
• Software, programs and apps
• Video and audio recordings
• Electronic documents and attachments
• Device setting information
• Device location information (using GPS) and cell phone tower triangulation

Mobile device forensics can be critical to an investigation and it’s clear that an ad hoc approach to the preservation of electronically stored information will not work. From a legal perspective, lawyers need to be equipped to adequately advise clients, and failure to properly preserve text messages or other mobile data could result in severe sanctions.

Mobile device analysis is not a quick or easy process, and not something that should be undertaken by an amateur – especially if it uncovers information that may be used in HR or legal proceedings. An individual who is not experienced in mobile device forensics might inadvertently destroy evidence, corrupt files or make the information inadmissible.

When you have any indication that mobile device forensics could be beneficial, be sure to consult with a professional organization like Califorensics. It’s far better to be safe and assured that data will be collected and stored within guidelines than to put a successful outcome at risk because proper procedures were not followed.

Steve Attwood has been at Califorensics since 2002. He is founder and now Director of Digital Forensics for a firm that emphasizes computer forensics, eDiscovery, and fact-finding in support of complex litigation or referral for prosecution. Representative clients include law firms, state and local government, high-tech firms, aircraft manufacturers, financial institutions and school districts.