My current position at work is that of supervisor of anything and everything associated with the forensic examination of mobile phones (cell phones to those on the other side of the Atlantic). This has, over the past two years, been a part of my work, but has recently become pretty much all of it.
Lee, who, as listeners will know, works next to me, has often commented jokingly to our phone examiners that they are involved in “play forensics” and that they would someday graduate to “real forensics” in examining computers and disk images. Everyone has found such comments amusing and taken them well, but the past few weeks have made me consider the forensic examination of mobile phones.
It may have been the case a year or two ago that mobile phone forensics was not as in-depth, complicated or interesting as computer forensics, but I don’t think that is really the case anymore.
With the advent of the Apple iPhone, the Nokia N95 (and other Symbian v9 based devices) and the wider acceptance of new HTC handsets like the Touch Diamond, the G1 and the Touch HD, mobile phone examinations are now considerably more complex.
Even if these phones are discounted, the average storage and capabilities of phones have been increasing. In the past two years I’ve seen the average size of a phone examination (what we archive following completion of the job) increase from 50-150 megabytes to more than half a gigabyte. That doesn’t sound like much, but when you consider the bulk of phones are still the smaller, older phones, this means anything newer has an average content size of a gigabyte or more, especially when considering the memory card. New HTC handsets (such as the Touch HD, for example) can accept MicroSDHC cards up to 32GB.
Phone forensic examinations used to consist of extracting all handset data and providing the client with it. This will have to change: when larger, more complex handsets are to be examined, the examiner will need to consider more specific case requirements and carry out an in-depth analysis.
My first mobile phone could make and receive calls, send and receive SMS messages, and, unusually for the time, access WAP content. “Smartphones” can do anything from word processing to accessing full web pages and uploading and downloading video via YouTube, reading ebooks and uploading content directly to the likes of Facebook, Bebo and MySpace. Anyone not up-to-date on these mobile devices will eventually miss something that would have strengthened a case.
While the basics remain the same, and standard mobile phone content may be the same, the way it is stored is changing. SMS messages can be stored on memory cards on a number of handsets. When you think of the size of commercially available memory cards (as previously mentioned), the number of messages that can be stored in this manner is massive. If a handset is examined and the memory card is not treated correctly, this kind of content can easily be missed.
With the ever-increasing array of mobile software or “apps”, it is becoming possible to do almost anything with a new mobile device. When you consider Java applications and the number of handsets that support them, this encompasses an almost unlimited number of handsets.
I think there is little doubt that the gulf between PC and phone examinations has become a line that is becoming smaller and smaller. As phone forensics establishes itself more, and as more handsets are released with more features, we will soon see the day when forensic examinations of any device will be treated in the same way as computers and other similar media. I think phone forensics itself has graduated, and is now as much a part of digital forensics as any work that can be undertaken on a PC.