Intro
Modern tools and techniques for mobile device forensics have dramatically changed how investigators and attorneys approach investigations, with mobile devices often at the forefront. The new approaches provide better options for quickly and efficiently analyzing tens or hundreds of devices in parallel while incorporating a wider array of information from the devices. Mobile devices have been a prominent part of disputes and investigations for over a decade, and their ubiquity and intermixed business and personal use yield a wealth of data that is richer and more accessible than any other data source. That, coupled with the frequency of usage and users’ sense of privacy, makes mobile devices incredibly valuable in any investigative analysis.
Kroll’s advanced approach to mobile device analysis is to perform unified analysis across data types and devices, which enables attorneys and investigators to interrogate and present all forms of mobile device data. The traditional approach has been to analyze each device in isolation or to treat communication data (e.g., SMS) like “documents.” Modern analysis tools and techniques allow for a faster, more powerful approach. In this piece, we present an introduction to performing modern mobile device forensic analysis.
Phases of Mobile Device Analysis
Mobile device analysis can be divided into several iterative phases. Every matter involving mobile device analysis begins with a scoping process, which critically includes identifying the goals of the analysis, selecting the data types to analyze (e.g., text messages), developing the fact pattern, and establishing other logistical considerations. The second phase is the forensic collection of the devices, which can be performed via different means, such as Cellebrite or Oxygen Forensics, cloud-based collection, or a logical collection of the device contents.
Once acquired, the mobile device data can be extracted and analyzed with a variety of tools. In simpler matters involving a small set of devices and limited or known issues, the data can be analyzed manually in spreadsheets or through traditional document review platforms. In complex matters, however, a unified analysis approach utilizing data analysis techniques is required. This approach involves the extraction of specific data types and the import of data across multiple mobile devices into a unified database for consolidated analysis.
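As an added illustration of the unified-database approach described above (not Kroll's tooling or the output format of any collection product), the sketch below loads message exports from two devices with different layouts into one SQLite table, normalizes phone numbers and timestamps to UTC, and builds a single timeline showing how many devices recorded each message. The field names, device labels, sample records and the 10-digit number assumption are all constructed for the example.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample exports; field names and values are hypothetical.
DEVICE_A = [  # epoch seconds, numbers as dialed
    {"ts": 1700000000, "from": "+1 (555) 010-0001", "to": "555-010-0002", "text": "Send the draft"},
    {"ts": 1700000300, "from": "555-010-0002", "to": "+15550100001", "text": "Sent."},
]
DEVICE_B = [  # ISO 8601 timestamps with a local UTC offset
    {"time": "2023-11-14T17:13:20-05:00", "sender": "5550100001", "recipient": "5550100002", "body": "Send the draft"},
    {"time": "2023-11-14T17:25:00-05:00", "sender": "5550100002", "recipient": "5550100003", "body": "Call me at 6"},
]
# (device label, rows, field names for timestamp / sender / recipient / body)
EXPORTS = [
    ("device_a", DEVICE_A, ("ts", "from", "to", "text")),
    ("device_b", DEVICE_B, ("time", "sender", "recipient", "body")),
]

def norm_phone(raw):
    """Reduce a number to its last 10 digits (assumes 10-digit national numbers)."""
    return "".join(c for c in raw if c.isdigit())[-10:]

def to_epoch(value):
    """Accept epoch seconds or an ISO 8601 string; return UTC epoch seconds."""
    if isinstance(value, int):
        return value
    return int(datetime.fromisoformat(value).astimezone(timezone.utc).timestamp())

def build_unified_db(exports):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages "
                 "(device TEXT, ts_utc INTEGER, sender TEXT, recipient TEXT, body TEXT)")
    for device, rows, (ts, snd, rcp, body) in exports:
        conn.executemany(
            "INSERT INTO messages VALUES (?, ?, ?, ?, ?)",
            [(device, to_epoch(r[ts]), norm_phone(r[snd]), norm_phone(r[rcp]), r[body])
             for r in rows])
    return conn

def cross_device_timeline(conn):
    """One row per distinct message with the count of devices that recorded it.
    Matching on the exact second is a simplification for this example."""
    return conn.execute(
        "SELECT ts_utc, sender, recipient, body, COUNT(DISTINCT device) "
        "FROM messages GROUP BY ts_utc, sender, recipient, body ORDER BY ts_utc"
    ).fetchall()

if __name__ == "__main__":
    for row in cross_device_timeline(build_unified_db(EXPORTS)):
        print(row)
```

A message seen on two devices is corroborated by both collections; one seen on a single device is a lead for the next analysis iteration.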
The next phases, analysis and reporting, are more time-intensive and can require multiple iterations and additional data collection or analysis rescoping. As discussed later, the types of analysis used can vary, but the objective is to apply techniques based on known facts to accelerate the analysis and reduce time sifting through irrelevant data. The analysis phase can involve multiple iterations, with each iteration adjusting or refining the analysis based on newly gained information from prior analyses. The review and production phase involves the compilation of data into a visual and interactive platform for reviewers to consolidate their findings and produce them in the form of documents, metadata and/or visual representations.
The following chart illustrates this phased approach: