Forensic Data Analysis of Mobile Devices: A Primer

Mobile Device Data Types

Every mobile device contains a unique, rich and expansive set of information. While every device is unique, several categories of evidence are primary to forensic analysis. These data types represent the communications, geolocation and other event-based data found on smartphones and tablets.

The following are several of the major categories of mobile device data types and the primary sets of content that are examined as part of an investigation:

Every type of data found on a mobile device is collected during the forensic acquisition; however, the data types selected for analysis depend on the scope and focus of the analysis. Once the data has been extracted, the data is available for analysis. Kroll’s methodology involves advising clients on which data types are potentially relevant and extracting the relevant data to a unified database to analyze those data in concert. Even if text and chat messages are the focus, analyzing other data sources — such as the phone’s address book and geolocation data — alongside the communications records yields a deeper understanding of events. This can include, for example, knowing where the device’s custodian was physically located when a key message was sent or identifying additional individuals for analysis.

Primary Types of Analyses

The types of analyses that can be performed on mobile devices vary based on the data types that have been selected and the objectives of the analysis. The key to a successful analysis process is identifying the fastest approach to performing analysis that is exhaustive and yields immediate results to support the broader investigation. Investigations rarely only require analysis of mobile device data, so the analysis of mobile devices should support the broader investigation’s objectives and aid in accelerating those other areas (e.g., interviews and document review).

Kroll’s experts and analysts work with clients to select from a library of over 30 standard and bespoke mobile device analyses.

The following table lists several of the primary analyses that are typically performed in our investigations:

The analyses can be separated into the objectives of reducing results or expanding results.

For reducing results, analyses can be combined to segment and otherwise refine the results. For example, a timeline analysis can be used in conjunction with concept searches to show the types of communications and other data containing those concepts over a specific time period. This analysis, subsequently, can be further refined to be limited to specific individuals or geographic locations.

Expansion analysis can be performed to identify additional relevant data from a set of responsive results. For example, the analysis can fan out from a single device to multiple devices using the same criteria, or an analysis can be performed to identify communications from a newly identified individual of interest. Another form of expansion analysis is identifying additional data sources based on information found on a mobile device, such as web history or third-party app history, that indicates the usage of social media or other platforms, such as Facebook, Instagram, Twitter or Slack.

Cross-Device Analysis

Analyzing multiple mobile devices in concert offers advantages for complex matters. A cross-device analysis approach enables analysts to identify additional individuals and establish much more information about communications and other events. Several of the benefits of analyzing multiple devices together are:

• Mining devices’ address books to associate names with phone numbers and accounts
• Identifying physical locations of individuals at points in time
• Building a map of known participants and the relationships in visualized network graphs
• Determining whether additional data should be collected

Cross-device analysis can better identify when certain data was deleted or altered by individuals, but it can also pose challenges to legal teams if not addressed properly. While forensic experts can typically recover deleted content, representing this across devices is more definitive and powerful. Cross-device analysis can pose challenges for legal teams who follow traditional approaches of producing deduplicated data.

Consider the following example, where the devices for two chat participants were acquired. One custodian did not perform any deletions, while the other custodian selectively deleted messages. Both copies of the message threads contain valuable information, which is why Kroll develops an analysis strategy with legal teams in advance of any review and production. Performing a cross-device analysis ensures that situations like the one below are identified prior to document review and production.

A cross-device analysis requires rigorous auditing and metadata management to track source data and enable more powerful cross-device analysis. Several key points to consider when conducting a cross-device analysis are:

• Storing and tracking all available metadata about the devices, device collections and data is critical for evidence management
• Analysis across different data types requires precise data mapping and a deep understanding of mobile device data
• Data types and metadata across different iPhone and Android devices can impact unified analysis if not properly addressed
• Applying data across all devices, such as address books, can create issues if not properly performed

Kroll’s approach involves managing source data in a unified database and making the data available for legal teams through traditional document review platforms, such as Relativity, and through self-service analytics platforms for deeper analysis, visualizations and custom searching.

Designing a Mobile Device Analysis Strategy

Every mobile device investigation is unique, but there are common approaches to devising an analysis strategy. These steps begin with compiling known information regarding the investigation and isolating key facts or theories for further corroboration or analysis expansion. For example, if an investigation centers around three events at specific points in time, the analysis can be developed around those epochs to identify the individuals involved, whether any communications or other event-related data are found on the devices, and to begin culling or expanding the channels of communication and keywords/concepts involved in the investigation.

In parallel, mobile device data should be profiled to assess what information is available and whether anomalies or data gaps exist. One approach is to perform an automated data profiling to assess summary-level details on the data found on the mobile devices, generate data timelines and identify relationships between individuals. This type of profiling allows investigators and attorneys to quickly assess what information is available and begin identifying what data to further analyze.

A successful mobile device analysis typically has a defined stopping point when the analysis is complete or sufficient. Determining when to stop depends on the nature of the investigation, but there are several ways to gauge this. The first is establishing at the onset which and how the narrowing analyses will be performed, whereby narrowing filters are applied and the expected communications and other details are identified. That is, the analyses to filter out extraneous information and find key data is defined at the beginning. The second test is reviewing the expansion analyses to assess whether those are complete and that each finding from those was reviewed. Virtually no investigation can establish the precise stopping point criteria before the analysis is performed but having those criteria in mind throughout aids the investigation.

The analysis strategy should include an approach to how the data will ultimately be reviewed and reported. One approach is to transfer mobile device data to a document review system, such as Relativity, for review. These types of systems enable attorneys and other reviewers to review mobile device content in a common platform alongside email and electronic documents. One key consideration for this process is to determine how communications and other data are represented. Text messages and other communications can be printed to PDFs in formats to look like the original messages, and other data can similarly be printed to a file format based on the metadata to represent a document.

A second approach is to review the metadata and quantitative results of the analysis in a data visualization platform. A data visualization platform enables reviewers to examine information and apply filters to the data to identify data patterns. The visualizations can be printed and produced to represent the findings. This approach can be conducted in conjunction with or in lieu of reviewing data in a document review platform.

Conclusion

Mobile device analysis is a process rich with opportunities to examine data alongside one another and explore the variety of data types and devices. Advanced tools, such as self-service analytics and visualization platforms, enable investigators and legal teams to perform these analyses faster and with much more depth than is traditionally considered with document review tools. The keys to a successful mobile phone analysis are to properly scope the goals and known facts in a case and then systematically analyze the data.