SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Mobile Device Digital Forensics

Identity theft incidents in the corporate setting are on the rise, whether caused by disgruntled employees (e.g. stealing information via USB or mobile devices) or simply by a lack of proper security awareness training (such as encrypting sensitive information and knowing which mobile devices can or can't be used). It is therefore imperative for organizations to become better equipped and skilled in performing digital forensics on mobile devices.

So where do you start and what are the best tools to use?


Good Reads:

  • Casey, Michael Bann and John Doyle wrote Introduction to Windows Mobile Forensics. This paper provides an overview of Windows Mobile Forensics, describing various methods of acquiring and examining data on Windows Mobile devices. The locations and data formats of useful information on these systems are described, including text messages, multimedia, e-mail, Web browsing artifacts, and Registry entries. This paper concludes with an illustrative scenario involving MobileSpy monitoring software.
  • Here is a great article by Anup Ramabhadran on an investigation process model for Windows Mobile Forensics.
  • NIST has an excellent paper on PDA Forensics Tools that discusses the different procedures and techniques used when performing mobile forensics.
  • Benjamin Wright posted B2B Cyber Security Lawsuit | Guerrilla Publicity Dogs Bank Online, which looks at the lawsuit between Hillary Machinery, Inc. and PlainsCapital Bank.


  • Oxygen Software releases Oxygen Forensic Suite 2010 version 2.6.5 today. The new version introduces iPhone Password Breaker, software that can perform password attacks against iTunes backup files. Oxygen Forensic Suite 2010 also adds support for the Google Nexus One and the Blackberry Curve 8500 series, and improves support for devices based on iPhone OS and Android OS.
  • NIST scientists detail their proof-of-concept research in a NIST Interagency Report, Mobile Forensic Reference Materials: A Methodology and Reification. They also developed an experimental application, called SIMfill, and a preliminary test dataset that follows the methodology described in the report. SIMfill can be used to automatically upload cell phone data such as phone numbers and text messages to "populate" test SIMs that can then be recovered by forensic cell phone tools. In this way, examiners can use SIMfill as one method to assess the quality of their off-the-shelf tool.
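The SIMfill approach above boils down to a simple measurement: write a known set of records to a test SIM, run the tool under evaluation, and compare what it reports against what was planted. The following is an added example (not SIMfill, nor any NIST or vendor code) showing the comparison step in Python. The SimRecord type, the score function, the reference set and the simulated tool output are all constructed for illustration; the tool output deliberately contains one truncated contact name, one missing text message and one record that was never planted, which are the three failure modes such a check should surface.

```python
"""Score a mobile forensic tool's output against a planted reference dataset.

Example only: the record layout, the reference data and the simulated
tool output below are constructed, not taken from SIMfill or any real tool.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SimRecord:
    """One planted or recovered item. kind is 'contact' or 'sms'; key is the
    field that identifies the record (number, or number|timestamp for SMS);
    value is the content whose integrity we want to check."""
    kind: str
    key: str
    value: str


# Constructed reference data: what was deliberately written to the test SIM.
REFERENCE = {
    SimRecord("contact", "+15555550101", "Alice Example"),
    SimRecord("contact", "+15555550102", "Bob Example"),
    SimRecord("sms", "+15555550101|2010-02-20T10:00:00", "Meet at noon"),
    SimRecord("sms", "+15555550103|2010-02-21T09:30:00", "Invoice attached"),
}

# Constructed sample of what a hypothetical tool reported after reading the SIM.
TOOL_OUTPUT = {
    SimRecord("contact", "+15555550101", "Alice Example"),
    SimRecord("contact", "+15555550102", "Bob Exampl"),          # name truncated by the tool
    SimRecord("sms", "+15555550101|2010-02-20T10:00:00", "Meet at noon"),
    SimRecord("sms", "+15555550199|2010-02-01T00:00:00", "residual"),  # never planted
}


def score(reference, recovered):
    """Compare recovered records to the planted reference set.

    Returns a dict with four sorted lists of (kind, key) tuples:
      exact   - planted and recovered with identical content
      altered - planted and recovered, but content differs (corruption/truncation)
      missing - planted but not reported at all
      extra   - reported but never planted (stale data, tool artefacts)
    plus recall, the fraction of planted records recovered exactly.
    """
    ref_by_key = {(r.kind, r.key): r for r in reference}
    rec_by_key = {(r.kind, r.key): r for r in recovered}

    exact, altered, missing = [], [], []
    for k, planted in ref_by_key.items():
        found = rec_by_key.get(k)
        if found is None:
            missing.append(k)
        elif found.value == planted.value:
            exact.append(k)
        else:
            altered.append(k)
    extra = [k for k in rec_by_key if k not in ref_by_key]

    return {
        "exact": sorted(exact),
        "altered": sorted(altered),
        "missing": sorted(missing),
        "extra": sorted(extra),
        "recall": len(exact) / len(ref_by_key) if ref_by_key else 0.0,
    }


def recall_by_kind(reference, recovered):
    """Per-category recall, so a tool that handles contacts well but drops
    SMS (or vice versa) is not hidden behind one aggregate number."""
    result = {}
    for kind in sorted({r.kind for r in reference}):
        sub = score({r for r in reference if r.kind == kind},
                    {r for r in recovered if r.kind == kind})
        result[kind] = sub["recall"]
    return result


if __name__ == "__main__":
    report = score(REFERENCE, TOOL_OUTPUT)
    for label in ("exact", "altered", "missing", "extra"):
        print(f"{label:8s} {len(report[label])}: {report[label]}")
    print(f"overall recall: {report['recall']:.2f}")
    print(f"recall by kind: {recall_by_kind(REFERENCE, TOOL_OUTPUT)}")
```

The point of separating altered from missing is that a tool which silently truncates a field is a different (and arguably worse) finding than one that reports nothing, and the extra bucket is a reminder to start each test from a freshly wiped SIM so that residue from earlier runs is not mistaken for a tool defect.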

Coming Events:

Digital Forensics Case Leads for 20100225 was compiled by Jennie DeLucia. Jennie is the Manager of IT GRC for Excellus Health Plan. In addition, she is a SANS Community 508 Instructor, an adjunct Professor at the Rochester Institute of Technology, and an independent computer forensic consultant.