SANS Digital Forensics and Incident Response Blog

More is less: why the mobile forensics race to support the most phones is the wrong race

Before I co-founded viaForensics, I was the Chief Information Officer for a large international packaging company. We had a fair number of smart phones and we occasionally needed to examine a phone. I knew little about digital forensics at the time and as I researched the various offerings, I was overwhelmed.

My initial reaction was to find the tool that would support the most phones (when in fact I really only needed to support the Palm Treo running Windows Mobile). And so that's exactly what I bought: my shiny new forensics software supported over 1,800 phones at the time and I felt quite comfortable that if I ever needed to extract data from a CDMA phone operating in the Middle East with Farsi as the main language, I could do it (ok, I'm exaggerating a little bit but you get the idea). Of course, I never needed to do that but I had the cables and the software that said I could.

In retrospect, I certainly understand the rationale: some examiners encounter a very diverse range of phones, so wide support is necessary for them. But let's be honest, how well can one tool support both the widely popular iOS and Android platforms as well as a flip phone from the 1990s? The reality is that it is very difficult to truly support 1,800 phones, let alone the 3,000+ figures I see in the release notes of current mobile forensic packages. The forensic package will likely have the physical connection to the phone, but I've found that only sometimes can it extract data. And for many of the phones, if any data can be extracted at all, it's so nominal that you can sometimes gather more intelligence by simply inspecting the phone visually and perhaps documenting it with a camera.

It would be very interesting to see statistics from a "typical" crime lab on the types and quantity of phones examined over, say, the past 12 months. Looking at the two most prevalent categories:

  1. Feature phone: phones that supply basic features such as phone calls, SMS, camera and a few other items. Minimal web, email or third-party app support.
  2. Smart phone: the wildly popular devices that are really portable computers that happen to make phone calls, and thus contain enormous amounts of data.

If the phone is a feature phone, then you can run it through any number of packages (and there are even several free and open source packages such as BitPIM) and extract the limited data. You can also examine the SIM card, subpoena the records from the cellular provider, visually inspect the device or, if warranted, look into flasher boxes, hex dumps or even JTAG/chip-off.

If the phone is a smart phone, then there is tremendous potential for extracting a large quantity of valuable information. Take the two smart phone platforms mentioned previously, iOS and Android. Both contain a vast amount of information that I am not going to try to list here (see our free iPhone Forensics white paper). Yet many mobile forensic packages only extract fairly basic information such as call logs, contacts, SMS and MMS. And therein lies the problem, which reminds me of a cliché: jack of all trades, master of none.
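To make the "basic extraction vs. what is actually on the device" gap concrete, here is an added example (not code from the original post or from viaForensics) that inventories every SQLite database in a logical Android extraction and reports tables and row counts per app. The package and table names (mmssms.db, contacts2.db, browser.db) follow real Android conventions, but the directory tree and every row in it are constructed for this example, and the com.example.chat package is hypothetical. The script opens each database read-only so the triage pass cannot alter the evidence, and it skips non-SQLite files by checking the file header rather than trusting the extension.

```python
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

# Data stores a "basic" extraction (call logs, contacts, SMS/MMS) already
# covers. Everything outside these packages is what such a tool leaves behind.
BASIC_PACKAGES = {
    "com.android.providers.telephony",  # mmssms.db
    "com.android.providers.contacts",   # contacts2.db (contacts and call log)
}

# Constructed sample: a slice of an Android /data/data tree. Package and
# table names follow Android conventions; the contents are invented.
SAMPLE = {
    "com.android.providers.telephony/databases/mmssms.db": {
        "sms": ("address TEXT, body TEXT, date INTEGER",
                [("+15550001111", "meet at 9", 1300000000000),
                 ("+15550002222", "running late", 1300000600000)]),
        "threads": ("snippet TEXT", [("running late",)]),
    },
    "com.android.providers.contacts/databases/contacts2.db": {
        "raw_contacts": ("display_name TEXT", [("Alice",), ("Bob",)]),
        "data": ("raw_contact_id INTEGER, data1 TEXT",
                 [(1, "+15550001111"), (2, "+15550002222"), (2, "bob@example.com")]),
    },
    "com.android.browser/databases/browser.db": {
        "bookmarks": ("url TEXT", [("http://example.com/",), ("http://example.org/",)]),
        "history": ("url TEXT, visits INTEGER",
                    [("http://example.com/a", 3), ("http://example.com/b", 1),
                     ("http://example.net/", 2), ("http://example.org/x", 1)]),
    },
    "com.example.chat/databases/messages.db": {  # hypothetical third-party app
        "messages": ("peer TEXT, body TEXT",
                     [("alice", "hi"), ("alice", "where?"), ("carol", "call me")]),
        "attachments": ("message_id INTEGER, path TEXT", [(3, "img/001.jpg")]),
    },
}


def build_sample_extraction(root):
    """Write the constructed SAMPLE tree under root, plus one non-SQLite file."""
    for rel, tables in SAMPLE.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        conn = sqlite3.connect(path)
        with conn:
            for name, (cols, rows) in tables.items():
                conn.execute(f'CREATE TABLE "{name}" (_id INTEGER PRIMARY KEY, {cols})')
                names = ", ".join(c.strip().split()[0] for c in cols.split(","))
                marks = ", ".join("?" * len(rows[0]))
                conn.executemany(f'INSERT INTO "{name}" ({names}) VALUES ({marks})', rows)
        conn.close()
    prefs = Path(root, "com.example.chat/shared_prefs/settings.xml")
    prefs.parent.mkdir(parents=True, exist_ok=True)
    prefs.write_text("<map><boolean name='notify' value='true'/></map>")


def is_sqlite(path):
    """Identify SQLite files by header, not extension (apps name them freely)."""
    with open(path, "rb") as f:
        return f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def inventory(root):
    """Map each SQLite file (path relative to root) to {table: row_count}.

    Every database is opened with mode=ro so the pass cannot write to the
    evidence; still run it on a working copy. If the extraction includes
    -wal or -journal side files, keep them next to the .db or recent rows
    will be missing from the counts.
    """
    root = Path(root).resolve()
    found = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or not is_sqlite(path):
            continue
        conn = sqlite3.connect(path.as_uri() + "?mode=ro", uri=True)
        try:
            names = [r[0] for r in conn.execute(
                "SELECT name FROM sqlite_master WHERE type='table' "
                "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
            counts = {}
            for name in names:
                quoted = '"' + name.replace('"', '""') + '"'  # never trust table names
                counts[name] = conn.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
        finally:
            conn.close()
        found[path.relative_to(root).as_posix()] = counts
    return found


def records_by_package(inv):
    """Total rows per app package (first path component under /data/data)."""
    totals = {}
    for rel, counts in inv.items():
        pkg = rel.split("/", 1)[0]
        totals[pkg] = totals.get(pkg, 0) + sum(counts.values())
    return totals


def records_outside_basics(inv):
    """Rows a call-log/contacts/SMS-only extraction would never touch."""
    return sum(n for pkg, n in records_by_package(inv).items() if pkg not in BASIC_PACKAGES)


def run_demo():
    """Build the constructed tree in a temp dir and return its inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_extraction(tmp)
        return inventory(tmp)


if __name__ == "__main__":
    inv = run_demo()
    for rel, counts in inv.items():
        print(rel, counts)
    print("rows a basic call/contact/SMS extraction would miss:", records_outside_basics(inv))
```

On the constructed tree the basic providers hold 8 rows while the browser and the chat app hold 10, and the shared_prefs XML is correctly ignored. On a real extraction the interesting part is the long tail of third-party packages this report surfaces; each of those databases then needs its own schema-aware parser, which is exactly the work a 3,000-phone package rarely does.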

My personal approach to mobile forensics has evolved from my early days. If I rarely or never have the need to extract data from an old CDMA phone, then I'm not going to spend time, energy and other precious resources preparing to support it. Instead, if I do come across that type of phone, I will look to one of the solutions mentioned above or find the expert who is fully equipped and experienced to handle it. Likewise, since the smart phones I come across (such as iOS and Android) are the devices which hold the greatest amount of data, I want to use the best tools and techniques for those devices.

So, that's just my $0.02: why I think that in mobile forensics, more is sometimes less. Of course, this post is a bit provocative, so hopefully it will generate some good debate and interesting comments. I also wanted to quickly share some other ideas that have been on my mind about the evolution of forensics which I plan to address in future posts:

  • How crowdsourcing can drive innovation in mobile forensics
  • Why forensic firms must stop worrying and learn to love the virtual machine

Until then.

About the author

Andrew Hoog is a computer scientist, certified forensic analyst (GCFA and CCE), computer and mobile forensics researcher, author of two forensic and security books (Android and iOS), expert witness and co-founder of viaForensics, an innovative digital forensic and security firm. He divides his energies between investigations, forensic software development, and research in digital forensics and security, and has two patents pending in the areas of forensics and data recovery. viaForensics is noted for its research into mobile app security, including its free appWatchdog service and appSecure, its sophisticated mobile app security audit and certification program.

He lives in Oak Park, IL, where he enjoys spending time with his family, traveling, great wine, science fiction, running and tinkering with geeky gadgets.