Digital Forensics: What can investigators pull from your phone?

Digital forensics is a branch of forensics that deals with the recovery and investigation of data from digital devices. This can include everything from computers and smartphones to more specialized devices like drones and security cameras. As our lives become increasingly digital, investigative bodies have become more proficient at utilising digital forensic tools that can analyse smartphone data. A suspect’s own mobile device may well be the single best tool in the law enforcement arsenal for solving crime since forensic DNA testing began in the 1980s.

The use of digital forensic tools has become increasingly widespread in everything from terrorism and homicide investigations all the way down to minor drug offences. While members of the public are undoubtedly aware that these tools exist, far fewer people are aware of what they are capable of.

Phone downloads

One of the most common questions we get asked is “What data can an investigator obtain from my phone?” The answer to this question is unfortunately not a simple one. The amount and type of data that can be recovered from a digital device depends on a number of factors such as the type of device, the operating system, how the data is stored, the tools available to the investigator, and the type of data extraction the investigators elect to utilise.

As a general rule, if a sophisticated investigator gains physical access to an Android or iOS device whose storage they can unlock, they can see everything the user can see and more. (Current Android and iOS devices encrypt their storage by default, so in practice "unencrypted" means the device was seized unlocked, the passcode is known, or the encryption can otherwise be bypassed.)

A phone is essentially a collection of databases. All the data on the phone can be extracted in binary form, parsed, and then displayed in an easy-to-search format through a software interface like the one shown below.

Source: Privacy International

Recovered data can be processed with various tools and viewed from a forensic perspective. Anything the user could see on the unlocked device at the time of the extraction would be available to the investigator. SMS messages, call logs, Snapchat data, messages, calendar entries, Bluetooth and WiFi connections, web history, step data, stored passwords, images, videos, notes and even WhatsApp and Signal messages can be recovered and viewed by the investigator. Almost all of this data is timestamped.

What this means is that investigators can build a picture of where your device was and what it was doing at any given time.

What about Deleted Data?

Investigators have access to deleted data as well. This data is presented in an easy to read and navigate format, and deleted items are essentially highlighted for the investigator. In both the above and below images, the red entries indicate the number of deleted items in that particular category that were recovered during the extraction process.

Source: zdnet.com

When you delete a message, file, image, or any other data on a mobile device, the data itself is usually not erased; only the reference to it is. Messages and most app records live in database files (typically SQLite), and deleting a record simply marks its space inside the database as free. The bytes remain in the file's unallocated pages and write-ahead logs until the database reuses that space or is compacted. Deleted files behave similarly on traditional storage: the filesystem forgets where the file is and its blocks stay intact until new data is written over them. The more you use the phone, and the closer its storage is to full, the sooner that space is reused. When an investigator completes a physical extraction of a device, everything that has not yet been overwritten is often recoverable.

There are exceptions. Modern iPhones encrypt each file with its own key and discard that key when the file is deleted, so the file's contents cannot be decrypted even if the underlying blocks survive, and flash storage on both platforms may erase freed blocks in the background (TRIM). These mechanisms protect whole files far better than they protect records inside a database that is still in use, which is where most deleted messages and app data are found, so deleted-record recovery remains common.
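As an added illustration of the two paragraphs above (this is example code written for this page, not something the article or any forensic vendor provides): the script below builds a small SQLite message database, deletes one row the way an app would, and then carves the raw file for printable text the way an extraction tool does. It then re-runs the same steps with SQLite's secure_delete option, which zeroes freed space, to show the difference between a platform that leaves deleted bytes in place and one that overwrites them. The table layout, sender names and message text are all constructed for the demonstration.

```python
"""Added example (not from the original article): why a deleted message is
often still inside the app's database file.

Most phone apps keep messages in SQLite databases. Deleting a row only marks
its space in the page as free; the bytes stay in the file until that space is
reused, the database is vacuumed, or secure_delete zeroes them. The table
layout, sender names and message text below are made up for this example.
"""
import os
import re
import sqlite3
import tempfile

# Constructed sample data; none of this comes from a real device.
MESSAGES = [
    ("alice", "Running late, start without me", 1700000000),
    ("bob", "Meet at the lockup at 11pm and bring the bag", 1700000060),
    ("alice", "Ok see you there", 1700000120),
]
DELETED_BODY = MESSAGES[1][1]   # the row the "user" will delete


def build_db(path, secure_delete=False):
    """Create the database, insert the rows, then delete row 2 and commit."""
    conn = sqlite3.connect(path)
    # Rollback-journal mode keeps everything in the main file once committed.
    conn.execute("PRAGMA journal_mode = DELETE")
    # secure_delete=ON makes SQLite zero freed cells; OFF (the usual default)
    # leaves the old bytes in place, which is what recovery relies on.
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute(
        "CREATE TABLE message (id INTEGER PRIMARY KEY, sender TEXT, body TEXT, ts INTEGER)"
    )
    conn.executemany("INSERT INTO message (sender, body, ts) VALUES (?, ?, ?)", MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM message WHERE id = 2")
    conn.commit()
    conn.close()


def live_bodies(path):
    """What the user (and a logical extraction through the app) can still see."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT body FROM message ORDER BY id")]
    conn.close()
    return rows


def carve_strings(path, min_len=8):
    """Ignore the schema entirely; scan the raw file bytes for printable ASCII runs."""
    with open(path, "rb") as f:
        data = f.read()
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def recover_deleted(path):
    """Message bodies present in the raw file but absent from the live table.

    Adjacent TEXT columns are stored back to back inside a record, so a carved
    run may look like 'bobMeet at the ...'; hence the substring check.
    """
    live = set(live_bodies(path))
    carved = carve_strings(path)
    return [
        body for _, body, _ in MESSAGES
        if body not in live and any(body in s for s in carved)
    ]


def demo(secure_delete=False):
    """Build, delete, carve; returns the live rows and the recovered bodies."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_db(path, secure_delete)
        return {"live": live_bodies(path), "recovered": recover_deleted(path)}
    finally:
        for p in (path, path + "-journal"):
            if os.path.exists(p):
                os.remove(p)


if __name__ == "__main__":
    for sd in (False, True):
        r = demo(secure_delete=sd)
        print("secure_delete=%s live=%s recovered=%s" % (sd, r["live"], r["recovered"]))
```

With secure_delete off, the "deleted" message is gone from the table but still sits in the file and is found by the carver; with secure_delete on, SQLite zeroes the freed cell and the carver finds nothing. A real tool does the same thing with far better parsers (it walks freed cells and write-ahead logs rather than grepping for text), but the principle is identical.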

Data analysis

The extraction tools used by investigators also feature various data visualisation capabilities. This means that otherwise innocuous data can be presented in a way that gives it evidential meaning, for example as a timeline or on a map.

Many actions taken on a mobile device are logged, timestamped, stored in the device's databases, and can be made accessible to investigators. Logs that are otherwise invisible to the user can prove to be valuable forensic material.

One example might be switching a phone to airplane mode. If an investigator analysed a phone extraction relating to a particular offence and determined that airplane mode had been turned on shortly before the offence and off again at its conclusion, that could constitute compelling circumstantial evidence.

Metadata that is tedious to read by hand, such as the location data embedded in each photo, is easily visualised by the digital forensic tools in use by investigators. In the example below you can see the geolocation of every photo taken on the extracted mobile device plotted on a map.

Source: zdnet.com

A similar approach can be used with known WiFi access points and cell tower locations.

Collectively, this data can give investigators an in-depth understanding of where a phone was and what it was doing at any particular time.

The vast number of images, videos and other material present on mobile devices can also be analysed quickly and efficiently by investigators using digital forensic tools. One such example is facial and image recognition. Extracted images can be searched by software that uses machine learning to identify particular subjects. If you have a newer iPhone, you can see a similar mechanism in play by searching your Photos app for a particular category like "food". Your device will automatically recognise which images fit that search term.

The software available to investigators, however, is trained for different categories: it aims to identify the presence of illicit substances, weapons, sexual content, and other material of interest to an investigator. It also uses powerful facial recognition to group individuals and identify particular people of interest.

Source: Oxygen Forensics

I thought Signal, WhatsApp et al. are end-to-end encrypted?

They are, and this prevents anyone who intercepts the data as it moves from one device to another from reading it. It does not protect the decrypted copy each app stores on the device itself, so it does not stop an investigator who has physical access to the unlocked device. Backups of those messages, whether to a computer or a cloud service, are a further copy, and how well they are protected depends on the app and the backup settings.

Even if you have deleted the app, deleted the relevant messages, and had disappearing messages turned on, it is still entirely possible on some devices and operating systems that those messages could be recovered from the raw data, because deleted records remain in unallocated space inside the app's database until that space is overwritten.

Is any of my information safe?

The short answer is no, not if a sophisticated forensic investigator has physical access to an unencrypted device. This refers to a device with encryption turned off, or to an encrypted device where the investigators have the passcode or some other way of unlocking it.

What should I do?

We will cover best practices for privacy and data security in another article, but if you want to keep your data secure you should keep your devices encrypted and protected by a strong passcode, and avoid doing anything that could lead to a forensic investigation of your devices in the first place.

If your device has been seized and analysed as part of an investigation and this is causing you concern, contact our office for legal advice.
