Mobile Device Forensics – A Walk on the Wireless Side of Ediscovery

Thursday, December 30, 2010 by Thought Leadership Team

The world of ediscovery is not only evolving, it is also rapidly expanding.

New forms of electronic devices and media that were once thought to be beyond the scope of discovery now find themselves in the crosshairs of litigators as mobile phones, social networking sites and MP3 devices have become integral parts of today’s business. One prime example is the increased pervasiveness of text messaging. Texting overtook phone calls as the most popular form of mobile communication two years ago, and litigators and investigators are not waiting for the case law to catch up. Beyond the highly contentious legal and ethical considerations lie unique and daunting technological challenges to the collection and accessibility of text message data.

Collection of Mobile Device Data

Three major considerations must be addressed in any mobile device data collection: process efficacy, acquisition method selection and forensic tool selection.

First, the process of data retrieval from mobile devices is critical to ensuring data integrity. Mobile phone memory cannot be write-protected, so the phone’s memory changes frequently. This can occur whenever a device receives any kind of communication, including during the data collection process itself. Thus, an effective collection process preserves the initial data and accurately accounts for any subsequent changes. To do this, a device should be isolated from the network when it is seized. This can be accomplished by turning off the device and using Faraday technology – material that blocks incoming and outgoing radio transmissions – to ensure its isolation before and during processing. Once the actual collection process begins, it is important to thoroughly document all steps taken. Also, during the collection process, forensic investigators must record comparisons in an audit trail, because the volatile nature of mobile devices means hash values calculated at one time may not match the values calculated a second time.
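As an added illustration of the audit-trail point (not code from the original article or from Kroll Ontrack), the following Python script hashes two constructed reads of a handset’s memory, records each step, and reports which blocks changed between reads; the image contents, block size and audit field names are assumptions.

```python
import hashlib
from datetime import datetime, timezone

BLOCK = 16  # bytes per compared block; a real tool would use far larger blocks

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def changed_blocks(first: bytes, second: bytes, block: int = BLOCK) -> list:
    """Return (offset, old_hash, new_hash) for every block that differs between reads."""
    diffs = []
    for off in range(0, max(len(first), len(second)), block):
        a, b = first[off:off + block], second[off:off + block]
        if a != b:
            diffs.append((off, sha256(a), sha256(b)))
    return diffs

def audit_entry(step: str, image: bytes, **extra) -> dict:
    """One audit-trail record: what was done, when, and the whole-image hash observed."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "step": step,
             "size": len(image), "sha256": sha256(image)}
    entry.update(extra)
    return entry

def build_trail(first_read: bytes, second_read: bytes) -> list:
    """Preserve the initial read's hash, then account for any change seen on re-read."""
    trail = [audit_entry("initial acquisition", first_read)]
    trail.append(audit_entry("verification read", second_read))
    diffs = changed_blocks(first_read, second_read)
    # A hash mismatch is not a failed collection; the trail explains exactly what moved.
    trail.append({"time": trail[-1]["time"], "step": "comparison",
                  "hash_match": trail[0]["sha256"] == trail[1]["sha256"],
                  "changed_blocks": diffs})
    return trail

# Constructed stand-in for two reads of the same handset memory. The second read
# differs in one 16-byte block because a message arrived between the reads.
FIRST_READ = b"SMS:0x01 hello  " + b"\x00" * 16 + b"CALL:+1555000123"
SECOND_READ = b"SMS:0x01 hello  " + b"SMS:0x02 inbound" + b"CALL:+1555000123"

if __name__ == "__main__":
    for entry in build_trail(FIRST_READ, SECOND_READ):
        print(entry)
```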

Second, selecting the proper acquisition method is extremely important because the associated costs, risks and benefits can vary significantly. The two primary methods used to collect mobile device data are logical and physical acquisition. A logical acquisition is the most common method and is conducted by querying the device’s memory using standard protocols to retrieve information. The information that can be extracted varies according to predetermined forensic software capabilities, which can also vary based on the make and model of the device. The process primarily results in the capture of active data. In contrast, a physical acquisition results in an actual copy of the device’s memory, similar to a bit-by-bit hard drive copy. This method allows greater potential for recovery – especially for deleted data – but it is significantly more complicated and has limited capabilities. Selecting the most appropriate retrieval technique demands a high level of expertise to ensure efficacy of the acquisition and protection from data corruption.

Finally, proper forensic tool selection is crucial to controlling costs. The ever-expanding myriad of mobile devices and platforms they support has spawned an equally diverse range of forensic tools. Due to the constantly changing nature of the mobile industry, few tools provide a complete solution. Investigators may be forced to use multiple tools to extract the desired data, making retrieval time and expense unpredictable. It is therefore imperative that clients consult qualified service providers and communicate their needs early to ensure the right tools are selected and expectations are met.

Accessibility of Text Message Data: SMS vs. MMS

Retrieving mobile device data in general is difficult. Retrieving text message data can present an even greater challenge because of the accessibility of various message formats. The majority of text messages come in two forms: short message service (SMS) and multimedia messaging service (MMS). A standard text message is sent using SMS, which is confined to text only and capped at 160 characters. MMS communication is different since each message can contain not only text, but also images, video and sound.

Depending on the device, SMS and MMS message data may be stored in the embedded flash memory, a removable flash memory card or the subscriber identity module (SIM) card. While most forensic tools support the extraction of active SMS message data, few support MMS messages. This necessitates manual extraction – a complex and time-consuming process – which quickly translates into higher costs. The challenges associated with MMS extraction are further compounded by its ever-increasing popularity, driven by the rapid expansion of 3G networks.

Deleted SMS and MMS messages may both be recoverable from the device’s memory. Data deleted on solid-state drive (SSD) memory (used in mobile devices) is treated much the same way as traditional hard-disk drive (HDD) memory. If not “scrubbed” or overwritten, message information may still be present. Accessing deleted information, however, can be extremely difficult because of the unique nature of mobile devices. Alternatively, service providers may store message data on their servers, but retention time is usually limited and access requires subpoenas, which are typically difficult to obtain for such a purpose. Successful recovery will ultimately depend on the message format, elapsed time, specific device, recovery technique and skill of the forensic investigator.
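To make concrete the contrast drawn above between logical and physical acquisition, and why only the latter can recover deleted but unscrubbed messages, here is an added Python model (not code from the original article or any forensic tool). The record layout, the status flag and the message bodies are constructed assumptions; a logical extraction walks the device’s index of live records, while a physical extraction copies the raw image and carves every record header it finds.

```python
import struct

MAGIC = b"MSG"          # constructed record signature
ACTIVE, DELETED = 1, 0  # constructed status flag values

def pack_record(flag: int, body: bytes) -> bytes:
    """Constructed layout: 3-byte magic, 1-byte flag, 2-byte length, body."""
    return MAGIC + struct.pack(">BH", flag, len(body)) + body

def build_memory() -> tuple:
    """Return (image, index): flash contents plus the table of live record offsets."""
    recs = [(ACTIVE, b"meet at 9"), (DELETED, b"old draft"),
            (ACTIVE, b"call me"), (DELETED, b"\x00" * 8)]  # last one was scrubbed
    image, index, off = b"", [], 0
    for flag, body in recs:
        blob = pack_record(flag, body)
        if flag == ACTIVE:
            index.append(off)   # the handset only indexes active messages
        image += blob
        off += len(blob)
    return image, index

def logical_acquisition(image: bytes, index: list) -> list:
    """Protocol-style query: follow the index, so only active bodies come back."""
    out = []
    for off in index:
        _flag, length = struct.unpack(">BH", image[off + 3:off + 6])
        out.append(image[off + 6:off + 6 + length])
    return out

def physical_acquisition(image: bytes) -> list:
    """Bit-for-bit copy, then carve every record header, deleted ones included."""
    found, pos = [], image.find(MAGIC)
    while pos != -1:
        flag, length = struct.unpack(">BH", image[pos + 3:pos + 6])
        found.append((flag, image[pos + 6:pos + 6 + length]))
        pos = image.find(MAGIC, pos + 6 + length)
    return found

def recoverable_deleted(carved: list) -> list:
    """Deleted records whose content survived, i.e. were not overwritten with zeros."""
    return [body for flag, body in carved if flag == DELETED and body.strip(b"\x00")]

if __name__ == "__main__":
    image, index = build_memory()
    print("logical :", logical_acquisition(image, index))
    print("deleted :", recoverable_deleted(physical_acquisition(image)))
```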

New Challenges

The trend is clearly moving toward lower retention times for personal communications as security and privacy concerns are driven to the forefront amid high-profile exposés illustrating the damage text messages can cause. The casual nature of text messaging has traditionally fostered a more candid environment than found in other forms of written communication, and until recently most people have failed to appreciate the serious implications this can create. Running parallel to these concerns is a rapidly changing mobile landscape. The rise of “smart phones” and broadband mobile networks has allowed service providers and entrepreneurs to create unique solutions that are fundamentally changing the technical aspects of text messaging.

The latest development, TigerText, is an application that allows users to determine when their messages will expire. TigerText messages are not physically stored on the device’s memory, but instead reside on the company’s servers and are accessed remotely. Collecting messages sent using TigerText would likely require a subpoena of their servers. Although TigerText’s official privacy policy states it cannot guarantee all message data will be cleared, the affirmative efforts to delete the information coupled with the hurdles of acquiring subpoenas for such third party servers present serious challenges to the discoverability of text message data in the future.

Conclusion

Mobile device data retrieval is a unique segment of investigations and ediscovery that is becoming more prevalent in litigation. Recognizing that the nature of these devices differs significantly from that of traditional media is the key to developing adequate policies and conducting collection appropriately in the event of litigation. Effectively addressing mobile devices requires specialized skills and knowledge that are often beyond the capabilities of in-house resources. To ensure the efficacy of mobile device data collection, corporations and litigators should always consult qualified and experienced investigators.

Special thanks to Brian Rydstrom, Senior Computer Forensics Engineer at Kroll Ontrack. Mr. Rydstrom is an expert on mobile device forensics with extensive training and experience using the most cutting-edge tools available.