Written by Lee Reiber, Vice President, Mobile Solutions, AccessData.
Not long ago, mobile device forensics was a relatively straightforward process. Contact lists, SMS messages and call logs were obtained and examined for evidence using specialized forensics technology. But with the blistering rate of advances in mobile technology, the explosion of mobile data and devices, and all the ways in which they are used today—for working, engaging in social media, taking photos, making videos, conducting financial transactions and more—times have drastically changed. In addition, the digital world has become a breeding ground for new types of crimes, such as cyber stalking, cyber bullying, hacking and other offenses. Most mobile device forensics solutions simply cannot keep up.
What’s needed is a radically new approach to mobile device forensics: one that’s adaptive, intuitive and capable of supporting just about any mobile device on the market, as well as multiple operating systems and data types. The solution also must integrate with other forensics tools and address e-discovery requirements.
The Five Key Challenges to Mobile Forensics
Law enforcement agencies and enterprises are struggling with too many devices, too many mobile apps, and too many data types. Mobile applications are updated at blinding speeds, and mobile operating systems are continually refreshed. Compounding all this complexity is the massive amount of data that’s accruing, and the increase in malware. All these add up to five critical challenges confronting the field of mobile forensics today.
The Increase in Mobile Devices
There were 1.8 billion mobile phones sold worldwide in 2013, according to mobiThinking, which compiles mobile statistics from multiple research firms including Gartner and IDC. More than half were smartphones; IDC estimates there were about 1 billion smartphones sold in 2013. It’s estimated there are as many mobile-cellular subscriptions as there are people living on earth today, according to the International Telecommunications Union (ITU). That means there are more than 7 billion subscriptions, some with more than one device!
At first glance, those figures are mind-boggling. Add in the fact that the ratio of subscriptions to people isn’t one to one, and things get even more overwhelming. According to the Cisco VNI Global IP Traffic Forecast, 2012-2017, by 2017 there will be 2.5 devices/connections for every person on earth, and 5 devices/connections for every Internet user. These multi-device, multi-subscription scenarios complicate mobile device forensics. Investigators are likely to find themselves analyzing data from more than one cellular phone, tablet, GPS device and other mobile media due to hit the shelves soon, not just per case but also per person. There are also competing mobile operating systems, although the two most popular are iOS and Android. Couple those complexities with the numerous hardware systems from the likes of Motorola, Acer and HTC and the permutations become overwhelming when conducting an investigation.
Rapidly Changing Technology
As of mid-2013, there were more than 900 million different Android devices in use, and there were, on average, 1.5 million Android devices activated daily. During that same period, about 2.5 billion apps were downloaded from Google Play each month. In May 2013, Apple had passed its 50 billionth (with a “B”) download from its App Store. By March 2014, Apple had sold its 500 millionth iOS device. All of those devices are running various versions of the iOS operating system. While Apple reported in April 2014 that 87 percent of all iOS devices are now running iOS 7, Apple came out with 7 minor updates and in March 2014 delivered a major update, iOS 7.1. Apple has since delivered two minor updates to fix a few bugs, and iOS 8 isn’t too far off. The Android OS has gone through similar rapid updates. Device investigators and examiners also have to keep up with new limited-feature phones, and disposable, sometimes counterfeit “knock-off” devices.
Mobile technology is progressing at such a rapid rate that it’s difficult for mobile forensic solutions to keep up. Most forensics tools require regular updates so they can keep pace with the latest and greatest mobile technologies, but those updates frequently fall behind. Add to that the learning curve with successive updates, and busy investigative agencies face yet another bottleneck.
The Increase in Application Usage
According to digitalbuzzblog, half of mobile phone users use their mobile devices as their primary Internet source, and 80 percent of their time is spent inside mobile apps. A large majority—80 percent—of consumers plan to conduct mobile commerce in the next year, digitalbuzzblog says.
There are other equally weighty stats to consider. More than 800,000 applications are available from the Apple store, and just as many are available from the Google Play Store. According to mobiThinking, analyst estimates for downloads of mobile apps in 2013 range from 56 to 82 billion. In 2017, there could be 200 billion downloads, the company says.
Social media usage on mobile devices is exploding. There are 802 million daily, active Facebook users on average and 609 million mobile daily, active Facebook users on average. On a typical day, people send out more than 500 million tweets — averaging 5,700 tweets per second. More than 20 billion photos have been shared on Instagram, and on average there are 60 million Instagram photos posted per day.
The result? Data living in social applications has become critically important as the number of criminal investigations involving data collected from these applications is rising significantly.
The Increase in Data
It’s called Big Data, and it’s everywhere: on enterprise servers, in applications and of course, on mobile devices. It’s estimated that by 2017, 50 percent of all IP traffic will be generated from non-PCs, and traffic from wireless and mobile devices will exceed traffic from wired devices by 2016. With the amount of digital evidence growing from gigabytes to terabytes in many cases, data analytics and data visualization become even more crucial in understanding evidence. But research shows that only 5 to 10 percent of the entire corpus of user data is examined by typical mobile device forensics tools. This leaves as much as 95 percent of application data uncollected, and therefore unanalyzed.
Investigators need to be able to separate relevant data from the inconsequential, and then easily understand and explain the differences to themselves, colleagues, barristers/attorneys and jurors. However, most mobile forensic tools on the market today are still inept at properly parsing and displaying all the different data that might be available on a mobile device.
The Increase in Mobile Malware
A recent release from Russian information technology (IT) security firm Kaspersky Lab says nearly 100,000 new malicious programs for mobile devices were detected in 2013, which is more than double the 2012 figure of 40,059 samples. As of January 1, 2014, Kaspersky Lab has collected 143,211 mobile malware samples. The report also found that the majority of mobile malware in 2013 was used to gain access to consumers’ money, and the number of mobile malware modifications designed for phishing, stealing bank card information and money from bank accounts increased by a factor of almost 20.
There’s no question, mobility has upended and drastically altered nearly every aspect of our day-to-day lives. It definitely has complicated mobile device forensics. Considering that a crime can now be facilitated entirely by targeting a mobile device, it is imperative that law enforcement be able to quickly adapt to the ever-evolving world of mobility and mobile device forensics.
The rising tide of mobile malware is forcing forensics examiners to understand how to recognize and analyze it together with other evidence. At a minimum, mobile malware can introduce a delay in the investigation; at worst, it can harm the integrity of evidence presented in a court of law. Consequently, this can result in dismissal of charges or even the dismissal of the entire civil/criminal case.
Mobile device forensics has become an increasingly complex and difficult process, mainly because the tools available to examiners and investigators have not kept pace with all the mobile technology advances, the mobile malware, and the ever-growing numbers of mobile data and devices and all the ways in which they are used today: surfing the Internet, playing games, taking photos, tweeting, texting and more. Moreover, mobility has spawned new types of crimes, such as cyber stalking, cyber bullying, hacking and other offenses.
Law enforcement agencies and enterprises are struggling with these rapid-fire changes, all of which are threatening the efficacy of criminal and civilian investigations. To solve this problem, they need to put a plan in place that supports almost any mobile device, operating system and data type, and that allows them to quickly and effectively collect, identify and uncover the key data, often the data needed to crack the case.
About the Author
Lee Reiber is the Vice President of Mobile Forensic Solutions in charge of overseeing all mobile forensic activities for the AccessData mobile forensic line. Shortly after joining the company in 2009, Lee refocused AccessData’s mobile forensics software and re-engineered the mobile phone tool Mobile Phone Examiner (MPE) to what is now Mobile Phone Examiner Plus (MPE+). Since then, MPE+ has grown to be an essential tool used by many law enforcement and government agencies, eDiscovery firms and private corporations. Lee’s extensive experience and knowledge of the mobile forensic industry continue to be the key to MPE+ technology advancements. Prior to joining AccessData, Lee was the CEO and owner of one of the most prominent mobile phone training companies in the United States, Mobile Forensics Inc. (MFI). The MFI training curriculum was adopted by AccessData’s training group in 2009 and is one of the most comprehensive mobile device forensics training curricula available today. Prior to MFI, Lee worked for the Boise Police Department where he specialized in the extraction, recovery, methodology and investigation of mobile devices. Lee frequently contributes to Law Officer Magazine as a writer dealing with electronic data discovery from mobile devices and cellular phone carriers. He also conducts presentations on various mobile device forensic topics at conferences around the world. Lee is an active member of IACIS, HTCC and HTCIA.