By: Lee Reiber, Vice President of Mobile Forensic Solutions at AccessData
Today’s world is becoming more mobile every day: 91% of all people own a mobile device and 56% own some type of smart device. It is no surprise that there are now more mobile devices on earth than there are people. Equally impressive is that the data we consume is increasingly consumed on mobile devices; according to Pew Research, 55% of all internet traffic in the United States now comes from mobile devices, a first for overall internet traffic.
Mobile data is not just a part of the Big Data world; it is one of its largest contributors. Mobile device data, particularly from smart devices, will contribute approximately 8 zettabytes of data by 2015. To put a zettabyte in perspective, think of 250 billion DVDs containing around 36 million years of HD video; the total would equal approximately 1 zettabyte.
With these statistics in mind, it makes sense that every digital investigation scenario will contain data from mobile devices, so collecting and analyzing mobile data is not only vital but paramount to solving today’s crimes. Mobile device data, combined with data from other big data repositories such as hard drives, network shares, and offline servers, paints a much better picture than relying on a single source.
So, what types of mobile device data are most important to investigations? The answer is quite simple: everything! This ranges from the standard SMS, MMS, contacts, and call logs, to the richer data involving posting, sharing, commenting, chatting, bashing, liking, favoriting, tweeting, and browsing in social media, to the locating, logging, and storing of files by applications. Factor in that all of this data is stored on the device, not on a network server, with your mobile provider, or with your company. Then add the fact that most of today’s communication occurs outside normal SMS/MMS, via messaging applications, and you realize that a mobile forensic solution that can effectively uncover this important data is now a necessity.
A perfect example of this happened recently when I spoke to a group of over 200 forensic examiners. I simply asked them to raise their hands if they had examined a mobile device for an investigation. Immediately hands shot up from over 80% of the attendees. I asked them to keep their hands up if, during the last examination of a mobile device, they had looked at any application data from third-party applications on the smart device. Only 5 hands remained up. That is less than 3% of the attendees, which is typical, if not a little high, for the educational seminars I conduct. Mobile device hardware, operating systems, and applications are advancing at a pace never seen before. Should not our investigative tools and priorities advance as well?
The ability to search and recover mobile data from applications on smart devices is difficult and often limited with current mobile solutions. Research shows that only 5 to 10% of the entire user data area is examined by typical mobile forensics tools. This leaves 95% of application data unanalyzed, and often uncollected. The net result is that most examiners have minimal insight into mobile application data because of a lack of support in their current tool, a lack of time, and a lack of training.
Current software tools simply extract contacts, SMS/MMS, call logs, media, and possibly email. Some go as far as capturing URLs, browser data, Wi-Fi information, and some application data. As for analyzing applications, most solutions parse only select applications, limiting examiners to evidence from about 0.002% of all applications available. In other words, the average forensic tool supports about 30 applications out of a total of 1.6 million iOS and Android apps. For those 30 applications, the forensic solution is at the mercy of the developers’ upgrades, schema changes, and table changes: after an application update, the application is no longer supported by the forensic tool until further technical development is done. AccessData’s Mobile Phone Examiner Plus™ (MPE+) breaks this mold by allowing the parsing, extraction, and reporting of any and all mobile applications. MPE+’s SQLBuilder™ (Figure 1) allows examiners to parse the data of any application that stores it in a SQLite database. If the data is held in a JSON string, MPE+ lets you customize scripts with the pythonScripter™ (Figure 2), a feature that helps you build Python scripts easily and without any scripting experience. If the application’s files are new and unknown, examiners can build their own script to extract and analyze the application data. In today’s big data world, customizable user features are very important because they let the user mold the analysis to the task, rather than letting the software dictate how and what they extract and analyze.
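The approach described above, walking an application's SQLite store without a per-app parser and decoding JSON held in text columns, as an added example that is not MPE+ code or AccessData's. The database schema, table names, and values are constructed for this example and do not belong to any real application.

```python
import json
import sqlite3

# Constructed sample: a hypothetical third-party messaging app's SQLite store.
# The app keeps some fields as JSON strings inside ordinary TEXT columns.
SAMPLE_SQL = """
CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT, ts INTEGER, meta TEXT);
CREATE TABLE contacts (cid INTEGER PRIMARY KEY, display_name TEXT, profile TEXT);
INSERT INTO messages VALUES (1, 'alice', 'meet at 9', 1420070400,
    '{"location": {"lat": 45.5, "lon": -122.6}, "read": true}');
INSERT INTO messages VALUES (2, 'bob', 'ok', 1420070460, NULL);
INSERT INTO contacts VALUES (7, 'Alice', '{"phone": "+15550100", "handles": ["alice"]}');
"""

def open_sample_db():
    """Build the constructed sample database in memory (stands in for a file pulled from a device)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn

def maybe_json(value):
    """Decode a text cell that holds a JSON object or array; leave every other value untouched."""
    if isinstance(value, str) and value[:1] in "{[":
        try:
            return json.loads(value)
        except ValueError:
            pass  # looked like JSON but was not; keep the raw string as evidence
    return value

def dump_app_database(conn):
    """Enumerate every user table via sqlite_master instead of hard-coding a schema,
    so tables or columns added by an app update are still collected.
    Returns {table_name: [row dict, ...]} with JSON-bearing cells decoded."""
    conn.row_factory = sqlite3.Row
    tables = [r["name"] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    result = {}
    for table in tables:
        quoted = '"' + table.replace('"', '""') + '"'  # table name comes from the db, so quote it
        rows = conn.execute("SELECT * FROM " + quoted).fetchall()
        result[table] = [{k: maybe_json(row[k]) for k in row.keys()} for row in rows]
    return result

if __name__ == "__main__":
    for table, rows in dump_app_database(open_sample_db()).items():
        print(table, json.dumps(rows, indent=1))
```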
Understanding that we live in a big data world, and realizing that mobile forensic examinations now contain data in many different forms and formats, will ultimately lead to investigative success. Data can arrive as physical image files, flat binary files, individual files or folders, and proprietary forensic tool formats. With this in mind, AccessData’s MPE+ allows the import of these many different images. MPE+ automatically recognizes the various formats, i.e. iOS and Android file systems, and quickly allows the critical user data to be extracted. Not only does MPE+ automatically parse the standard user profiles, it also allows a deep analysis of the application data contained in the mobile device file system. Because mobile device data is just one piece of the big data pie, any image can be included in the overall digital case while using AccessData’s MPE+. This digital case can then be opened in AccessData’s Forensic Toolkit® (FTK®) if additional digital data images, such as computer hard drives, server data, RAM fragments, flash drives, or any other digital data source, need to be included. This allows all of the AccessData tools to work together to harvest the relationships and paint the collective picture of ALL the relevant data within a case. Being prepared for the collection and analysis of mobile device data is the first step to gaining a clearer picture of today’s data. In today’s Big Data world, AccessData’s MPE+ not only helps you obtain data other solutions miss, it also empowers your investigation with “industry first” advanced analysis capabilities no other mobile forensic tool offers.