Mobile Forensics - What should companies be doing?

08 May 2013 by Adrienn Toth

Mobile Forensics

Anyone who’s tempted by the ‘There’s an app for that’ message from Apple eventually succumbs to the lure of an iPad® or iPhone®, believing (usually correctly) that their home and work lives will be transformed forever. But as the newer versions of Apple’s ubiquitous devices continue to take the personal and business worlds by storm, it becomes increasingly important to understand the unique way in which they retain and share information. Companies need to be aware of the security risks they present and to keep in mind the evidence trails they create. According to the Kroll Fraud Report, information theft is one of the most widespread categories of fraud currently facing companies, and it’s not just customer data being stolen but also internal strategic company data and internal financial plans or data.

What information can you get off these devices?

Most mobile devices use technology similar to that used on a personal computer. As a result, nearly any kind of file or program that can be saved and run on a computer can also be saved and run on a mobile device. iPhones and iPads (and more generally, devices that use Apple's iOS operating system) are capable of being forensically analysed. Exactly what you can get out of them varies depending on the particular version of iOS, how the device is set up with regard to encryption, and other factors. There are, however, specific technical approaches and forensic protocols applicable to the iOS (and Android and Windows Mobile) environments, and companies like ours have made investments in the specific hardware and software needed to keep up with the evolution of these operating environments.

The challenges presented by mobile forensics

The iPad features solid-state device (SSD) memory and, similar to the iPhone, manages data within SQL database files. This storage process makes it difficult to forensically retrieve deleted information from an iPad, because the data is essentially locked down, requiring forensic investigators to gain access to raw data in order to retrieve the deleted information.  For the iPhone and iPad, tools to carry out this process have only recently become available to forensic investigators. The majority of commercially available forensic tools for the iPhone and iPad perform a backup of selected data contained on the device. This results in the partial extraction of user data, but does not allow forensic investigators to recover the majority of the deleted data.  Forensic tools that do allow for the recovery of deleted data have only recently appeared on the market.
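The gap between a logical (backup-style) view and the raw data described above can be reproduced on a desktop; the following is an added example, not part of the original article. It assumes the "SQL database files" are SQLite stores (the format iOS apps use), uses a hypothetical `message` table with constructed sample text, and goes one step beyond the text by also showing SQLite's `secure_delete` setting, which removes the residue.

```python
import os
import sqlite3
import tempfile

# Constructed sample message text (not real evidence data).
MARKER = b"CONSTRUCTED-SAMPLE: meet at dock 7"


def build_and_delete(path, secure_delete):
    """Create a small message store, delete one row, return what a query sees."""
    con = sqlite3.connect(path)
    # The build default for secure_delete varies by platform, so set it explicitly.
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    # Hypothetical schema, for illustration only.
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany(
        "INSERT INTO message (body) VALUES (?)",
        [("lunch at noon?",), (MARKER.decode(),), ("running late",)],
    )
    con.commit()
    con.execute("DELETE FROM message WHERE body = ?", (MARKER.decode(),))
    con.commit()
    rows = [r[0] for r in con.execute("SELECT body FROM message ORDER BY id")]
    con.close()
    return rows


def compare_views(secure_delete):
    """Return (logical_hit, raw_hit) for the deleted row.

    logical_hit: the row is visible through SQL, as a backup-style extraction sees it.
    raw_hit: the row's bytes are still present in the database file itself.
    """
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "sample.db")
        rows = build_and_delete(path, secure_delete)
        logical_hit = MARKER.decode() in rows
        with open(path, "rb") as fh:
            raw_hit = MARKER in fh.read()
    return logical_hit, raw_hit


if __name__ == "__main__":
    for mode in (False, True):
        logical, raw = compare_views(mode)
        print("secure_delete=%s logical=%s raw=%s" % (mode, logical, raw))
```

With `secure_delete` off, the deleted text is invisible to queries but still sits in the file's freed space until it is overwritten, which is why recovery needs the raw data rather than a logical export.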

Of the many “apps” these devices run, some are harmless, fun and useful, and others are poised to turn traditional forensic investigation on its head. For example, Dropbox® allows users to upload files into the Dropbox app from their mobile device. From there, the app automatically copies the files onto the user’s online Dropbox account, which is accessible from any device with internet access, anywhere in the world. In the corporate world, individuals could use this technology to capture and transfer confidential information. Even if the activity is suspected and the device can be seized for forensic examination, data transfer methods like Dropbox are often easily overlooked, with investigators turning instead to email and the use of removable media. Furthermore, iPads are equipped with the same remote wipe function found on the iPhone. If a seized device is not properly isolated from its network, this highly effective function allows users to send their device a command to permanently erase its contents – stopping any forensic investigation in its tracks.

And all of the signs are that Apple will continue to improve the safety and security aspects of the iPad as it competes for market share with other vendors such as Samsung. Mobile forensics experts are already anticipating new challenges from the introduction of next-generation devices and iOS 6.

What should companies be doing?

Powerful tools such as the iPad emphasise the need for companies to fully understand the capabilities of the technology they choose to implement. If misconduct is suspected within a company (whether that be the theft of information or the involvement of employees in fraud, anti-competitive behaviour or corruption), it is important to determine quickly whether the subject of the investigation is using a tablet or smartphone device such as an iPad or iPhone. If so, and the company has the ability to seize or access the device, it should be handled by an expert in mobile forensics. These devices provide additional ways in which individuals can take proprietary information with little to no trace left behind, and also new evidence trails that forensic experts can tap into to work out what has been going on. As the usage of iPads in the BYOD corporate environment continues to grow, they will continue to present challenges to information security and opportunities to forensic investigators that companies cannot ignore.