Getting forensics data off smartphones, tablets can be tough, experts say

Trying to get computer forensics data out of mobile smartphones and tablets in order to conduct investigations is hard -- often much harder than on PCs, laptops or Macs -- and experts say that forensics tools need to improve.

"The investigation tools for mobile are not at the same level of granularity you can get on tools for desktops," says David Nardoni, director of mobile-device investigations at consultancy PricewaterhouseCoopers. Other experts agree, and also note that the BYOD trend only adds to the problem.


Forensics experts say they want to do both "physical" and "logical" acquisition of data. This means grabbing operating system files, device memory and other technical information, plus personal email or documents or phone data. They typically need a PIN code to access the device. But the state of the art in computer forensics tools and the proliferation of mobile devices both make this hard. And unlike with Windows-based computers, for example, you can't just take out the hard drive, they note.

There are mobile-device forensics tools out there, such as UFED from Cellebrite, the Katana Forensics tool Lantern, Blacklight Forensics Software, Paraben's Device Seizure, and Micro Systemation's XRY. But none of them covers every make and model of Google Android, Apple iOS or other mobile device, says Darren Hayes, a professor at Pace University who teaches computer forensics courses.

It's all a bit hit-and-miss, and Hayes estimates that less than 40% of the smartphone models out there today can be imaged. The way that Android manufacturers have fragmented that operating system is a factor, and on the Apple iOS side, the security is proving so effective that bypassing the PIN is a challenge for investigators, he notes.

This comes at a time when both corporate examiners who conduct this forensics work, as well as law enforcement, have greater need than ever to get accurate, complete images off mobile devices as part of an investigation that will hold up under legal scrutiny.

Hayes notes that law enforcement officials are known to be meeting with Apple and manufacturers of Android mobile devices to talk about the issues. So far there's been little indication of any answers, he says.

Andrew Hoog, co-founder and chief investigative officer at Chicago-based startup viaForensics, which specializes in mobile-device forensics services, agrees that the fragmentation of the Android operating system -- there are now well over 800 Android devices without the same OS -- contributes to the forensics problem. Android is generally easier to break into than Apple iOS, though, he adds.

Jailbroken Apple iOS devices are easier to do forensics on than ones not jailbroken, he notes, but points out that Apple's iOS 6 is now presenting "a big barrier" because Apple's security has so far been quite good, and viaForensics, which has a tool called Extract, hasn't broken through the passcode control and the encryption. "We cracked Android encryption," he adds.

The Department of Homeland Security has recognized that there are insufficient tools for mobile-device forensics, and viaForensics picked up some funding toward that. The startup has open-sourced some technology and commercial products are coming out, such as a planned agent software for Android that could be used as a forensics tool.

Hoog says he's involved in several cases with businesses trying to get into mobile devices to find out about possible data theft, for example. The BYOD trend, in which employees use their own mobile devices at work, is really complicating forensics work, he emphasizes. "You don't have ownership of that device," he says, and by allowing BYOD, the business may have "lost control. And you can't just grab control -- you need policies that include security and auditing of the device."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email:
