How IT Can Prepare for Mobile Forensic Investigations

This is especially true of organizations subject to compliance with regulations like PCI-DSS or HIPAA, but any organization could find itself in trouble if it can't get its hands on emails and SMS messages during an ediscovery process.

"If a company faces litigation or some other incident, do they have the capabilities to get the answers that these devices potentially hold inside them, whether through insourcing or outsourcing? That preparation is often an afterthought," says David Nardoni, director of mobile device investigations with PricewaterhouseCoopers. "It has to be part of the implementation of your mobile policy."


"Mobile devices really are a whole different world for investigations," he adds. "You could have guys that just spend all their time keeping up with the nuances of mobile devices, just like you have specialists in PCs that focus on network intrusions, etc."

Your Policy Needs to Give You the Right to Examine Employee Devices

Nardoni notes first and foremost that organizations should include a stipulation in their mobile policy that gives the security organization the right to examine an employee's mobile device whether the device is corporate-owned or brought from home.

"Companies need to ensure they have the right authority to be able to examine any device that is brought into their environment," he says. "People are using these devices in a different way than they use their PC. They consider these devices much more personal. Even if it's a corporate-owned device, they still communicate in much more intimate ways than they would if they were on a computer."

Embrace BYOD But Still Limit Authorized Devices

Mobile forensics presents many challenges beyond privacy considerations. The sheer number of devices and mobile operating systems is another key difficulty. There are now more than 800 Android devices alone, running many versions of the operating system. Forensic tools that work on one device or operating system may not work on another. Worse, the tools may be incompatible with new versions of devices or operating systems.


"When it comes to mobile devices, we are constantly trying to get a hold of devices as soon as possible to take a look at what's changed," Nardoni says. "We tell our customers: Before adopting the latest and greatest, make sure that your process and approach is going to be able to adhere to any device you want to use."

Speaking in a broader context about BYOD, Brian Katz, head of mobility engineering at pharmaceutical firm Sanofi, says it is important that organizations pick and choose which devices they will support in their corporate environments, even if they allow BYOD.

"You don't need a BYOD strategy," Katz says while speaking at CITE Forum in New York last week. "Anybody who says you do is trying to sell you something. BYOD is who owns the device. What you care about is what they do with the device regardless of who owns it. I'm a big proponent of managed BYOD. You don't say 'bring whatever you want.' Based upon the controls built into the device, you get certain levels of access. We don't look at LG because LG doesn't have security controls that we can manage."


Speaking at the same event, Steve Damadeo, IT operations manager at industrial control and automation firm Festo, agrees.

"You need to be selective about what you do allow," he says. "We block all Android devices for now because of some of the security concerns that have come up and ease of management."

Train Your IT Teams in the Tools

New security features are often the biggest problem for mobile forensic investigators, Nardoni says. A new version of a device or operating system may fully encrypt the disk, prevent investigators from bypassing a passcode or even stop them from imaging the device completely. Vendors of mobile forensics tools continue to make progress on all these fronts, Nardoni says, but they are still far from the sophistication and granularity offered by PC forensics tools.

Most tools these days can handle logical acquisition of data (resident email, contacts, etc.) from the device, but physical extraction of artifacts such as deleted SMS messages and the underlying files and folders is often trickier. Even tools that are capable of physical extraction tend to be specialized for a particular task.

"It's not a one tool fits all solution," Nardoni says. "It's really important to focus on which tool is going to give you the most complete picture of what you're trying to investigate. Maybe this one will pull the email, this one will pull the contacts and SMS and this one will pull the Internet history."

To deal with this plethora of tools and technologies, Nardoni says you must ensure that your security teams are trained in their use before they need to deploy them.

"The CISOs and CIOs and directors of security should be focused on talking with their teams and getting them trained on the various tools out there and what evidence can be retrieved from these devices," he says. "Try to standardize on a certain set of devices. Make sure your teams have adequate tools and training to investigate these devices. Even more importantly, make sure you have the proper policies in place from legal to allow them to investigate these devices."

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for Follow Thor on Twitter @ThorOlavsrud. Follow everything from on Twitter @CIOonline and on Facebook. Email Thor at
