Achieving advanced smartphone and mobile
device forensics is a time-consuming, complex
process for many. Simply looking at a raw Hex
dump which displays the contents of a digital file
in Hexadecimal code is not enough. Investigators
must know how to manually convert everything
to a readable format through data decoding. They
need to know how each file system stores data and
how to decode it into a readable format. For investigators who are unfamiliar with a particular device,
research and development via reverse engineering
may be necessary to determine where data is stored
on that device’s file system. This process is costly
and time-consuming. Fortunately, training courses
exist that educate investigators on where to look
for data, how to verify data, and how to take raw
binary data and change it into a readable format.
The Importance of Forensic Analysis
The mobile device industry is evolving very quickly.
To stay current on the latest devices and the proper
techniques for acquiring and analyzing data, smartphone and mobile device forensic analysis training
courses are becoming more and more necessary.
These courses aren’t limited to law enforcement
either. Courses are available for those who work
in IT and believe corporate information may have
been compromised by an employee or those proactively looking to secure a device.
There are many training courses currently available. For example, most vendors offer vendor-specific courses for their toolkits. While these
courses are valuable, they are limited as attend-ees only learn how the vendor’s toolkit works.
Vendor-neutral training courses, however, teach
digital forensic examiners, law enforcement offi-
cers, and information security professionals how
to conduct smartphone forensic analysis using the
best tools for the device. Smartphone forensic tool
vendors often support the same devices, but the
underlying capabilities for each drastically differ.
Knowing which tool is currently the best one for
the smartphone in an investigation will aid in the
entire forensic process. Vendor-neutral forensic
analysis training courses provide the necessary
insight to deal with all of these variations.
When considering training courses, advanced
investigators should look for those that offer deep
dive analysis rather than push button forensics;
which is simply pushing a button and getting all the
answers. While push button forensics can get some
of the data, deep dive analysis is necessary to recover
data that a tool misses. These courses will show how
to handle the data that is missed by the tools and
provide detailed instruction on data validation,
which is required in any investigation. Otherwise,
without knowing how to handle the data, the data
is non-sensible (i.e. virtually useless). Data must
be understandable for it to add value to an investigation. Deep dive analysis training courses will
provide the necessary insight to leverage all data
that is available on a smartphone.
Too often smartphone devices are overlooked as
investigators focus solely on computer hard drives.
It is important to remember the smartphone might
actually be the key to an entire investigation for
those who know where to look. As the mobile
device market continues to grow and evolve, an investigator’s task of uncovering evidence will be that
much harder. Staying current through education
and hands-on training courses will enable digital
forensic examiners, law enforcement officers, and
information security professionals to handle investigations involving even the most complex smartphones available with the confidence of knowing
no data was left behind.
Heather Mahalik is a senior digital forensics analyst
at Basis Technology and a certified instructor for the
SANS Institute. Heather has worked in digital forensics for over ten years and has performed thousands of
forensic acquisitions and examinations on hard drives,
e-mail and file servers, mobile devices, and portable
Want to learn more? Heather will be presenting
Advanced Smartphone and Mobile Device
Forensics at SANS Security West 2014 in San
Diego, CA May 10-15, 2014. For more information visit www.sans.org/info/151150.
To stay current on the latest
devices and the proper techniques
for acquiring and analyzing data,
smartphone and mobile device
forensic analysis training courses are
becoming more and more necessary.