Obtaining Evidence: Smartphones, PCs and Tablets, Third Parties, Flash Drives and External Hard Drives, Cloud Storage
Types of electronics we can obtain information from & their use in criminal activates
In addition to social media there are many other avenues to obtain information such as computers, tablets, mobile phones, cloud storage, hard drives, and flash drives. These electronic devices have a wealth of information stored in them that can be used as digital evidence in criminal cases, civil cases and more.
Many criminals use their electronic devices to commit criminal activities such as computer fraud, child abuse, pornography, gang activity, financial fraud and counterfeiting, threats and harassment, identity theft and more.
Problems preventing us from obtaining information – What can’t we do
Reconfigured devices – digital evidence on mobile devices can be lost completely due to remote destruction commands received over wireless network to prevent communication
Signal jamming systems – prevent mobile devices from communicating with a network (this type of equipment is illegal in some jurisdiction).
Encrypted information – Investigative limitations are primarily due to encryption that requires decoding before data can be accessed.
When data is encrypted you are enable to view or change it unless you have the code. Which can be obtained either by approval of the device or a court order. Once we receive the code there are several private companies including ours that break the encryption.
New operating systems – Apple’s mobile operating system from iOS8 and on is designed and built in a way that Apple no longer has the ability to extract data even if presented with a court order. In addition to increasing the default passcode requirement from four digits to six digits making it even more difficult to obtain information Apple cannot bypass the IPhone’s passcode making the data inaccessible. Google followed suit and creating operating systems that it could no longer access.
Solutions – What type of information can we obtain & how it is done
Type of information that can be obtained: documents, photos, image files, emails, web browser, history, chat logs, event logs, transactions, account data, financial and asset, medical records, passwords, electronic signature and data from external devices associated with one’s computer.
Mobile phones have even more evidence such as call logs, text massages, calendars, memos, address book, passwords as well as access to the different social media apps. Additionally, photos taken on a device with GPS can provide exactly when and where the photo was taken.
Different technologies available to obtain data
Internet Evidence finder (IEF) – is a software application that can search a hard drive or files for internet related items, this is a data recovery tool.
Facebook JPG finder – is a tool that searches a selected folder for possible Facebook JPG images and is able to indicate which Facebook user the photo came from, by running several filters on the same file name which contains the Facebook user/profile ID.
CacheBack – is a leading forensic tool specializing in browser cache, history and chat discovery for generating compelling visual reports, criminal activity, and timelines.
XRY 5.0 – is a mobile device forensic system used on any window operating system to recover data from thousands of different mobiles and even deleted data and generates reports within minutes.
Solution systems that we use in our cases
Prianha – is a 2G, 3G, and 4G IMSI catcher that automatically captures mobile phone identifiers and can manipulate them to create the basis for smart intelligence and analysis. This system is able to take control over many of the mobile device’s features such as extracting GPS location from anywhere in the world, blocking communications and more.
UFED – is a PC application that is able to extract data from mobile devices such as phonebook contents, SMS massages, call logs, images, video and audio, the application then analyses the information and generates a comprehensive evidence report.
Data on mobile phones can often be found on linked desktop computers, when the device is synchronized with a desktop computer the data is stored in backup files indefinitely even if the items have been erased from the mobile device. Transferring data to a cloud based service for long term storage can also assist with obtaining the data even if its no longer available on the mobile device itself.
An electronic device that belongs to a company used by an individual employee may grant us permission to view and obtain all the content on the device without a court order.
Using Apps on Your Client’s Smartphone to Collect Evidence
Type of apps used to attain information
There is a wealth of information that can be obtained from applications installed on mobile devices that hold forensically relevant evidence available for investigators.
Types of apps we can obtain information from: WhatsApp, Facebook, LinkedIn, Google maps, Waze, Snapchat, Twitter, Instagram, Text Plus and many more.
Social media posts or photos may be stored on a third party site. For instance, Instagram and Twitter have many third party sites that mirror their content and may preserve that content even after the user has changed their privacy settings on the original site.
GPS enabled devices may also contain past locations, maps, waypoints, planned destinations and routs taken.
Problems obtaining the information
Facebook provides a feature that permitting users to encrypt massages on its platform, which may no longer be available to use in criminal proceedings like in the past.
WhatsApp, which is owned by Facebook and has more than 1 billion users has introduced an end-to-end encryption that making it almost impossible to decode and extract information even if one is able to gain access to WhatsApp servers they will not be able to read any massages or tap into private conversations.