This is the first blog post in a series of five about recovering third-party mobile chat applications for your digital forensics investigations.
Over the last few years, we have seen a massive shift in the mobile communications market. Smartphones have taken over the world, and mobile users spend the majority of time on their devices emailing, browsing the web, using social media and/or chatting with others using various applications.
I’m stating the obvious when I say that these behaviors have had an enormous impact on the world of mobile forensic investigations. Before I touch on what this means to today’s digital forensics investigator, let’s take a walk down memory lane…
Remember the Good Old Days of Mobile Forensics?
Do you remember the good old days of mobile forensics (pre-smartphone era) when the biggest obstacle was the acquisition of physical or logical images? The enormous variety of mobile handsets, platforms and chipsets made it challenging to acquire an image for each and every device that landed on your desk.
Tools like Cellebrite’s UFED and Micro Systemation’s XRY largely overcame this problem by offering broad support for thousands of different handsets. Once you acquired an image, the primary sources of evidence you needed to recover were standard; text messages (SMS and MMS), call logs, contact lists, photos and data from a handful of other native mobile phone applications.
Smartphones Have Changed the Game…and Created New Problems
Now that the mobile device market has mostly standardized on two operating systems (Android and iOS), we’re seeing a general decline in the variety of handsets and file systems. ‘Device variety’ is becoming less of an issue.
Today’s mobile forensics investigator has a new problem on their hands – recovering and analyzing data contained within thousands of widely-used third-party applications.
This problem was recently highlighted in an article by AccessData on Officer.com that went on to explain that ‘Law enforcement does not have a grasp on the ‘mobility’ shift; the world of the mobile device application, and the likelihood of evidence being contained within an application’s data on a mobile device.’
The sheer number of mobile apps out there is overwhelming, and it seems like new ones emerge and explode in popularity all of the time. Furthermore, each application (on each device) stores data in a different way. If an investigator isn’t up-to-date on the apps people are using, or doesn’t know where to look for data, critical evidence is likely being missed.
The Question
How can today’s investigator keep up with the rapidly evolving world of third-party applications? Then find, interpret and analyze the potential evidence they contain?
On the Magnet Forensics blog this month, we’ll start to tackle this problem by offering up tips and tricks on how to effectively find and analyze data contained within popular third-party mobile chat applications.
Why are we starting with this category? New world chat apps like Kik Messenger and WhatsApp have exploded worldwide, and usage is on pace to surpass old-world chat options like SMS.
The Rise of Mobile Messenger Apps vs. SMS
This data shows that it’s imperative that forensic professionals are prepared with the knowledge and tools necessary to efficiently recover data from third-party mobile chat applications. They are rich sources of evidence in the new world of mobile forensics that you don’t want to miss.
As always, please let me know if you have any questions, suggestions or comments. I can be reached by email at jamie(dot)mcquaid(at)magnetforensics(dot)com.
Here are some related resources you might also be interested in:
- Read the next blog in our series: Recovering Kik Messenger Forensic Artifacts
- See what IEF is all about: Attend a Demo
- Try IEF for Free:
- New to IEF: Request a 30-day trial
- Current customers: Request a 30-day trial of our Mobile Module
Jamie McQuaid
Forensics Consultant, Magnet Forensics
