Fazio says in this particular case, the mobile digital evidence was critical to the child molester’s conviction. “Basically, without those images, that case was pretty much dead in the water,” he notes. “He got [sentenced to] natural life without the possibility of parole, so that guy won’t be out bothering kids ever again.”
Extracting digital evidence from mobile devices is becoming a key aspect of forensic investigations for law enforcement. “In my own practice, I’ve definitely seen an uptick in smart device forensics requirements versus just a year or so ago,” said Paul Henry, senior course instructor at the SANS Institute, who spoke on the topic in a mobile forensics webinar.
The proliferation of apps requires that forensic investigators stay current because each app will have its own peculiarities and secret places where data can reside. “Many third-party apps installed on mobile devices leave forensically relevant artifacts for inspection; you simply have to know what to look for and where to look for it,” noted Henry, saying that along with those opportunities come challenges. “Current mobile forensic software tools typically address the normal telephonic data: SMS messages, contact lists, call logs, and voicemail messages. Very often [investigators are] overlooking this in-depth analysis of the information that’s saved in the third-party applications that may reside on the device,” he says.
For example, many people use third-party applications to communicate over the Internet via programs like SnapChat and Skype. When using such programs, people often freely type out conversations about crimes they have committed, not realizing that investigators will be able to see those conversations by using forensic tools, such as MagnetForensic’s Internet Evidence Finder or AccessData’s Mobile Phone Examiner (MPE) Plus.
In one homicide case, police had reason to believe that a suspect’s phone had incriminating text messages sent between him and another party, but when the suspect’s phone was confiscated and analyzed, the SMS data contained nothing of significance to the case, says Lee Reiber, director of mobile forensics at AccessData. On the theory that the messages resided in another application, his company assisted the police in getting third-party application information from the phone. “The automated tool failed to locate this information,” Reiber explains. “It was not until using our MPE Plus tool and its analysis tools for SQL databases that the application data was uncovered. We went into the level where the applications were stored; utilizing our tool, we were able to go in and pull out from these database files the chat, and it was actually occurring on Google Plus,” he says.