Investigations - Obtaining Evidence from Mobile Devices

  • Blog Post
  • Posted on 1 April 2019

By David Kerstjens, Digital Forensics Lead

Mobile phones are an integral part of life with thousands of models running different operating systems. The latest devices can store up to 512GB with an additional 512GB of expandable memory.

What sort of useable data can we get from a mobile phone?

In terms of an investigation, what steps do you take to secure the potential evidence on a work mobile and what type of evidence would you find?

Can you obtain the device?

What are your legal rights? Some companies issue employees a mobile device and others allow Bring Your Own Device. Certain states even allow surveillance of work mobiles using Wi-Fi technology. Sometimes, an employee provides consent for their mobile to be imaged and reviewed - ensure they provide written confirmation. Otherwise, you may need to rely on company policies or may have no right to the device. The key is the policy the staff member agreed to.

Secure the Evidence

If the device is on, keep it on and enable Airplane/Flight Mode. This ensures the staff member can’t remotely wipe the device. If the device is off, leave it off. You will usually need to obtain the PIN from the staff member. Some devices can be accessed using software without the PIN, but not the latest devices.

Forensically Acquire Device

It’s increasingly difficult to obtain data from mobiles, so we recommend using forensic software and hardware to image the device. Forensic software has varying levels of interaction with mobiles, which affects whether the data is defensible, so research the software and obtain training in case the matter goes to court. It should be possible to justify the actions taken in imaging the mobile and explain how the information was obtained.

Avenues of Investigation

Some potential avenues of investigation for data from a mobile device:

  • Correspondence between parties:
    • Call logs, SMS/MMS/iChat messages, chat applications, e.g. WhatsApp, WeChat, Viber, Messenger, etc.
  • Correspondence between the accused and third parties mentioning the defendant.
  • Internet history:
    • Searches for the defendant’s address, social media accounts, etc.
  • Media:
    • Photos or videos of the defendant including time stamps and GPS coordinates.
  • Location data:
    • GPS coordinates at points in time showing the accused’s location in relation to the defendant.
  • Recover deleted data:
    • Sometimes deleted data can be recovered. Time is of the essence.
  • Linked devices:
    • Bluetooth history may indicate linked devices for further investigation, e.g. smartwatches, car entertainment units.
  • Cloud storage:
    • A review of applications may provide further avenues to investigate, e.g. cloud storage, individual applications.

Other avenues of investigation can be performed alongside the defendant’s statement and a forensic image of their mobile to corroborate or contradict their claims.

Forensic evidence can be key in deciding between contradictory statements.

For more information, contact us.

