Mobile Forensic Imaging through the years

Written by Amber Schroader

December 6, 2019

In 2002, when I did my first interview on mobile forensics, I never could have imagined the field would explode as it has. I was an innovator, thinking that these small palm devices, the Palm PDA at the time, would be the hub of our digital fingerprints. The snippet from the New York Times article below gives you that flashback moment, if only for the device and the monitors of the time.

When it comes to mobile forensics, it is nice to know that you followed the right path. As more of our digital fingerprint goes mobile each year, it is important to take note of the journey and what we have learned along the way.

Retro Imaging

In the beginning, much of the imaging relied on backdoors that the device and app developers had left accessible. Examiners had to do a form of hokey pokey to get the device into the correct mode before imaging could start. Examiners got physical images of most devices and then went through the process of weeding through a small load of megabytes of data. Devices were just emerging, with new models coming onto the market every few days, so we struggled to get data connections and cables.

Modern Imaging

Devices have consolidated so much now that we typically look at two platforms in most examinations: Android and iOS. With both, the attitude toward DFIR has changed and now leans toward the cry of privacy, with many of the backdoors of our past having been closed. Manufacturers now actively work to block out the world of DFIR. Each fall, forensic tool vendors fight through the major firmware releases to see what can and cannot be accessed, and the DFIR community determines whether it has the best tool for the job. To make it a little easier, we can step back and look at the overall imaging options on each platform.


Imaging with Android

Logical imaging via Android Backup (the adb backup mechanism) is the most common method on newer devices. Unfortunately, it gives no access to the underlying file system, and it only includes data that each app permits to be backed up (apps that set android:allowBackup="false" are simply absent), which limits access to most of the app data.
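The quickest way to see how thin an Android Backup image is, is to list what the archive actually contains. The script below is an added example, not code from the article or from any vendor tool: it parses the .ab container format (four newline-terminated header lines: the "ANDROID BACKUP" magic, format version, compressed flag, and encryption "none" or "AES-256", followed by a zlib stream of a tar archive), unpacks it, and reports which packages are present under apps/<package>/. The sample archive it builds (package com.example.notes and one shared-storage file) is constructed for the demonstration.

```python
"""Inspect an 'adb backup' archive (.ab) and list the packages it contains.

Added example, not from the article or a vendor tool. Assumes the documented
.ab layout: a text header of four newline-terminated lines followed by a zlib
stream of a tar archive whose app data lives under apps/<package>/...
"""
import io
import tarfile
import zlib


def parse_ab(data: bytes) -> tuple[dict, bytes]:
    """Split header from payload; return the raw tar bytes for unencrypted backups."""
    header_end = 0
    for _ in range(4):
        header_end = data.index(b"\n", header_end) + 1
    magic, version, compressed, encryption = data[:header_end].decode("ascii").split("\n")[:4]
    if magic != "ANDROID BACKUP":
        raise ValueError("not an Android backup file")
    header = {"version": int(version), "compressed": compressed == "1", "encryption": encryption}
    payload = data[header_end:]
    if header["encryption"] != "none":
        # An AES-256 backup carries extra header lines (salts, round count, IV,
        # wrapped master key) and the payload is ciphertext: without the user's
        # backup password there is no tar to list, so report an empty payload.
        return header, b""
    if header["compressed"]:
        payload = zlib.decompress(payload)
    return header, payload


def list_backup_entries(data: bytes) -> list[str]:
    """Names of the regular files inside the backup tar (empty if encrypted)."""
    _, tar_bytes = parse_ab(data)
    if not tar_bytes:
        return []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return [m.name for m in tf.getmembers() if m.isfile()]


def apps_in_backup(data: bytes) -> set[str]:
    """Package names present under apps/<pkg>/; apps with allowBackup=false never appear."""
    pkgs = set()
    for name in list_backup_entries(data):
        parts = name.split("/")
        if len(parts) > 2 and parts[0] == "apps":
            pkgs.add(parts[1])
    return pkgs


def make_sample_ab(encrypted: bool = False) -> bytes:
    """Constructed sample .ab: one app with a manifest and a database, one shared file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, body in [
            ("apps/com.example.notes/_manifest", b"com.example.notes\n1\n"),
            ("apps/com.example.notes/db/notes.db", b"SQLite format 3\x00"),
            ("shared/0/DCIM/Camera/IMG_0001.jpg", b"\xff\xd8\xff"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    enc = b"AES-256" if encrypted else b"none"
    # A real encrypted backup would carry ciphertext here; the parser never reads it.
    return b"ANDROID BACKUP\n5\n1\n" + enc + b"\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    sample = make_sample_ab()
    print(parse_ab(sample)[0])
    print(sorted(apps_in_backup(sample)))
    for entry in list_backup_entries(sample):
        print("  ", entry)
```

Run the same listing against a real backup.ab taken from an exhibit and compare the package set with the device's installed-package list; every package missing from the backup is app data the logical image will never give you, which is the limitation the paragraph above describes.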

Logical imaging via root access is supported by very few tools, with Paraben being the leader in this area. Root access exposes the file system, which gives access to much of the app data as well as some recovered (deleted) data.

With Android, physical imaging is focused on specific manufacturers, since the options for getting into the physical storage depend on how each manufacturer has implemented the firmware. Some companies price this option out as a separate tool; other times it is just part of the tool, as it is with Paraben. The process takes longer but can yield great results, with access to the file system, the apps, and recovery of deleted data. The other bonus is that this method gets around screen locks set by the user.

Chip bypass for imaging is a newer method that has become more popular over the last year and has turned into an excellent option, not only for physically imaging devices but also for getting around user-set locks. Examiners get access to the file system and the physical flash space and bypass the passcode, so there are very few drawbacks. One caveat: the bypass works where the tool can recover the encryption keys from the raw dump; on newer devices with hardware-backed file-based encryption, a chip-level image still comes out encrypted and the tool must be able to unlock it. The other problem is whether the tool that performs this method can actually parse the chip data, since you are now looking at partitions and the raw details of the device rather than a tidy file system. With tools like Paraben, we support the primary chipsets: Qualcomm (through EDL mode), MediaTek (common in burner phones), and Spreadtrum.


Imaging with Apple

Logical imaging with Apple devices is by far the most common method, since it is the most accessible and all the tools essentially produce the same image. Apple allows very few custom options or adjustments to the imaging, so everyone in DFIR makes the image the same way. The logical image contains active and recoverable data, which is valuable to the examiner. However, there are sometimes limitations on what you can access from apps, depending on where they store their data. A logical image made through a forensic tool is almost identical to an iTunes backup, so make sure you also look for any backups that might exist on the desktop system. When it comes to logical imaging, your tool options come down to parsing capabilities and what each tool can show you.

An iTunes backup is essentially a logical image, but when you make one for your image, the value comes from doing an encrypted backup with a known password. This extra step in your examination process can bring in a great deal of new information: keychain data, health data, Safari history (firmware dependent), maps, and wallet. I always like to do a logical image and then an encrypted backup as part of my process checklist. Doing so allows me to see the differences between the two images. From my perspective, keeping a virtual machine with iTunes on it is a great way to keep your process clean and simple when creating encrypted backups. I don’t keep iTunes on my forensic workstation, to avoid any read/write issues with my normal imaging.
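Whether you are triaging a backup found on a desktop system (previous paragraph) or comparing your own logical image with an encrypted backup (this paragraph), the first questions are the same: is it encrypted, what iOS version made it, and which files does it hold? The script below is an added example, not code from the article or from Paraben's tools. It assumes the standard iOS 10+ backup layout: Manifest.plist (never encrypted; carries IsEncrypted, WasPasscodeSet and the Lockdown dictionary), Manifest.db (a SQLite Files table that is itself encrypted when the backup is), and payload files stored as <first two hex digits>/<fileID>, where fileID is the SHA-1 of "<domain>-<relativePath>". The sample backup folder it creates is constructed for the demonstration.

```python
"""Triage an iTunes/Finder-style iOS backup folder (iOS 10+ layout).

Added example, not part of the original article or any vendor tool. Assumes
the documented layout: Manifest.plist (plain), Manifest.db (SQLite, encrypted
in an encrypted backup) and payload files named by SHA-1 of
"<domain>-<relativePath>" under a two-hex-digit subfolder.
"""
import hashlib
import os
import plistlib
import sqlite3
import tempfile


def backup_file_id(domain: str, relative_path: str) -> str:
    """iOS names each stored file by SHA-1 of 'domain-relativePath'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def backup_file_path(backup_dir: str, domain: str, relative_path: str) -> str:
    """On-disk location of a known artifact, e.g. the SMS database."""
    fid = backup_file_id(domain, relative_path)
    return os.path.join(backup_dir, fid[:2], fid)


def payload_exists(backup_dir: str, domain: str, relative_path: str) -> bool:
    return os.path.isfile(backup_file_path(backup_dir, domain, relative_path))


def triage_backup(backup_dir: str) -> dict:
    """Summarise what an examiner can expect from this backup before parsing it."""
    with open(os.path.join(backup_dir, "Manifest.plist"), "rb") as fh:
        manifest = plistlib.load(fh)
    lockdown = manifest.get("Lockdown", {})
    summary = {
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "passcode_set": bool(manifest.get("WasPasscodeSet", False)),
        "ios_version": lockdown.get("ProductVersion"),
        "device_name": lockdown.get("DeviceName"),
        "file_count": None,
        "domains": {},
    }
    if summary["encrypted"]:
        # Manifest.db is encrypted with ManifestKey, which is wrapped by the
        # password-derived keybag: without the backup password the file list is
        # unreadable, so stop here instead of failing on the SQLite open.
        return summary
    con = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    try:
        rows = con.execute("SELECT domain, COUNT(*) FROM Files GROUP BY domain").fetchall()
    finally:
        con.close()
    summary["domains"] = dict(rows)
    summary["file_count"] = sum(summary["domains"].values())
    return summary


def make_sample_backup(encrypted: bool = False) -> str:
    """Constructed sample backup folder so the triage runs offline."""
    d = tempfile.mkdtemp(prefix="ios-backup-")
    manifest = {
        "Version": "10.0",
        "IsEncrypted": encrypted,
        "WasPasscodeSet": True,
        "Lockdown": {"ProductVersion": "13.3", "DeviceName": "Exhibit 4 iPhone"},
    }
    with open(os.path.join(d, "Manifest.plist"), "wb") as fh:
        plistlib.dump(manifest, fh)
    if encrypted:
        # A real encrypted backup holds an encrypted Manifest.db; random bytes model that.
        with open(os.path.join(d, "Manifest.db"), "wb") as fh:
            fh.write(os.urandom(64))
        return d
    files = [
        ("HomeDomain", "Library/SMS/sms.db"),
        ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
        ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG"),
    ]
    con = sqlite3.connect(os.path.join(d, "Manifest.db"))
    con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                "relativePath TEXT, flags INTEGER, file BLOB)")
    for domain, rel in files:
        fid = backup_file_id(domain, rel)
        con.execute("INSERT INTO Files VALUES (?,?,?,?,?)", (fid, domain, rel, 1, None))
        os.makedirs(os.path.join(d, fid[:2]), exist_ok=True)
        with open(os.path.join(d, fid[:2], fid), "wb") as fh:
            fh.write(b"constructed sample payload")
    con.commit()
    con.close()
    return d


if __name__ == "__main__":
    for enc in (False, True):
        print(triage_backup(make_sample_backup(enc)))
```

Point triage_backup at the Backup/<UDID> folder under the user's MobileSync directory to inventory a backup found on a seized desktop; an "encrypted": True result with an unknown password means only Manifest.plist metadata is available until the password is recovered, which is exactly why making your own encrypted backup with a known password is worth the extra step.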

Physical imaging is fairly limited with iOS devices compared to Android, but it is still available through some select tools or services. The advantage, of course, is that you can bypass passcodes and get around locks, but it is very firmware dependent. The second side of physical imaging is whether the tool you use can parse the data. Various tools, including Paraben’s, can also parse data from physical images made by other tools, so be sure to check your tool’s specs. It does no good to recover a lot of data if you can’t get any evidence from it.

Jailbreaking as an imaging method has made a comeback, and it all comes down to access to the file system. Jailbreaking is comparable to the rooting options on Android devices: you get access to a lot more data, but you have to put a bit more work into the process. The jailbreaking community, which has nothing to do with DFIR, has done a lot of great work on the newer firmware and offers good options for dealing with the latest Apple devices. If jailbreaking is not a process you consider in your examinations, it is time to take another look and see the wealth of app data you can get with this method.

So, in the end, have our imaging methods changed? In short, yes. We have ended up with fewer device types in an average examination, and with that a smaller set of acquisition options per device. The other change has come from the manufacturers pushing for privacy and changing their security options, which has shut down a lot of the old-school hokey pokey methods of our past. All in all, when looking at tools, you have to weigh the number of options available for each type of imaging against the data analytics the tool offers once you have that image. It does you no good to get into a device if you can’t find the data you are looking for.
