Digital devices such as smartphones, mobile phones, cell phones and tablets are now prime sources of evidence. Many different types of data can be recovered, and can be combined with other evidence pulled from computers, the Internet and the Cloud to verify and strengthen a case.
The main concerns with recovering evidence from smartphones and other devices are:
- Can text messages and deleted text messages be recovered?
- Can social app chat data be recovered?
- Is there location data and GPS data that can be found and recovered?
- What happens if a phone is password locked?
Global Digital Forensics addresses these issues and more by providing complete digital device forensics services for law firms, businesses, governmental bodies, as well as private investigators.
Generally, most data can be recovered from a smart device unless it has been specifically and thoroughly wiped.
Password protected phones are handled on a case-by-case basis. Depending on the type of phone and the version of the software on it, the task ranges from easy to impossible. However, password locked phones are a rarity in most types of cyber forensics cases.
All digital device forensics work is performed by highly trained CISSP and CCE certified forensic examiners. GDF offers complete reporting and case support - from initial consultations, to expert witnessing in court, mediation, spoliation hearings, TRO motions, and any evidentiary hearings pertaining to the case.
Devices and the Cloud
Most smart devices make extensive use of the Cloud to expand their functionality. Indeed, for many smartphone apps, what is visible and usable on the device itself is really just a control panel for a much larger program which resides on the Internet in the Cloud. Even when the device seems disconnected from Wi-Fi or a mobile data network, it can be uploading data, or saving data to upload when a connection can be made. These data connections are active even if your phone isn't set to back up. What this all means is that there is a tremendous amount of data from a smartphone, tablet or other smart device in storage on the Cloud.
When data from the actual physical device is combined with data from the Cloud, such as from Apple's iCloud or Google Cloud, the ability to piece together evidence and assemble a convincing narrative of crimes and events is greatly enhanced.
Mobile Device Data Recoverable as Evidence
- Text messages/SMS messages, including deleted messages
- Pictures, images and downloads, including deleted files and deleted images
- Multimedia messages/MMS messages, including deleted messages
- Data from service provider clouds - iCloud, Google Cloud, Verizon, Samsung, etc.
- Social app chat messages (Snapchat, Instagram, Facebook, etc.)
- Instant messages (IM)
- Internet browsing histories
- Audio and video recordings
- Call logs (call history, received calls, missed calls, dialed calls, etc.)
- Phone and email contact lists
- Calendars, appointment records, task lists, notes
- Email stored on the device and external storage cards
- Social media artifacts (Facebook, Twitter, LinkedIn, WhatsApp, Instagram, etc.)
- Synchronization Information
- Application artifacts from installed programs
- GPS and location data
- Installed software
- Mobile spyware
- Caller ID data
Devices and Carriers
GDF has successfully worked on cases involving almost every type of digital device imaginable, and with almost every manufacturer, carrier and service provider.
We've recovered data from:
- Apple iPhones and tablets
- Google Pixel
- Blackberry devices
- Garmin GPS units
- Pre-paid phones and services
Other Evidentiary Concerns
GPS Location Data Mapping
In many cases, smartphones are constantly in touch with GPS services, even when the phone is in standby or sleep mode. Because of this, location data can often be recovered, which can allow the reconstruction of a detailed and accurate "map" of the target phone's movement. This data can be recovered from the phone, as well as from cell network records. In many cases, this can be invaluable evidence. Further, this sort of data can often be recovered from tablets, GPS systems and on-board car navigation systems.
Image EXIF Data
EXIF stands for Exchangeable Image File Format and refers to the metadata (data about data) stored in an image file. This metadata is written when a picture is taken with a smartphone (or a modern digital camera), and can include the date the photo was taken, as well as camera settings. More importantly, EXIF data can include geolocation information as well. This sort of evidence can be very strong in court: a picture, an exact time and date, and an exact location, all tied together electronically.
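How a timestamp and a GPS position are read out of an EXIF block, shown as an added example (not GDF's tooling): the block is a small TIFF structure, which in a JPEG follows the `Exif\0\0` marker in the APP1 segment. The function names and the sample bytes are constructed for this illustration.

```python
import struct
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}  # BYTE, ASCII, SHORT, LONG, RATIONAL

def read_ifd(buf, off, e):
    """Decode one TIFF directory into {tag: value}. Values of up to 4 bytes
    sit inside the 12-byte entry; larger ones are stored at an offset."""
    (count,) = struct.unpack_from(e + "H", buf, off)
    out = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(e + "HHI4s", buf, off + 2 + 12 * i)
        size = TYPE_SIZE.get(typ, 0) * n
        data = raw[:size] if size <= 4 else buf[struct.unpack(e + "I", raw)[0]:][:size]
        if size == 0 or len(data) < size:
            continue  # unknown type or truncated value: skip rather than guess
        if typ == 2:
            out[tag] = data.split(b"\0")[0].decode("ascii", "replace")
        elif typ == 5:
            v = struct.unpack(e + "%dI" % (2 * n), data)
            out[tag] = [v[j] / v[j + 1] if v[j + 1] else 0.0 for j in range(0, 2 * n, 2)]
        else:
            out[tag] = struct.unpack(e + "%d%s" % (n, {1: "B", 3: "H", 4: "I"}[typ]), data)
    return out

def to_decimal(dms, ref):
    d, m, s = dms  # degrees, minutes, seconds; S and W are negative
    return (d + m / 60 + s / 3600) * (-1 if ref in ("S", "W") else 1)

def parse_exif(tiff):
    """Return capture time and GPS position from a TIFF-structured EXIF block."""
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None or len(tiff) < 8 or struct.unpack_from(e + "H", tiff, 2)[0] != 42:
        raise ValueError("not a TIFF/EXIF block")
    ifd0 = read_ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
    found = {"datetime": ifd0.get(0x0132), "lat": None, "lon": None}
    if 0x8825 in ifd0:  # tag 0x8825 points to the GPS directory
        gps = read_ifd(tiff, ifd0[0x8825][0], e)
        if len(gps.get(2, [])) == 3 and len(gps.get(4, [])) == 3:
            found["lat"] = to_decimal(gps[2], gps.get(1, "N"))
            found["lon"] = to_decimal(gps[4], gps.get(3, "E"))
    return found

def build_sample():
    """Constructed little-endian EXIF block for the demo (not from a real photo)."""
    ent = lambda tag, typ, n, val: struct.pack("<HHI4s", tag, typ, n, val)
    u32 = lambda x: struct.pack("<I", x)
    ifd0 = struct.pack("<H", 2) + ent(0x0132, 2, 20, u32(38)) + ent(0x8825, 4, 1, u32(58)) + u32(0)
    gps = (struct.pack("<H", 4) + ent(1, 2, 2, b"N\0") + ent(2, 5, 3, u32(112))
           + ent(3, 2, 2, b"W\0") + ent(4, 5, 3, u32(136)) + u32(0))
    return (b"II" + struct.pack("<HI", 42, 8) + ifd0 + b"2023:04:01 12:30:00\0" + gps
            + struct.pack("<12I", 40, 1, 26, 1, 46, 1, 79, 1, 58, 1, 56, 1))
```

Calling `parse_exif(build_sample())` yields the timestamp string and a signed latitude/longitude pair; a value whose bytes run past the end of the block is skipped instead of being read from unrelated data.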
Getting Us the Device(s)
GDF can arrange drop off/courier/FedEx delivery of the subject device to one of our forensic labs. Devices can be returned to you after imaging, or held in secure storage in our facility to be used in court as evidence later.
- The subject phone is received and logged.
- A proper chain-of-custody log is created.
- The subject phone is forensically duplicated (imaged) using court accepted procedures.
- The original evidence is properly stored in compliance with court approved procedures.
- All analysis will be performed on the copy, preserving the pristine state and evidentiary value of all data analyzed should more analysis be required at a later time.
Full Forensic Examinations
GDF analysts attempt to recover all data on the phone. You may only be interested in deleted texts, but we will find EVERYTHING on the phone that’s there to find, in many cases finding evidence that wasn't anticipated and which ultimately proves to be highly relevant to the case.
- All procedures are forensically sound
- Chain of custody is preserved (evidentiary value).
- Only court accepted tools and processes are used
- Extraction of both active and latent data (deleted files, emails, texts, instant messages, etc.) and artifacts to the extent forensically possible
- Keyword searches are performed using state-of-the-art forensic tools.
- Results supplied with Bates numbers and metadata
- Entire device is searched, including for deleted information, metadata, emails and texts
Once GDF has completed the analysis of the device, a full report detailing the findings can be prepared. This legal quality report includes full chain of custody documentation and meets the standards established by the US Department of Justice for digital forensic evidence submission.
- An analyst will explain the findings to the client and await further disposition.
- Our report will help identify the presence of any evidence or indicators to help the client determine evidentiary value.
- All findings can be uploaded to a secure server and downloaded by the client, so a thorough search for relevant evidence can be performed.
- Storage of the subject phone and forensic images for up to 1 year.
- Expert witnessing and courtroom support as required.
Contact GDF at 1-800-868-8189 to discuss your cyber forensics needs.