Social media apps are easily the most popular and most widely used app category, and challenges and threats that exist in regards to the forensic extraction and investigation of these apps from mobile devices. Pedophiles, kidnappers, stalkers, and other criminals troll social media accounts via the apps installed on their mobile device, preying on current and potential victims. Criminals also use social media apps to upload incriminating data and brag of their criminal misdeeds.

There has been a recent steady increase in the capabilities of messaging capabilities in smart mobile devices. Native messaging apps, commonly referred to as SMS (short-message-service), enable users to send messages over a cellular network. The SMS method of messaging has existed for quite some time; however, many of these apps are now leveraging cloud features to push and/or allow simultaneous communication across multiple mobile devices and platforms. Platforms like Apple’s iMesssage will cache both sent and received messages on each device that is authenticated and is connected to the Internet. Users may also back up messages to the cloud. As an investigator, this means that evidentiary data can exist across multiple devices, and in some cases, may be more accessible or discoverable on one device over the other. To exemplify, iMessages that may be hard to get on one mobile iOS device due to encryption, passcodes, or otherwise may be easily attainable through a synced-up Macbook. In addition, full backups of native messaging databases may be available on a PC or laptop due to syncing and backup mechanisms that may have been automatically and/or manually initiated the last time the mobile device was plugged to that respective PC/laptop. Users can also send data other than SMS to include multimedia messaging service (MMS) video, photos, attachments, and even location information. Thus, it is important for the examiner to examine these potential avenues of evidence, and stay abreast on the changes made to how messaging data is transferred and/or backed up on devices.

Historically, mobile devices have and continue to provide voice communication capabilities and functionality over the cellular network. Records of this activity can be obtained by seeking call detail records from the cellular service provider in order to verify evidence of these communications. However, this is not the only method of voice communication on the device. Ever-increasing high-speed WiFi and 4G LTE data networks are enabling voice over IP (VoIP) apps like Skype and Google Hangouts to become increasingly popular and used on mobile device platforms. Also, streaming apps such as Livestream and Periscope can be of evidentiary value as well. The trending app Periscope is a live streaming app that is available as the mobile application itself as well as on Twitter. When connected to Twitter, Periscope users can allow other users to see links tweeted in order to view live-stream. Users of Periscope are able to choose whether or not to make their video public or simply viewable to certain users such as their friends or family. These videos can be viewed in a live realtime stream, with the replay of the stream available to viewers within the app for a period of 24 h. This ability to stream video substantiates the possibility of catching criminals engaging in criminal activity. Periscope streams depicting criminal activity such as drug use, discharging firearms, etc. have been discovered in recent months (H11, Fighting Crime with the Periscope App, 2015). One such example involved two San Diego men, Damon Batson and Carlos Gonzalez, who were arrested after posting a Periscope broadcast of their intentions to visit and hurt someone (Mejia, B. (2015)). Comments made by live viewers of the Periscope broadcast were also successful in enticing Gonzalez to discharge his weapon to prove that it was real. Both Batson and Gonzalez were arrested in connection to the live broadcast (Franzen, 2015).

With cloud-based services becoming increasingly popular, apps such as Dropbox, Box, and services offered by mobile device vendors (i.e., Apple iCloud, Microsoft OneDrive, and Google Cloud Platform) offer remote storage and syncing of user data. These apps are commonly used to quickly share files over multiple synced devices and for data redundancy. From an information security perspective, data contained within these services can be vulnerable due to weak authentication protocols, weak passwords, and improper permissions issues (i.e., inadvertently making private files public). For this reason, exploitation of these services will be an avenue of current and future criminal activity. In addition, those engaged in nefarious activities such as child pornography will utilize these services to covertly acquire and share images and videos within a vetted cohort. Therefore, it is important for the mobile forensic examiner to be well versed on “how” and “where” these devices sync. In addition, there are tools and scripts that are available to the examiner that will allow siphoning of the synced data out of apps like Dropbox. However, accessing such data on a mobile device may be challenging for the mobile forensic examiner due to the fact that the data are not actually stored on the mobile device but in the cloud. This trend seems to hint at the increasing trend of convergence of the mobile device and the personal computer – a relative “game changer” for how current digital forensic practices are performed.

As the technology of mobile equipment exponentially increases, so too will the capabilities of the embedded cameras on these devices. Most smart mobile devices are equipped with cameras that are capable of producing high-resolution images and true high-definition (HD) videos. In September 2015 Apple released the iPhone 6s, which was the first major mobile device to offer 4k (high-def) video embedded in the device. In addition, the front and rear-facing camera offered high-quality 12-megapixel resolution capabilities, which nearly rivals the video and image quality of a DSLR camera (AppleInsider, iOS 9 includes new iCloud Drive app, 2015). Traditionally, mobile devices offered low-resolution, low megapixel camera quality that produced highly compressed output images and video in order to save the limited amount of storage space on these devices. This poor frame rate and quality often produced poor quality video and images, and proved to be an issue when introduced as evidence of a given crime. However, this increased technology can prove to be beneficial to the mobile forensic examiner as it allows frames and detail to be captured that may have previously been overlooked or not caught at all just a few years back. Capturing of small detail such as subtle facial details and expressions and cartridge ejections from a weapon are a few of the beneficiaries of such increased enhancements.

The increased capabilities of location data included in mobile devices provide the opportunity for developers to create location-aware apps that can assist users in traveling more effectively and locating places of interest, and is heavily trending in the consumer world. This can be a jackpot of potential digital evidence as investigators can track latitude and longitude coordinates coupled with date and times that can be analyzed to prove location. Many devices and apps are now supporting location services, and data can be found in a number of places on a given mobile device, which include apps that store location, databases of saved Wi-Fi access points and hotspots, and media and reminder locations stored by the device. On most mobile devices, location services are measured by the following:

Many camera apps on most smart mobile devices are location aware and can tag latitudinal and longitudinal coordinates: a process known as geotagging. Geotagging refers to the process of adding geographical identification metadata to various types of media such as videos and photographs. Geotagging can help users to find a wide variety of location-specific information from a given mobile device. For instance, someone can find images taken near a given location by entering latitude and longitude coordinates into a suitable search engine (such as doing an image search in Google). Geotagging-enabled information services can also potentially be used to find location-based news, websites, or other resources (Bobbit, 2009). Geotagging can tell users the location of the content of a given picture or other media or the point of view, and conversely on some media platforms show media relevant to a given location. In addition, it can also reveal what type of camera and/or mobile device was used to take a certain image. In recent years, many social media sites such as Facebook, Twitter, and Instagram have updated their API to scrub these geotags when a user uploads a photo, but other sites such as Craigslist, Backpage, and certain message boards still retain the original geotagged metadata of the media. In addition, geotagged information is most often retained in SMS text message transfers and email attachments, thus creating an additional avenue of evidence for the mobile forensic examiner (Fig. 5.1).

Following the NSA data breach of Edward Snowden in 2013, both Apple and Google rolled out stronger and more stringent passcode and encryption standards for their respective operating systems. In a perfect world, the digital forensic examiner would desire to encounter a mobile device with no passcode, thus making it easy to extract information from the device. According to a 2013 global survey by McAfee and One Poll, 64 percent of consumers passcode protect their devices (Siciliano, 2013). In order for any forensic tool to successfully extract and decrypt all data in most cases, a successful passcode bypass must be achieved.

Prepaid “burner” phones, defined as cheap mobile devices that are used for a short period of time or for a particular purpose, then tossed away by the user, have been a problem for some time, in particularly law enforcement. This is due to the fact that in many cases the disabled data port on these devices cannot be enabled, and vendors do not make their own and/or have access to the devices’ APIs, which is the normal mode by which mobile forensic extractions are completed and made available to commercial forensic extraction tools’ developers (Engler, 2013). In addition, “knock-off” phones manufactured overseas also pose a threat to analysis due to their proprietary nature and overall lack of documentation, both from the software and hardware perspective. For example, iPhone devices manufactured as knock-offs in China may look and even operate like a legitimate iOS device, but closer inspection may reveal that the data connection is a USB connection rather than the standard lightening connection used by Apple. In addition, the operating system may be so proprietary in nature that even if a data connection is established, no tool or forensic process can read it. This leaves the tedious option of either JTAG and/or chip-off analysis (Fig. 5.2) (Engler, 2013).

Joint Test Action Group (JTAG) is the common name for what was later standardized as the IEEE 1149.1 Standard Test Access Port and Boundary-Scan Architecture. It was initially devised for testing printed circuit boards using boundary scan and is still widely used for this application. Forensic acquisition of a particular mobile device utilizing the JTAG method usually involves connecting to the standard test access port (TAP) on a device and instructing the processor to transfer the raw data stored on connected memory chips (a process known in slang terms as j-tagging). J-tagging supported phones can be an extremely effective technique to extract a full physical image from devices that cannot be acquired by other means (Forensicswiki, JTAG Forensics, 2015). In addition, JTAG requires a high-level of examiner knowledge and training, which can prove to be somewhat expensive. In addition, the equipment used to read the raw data only supports a limited number of devices per box, thus requiring multiple boxes to read data from the various chipsets extracted by the procedure. In addition, there are few publically available best practice guides for this procedure, mainly due to the fact that the JTAG procedure itself is constantly evolving and follows a different extraction procedure from device to device. This, in itself, makes it difficult and time-consuming for mobile forensic examiners. Moreover, decoding of acquired raw data may be difficult, if not, impossible to decode. However, it is still a highly favored avenue of forensic analysis and is gaining popularity in the mobile forensic community, as traditional extraction methods become obsolete and yield unfruitful results.

One of the more persistent challenges faced by mobile forensic examiners as of late is properly validating the forensic tools and procedures that are used on a day-to-day basis. Many examiners throughout the United States and world work in digital forensic laboratories that are accredited by either ISO 17025 or 17020, which is a common accreditation standard for forensic testing and forensic evaluation laboratories. Both of these accreditation requirements state that any method used within the laboratory setting must first be validated before use. This may prove to be difficult as mobile forensic processes and tools are constantly changing and updating with each new hardware and software version upgrade of a specific mobile device. In addition, in the case of JTAG, the process might be slightly different from device to device, although the same equipment is used for the investigation of the different mobile devices. Traditionally, the science of digital forensics is founded on the principles of repeatable processes and quality evidence. As the field of digital forensics continues to grow and evolve as a science, the importance of proper scientific validation will be more important than ever. This involves mobile examiners drafting validation test plans that outline the key functions of a particular tool or methodology (i.e., JTAG or chip-off) and testing those functions against a known dataset (Brunty, 2015). Validations must be repeatable and reproducible and, as such, may pose a significant threat to examiners tasked with such casework. Unlike other forensic science disciplines such as DNA, which follow uniform procedures and thus, can somewhat easily validate a method, mobile device forensics are working with methods which may significantly change by the month due to the simple fact that vendors are constantly updating hardware and software. This leads to the inherent challenge of maintaining uniform best practices and standard operating procedures (SOPs) for mobile device forensics. The National Institute of Standards and Technology (NIST) has published publication 800-11 Guidelines of Mobile Device Forensics, which outlines basic procedures to successfully perform a mobile forensics investigation (Ayers et al., 2013). In addition, the Scientific Working Group on Digital Evidence (http://swgde.org) has also published a Best Practices for Mobile Phone Forensics (2015), which provides a general overview of common terminology and procedures and methods used in the mobile device forensics field. Due to the rapid and changing nature of mobile device forensics, much of the verbiage in these documents is wide-ranging so as to anticipate rapid changes that may occur to how a certain device is examined after a new updated is realized by the vendor.