Key trends for digital forensics on mobile devices

Analysis 25 Sept 2024

Michael D'Angelo

Americas United States of America Digital Forensics eDiscovery Forensic Data Analytics

Nearly every adult in the US owns at least one mobile device, making them relevant in virtually all disputes and investigations. Data from mobile devices is often a fruitful source, but accessing this data is increasingly challenging due to evolving technologies, applications and services.

For professionals involved in disputes and investigations, staying on top of trends related to mobile devices is critical. Michael D’Angelo, our lead investigator for the US and Latin America, spoke about staying on top of trends in the ACEDS DC Chapter webinar on ‘Updated Trends Around Digital Forensics on Mobile Devices’.

Here are some key highlights from the webinar.

Typical complexities

There are three main considerations when dealing with mobile devices: variations between devices, data issues and privacy.

Variation between devices

Mobile devices vary in applications, security settings, operating systems (OS), manufacturers and service providers. This variability affects the success rates of imaging devices. Device and application updates create problems as well. Updates can lead to changes in data storage locations and methods and add ephemeral messaging or enhanced encryption protocol features.

Advancements in user privacy also pose significant challenges for forensic data collection and downstream discovery. Accessing data on newer mobile devices without pins or passcodes is nearly impossible. And applications have been enhancing their security layers, with features like iTunes backup encryption adding an extra layer of protection. Tools like Samsung KNOX further complicate data access by separating personal and business data.

Another complicating factor is the range of connections used by mobile devices: Airdrop, USB, Android Share, NFC, Wi-Fi and Bluetooth. These are all challenging to isolate or disconnect – but doing so is crucial to avoid data changes, updates or remote deletions.

Data issues

Data can change with application launches, device restarts, notifications and updates. Data can also change daily with OS and individual app updates, which can reconfigure the technologies and impact data storage and availability.

Digital forensics requires long collection times, especially for on-site or covert collections. The increased usage of smartphones is making collection times even longer, as there is an ever-growing amount of data to collect.

Privacy

Consent requirements vary by jurisdiction, adding a layer of legal complexity on top of the technical complexity outlined above. When personal devices are used for business, issues around privacy can enter grey areas.

Mobile device encryption: emerging issues and complexities

File-based encryption (FBE)

Most devices now use FBE, which locks user data until unlocked at startup. Some manufacturers are adding password requirements at startup, making data access more difficult.

End-to-end encryption

Encrypting individual messages and making them inaccessible without proper authorisation is becoming standard in messaging applications. Not only do the applications sit behind a security layer, but individual messages within a conversation are encrypted and often inaccessible.

Rapid updates and new models

Mobile device manufacturers, application developers and operating systems are releasing updates and new models at increasingly faster rates. This accelerated pace creates challenges for digital forensic analysts who need to know and understand the changes that are occurring, particularly their effect on data, where data is stored and new security enhancements that may be in play.

Data synchronisation and formats

Mobile devices often synchronise data with cloud accounts or across multiple devices. This can cause issues and have a direct impact on the viability or accessibility of mobile data in disputes and investigations.

Third-party apps store data in proprietary formats that are not standardised across devices or platforms. Forensic tools must be specifically designed to handle these proprietary formats, which can vary widely between apps and versions.

Artificial intelligence (AI): changing the game

AI is becoming more integrated into products and services. Everyday users are already taking advantage of AI features. This integration and adaptation will likely grow drastically in the coming years.

Some emerging issues from a litigation and investigation viewpoint:

Leaking of corporate data through AI summarisation/querying
Originality of data due to summarisation and tools like image generation or editing
Automatic summarisation of phone calls or meetings hosted online – the accuracy of those notes as well as potential privacy violations
Inadvertent sharing of personally identifiable information (PII)

Evolving AI features

New AI editing features can edit and transform data seamlessly, calling into question authenticity, origin, and user intent. This creates major challenges in verifying the integrity and context of digital evidence, making it harder to accurately attribute actions and content.

AI features to watch:

Mobile AI services
Generative text
Facial recognition
Text recognition
AI-created media
Email summaries

Mobile devices: what’s to come?

States and federal governments are increasingly interested in new data protection and privacy laws, leading to more scrutiny and responsibilities for businesses.
AI systems in mobile devices will bring more daily automation, raising questions about human vs automated actions.
Mobile devices will standardise peer-to-peer communication and improve satellite connectivity, making internet access universal and cheaper.
Trust indicators will enhance information safety, while generative AI will emphasise data security and privacy.
Mobile devices are on their way to becoming as sophisticated as computers, potentially becoming the primary device for all personal and professional needs.