    Mobile forensics is important to nearly all private investigations today. You are literally carrying around one of the best surveillance devices ever invented. In this post I’m going to discuss the forensic artifacts that can be obtained during a mobile forensics investigation.

    To set the stage for this, I set up an iPhone as a device that was used to steal company secrets from an organization. I moved data to the device, took pictures, and stored the data in certain cloud services in an effort to conceal it.

    As part of the investigation I then processed the phone using Magnet Axiom to obtain the forensic artifacts and evidence contained on the device.

    Mobile Forensics Artifacts

    The first phase of forensic artifacts for review are the “Refined Results” that include:

    • Classifieds URLs
    • Cloud Services URLs
    • Dating Site URLs
    • Facebook URLs
    • Identifiers – Device
    • Identifiers – People
    • Social Media URLs
    • Web Chat URLs

    These artifacts give insight into the owner of the device, the type of device, and interesting activity for each category.

    Web Related Forensic Artifacts

    In the Web Related artifacts section of the forensic analysis I can recover Google searches, browser activity, bookmarks, deleted history, and sites accessed by third-party applications installed on the device.

    Mobile Forensics Chat Artifacts

    During the forensic analysis, chat artifacts can be important to an investigation. For example, the evidence may show premeditation, location, and plans to commit a crime.

    The Chat forensic artifacts for this investigation include:

    • Facebook Messenger
    • iOS SMS
    • WhatsApp

    The forensic acquisition process shows me sender, recipients, and time stamps for each conversation.

    Media Artifacts

    As I get into the media artifacts, I can analyze Audio, Google WebP images, Live photos, Photo Albums, Pictures, and videos. The interesting part of Live Photos is that they are presented in movie format. This allows a forensic analyst to view the seconds before and after the actual still image that may contain evidence.

    In this hypothetical scenario I deleted important images in an attempt to cover my tracks after stealing company data. During the analysis I was able to recover all of the deleted images.

    Documents

    A mobile forensics investigation can turn up a trove of documents that can be time consuming to process. Fortunately the tools we use allow searches for keywords, regular expressions, and even skin tone percentages for images.

    For this investigation the evidence stolen from this fictional organization was a Word document which was stored in iCloud, Google Drive, and OneDrive. I was able to forensically recover the document from each of these locations.

    Mobile Forensics Application Artifacts

    We are now getting into the core of the investigation with the actual applications installed on the device. In this part of the investigation I’m going to analyze the following forensic artifacts:

    • Apple Contacts: This contains all contacts with associated information and image files.
    • Apple Maps Searches: I will get all the location searches the subject performed within the application.
    • Apple Maps Trips: This will show all the actual map guidance provided by the application.
    • Calendar Events: This is self-explanatory. The advantage here is that I can search and export what I need from the calendar in a forensically sound way.
    • Installed Applications: These artifacts are important to determine if a rogue application is installed on the device or was side-loaded rather than installed from the App Store.

    The iOS Device Information and Owner Information are also self-explanatory. This includes the iTunes account, username, serial number, IMEI, and type of device I’m examining.

    Mobile Forensics Operating System Artifacts

    The forensic artifacts I’m most interested in for this section are the following:

    Apple Accounts: This shows me every Apple account that’s ever signed into the device. This is an important artifact that can show if a suspect has multiple accounts or if the device is shared across multiple people.

    Network Usage – Application Data: This logs network traffic for all applications that access the Internet, even if they have since been removed from the device. This can show that an application was once installed on the device and also what types of Internet activity have been performed with the device.
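    One way to act on that artifact is to cross-reference it with the Installed Applications list: any bundle that generated traffic but is no longer installed is a lead worth explaining. This is an added example, not output or code from Magnet Axiom; the column names, bundle identifiers, and byte counts are constructed.

```python
"""Find apps that generated network traffic but are no longer installed.
Added example; the two CSV layouts below are constructed, not Axiom's schema."""
import csv
import io

# Constructed "Network Usage - Application Data" export.
NETWORK_USAGE_CSV = """bundle_id,wifi_in,wifi_out,cell_in,cell_out,first_seen
com.apple.mobilesafari,5120000,310000,120000,40000,2023-01-05T09:12:00
com.example.cloudsync,20000,88000000,0,0,2023-02-11T22:41:00
com.example.chat,1500000,900000,300000,250000,2023-02-12T07:03:00
"""

# Constructed "Installed Applications" export taken at acquisition time.
INSTALLED_CSV = """bundle_id,name
com.apple.mobilesafari,Safari
com.example.chat,Example Chat
"""


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def removed_apps_with_traffic(network_csv, installed_csv):
    """Return bundles present in network usage but absent from the installed
    list, largest upload first. An upload-heavy removed app is a lead for
    exfiltration, not proof; the analyst still has to recover what was sent."""
    installed = {row["bundle_id"] for row in parse_csv(installed_csv)}
    leads = []
    for row in parse_csv(network_csv):
        if row["bundle_id"] in installed:
            continue
        uploaded = int(row["wifi_out"]) + int(row["cell_out"])
        downloaded = int(row["wifi_in"]) + int(row["cell_in"])
        leads.append({
            "bundle_id": row["bundle_id"],
            "first_seen": row["first_seen"],
            "uploaded_bytes": uploaded,
            # Flag when uploads dwarf downloads (threshold is a constructed heuristic).
            "upload_heavy": uploaded > 10 * downloaded,
        })
    return sorted(leads, key=lambda lead: lead["uploaded_bytes"], reverse=True)


if __name__ == "__main__":
    for lead in removed_apps_with_traffic(NETWORK_USAGE_CSV, INSTALLED_CSV):
        print(lead)
```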

    The Seen Bluetooth Devices are also important. Bluetooth devices broadcast beacons that are observed and logged by the mobile device. In some cases I can prove that a mobile device has been in a certain location based on the Bluetooth MAC address that was beaconing, even if the phone never connected to that device.
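    Turning that artifact into location evidence means matching the observed addresses against transmitters whose physical placement is known, and discounting anything that cannot be tied to a fixed location. The following is an added example, not Axiom's own functionality; the export columns, MAC addresses, and beacon inventory are constructed.

```python
"""Build a presence timeline from a 'Seen Bluetooth Devices' export.
Added example; columns, MACs and the beacon inventory are constructed."""
import csv
import io
from datetime import datetime

# Constructed export: one row per transmitter the phone observed.
SEEN_BT_CSV = """mac,name,first_seen,last_seen,connected
00:11:22:01:02:03,Lobby-Beacon,2023-02-11T21:55:00,2023-02-11T22:50:00,false
DE:AD:BE:EF:00:01,ConfRoom-4B,2023-02-11T22:05:00,2023-02-11T22:45:00,false
5E:11:22:33:44:55,,2023-02-11T22:10:00,2023-02-11T22:11:00,false
"""

# Constructed inventory of fixed beacons the organization installed; only
# addresses with a known placement can support a location claim.
BEACON_INVENTORY = {
    "00:11:22:01:02:03": "HQ lobby, ground floor",
    "DE:AD:BE:EF:00:01": "HQ conference room 4B",
}


def is_locally_administered(mac):
    """Bit 1 of the first octet set means the address was not assigned by a
    vendor (typical of randomized addresses); treat identity as weaker."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def presence_timeline(seen_csv, inventory):
    """Return sightings of inventoried beacons, ordered by first observation.
    Unknown transmitters are skipped: a sighting without a known placement
    (for example a colleague's phone) proves nothing about location."""
    events = []
    for row in csv.DictReader(io.StringIO(seen_csv)):
        mac = row["mac"].upper()
        location = inventory.get(mac)
        if location is None:
            continue
        start = datetime.fromisoformat(row["first_seen"])
        end = datetime.fromisoformat(row["last_seen"])
        events.append({
            "mac": mac,
            "location": location,
            "start": start,
            "minutes": int((end - start).total_seconds() // 60),
            "connected": row["connected"].lower() == "true",
            "weak_identity": is_locally_administered(mac),
        })
    return sorted(events, key=lambda event: event["start"])
```

    A row with `connected` false still counts: the phone only had to hear the beacon, which is exactly the point made above.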

    In the above video I go into more granular detail about each of these artifacts and what they mean during a mobile forensics investigation.