What is cellular forensics?

Cellular phones and smartphones (Apple, Blackberry, Android) all carry data on them – often more than we realize. Cellular forensics is the science of retrieving what is seen as well as what has been erased. In most instances we are able to achieve full recovery of deleted text messages, WhatsApp conversations and images. Images frequently contain information about GPS co-ordinates relative to where the photo was taken, all this is recoverable.

What data can we actually retrieve during the Forensic process and how difficult is it? 

Today I’ll walk you through the basics steps of a forensic assessment of a cellular handset. Prepare to be astounded – and just a little bit intimidated!

On receipt of a device for assessment at our Cape Town office, the first priority is to protect the integrity of the device.

That means immediately placing it into a Faraday cage. A Faraday cage is a mesh construction that will prevent the handset from receiving or sending any signals (so that it can’t be remotely wiped for example) and so that it cannot log onto any wireless access points. Once this is done, the phone is charged by a clean power source to get the battery to 100%. 

With a fully charged battery and Faraday cage done, it’s time to get to work. This is where the tricky part starts. There are many different software and hardware processes that can be used to recover deleted information and hidden data from the handset. Sure, there are many programs available over the internet for around $50 that can recover the odd deleted photo – but that’s not we’re after.

We are talking about using state of the art technology that for a mere start bypasses passwords and screen locks on the majority of handsets. Typically, an android phone needs to have USB debugging mode active – without this option enabled you can’t go further (and without the pass code to the handset you can’t enable it).

The latest software and hardware in cellular forensics however doesn’t require this as it reads beyond the password immediately. With that little snag out of the way, it’s down to reading what’s on the phone.

With the software that we use, we’re able to move directly to a complete clone of the handset as an image file and can then switch off the phone. The clone file is a perfect copy of the handset and will allow us to interrogate and unlock hidden files, system files and of course deleted items. 

In the office test unit for example, we recovered images, video, sms messages, whatsapp messages and of course cellular tower information. Information highlighted the exact positioning of the cellular phone when photographs were taken, identified wifi hotspots that were used and the passwords used to access them. We also recovered facebook and other social media data including passwords and activity logs. 

Within the scope of a full forensic assessment we are also most often able to identify missed calls made and received as well as usernames and passwords to dropbox accounts, gmail etc.  

What cellular forensics software do you use?

We're often asked two questions, firstly "Can I watch while you work" - unless it's a pre-arranged demonstration or approved media function the answer is no, much like a mechanic wouldn't want you over his shoulder while reconditioning an engine. 

The second questions is of course - what forensic software do you use? Well, that's a hard one to answer. We use a combination of several products that are physical hardware and then of course software based for reporting. The hardware is where the real work takes place. Don't be fooled by "cheap" internet offers of magic hardware - if it's too good to be true, it probably is. Our equipment is imported under licence into South Africa and we use a variety of tools to cross verify our results. If you have a particular need or are considering acquiring hardware and software for an internal practice, by all means give us a call and we will advise accordingly

For bona fide investigators and attorneys, we are able to provide "sample" reports which will indicate the depth of information available during forensic assessment. Please contact us directly for further information.