CFL Conquers Mobile Device Barriers

Smart phones awaiting examination at the DC3 Cyber Forensics Laboratory. Examiners must have specific knowledge regarding each mobile device to perform acquisition and data recovery in a forensically sound manner. Without the appropriate skill set, a digital forensic examiner is at risk of making mistakes that could miss or even destroy important data. (Photo by Stephen Murphy)

By Stephen Murphy, DC3 Public Affairs

So far during fiscal year 2019, law enforcement and other cyber forensics customers have submitted more than 500 cellphones and other mobile devices to the DoD Cyber Crime Center (DC3) Cyber Forensics Laboratory (CFL) for examination.

Despite the challenges associated with extracting data from mobile devices, the CFL has successfully retrieved data from more than 90 percent of the devices received.

“CFL’s mobile device acquisition success rate is due in part to the use of COTS (commercial-off-the-shelf) tools and our extremely specialized examiners,” said David Lutzow, CFL Chief of Imaging and Extraction. “They are trained in advanced non-destructive and destructive processes such as Rooting, JTAG (Joint Test Action Group) and Chip-off procedures.”

Mobile devices include a wide variety of apparatuses and technologies such as smart phones, smart watches, tablets and navigation devices. Such devices often contain a wealth of data relevant to investigations including text messages/SMS messages, downloads, deleted files, call logs, contacts and GPS/location.

Mobile device forensics is a specific area of digital forensics that requires knowledge that exceeds basic digital forensics. Examiners must have specific knowledge regarding each mobile device to perform acquisition and data recovery in a forensically sound manner. Without the appropriate skill set, a digital forensic examiner is at risk of making mistakes that could miss or even destroy important data.

One of the main challenges for examiners arises from manufacturers continuously updating their operating systems and security architectures. This makes it difficult to create a single method or tool to take on the constantly changing world of mobile device forensics.

“CFL’s biggest challenges are companies that develop devices with encryption already enabled and users that create alpha-numeric passwords,” said Lutzow. “When doing so, there are [effectively] an infinite number of possibilities and our brute force attempts to gain access to the mobile device can run for months, if not years.”

Brute force is an automated method used to decode encrypted data such as passwords or Data Encryption Standard keys. Brute force calculates every possible combination that could make up a password and then tries each one until the device is unlocked.

Of the more than 500 mobile devices received thus far by the CFL during the fiscal year, 246 were locked. The CFL examiners successfully acquired data from 188, or 76 percent, of these devices. The CFL currently averages about 91 days to “brute force” mobile devices.

“The emphasis placed on electronic privacy versus the need to exploit mobile devices, which can be historical archives of criminal activity, presents a daily challenge to digital/multi-media labs, worldwide,” said Cyber Forensics Laboratory Acting Director Mike Ricucci. “As the vendors harden their phones to ensure that the data is 'secure', forensic tool manufacturers are attempting to circumvent these safeguards in order to obtain the information.

“Regardless of the technology used, or subsequently bypassed, it is still the experience and technical expertise of the examiner that drives the analysis. Both incriminating and exculpatory information may be found in the device. It is our examiners’ responsibility to present all of the evidence to the case agent for consideration.”

According to the Pew Research Center, a nonpartisan American fact tank based in Washington, D.C., 96 percent of Americans now own a cellphone of some kind. The share of Americans that own smartphones is now 81 percent, up from just 35 percent in Pew Research Center’s first survey of smartphone ownership conducted in 2011. Along with mobile phones, Americans own a range of other information devices. Nearly three-quarters of U.S. adults now own desktop or laptop computers, while roughly half now own tablet computers and roughly half own e-reader devices.

As the number of users increases and the technology advances, so will the challenges faced in the world of mobile device forensics.

For more information about CFL, visit https://www.dc3.mil/digital-forensics.