The Center for Education and Research in Information Assurance and Security (CERIAS)

Targeted Forensic Data Extraction from Mobile Devices

Principal Investigator: Umit Karabiyik

With the rapid growth of mobile devices, it is becoming common for law enforcement to need to seize and conduct forensic analysis on such devices. These mobile devices now hold so much data that they have in essence become personal data repositories, and the privacy of this data is a reasonable concern. A recent ruling of the US Supreme Court (Riley v. California, 573 U.S. [2014]) and subsequent rulings arising from this landmark case indicate that, in order to search a cell phone, it may not be enough to have a warrant for the search; it may also be required to restrict the search to the specific items on the device that relate to the crime being investigated. It is a challenge to do this selective data extraction in an effective and forensically sound manner, and we know of no open source or even commercial tools that can support this. Although commercial tools such as Cellebrite [1] have great utility, they are not easily usable by first responders and they do not do much automatic content analysis of file data. In fact, in [2] it is indicated that the backlog of files needing expert analysis may be up to four years, and the authors propose to train first responders to use a field triage process.

The goal of this project is to develop a prototype software system that can do targeted data extraction from mobile devices (iOS- or Android-based) in a forensically sound manner, driven by input provided by either a first responder or a forensic examiner. The system would run on a laptop and would connect to a mobile device. The input provided could be based either on consent or on a warrant. Our software system would reduce the number of files collected through analysis of both the file metadata and the content of the files. The forensic soundness of the system processes would be developed using the eDiscovery reference model (EDRM) [3] as well as the dynamic/live analysis forensic techniques being proposed for network and cloud forensics [4, 5]. Essentially, we validate the processes performed by our system rather than rely on traditional dead forensic approaches, which are not appropriate for such mobile device analysis.

The goal for our targeted extraction system is thus to: (1) collect significant relevant data related to the crime; (2) substantially filter the number of files that need to be analyzed with the expectation that further analysis can be done much more quickly with much less demand on the investigator’s time; and (3) maintain a proper chain-of-custody approach with appropriate guarantees on evidence preservation that has probative value in a court of law.
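As an added illustration (not the project's software, which this page does not show), the following Python sketch shows the two-stage selection described above, a metadata pass followed by a content pass against a warrant scope, and the hash manifest that backs the chain-of-custody goal; the inventory layout, the scope format and every value in them are constructed assumptions.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample inventory standing in for what a device would report:
# path -> (MIME type, last-modified time, contents). All values are made up.
INVENTORY = {
    "DCIM/IMG_0001.jpg": ("image/jpeg", "2024-03-02T10:15:00Z", b"\xff\xd8\xff\xe0 jpeg bytes"),
    "sms/thread_17.txt": ("text/plain", "2024-03-03T21:40:00Z", b"bring the cash to the warehouse at 9"),
    "sms/thread_02.txt": ("text/plain", "2023-11-20T08:00:00Z", b"happy birthday mom"),
    "Notes/todo.txt": ("text/plain", "2024-03-04T07:05:00Z", b"dentist tuesday, buy milk"),
    "apps/game/cache.bin": ("application/octet-stream", "2024-03-03T12:00:00Z", b"\x00\x01\x02"),
}

# Hypothetical scope derived from a warrant or consent form (assumed format).
SCOPE = {
    "start": "2024-03-01T00:00:00Z",
    "end": "2024-03-05T00:00:00Z",
    "types": ("text/plain", "image/jpeg"),
    "keywords": ("warehouse", "cash"),
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def select_files(inventory, scope):
    """Stage 1 (metadata): keep files of an authorised type inside the time window.
    Stage 2 (content): for text, keep only files mentioning a scope keyword;
    non-text files that passed stage 1 are kept for examiner review."""
    start, end = _ts(scope["start"]), _ts(scope["end"])
    selected = []
    for path, (mime, mtime, data) in sorted(inventory.items()):
        if mime not in scope["types"] or not start <= _ts(mtime) < end:
            continue
        if mime.startswith("text/"):
            text = data.decode("utf-8", errors="ignore").lower()
            if not any(k in text for k in scope["keywords"]):
                continue
        selected.append(path)
    return selected


def build_manifest(inventory, paths):
    """Chain-of-custody record: hash each collected item at acquisition time."""
    return {p: {"sha256": hashlib.sha256(inventory[p][2]).hexdigest(),
                "size": len(inventory[p][2]), "mime": inventory[p][0]} for p in paths}


def verify_manifest(inventory, manifest):
    """Re-hash later; any path returned here has been altered since collection."""
    return [p for p, rec in manifest.items()
            if hashlib.sha256(inventory[p][2]).hexdigest() != rec["sha256"]]
```

Out-of-scope items (the old thread, the game cache, the unrelated note) never leave the device, and a later re-hash that disagrees with the manifest flags the altered item by path.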