Digging for Data, Finding Evidence in Third-Party Applications
With the global smartphone market expected to total 1.75 billion users this year [1], it is rare for an investigator to conduct a digital forensic investigation that does not include a smartphone. While smartphone forensics has vastly improved over the years, third-party apps are making it increasingly difficult for investigators to find data. As a result, valuable evidence is being overlooked.
Smartphones have grown in popularity because of the functionality they offer users. However, the default applications on these devices are usually not enough for today’s consumers. To achieve the added functionality that makes smartphones so desirable, users are turning to third-party apps.
For example, third-party apps can quickly become a more affordable workaround to costly communication services, or a way to communicate when standard methods are not available. Consider the popular third-party communication app Tango: this free app allows users to chat from their phone without using up their allotment of minutes. Because Tango does not require an active data plan, users can buy an iPhone or Android device off eBay without ever activating it. Over Wi-Fi alone, the Tango app lets users communicate as if they had a data plan (without the fee).
If an investigator were to examine a smartphone with Tango in use, the default location where call logs are stored would appear to be empty. Without knowing where to look for data, potentially valuable evidence would be missed. This is a common scenario when conducting an investigation on smartphones when third-party apps are in use.
While users enjoy the additional capabilities third-party apps provide, those apps create big headaches for investigators, who must dig deeper into the file system to find application data.
Finding Third-Party Application Data
When conducting a digital forensic investigation involving a smartphone, a common misconception is that if a tool is not pulling data out of a database file, there is no data, or that the data is encrypted and can't be interpreted. In reality, the tool is often simply not looking in the correct location, or cannot properly decode the data it finds.
While all third-party apps store data in an application folder, how the data is stored varies greatly depending on the device itself. Android devices commonly have the added ability to store information on an SD card. Couple this with the fact that users can often change the default location where information is stored, and tools frequently miss information: a tool may check the default location of a well-known app and miss the important data because of the changes the user made. While the iPhone does not offer an SD card, there may still be ways for the user to change default locations, or the application itself might change the way it saves information from one version to the next.
The files may contain login information, chat history, picture files, file transfers, and more. If an investigator is examining a smartphone for contacts, call logs, and SMS, the location of the data will vary depending on the device and the third-party app. If the investigator does not know where to look, the information will not be pulled.
For example, data pertaining to the Tango application may be encrypted on some devices (iPhone 5s) and base64 encoded on others (Samsung Galaxy S III). How the data is stored for this application depends upon the device, the operating system, and the version of the app. As new versions are released, protection of the data may increase, which makes recovering the data even more difficult. Most of the relevant data for Tango is in the .sgiggle directory in the TC.db file. This data must be examined for relevance, especially if the forensic tool does not present its content.
If an examiner has the ability to use different tools, it’s highly recommended. Just like traditional hard drive forensics, there is no ONE tool that will gather all the information. If an examiner has access to different mobile forensic tools, it may be worthwhile to run them. Chances are at least one of them will point the investigator in the right direction and provide clues as to where to find the data. Investigators can compare the outputs of different tools and see what was missed and refocus the investigation if necessary.
Knowledge Is Important
Third-party apps are forcing investigators to open their eyes to a whole different data set, one most people don't associate with smartphones. Investigators must know how to access this information in order to obtain that evidence. While there are tools available that do a really good job of pulling third-party app data, these tools typically focus on the most popular apps. With new apps coming out every day, it is increasingly difficult for vendors to keep up. While vendors work hard to ensure their tools are locating and pulling data, they are often unaware that they are missing data until someone points it out or finds it through manual methods. Manual examination is recommended as the most reliable way to find data.
While the process of manual examination is complex and time-consuming, digital forensic courses are available that help investigators along the way. Vendor-neutral courses that review the most popular extraction tools, demonstrate what data these tools are missing, and show where to even begin a smartphone investigation are very valuable. Hands-on training is also essential, especially when it comes to learning how to manually extract data missed by the tools. These training courses make it easier for investigators to look for data that tools are missing, and they educate attendees on how data is stored, how to make it readable, and how it is all tied together. With new third-party apps continuing to be introduced, it is important that investigators seek out current, up-to-date training to ensure a thorough digital forensic investigation. For those who aren't interested in training or can't afford it, download the third-party app onto a test device of the same make and model and populate it with as much data as possible. Once there is a sufficient amount of data on the device, try to reverse engineer it and manually look to see where the data is stored. Be sure to use a test device to avoid damaging the evidence device or destroying the evidence.
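The "populate a test device, then go find where the data landed" approach above, and the earlier point that an app may base64-encode what it stores (as Tango does on the Samsung Galaxy S III), can both be exercised with a small triage script. The following is an added example, not code from the article or from any tool it mentions: it builds a constructed file-system dump containing a toy chat database (the app name com.example.chatapp, the table "msgs" and its columns are invented for the example; they are not Tango's real schema, which lives in .sgiggle/TC.db), then finds every SQLite file by header rather than by extension, walks every table and column, transparently decodes base64 cells, and reports where a marker string the examiner planted shows up. Databases are opened read-only so the triage cannot alter the dump.

```python
import base64
import binascii
import os
import pathlib
import sqlite3
import tempfile

# Every SQLite 3 file starts with this 16-byte header, whatever its extension.
SQLITE_MAGIC = b"SQLite format 3\x00"


def find_sqlite_files(root):
    """Walk an extracted dump and return paths whose header is SQLite's magic."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC:
                        hits.append(path)
            except OSError:
                continue  # unreadable entries are skipped, not fatal
    return sorted(hits)


def try_base64(value):
    """Return the decoded text if value is base64 wrapping printable UTF-8, else None."""
    if not isinstance(value, str) or len(value) < 4 or len(value) % 4 != 0:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None


def search_database(path, needle):
    """Return (table, column, rowid, text, was_base64) for every cell containing needle,
    matching both raw text and text recovered by base64-decoding the cell."""
    matches = []
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"  # read-only open
    conn = sqlite3.connect(uri, uri=True)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            for row in conn.execute(f'SELECT rowid, * FROM "{table}"'):
                rowid, cells = row[0], row[1:]
                for col, cell in zip(cols, cells):
                    decoded = try_base64(cell)
                    text = decoded if decoded is not None else cell
                    if isinstance(text, str) and needle in text:
                        matches.append((table, col, rowid, text, decoded is not None))
    finally:
        conn.close()
    return matches


def locate_planted_data(root, needle):
    """Map each database (relative to root) to the cells where the planted marker appears."""
    results = {}
    for db in find_sqlite_files(root):
        hits = search_database(db, needle)
        if hits:
            results[os.path.relpath(db, root)] = hits
    return results


def build_sample_dump(root):
    """Construct a toy dump (not a real app's layout): one database whose message
    bodies are base64-encoded, plus a decoy text file that must be ignored."""
    app_dir = os.path.join(root, "data", "com.example.chatapp", "databases")
    os.makedirs(app_dir)
    conn = sqlite3.connect(os.path.join(app_dir, "messages.db"))
    conn.execute("CREATE TABLE msgs (id INTEGER PRIMARY KEY, peer TEXT, body TEXT, ts INTEGER)")
    planted = [("alice", "planted by examiner 1", 1400000000),
               ("bob", "see you at 5", 1400000100),
               ("alice", "planted by examiner 2", 1400000200)]
    for peer, body, ts in planted:
        enc = base64.b64encode(body.encode("utf-8")).decode("ascii")
        conn.execute("INSERT INTO msgs (peer, body, ts) VALUES (?, ?, ?)", (peer, enc, ts))
    conn.commit()
    conn.close()
    with open(os.path.join(root, "data", "notes.txt"), "w") as fh:
        fh.write("not a database\n")
    return root


def demo():
    """Build the constructed dump in a temp dir and locate the planted marker."""
    root = build_sample_dump(tempfile.mkdtemp())
    return locate_planted_data(root, "planted by examiner")


if __name__ == "__main__":
    for db, hits in demo().items():
        for table, col, rowid, text, was_b64 in hits:
            print(f"{db}: {table}.{col} rowid={rowid} base64={was_b64}: {text!r}")
```

On a real extraction, point locate_planted_data at the root of the dump and pass the exact text you typed into the test device; the hits tell you which database, table and column an app writes to, and whether it encodes the value, which is precisely the knowledge a tool that only knows the app's default path lacks. Encrypted stores (the iPhone 5s case in the article) will not surface this way, since the marker never appears in decodable form; that absence is itself a useful finding.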
As third-party apps become increasingly popular, the impact they have on investigations is substantial. To stay current and ensure cases are not compromised as a result of missed evidence, investigators must take the time to learn how and where to find third-party app data. In doing so, investigators' skills will be in greater demand, as they will be able to find critical evidence that others are overlooking.
Heather Mahalik works for Basis Technology, where she focuses on digital forensics. She is the lead author and instructor for the SANS Institute's FOR585 Advanced Smartphone Forensics course. Cesar Quezada works for Basis Technology on client sites, where he focuses on mobile device forensics.