Mobile Forensics Trends for 2013 - Cellebrite’s Panel Predictions (White Paper)



Cellebrite asked six of its most influential customers to weigh in on how evolutions in mobile technology, legal, regulatory and legislative landscapes will impact forensic examiners’ efforts throughout 2013.


  1. 1. THE YEAR AHEAD FOR MOBILE FORENSICS
     Cellebrite’s Panel Predictions for 2013

     A decade after law enforcement first realized that evidence could exist on cell phones, the mobile forensics discipline has evolved as fast as, or arguably slower than, the technology whose data it was born to extract. Corporate legal teams and private investigators have caught on to mobile evidence’s relevance to civil litigation. And accelerating smartphone and tablet use has sparked debate over data security and privacy issues.

     Cellebrite asked six of its most influential customers to weigh in on how evolutions in mobile technology, legal, regulatory and legislative landscapes will impact forensic examiners’ efforts throughout 2013.

     Eoghan Casey is founding partner at CASEITE, a service provider that specializes in complex digital forensics, incident response including network intrusions with international scope, and cyber security risk management. Casey also supports forensic R&D at the DoD’s Cyber Crime Center (DC3/DCCI). An instructor/researcher at Johns Hopkins University’s Information Security Institute, he also authored the book “Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet.” He is a SANS Institute Senior Instructor who developed and teaches the Mobile Device Forensics (SANS FOR563) and the new Advanced Smartphone and Mobile Device Forensics (SANS FOR564) courses. His experience drove his assessment of how mobile will impact the enterprise in the coming year.

     John Carney is Chief Technology Officer at Carney Forensics in St. Paul (Minnesota). Attorney-at-Law at Carney Law Office and counselor-at-law admitted in the State of Minnesota and the US District Court for the District of Minnesota, he is a strategic evidence consultant and expert witness who previously worked for 30 years as a software engineer, systems architect and IT consultant. His insights on technology and the law informed his predictions in this paper.

     Cindy Murphy has nearly 28 years in law enforcement. A Madison (Wisconsin) police detective and part-time SANS Institute FOR563 – Mobile Device Forensics instructor, she has been involved in the digital forensics profession since 1999. For this paper, she provided perspective on how mobile apps and malware will impact law enforcement and trial courts.

     Heather Mahalik is mobile forensics technical lead at Basis Technology and a SANS Institute Certified Instructor, where she authors and teaches FOR563 – Mobile Device Forensics. Her experience as a government contractor centered her trend predictions on encryption, apps, and mobile storage issues, all affecting how forensic examinations are performed.

     Paul Henry, principal at vNet Security and a SANS Institute Senior Instructor, has worked in the fields of network security, incident response, digital forensics and virtualization for 15 years. These specialties provided a future view of the still-developing “bring your own device” (BYOD) trend, mobile malware, and well-rounded forensic examinations.

     Gary Kessler is associate professor at Embry-Riddle Aeronautical University, adjunct professor at Australia’s Edith Cowan University, and a member of the ICAC Northern Florida Task Force. Previously, he founded and directed Champlain College’s Master of Science in Digital Forensic Management program. His breadth and depth of experience both at home and abroad gave rise to his insights about legal and technology trends.
  2. 2. Trends, and challenges, on the mobile forensics horizon

     Mobile apps—more specifically, the data stored within them—will become more relevant in investigations this year. Pointing to apps like WhatsApp Messenger, Kik Messenger, Text Free, Go SMS Pro, and SnapChat, Carney says this is partly because mobile messaging apps are cannibalizing service providers’ revenues for text messaging.

     But these apps aren’t the only sources of evidence. “Whether it’s mobile messaging apps, or personal navigation apps, or social media apps, or productivity apps, or mobile payment apps, or any other category, apps are going to dominate in 2013,” said Carney.

     Both Mahalik and Murphy pointed out that the more apps there are and the more data they contain, the more extensive file systems will become. That will lengthen forensic examinations. Mahalik added that some app data could be stored or encrypted in such a way that renders it difficult to access.

     This may impact investigators dealing with the BYOD trend, which got underway in 2012. “Corporate IT has not been able to stop the onslaught of consumer device use in the enterprise,” said Carney. “As a result, keeping personal evidence separate from corporate evidence on the same mobile device is proving to be a real challenge.”

     TRENDING

     Other expected trends include:

       • A continued shift away from logical to physical mobile examinations. “One of the biggest problems in the legal system is that we are not being thorough enough,” said Henry. “Physical analysis is much more thorough and can recover a much greater amount of data.”
       • Mobile’s increasing relevance to civil litigation and e-discovery, said Carney, as more responsive evidence – data and communications – is found on mobile devices.
       • All panelists agreed that 2013 will be the year mobile malware becomes prevalent. Casey added that the growing quantity and sophistication of malware will lead to more complex intrusions into smart phones targeting sensitive data, creating challenges for investigators and computer security professionals.
       • Increased use of mobile evidence visualization in reporting and in the courtroom, especially timelines, maps, and social graphs and activity analytics “to explain the people aspect of the evidence,” said Carney.
       • A greater need for non-vendor-specific mobile forensics training and certifications.
  3. 3. These issues come bundled with challenges to practitioners. “This quickly changing field means that training, software, and equipment needs are also always changing,” said Murphy.

     Kessler put this into context, observing that phones contain more probative evidence per byte of data than computer hard drives do. “In many cases a full physical extraction can take hours on a single phone,” he explained. “This will continue to be exacerbated as people purchase bigger smartphones; it takes less time to image a one-terabyte hard drive than it does to acquire a 60GB phone.”

     To meet these needs, mobile forensics tools must be well engineered, which raises their cost. “The Vermont ICAC spends more on one mobile workstation than on one computer workstation,” Kessler noted. Yet budgets, in both the public and private sectors, are not keeping pace—and the situation isn’t expected to improve.

     This is confounded, according to Carney, by the hard-to-quantify “opportunity cost of time that examiners need to install, configure, and validate new tools given the pace and amount of innovation.”

     Evolutions in mobile security, apps development and storage, and their impact on mobile forensics

     Carney believes that mobile device security will evolve into its own this year. “It took years and a lot of pain and data loss for anti-virus, anti-spyware solutions to become common, even popular, on personal computers over a decade ago,” he said. “But now, with the increase of malware, especially on Android platforms, we have reached a tipping point. Even some consumers are beginning to understand the need for mobile security and backup/sync solutions on their devices and I expect this trend to accelerate in 2013.”

     That’s because consumers and their employers have begun to learn hard lessons about mobile apps’ lack of security and privacy, especially as mobile app developers rush to market without adequately testing their apps. “With mobile devices all over the enterprise, security is just not up to par and it needs to be paramount,” said Henry.

     However, this could lead to additional frustration for mobile forensics examiners. “Expect to see more encryption of data on smartphones to protect personal privacy and corporate data, which will make forensic examination more challenging,” Casey warned.

     Ranking the trends in mobile forensics for the year ahead

     Two of the most important issues facing the mobile forensics industry, according to panelists’ survey rankings, are 1) critical data stored in apps as well as on mobile devices; and 2) password, encryption, prepaid, and other technology limiting examiners’ ability to obtain
     These items each ranked in panelists’ top three.

     Of somewhat lesser importance were the rapidly evolving regulatory and legislative landscape, helping investigative professionals understand those evolutions, mobile e-discovery, BYOD, and issues related to closed Apple security and the open Android platform.

     On the bright side, said Carney, addressing oversights in the app development lifecycle could help secure both user and corporate data. “The real issue with insecure and exposed mobile app data is failure
  4. 4. to comply with federal privacy statutes and regulatory frameworks like HIPAA, Gramm Leach Bliley, FERPA, and others,” he explained. “Also, compliance with state data privacy breach statutes is in jeopardy, especially as Congress considers enacting a national data privacy statute.”

     Also affecting mobile security and privacy: storage. Murphy believes that the trend toward cloud storage will continue, with the result that at least some evidence might exist off-device. However, Carney cautioned, “The canary in the mine on cloud-based mobile storage will be iPhone-to-iCloud automated backups. Likely only a minority of iPhone users do it today, but it will grow. I don’t see it for the majority of Android users any time soon because third-party backup apps must be selected, installed, configured and tested. Google will, however, sync contacts, calendars and settings automatically after the user connects the device to his or her Google account.”

     2013: the year of mobile malware?

     Both as a subset of BYOD and on their own, malware and spyware are also expected to become more prevalent this year. Casey predicts more varied, prevalent mobile malware whose payloads will include data destruction, denial of service, data theft and espionage, while Carney anticipates specific types of attacks. “We will see an increase in viruses on mobile, spyware on mobile, phishing and smishing (SMS phishing) attacks, and all assortment of hacks, data loss, and incidents needing effective responses,” he said.

     Likewise, Henry stated, “We are going to see more malware and more of it targeting enterprise credentials. Mobile malware in the corporate environment will be a huge problem in 2013. Phishing attacks will continue to be the number one way to infect systems. Vishing will also increase as a result of VoIP usage.”

     Henry added, “BYOD equals BYOM (bring your own malware). While 80% of companies are permitting BYOD, only 20% have policies in place. In addition, we’ve seen a spike in Android malware. Forensics professionals are going to have to be able to handle these compromised devices.” Casey added, “Individuals and employers can best prepare to respond to mobile malware by treating smartphones with the same level of care, policies and security measures as other computers they use to communicate, conduct business, and support financial activities and health care. In other words, implement security measures but be prepared for the worst by having an incident response plan that includes smartphones.”

     Besides the enterprise, malware will affect law enforcement investigations, said Murphy. “I anticipate that mobile malware will closely follow the path of ‘traditional’ non-mobile malware,” Murphy said, “and that the intended uses will be very similar: 1) steal money, 2) steal information, 3) invade privacy.”

     Smartphone market share, consumer usage and investigations

     Android™ took 75% global market share in Q3 of 2012, and according to comScore, more than half of the US market share in Q4 (although Kantar Worldpanel ComTech data shows an Apple lead in the US for the same period). BlackBerry®’s share has been slipping for some time, but is still the preferred enterprise solution for many public and private sector organizations. What will these trends mean for mobile forensics in 2013?

       • Android will continue to come on like gangbusters in 2013, for both high end, consumer smart phones, and down-market pre-paids.

     Continued on next page
  5. 5. She anticipates an increase in malware and spyware used in stalking, identity theft, and as a defense against crimes like possession of child abuse images.

     This is profound considering Carney’s observation that most of the current spyware detection tools are not forensically sound. “The non-forensic solutions available from leading antivirus, anti-spyware commercial vendors (Lookout, Kaspersky, Symantec, Bullguard, etc.) are not sufficient for our rigorous requirements to preserve mobile device evidence,” he says.

     One specific area where mobile malware could have a serious impact: mobile payment strategies. “The emerging use of mobile devices as currency substitutes for credit cards, ‘mobile payments,’ has great potential to become a big, bold target for malware,” said Carney. “Malware and other hacks used to perpetrate fraud in consumer commerce could seriously curtail the emerging role of mobile devices in mobile payment strategies.

     “Mobile device forensics may serve as an early and effective, if only reactive, deterrent from a criminal justice perspective,” Carney continued. “But, mobile testing and validation responsibly performed by app developers before launch is clearly the more proactive approach for secure mobile payments.”

       • Apple’s iDevices will continue to be extremely popular. (Carney) Keep in mind the bulk of bandwidth is still being used on Apple (Henry)
       • BlackBerry’s decline will continue, even regardless of OS10’s anticipated release. Email is still vulnerable via BlackBerry servers, and no one is writing BlackBerry apps. (Kessler) BlackBerry devices will continue to be a major target of attacks as long as they are used by government organizations and corporate enterprises. (Casey) Also, even if BlackBerry sales trail off, they will remain an important legacy device due to their long-time popularity. (Carney)
       • Windows Phone is the real wildcard in
         The platform may gain market (and app developers’) mind share especially if Windows 8 tablets become significant. (Carney) Windows Mobile together with Android, iOS and even counterfeit “knock-offs” will continue to dominate the industry. (Mahalik)

     FUTURE THINKING

     Could Windows 8 merge computer and mobile forensics disciplines?

     “I believe Windows 8 could provide the first real impetus for a merger of the two disciplines, computer forensics and mobile device forensics,” said Carney. “Microsoft has enlarged Windows 8 support of traditional computing platforms, like laptops and servers, to embrace post-PC computing platforms as well. Will Windows tablets look to us forensically like hard drives and vice versa? What impact will a completely solid state device environment have on Windows forensic examinations?”

     On the other hand, Murphy thinks the disciplines have already merged. “It began with micro SD storage cards and has continued as examiners use traditional tools along with mobile forensic tools to get the most out of their examinations,” she explained.

     However, Carney believes tablets may take this concept a step further. “We are talking about the whole device, not just a memory add-on,” he said. Casey agrees. “I anticipate more users combining their phone and tablet usage into a single mobile device,” he said. “This will make these devices more important as sources of evidence (perhaps the sole source of evidence in some cases).”
  6. 6. Legal, regulatory and legislative impact on mobile forensics

     Carney noted that mobile device search and seizure issues are too unsettled to project how they will ultimately affect the mobile forensics industry. However, he believes two specific issues are important to watch: global positioning systems geo-data, especially tracking devices; and privacy and liability concerns regarding access to employee owned mobile devices (BYOD), which confound the corporate legal department,” he added.

     Courts, too, are struggling. Both Murphy and Kessler believe that judges, prosecutors and police need better education about the evidence that mobile devices contain, the extent to which they contain it, and what this means for privacy and pretrial discovery.

     “Lawmakers and judges both seem to be looking at cell phones much more critically than they did computers, but because few understand the nature of the technology, they are proposing laws and making rulings that err too greatly on the side of caution,” said Kessler. Casey added, “I anticipate that courts will continue to react against investigative haste and missteps, as they have done with other sources of digital evidence in the past. Privacy concerns are heightened by the personal nature of mobile devices, which accompany people wherever they go and enable investigators to reconstruct movements, communications, and other personal details.”

     These issues have led to an unpredictable, constantly shifting legislative and regulatory environment. As Murphy pointed out, criminal and civil courts at various levels across 50 states are not likely to come up with consistent rulings this year. Henry has noticed a similar trend. “Legal decisions mostly depend on geographic boundaries, and differ from state to state,” he said. “In more traditionally liberal states we are seeing a greater erosion of privacy rights, and in other states there has been greater push back.”

     However, Murphy is optimistic that it will settle. “As the courts become more aware of technology and privacy issues, they will make more well-reasoned decisions about the legal ramifications of search and seizure, acquisition and analysis,” she said.

     This will be shaped partly by the regulatory environment, which is also in flux. Carney questioned whether digital forensic examiners might be required to be licensed in more states, or even by the federal government one day; whether labs could be inspected and qualified against uncertain criteria; and whether examiners might be required to obtain non-vendor-specific, mobile forensic certifications that do not yet exist.

     Murphy agreed. “Regulators don’t seem to make decisions with practitioners’ perspective in mind,” she explained. “One size fits all solutions are impossible
  7. 7. to find, but everyone seems to be looking for them.” Thus Casey believes more than just decision-makers have a duty in this area. “Mobile forensics professionals will have to keep updated on privacy protection legislation and data breach regulations,” he stated, “in much the same way as other forensic professionals have to be aware of these issues. More stringent requirements will put more constraints on mobile forensic practitioners, and require digital investigators to have greater awareness of the privacy issues associated with data on mobile devices.”

     Planning for mobile evidence’s relevance to litigation and e-discovery in the coming year

     Legal issues from mobile evidence extend to civil litigation, as well. “Mobile device forensic examiners are now challenged to find new ways to load their mobile data from phones and tablets into litigation support and e-discovery systems,” said Carney. “The challenge, of course, is not just the data load, but more importantly, formatting, tagging, and structuring the data such that it will support important, new e-discovery capabilities like early case assessment (ECA) and predictive coding.”

     Carney continued, “Organizations can plan for the coming onslaught of mobile device evidence by educating themselves on mobile as a new, relevant and probative form of evidence that will shape civil litigation in coming years. Organizations can begin evaluating and selecting mobile device forensic tools that have the promise to integrate well with litigation support and e-discovery tools in meaningful ways during the coming New Year and beyond.”

     “E-discovery experts need to be just as trained on mobile devices as computers,” said Mahalik. “Most companies provide cell phones to employees and these are often a part of the investigation. Unique data could be missed if the mobile device is handled improperly.” To this, Casey added: “The industry should resolve to provide stronger capabilities for enterprise-wide smartphone investigations to support the investigation of data breaches targeting smartphones and the needs of e-discovery. In addition, organizations should seriously consider data protection and retention on mobile devices to manage the risks associated with data breach and e-discovery.”

     “This will grow rapidly this year due to the blind adoption of BYOD,” said Henry. “We will also continue to see more mobile data with regards to litigation in the coming year. Mobile forensics is growing and it will continue to become a more profitable venture moving forward.”
  8. 8. How mobile forensics tools and practices should evolve in 2013

     Murphy believes that forensic tools and practices will continue to evolve to fit immediate needs, “close on the tail of technological and legal changes in the mobile device world,” she said. Mahalik agreed. “The tools are always playing catch up to the fast paced device releases and this will continue,” she said.

     “Support for Windows Phone 7 and 8 is limited and will need to improve,” Mahalik added. “Practices are going to have to include bypassing more passwords / locks and device encryption. [Vendors should also] focus on supporting one device to the best of their ability. For example, if iOS support is your main goal, support all aspects of it (logical, file system and physical). Don’t partially support it.”

     On a related point, Carney seeks real forensic solutions for mobile spyware “before the need outpaces our capabilities as examiners. I know of only one tool that lightly supports the forensically sound detection of just a few mobile spyware apps,” he said. In addition, he sees mobile app support as “the new measuring stick for mobile device forensic tools’ superiority.” Casey, meanwhile, wants to see more capabilities to support investigation of data breaches and malware-related incidents.

     On the other hand, Carney sees the recent and growing emphasis on advanced visualization as a positive step. “Basic support for timelines took great leaps forward during 2012,” he explained. “Even rudimentary geo-data and map visualizations appeared in 2012. I think we’re going to go much further in 2013.

     “And I’m quite excited about the activity analytics and social graphs that I’m seeing coming out of phone contact data as integrated with profiles from mobile apps and other important mobile data,” Carney continued. “This visual information is going to allow us to get the big picture and discover quickly who the significant custodians and actors are in the case. Mobile device forensic tools are going to help us get that big picture more effectively in 2013.”

     Henry believes this will only be possible if the industry abandons basic logical analysis and agrees only to perform full physical analysis of devices.

     Most broadly, however, mobile forensics practitioners must keep a close eye on manufacturers’ development trends. Says Gary Kessler: “It’s incumbent on both tool vendors and forensic examiners to keep up with, if not stay ahead of, the manufacturers.”
  9. 9. The Questions

     1. In your opinion, what are the biggest mobile forensics trends on the horizon for 2013?
     2. Rank the following trends in mobile forensics for the year ahead 1-6, in order from most to least important, with 1 being the most important:
        __ Critical data stored not only on the device but in apps as well
        __ Device passwords, encryption, prepaid versions, and other technology posing obstacles for law enforcement and private sector investigative professionals
        __ Challenges with new closed security on Apple devices; conversely, challenges with open platforms such as Android
        __ Upcoming digital forensics regulation and legislation, and how it may impact mobile investigations
        __ Helping law enforcement, corporate security and legal professionals stay abreast of trends, precedents and technology affecting mobile devices as “witnesses” in criminal and civil investigations
        __ Other (Add one trend not listed above)
     3. If there is a New Year’s resolution the mobile forensics industry should make, what should it be?
     4. What are the biggest challenges facing mobile forensics professionals in 2013?
     5. How will the evolving regulatory and legislative environment in the areas of digital forensics, electronic communications and privacy impact the mobile forensics industry in 2013?
     6. How do you anticipate mobile security, apps development and storage evolving in 2013, and what impact will these advancements have on mobile forensics?
     7. How do you anticipate mobile forensics tools and practices evolving in 2013?
     8. Android took 75% market share in Q3 of 2012. Apple’s and BlackBerry’s leads are slipping. What other changes do you anticipate in the mobile market in 2013? How do you anticipate these trends affecting usage—and thus investigations?
     9. How do you anticipate courts deciding cases on the seizure, acquisition and analysis of cell phone evidence, and what effect will these decisions have on the mobile forensics industry in the year ahead?
     10. What trends do you anticipate regarding mobile malware: its genesis, impact and how criminals will use it? How can individuals and their employers best prepare to prevent and respond to mobile malware?
     11. How should organizations plan for mobile data’s relevance to litigation and e-discovery in the coming year?
  10. 10. About UFED

     from thousands of legacy and feature phones, smartphones, portable GPS devices, and tablets with ground-breaking physical extraction capabilities for the world’s most popular platforms – BlackBerry®, iOS, Android, Nokia, Windows Mobile, Symbian and Palm and more.

     ESN IMEI, ICCID and IMSI information and more.

     About Cellebrite

     Founded in 1999, Cellebrite is a global company known for its technological breakthroughs in the cellular industry. A world leader and authority in mobile data technology, Cellebrite established its mobile forensics division in 2007, with the Universal Forensic Extraction Device (UFED). Cellebrite’s range of mobile forensic products, UFED Series, enable the bit-for-bit extraction and in-depth decoding and analysis of data from thousands of mobile devices, including feature phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets.

     Cellebrite’s UFED Series is the prime choice of forensic specialists in law enforcement, military, intelligence, corporate security and eDiscovery agencies in more than 60 countries.

     Cellebrite is a wholly-owned subsidiary of the Sun Corporation, a listed Japanese company (6736/JQ)

     www.ufedseries.com

     BlackBerry® is a registered trademark of Research in Motion (RIM) Corp. Android™ is a trademark of Google Inc. iPhone® is a trademark of Apple Inc., registered in the United States and other countries.

     HEADQUARTERS: Cellebrite Ltd., 94 Em Hamoshavot St., Petah Tikva 49130, Israel. Tel: +972 3 926 0900, Fax: +972 3 924 7104
     USA: Cellebrite USA, Inc., 266 Harristown Rd., Suite 105, Glen Rock, NJ 07452, USA. Tel: +1 201 848 8552, Fax: +1 201 848 9982
     GERMANY: Cellebrite GmbH, Am Hoppenhof 32a, 33104 Paderborn, Germany. Tel: +49 52 51 54 64 90, Fax: +49 52 51 54 64 9

     © 2013 Cellebrite Mobile Synchronization LTD, All rights Reserved