Before we get into the types of data that we regularly retrieve from smartphones (be it an Apple iPhone, Samsung Galaxy, Google Pixel/Nexus, HTC or Motorola Moto, for example), there are a few “housekeeping” items to address or consider first. If you’re reading this, you likely stumbled across it because you searched something along the lines of “how to retrieve evidence from an employee’s smartphone”, but there are a few things that go along with such an endeavor. First and foremost, there are some questions you should consider with respect to all smartphones and your employees. Do you have a legal right to the data on the phone? The easiest way to address this is by issuing the device to the employee and not allowing them to conduct business on their own smartphone. I know there are a number of software packages that you can install on the employee’s personal device enabling you to remotely control what they do with the data, remotely wipe it, and a few other things. However, in my opinion from an evidence collection and retention perspective, they pale in comparison to actually having an unlocked smartphone in hand that is/was used by your employee or recently departed employee.
Recovering text (or TXT) messages (deleted or not), phone call logs, voicemails, pictures taken, and GPS details of where the phone has been can prove to be extremely beneficial to an investigation. These types of data can provide valuable evidence pointing towards malfeasance, and can be either wholly located on the device, or used as pieces of corroborating evidence to assist in the investigation. Another detail that’s often overlooked is what programs are installed or have been previously installed on the phone. This can lead us to look for evidence in other places or systems. Lastly (though the list certainly doesn’t end here) is the specific configuration of the device in question. This may shed some light on personal email and data that we can use. Again, provided you own the phone and entrusted it to your employee for business use, you essentially own the rights to the data contained within. If your employee ended up using their company phone for some personal matters, that may aid in the investigation as well.

Another important thing to mention here is Electronic Device Policies. It would behoove you immensely to have one of these in place specifically outlining acceptable use of the device, that you (the company) own the phone and have rights to it at any time, etc. Another item worth including in the policy is a statement that makes it clear that any attempt to overwrite the data on the device, wipe it or reset it to a factory “new” condition is a violation of the policy. As previously acknowledged in other postings we’re not lawyers, but the inclusion of an Electronic Device Policy makes sense, and I’m sure you can agree. This type of outlined agreement could prove useful in enforcing either rightful access to the data on the device, or, in the event that the device was deliberately wiped or reset, supporting the narrative that it was done to conceal evidence of wrongdoing in direct violation of the policy.
Something else that should be included in the agreement is the passcodes/PIN codes needed to gain access to these smartphones. These should always be provided to you as the employer and owner of the device. Depending on the type of smartphone, there may be a way to get into it without the passcode, but it’s best to assume there’s not. This is especially true of recent model Apple iPhones and their operating systems, which we commonly find in the corporate environment.
Now that we’ve got all that out of the way and you have rightful access to the smartphone, we typically create a forensic image of the device and process the data contained within to see how it fits in the case. Sometimes the phone provides us with a starting point from which we are then able to locate deleted text messages to unknown phone numbers. We are then oftentimes able to cross-reference the contacts to see who the numbers belong to. Sometimes folks are clever and don’t assign a contact name. That’s ok, because when we show the number(s) to the client, many times the number is already known to them! Barring all that, we can also perform some database checks to see who the number belongs to. Some other valuable data retrieved from a smartphone that can be extremely beneficial to a case are deleted voicemails. Many don’t realize the voicemail they receive (especially in the case of an iPhone) is actually sitting on the device, meaning that when we image the phone we will be able to retrieve and listen to these voicemails. And that can sometimes include deleted voicemails too! Sometimes just the call log (numbers called, how many times they were called or received, as well as call duration) provides a wealth of usable data in the investigation. Location data can be recovered as well. Knowing where the device has been can help shed light on activities by the user. Depending on the issue that the investigation is contending with, pictures and videos taken (some deleted and thought unrecoverable) can prove worthwhile in proving malfeasance. Sometimes it’s a photo of material or a document that someone took thinking they would outsmart us all since they didn’t email it or copy it to a USB device. Sometimes it’s a set of before and after photos that help prove our case. We’re also sometimes successful in decoding evidence stored in programs designed to communicate securely, like Viber and WhatsApp.
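To make the triage steps above concrete (verify the image before processing it, then cross-reference message numbers against the address book and summarize the call log), here is an added example written for this post, not code from the original post or from any vendor tool. Everything in it is constructed: the table layout is a simplified placeholder loosely modelled on a messages/contacts/call-log export, the phone numbers and message texts are invented, and the `deleted` flag stands in for records a carving tool has marked as recovered.

```python
"""Triage helpers for a smartphone extraction (added example, not from the post).

Assumptions, all constructed for this example: the extraction has been exported
to SQLite with a `handle`/`message` layout (handle = phone number, message =
one text message), a `contacts` table from the address book, and a `call`
table from the call log.  Column names are placeholders, not a vendor schema.
"""
import hashlib
import re
import sqlite3
from collections import defaultdict


def verify_image_hash(path: str, expected_sha256: str) -> bool:
    """Hash the acquired image in chunks and compare it to the documented value.

    Run this before any processing so later findings can be tied to the exact
    image that was acquired (chain of custody).
    """
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().lower() == expected_sha256.lower()


def normalize_number(raw: str) -> str:
    """Reduce a number to its last 10 digits so '+1 (555) 010-0100' and
    '5550100100' compare equal.  Short codes keep whatever digits they have."""
    digits = re.sub(r"\D", "", raw)
    return digits[-10:]


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample extraction; every row here is invented."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE handle(ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message(ROWID INTEGER PRIMARY KEY, handle_id INTEGER,
                             text TEXT, is_from_me INTEGER, deleted INTEGER);
        CREATE TABLE contacts(number TEXT, name TEXT);
        CREATE TABLE call(number TEXT, direction TEXT, duration INTEGER);
    """)
    conn.executemany("INSERT INTO handle VALUES (?,?)", [
        (1, "+15550100100"),   # present in the address book
        (2, "+15550100200"),   # no contact entry
        (3, "+15550100300"),   # no contact entry
    ])
    conn.executemany("INSERT INTO message VALUES (?,?,?,?,?)", [
        (1, 1, "Lunch at noon?", 0, 0),
        (2, 2, "Sending the Q3 pricing sheet now", 1, 1),  # recovered (deleted)
        (3, 2, "Got it, thanks", 0, 1),                    # recovered (deleted)
        (4, 3, "Call me when you leave", 0, 0),
    ])
    conn.executemany("INSERT INTO contacts VALUES (?,?)", [
        ("(555) 010-0100", "Pat Example"),   # stored in a different format on purpose
    ])
    conn.executemany("INSERT INTO call VALUES (?,?,?)", [
        ("+15550100200", "outgoing", 340),
        ("+15550100200", "outgoing", 65),
        ("+15550100200", "incoming", 12),
        ("+15550100100", "incoming", 900),
    ])
    conn.commit()
    return conn


def unattributed_numbers(conn):
    """Numbers that exchanged messages but have no address-book name.

    Returns {number: (total_messages, messages_recovered_from_deleted_records)}.
    These are the numbers worth showing to the client or running a lookup on.
    """
    known = {normalize_number(n) for (n,) in conn.execute("SELECT number FROM contacts")}
    stats = {}
    rows = conn.execute(
        "SELECT h.id, m.deleted FROM message m JOIN handle h ON h.ROWID = m.handle_id"
    )
    for number, deleted in rows:
        key = normalize_number(number)
        if key in known:
            continue
        total, recovered = stats.get(key, (0, 0))
        stats[key] = (total + 1, recovered + (1 if deleted else 0))
    return stats


def call_log_summary(conn):
    """Per-number call counts by direction and total talk time in seconds."""
    summary = defaultdict(lambda: {"outgoing": 0, "incoming": 0, "seconds": 0})
    for number, direction, duration in conn.execute(
        "SELECT number, direction, duration FROM call"
    ):
        entry = summary[normalize_number(number)]
        entry[direction] += 1
        entry["seconds"] += duration
    return dict(summary)


if __name__ == "__main__":
    db = build_sample_db()
    for number, (total, recovered) in unattributed_numbers(db).items():
        print(f"{number}: {total} messages, {recovered} recovered from deleted records")
    for number, info in call_log_summary(db).items():
        print(number, info)
```

The number normalization is the part that matters in practice: address books, message handles and call logs rarely store the same number in the same format, and a naive string comparison would report a known contact as “unknown”.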
Although use of these programs doesn’t by itself prove the user was trying to commit an act of wrongdoing, it can definitely be a valuable piece in the case to help reinforce that argument. Finally, I’d like to point out that many users sync their smartphone to their computer. They may do it merely to charge the device, but it ends up getting synced with the company machine. There are two points to be made here. First, if the device is synced or backed up to your company computer, we can extract much of the same data from those backups in our analysis. Second, oftentimes we are able to locate data on the phone that points to the computers the phone has been told to trust and back up to. With this data in hand we can request access to computers and devices outside of your official purview. Think of it this way: if there is data on the smartphone that is considered your intellectual property and it was synced to your employee’s home computer, we can help make the case that you should be granted access to that material to determine what happened to it and where it went. As always, if you’ve got a similar scenario you’re contending with, let us know and we’ll figure out the best course of action. We’ll help you build a better case!