As promised, we continue our list of places you may not have looked for digital evidence. It’s not always obvious, and sometimes we have to dig deep to find anything useful. Read on to find out more…
- VOIP (Voiceover IP)
VOIP refers to the communication protocols, technologies, methodologies and transmission techniques involved in the delivery of voice communications and multimedia sessions over internet protocol (IP) networks.
It’s not new technology, but with many phones now having WiFi connectivity or data bundles included in tariffs as standard, it’s becoming a more popular way of communicating. VOIP replaces “traditional” over-the-network phone calls, enabling users to make calls using a computer (Skype is a well-known example of this type of technology).
The traces left by this activity are just as relevant as traditional call logs, but “calls” made using VOIP do not necessarily leave the same type of information on the phone, or call data records, as a standard call. Instead of being logged at the network provider with IMEI, IMSI and other data, it is just recorded as data transfer. It may not even show in the handset’s call list.
VOIP calls do, however, leave a deeper digital trail within a phone either within the application itself or in other log files. The apps may also have their own phonebooks, where contact details are stored separately from the phone’s standard contact list.
Computers are also used for VOIP communications, which will leave traces within the apps and on the hard drive in a similar way to mobile phones.
- Web browsers
Internet browsers – on computers, laptops, tablets and smartphones – contain a wealth of data that could prove vital to a case.
As well as a user’s browsing history, other evidential opportunities can include bookmarks, cache data, downloads, social media history, and more. Together with other forms of digital evidence, such as chat logs and emails, a picture can be built of the user’s behaviour, and may help to prove mens rea – intent to commit a crime – in a case. Conversely, of course, it could help to prove someone’s innocence.
Mobile internet has been around since 1999, but has improved vastly since then. Smartphones are now miniature computers, with full-colour and fully-functional mobile web pages – and mobile web browsers work in much the same way as standard browsers. The same information can be extracted from mobile web browsers, helping to add to the bigger picture.
- Dynamic key logger
Smartphones are – as their name suggests – generally pretty smart. Many of them can now “learn” how people use them, recording every key press in a log file. For instance, they will remember people’s names and place names between applications – not just in text message apps (as an example).
Users cannot disable this functionality and will not necessarily be aware of its existence. Dynamic key loggers are a potentially-rich source of evidence: it may be that a text message or email of interest may no longer be present on the device – but its content could exist in one of these log files.
The technology gives investigators another method of extracting data from mobile devices, adding an extra dimension to digital evidence.
- Data-hiding applications
If you know what you’re doing, it’s entirely possible to hide data on mobile phones, putting it beyond the reach of typical forensic extraction tools and techniques.
There are several apps that can be downloaded to smartphones which can hide data within other applications. This means that, for example, photographs could be hidden within – for example – the stocks and shares app on the phone, but they would only be retrievable using the data-hiding application.
The data remains hidden on the device if the data-hiding app is uninstalled, and can only be retrieved if the app is reinstalled. Valuable evidence may be going unnoticed if the deliberately-hidden data is not located.
CCL-Forensics’ R&D team has developed a technique to analyse the installed apps on a smartphone to identify what that phone is capable of, which enables our analysts to tailor the examination accordingly. How can you analyse a mobile phone unless you know what it can do?
- On the circuit board
Just occasionally, a mobile device is so complicated – or the data you’re after is so deeply buried – that the only viable option is interfacing directly with the circuitry.
“Chip off” forensics is nothing new – but removing chips from the circuit board of a device is a destructive process, and one that cannot necessarily be repeated by another qualified expert. Examining the chips in situ is much more desirable.
One such method of doing this is to interface directly with the circuit board. Many phones will have a series of JTAG (Joint Test Action Group) ports, to which connections can be made, and from which data can be retrieved. JTAG is an industry-standard method of carrying out such engineering work, but it is still necessary to interpret the data which is extracted.
CCL-Forensics has spent considerable time researching this. If you require further information about the potential of this technique, please get in touch.
More hints and tips will follow in a few days – stay tuned!