Smash it, submerge it in water, and perhaps shoot it for good measure – just three of the methods criminals use to permanently erase digital evidence from smartphones.
And yet, as many criminals have found out to their cost, reducing a device to a pile of smashed plastic and glass means nothing if the internal memory chips remain in working order.
The forensic engineers who help police gather evidence understand this even if it’s not always been clear which methods are the most effective as extracting data accurately enough for it to meet standards of evidence.
With more and more evidence now sitting on smartphones, a better understanding of what works and what doesn’t has suddenly turned into an urgent issue.
To examine the issue, the US National Institute of Standards and Technology (NIST) says it recently conducted tests using 10 popular Android smartphones careful loaded with a mix of data accumulated during simulated use.
This wasn’t as easy as it sounds and required the testers to load each device with photos, social media and app data, GPS traces and the like.
Engineers from NIST and its forensic partners then attempted to extract the data from the internal chips using different methods to compare with the original data set.
At a physical level this involved hooking up to the test smartphone’s circuit board via ‘JTAG’ test connectors or by carefully extracting the chips and connecting to them direct. NIST writes:
The comparison showed that both JTAG and chip-off extracted the data without altering it, but that some of the software tools were better at interpreting the data than others, especially for data from social media apps.
It’s a big challenge. Neither technique is easy, especially extracting data using JTAG, and that’s before factoring the shortage of trained forensics people and the subtle differences between different data extraction software and the diversity of smartphones.
Said NIST forensic expert, Rick Ayers:
Many labs have an overwhelming workload, and some of these tools are very expensive. To be able to look at a report and say, this tool will work better than that one for a particular case can be a big advantage.
Anyone who’s interested in their findings can read the first set of results on the Department of Homeland Security (DHS) website. So far, the researchers have only managed to test two software products against the physical methods, which underlines the scale of the testing challenge ahead of them.
Encryption barrier
These techniques allow forensics teams to retrieve data but of course have no bearing on their ability to bypass any encryption that has been applied to it.
Despite reports that specific tools can do this already, as with any data extraction it remains a skilled and time-consuming undertaking. That’s why the US Government keep returning to the issue, in October 2019 even publicly asking Facebook to delay its end-to-end encryption rollout until it can be showed that this doesn’t get in the way of investigators in a hurry.
Meanwhile, the long-running battle with Apple goes on despite the company cooperating by providing iCloud backups connected to the shooting in Pensacola in December.
But even supposing a bypass for encryption were to hand, the reality is that criminals still often damage their devices and delete backups.
If politicians underestimate the problems this poses, NIST doesn’t. But it won’t deliver quick answers. Smartphone forensics faces a long road ahead.
Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.