Some detectives, digital investigators, and their managers believe that if they have access to a device and its PIN, they can easily extract data.
Don’t be fooled. In digital forensic investigations, things are rarely that simple.
Stop right there!
Of course, there are means of getting into a device even when you don’t know the PIN. But as experienced investigators understand, most devices have layers of security. Even on an unlocked device, there can be numerous extraction roadblocks. Some include:
- Multiple users with different logins on Android devices
- OS restrictions that prevent root access
- Local backup solutions that limit extraction of data from the default system user
- Encryption at the app level in addition to the device level
- Data that’s stored outside the device, such as in the cloud
Even the most knowledgeable investigators can be tripped up by a seemingly successful extraction, because they may not actually get all the data, or they can’t view or read what they get. Maybe you’ve heard groans of “Where’s the data from Xiaomi Second Space …. and from Huawei Private Space?” or “Why wasn’t Signal decrypted?!”
On top of these challenges, Android and Apple continually harden their operating systems to increase security for device owners. OEM vendors also regularly implement their own new security features, e.g., Samsung will add protections on top of what Android builds in. This puts digital forensic investigators in the unenviable position of constantly playing catch up to be able to extract the data they need.
How to position yourself as the extraction optimization expert
To help get the most from extractions and advance your investigations, adopt the following guidelines.
- Stay informed about key security releases by Android, Apple, the major OEMs, and cloud providers. While you shouldn’t be expected to be aware of every nuance and their impacts, knowing at least the broad strokes of a release may clue you in as to why a type of data you could extract before is no longer accessible, and may guide you toward steps to take. Monitor the blogs of digital forensics solutions providers to learn deeper details about key issues and developments. For more information on some of the extraction roadblocks discussed here, jump to the Related Articles section at the end of this blog.
- Work with a reliable digital forensics solutions provider whose experts are focused full time on how to extract every last bit of data from devices and incorporate those capabilities into their platform. For questions to ask when assessing which software to purchase, be sure to read Top Questions to Ask When Purchasing Digital Forensic Software.
- Manage expectations of those waiting on the data from your investigation. Your manager may question why some expected data isn’t accessible even when the phone is unlocked. Be prepared to explain at an appropriate level what may be preventing you from extracting the data you need, and whether you have the tools and know-how to get past these challenges. And when you prepare reports, where applicable, be sure to note that while you’ve exhausted available options, you may not have captured all the desired data.