Extracting data from mobile devices is one of digital investigators’ top challenges. It’s not a simple process. They face an array of issues, from legal concerns to disparate operating systems, applications, and forensic software. Technical roadblocks include the need for keystore/keychain extraction support and the lack of file sharing capabilities in some apps, such as Instagram and TikTok, which prevents timestamp extraction. And with data volume constantly mounting, the process becomes ever more complex. For example, in the January 6th investigation the FBI received more than 100,000 pieces of digital evidence.
Besides today’s data extraction challenges, many new ones wait right around the corner. By understanding what lies ahead, investigators can be better prepared to solve both today’s and tomorrow’s problems.
Upcoming challenges in device extractions
Two specific areas warrant continued study and monitoring. First is on the software front, including:
- Operating system upgrades containing OS-specific security mechanisms.
- New application version changes that may include enhanced or exotic encryption algorithms and server-side API changes.
- Obfuscation code designed to hide and confuse reverse engineering.
- Recent patches to existing vulnerabilities that alter which available data can be collected and the methods that can be employed to retrieve it. (Investigators should consider the option to downgrade the application versions where possible.)
The move to memory-safe languages will also present stumbling blocks as adoption grows.
The second area of concern is on the hardware front. As newer processors are released, new challenges emerge, such as a shift to TEEs (trusted execution environments). On some mobile devices, we’re now seeing SPUs (secure processing units) in addition to the main processor. Designed to harden security applications using their own memory and encryption, SPUs ensure that only trusted software can be installed.
Upcoming challenges in cloud extractions
In addition to server-side API changes, revisions to cloud-side code can make data extraction extremely difficult. New encryption algorithms, security layers, CAPTCHA systems, and MFA (multifactor authentication) may help improve data security and privacy, but they also make it harder to extract data. Add to those more restrictive access rules, the reduction in TTL (time-to-live) of tokens, and a move toward passwordless authentication, and the investigative environment gets that much more challenging.
Harnessing solutions for digital extraction
It’s nothing new: Limited resources will continue to impede the ability of jurisdictions and organizations to overcome challenges in mobile data extraction. Yet there are solutions within reach that can help mitigate the issues. A combination of industry- and organization-level actions can improve the ability to extract relevant data both from devices and the cloud to conduct more effective investigations.
Resource allocation. By more effectively allocating resources for exploit research for Xiaomi, Samsung, Oppo, Vivo, Realme, and other mobile devices, the forensics industry can gain a better understanding of new technologies and develop better processes for data extraction.
Research. Expanding research, such as what is being conducted on UniSoC chipsets, will also provide investigators with more knowledge and best practices.
Increased monitoring of API and application changes. This, accompanied by updates to methods and protocols to make them faster, will help investigators conquer the sheer volume of new software and devices.
Training. All forensic investigators should keep their training on the tools they use up to date. By requiring law enforcement and other DFIR professionals to receive comprehensive training in all types of digital forensics, mobile included, organizations will see investigations proceed more efficiently and effectively.
Education for the legal profession. The industry should also consider a comprehensive plan to increase mobile digital forensics competence in the judiciary and among lawyers.
Preparing for future challenges
The key to moving forward will continue to be collaboration between DFIR professionals, including law enforcement, and vendors. When investigators share what they see in the field with those developing the forensic technology, the industry can move forward in lockstep.
By working with Oxygen Forensics, organizations can access the expertise and tools needed for both today’s and tomorrow’s issues. We diligently update our software whenever a new vulnerability is discovered. And we lead the way in developing new technology for data extraction and analysis, so you can focus on your digital investigations.