New SANS Institute Report Codifies Best Practice in Mobile Forensics
Cellebrite joins vendors across the digital intelligence industry to contribute to the report and welcome its findings.
The extraction, collection, analysis, and reporting of mobile data for intelligence purposes is vital for investigations. However, it is also a complex and rapidly evolving discipline, which can make it difficult to understand and leaves it susceptible to misrepresentation.
The SANS Institute’s recently published paper on mobile validation aims to clear up some of the confusion that currently exists around smartphone forensics. It does this by providing clear, actionable guidance and best practices for professionals using these advanced techniques to solve crimes and save lives.
In a first for the digital intelligence industry, peer companies across the sector including Cellebrite, Elcomsoft, Grayshift, Group-IB, Magnet Forensics, MSAB, Oxygen, and Reality Net have all worked together to contribute to the SANS Institute’s report. As an industry, we collectively stand behind its recommendations.
The paper outlines six key steps that investigators must take when collecting, handling, and analyzing data from smartphones and other mobile devices. These are summarized below and expanded on in more detail in the full version of the paper:
- Determine all possible extraction methods for your search authority: Ensure seizure of the device is legally authorized, then learn as much as possible about the device to determine the appropriate extraction tools and techniques.
- Process the data in multiple tools, when necessary: Ensure that you understand your tools, their intricacies, and their strong suits. Compare findings for exculpatory and inculpatory evidence across more than one tool, where possible. The fastest way to validate a finding is to follow the source file and manually verify it.
- Deep dive into the forensics: A deep dive may not be required for all aspects of your investigation. This can be as simple as manual verification and validating the parsed artifact or photographing settings on the device. This may require the creation of test data to ensure you understand what the tools are showing as evidence.
- Validate your findings: If the artifact is important to your investigation, ensure the source is identified and reported. Examine relevant files in their native format or in a file viewer. Create test data to replicate your findings and, once complete, retain all documentation created should it be required as evidence in the future.
- Responsibly report and share your findings: Only highlight evidence that is relevant to the investigation and consider data privacy concerns and subset reports when sharing it with third parties. Only provide opinions if you are required or legally permitted to do so. Where possible, share your findings with the DFIR community for peer review.
- Educate yourself and your team: To ensure you are on the cutting edge of the field, embrace and engage with the latest training and research. Build and actively follow a list of researchers in the field and join a user group or community that can help you stay up to date. Most of the vendors who authored this paper offer free community get-togethers or learning sessions to help advance your knowledge.
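The second and fourth steps above (process the data in more than one tool, and validate findings back to an identified source file) can be made mechanical. The following is an added example, not code from the SANS paper or from any of the contributing vendors: it takes the parsed records two hypothetical tools produced from the same extraction, checks that every record cites a source file whose hash still matches the acquisition manifest, and sorts records into those the tools agree on, those they conflict on, and those only one tool recovered, which is the queue an examiner then verifies by hand against the native file. The tool names, file contents, record schema and message rows are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    """One parsed record as a tool would report it (constructed schema, not any vendor's)."""
    tool: str
    source: str       # path of the file inside the extraction the record was parsed from
    record_id: str    # identifier inside that file, e.g. a database ROWID
    kind: str         # message, call, location, ...
    value: str        # normalized content
    timestamp: str    # ISO-8601 in UTC, as the tool reported it


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for files in an extraction; real ones would be SQLite databases.
EXTRACTION = {
    "Library/SMS/sms.db": b"constructed sms.db contents",
    "Library/CallHistoryDB/CallHistory.storedata": b"constructed call history contents",
}

# Hash manifest recorded at acquisition time, before any tool touched the data.
MANIFEST = {path: sha256(data) for path, data in EXTRACTION.items()}

SMS = "Library/SMS/sms.db"
# Constructed output of two hypothetical tools. Row 2 shows a typical discrepancy
# (one tool applied a local-time offset), row 3 was only recovered by ToolA,
# row 4 only by ToolB.
TOOL_A = [
    Artifact("ToolA", SMS, "1", "message", "see you at 9", "2023-03-01T14:02:11Z"),
    Artifact("ToolA", SMS, "2", "message", "running late", "2023-03-01T14:10:40Z"),
    Artifact("ToolA", SMS, "3", "message", "[recovered] ok", "2023-03-01T14:15:02Z"),
]
TOOL_B = [
    Artifact("ToolB", SMS, "1", "message", "see you at 9", "2023-03-01T14:02:11Z"),
    Artifact("ToolB", SMS, "2", "message", "running late", "2023-03-01T09:10:40Z"),
    Artifact("ToolB", SMS, "4", "message", "call me", "2023-03-01T14:20:55Z"),
]


def verify_sources(artifacts, manifest, extraction):
    """Step 4: every artifact must cite a source file that is in the acquisition
    manifest and whose current hash still matches the hash recorded at seizure."""
    problems = []
    for a in artifacts:
        if a.source not in manifest:
            problems.append((a.tool, a.source, a.record_id, "source not in manifest"))
        elif a.source not in extraction or sha256(extraction[a.source]) != manifest[a.source]:
            problems.append((a.tool, a.source, a.record_id, "source hash mismatch"))
    return problems


def cross_validate(tool_a, tool_b):
    """Step 2: compare records parsed from the same (source, record_id) by two tools.
    Keys are grouped by whether the tools agree, conflict, or only one found the record."""
    def key(a):
        return (a.source, a.record_id)

    a_map = {key(a): a for a in tool_a}
    b_map = {key(b): b for b in tool_b}
    result = {"agree": [], "conflict": [], "only_a": [], "only_b": []}
    for k in sorted(set(a_map) | set(b_map)):
        if k in a_map and k in b_map:
            fields = lambda x: (x.kind, x.value, x.timestamp)  # noqa: E731
            result["agree" if fields(a_map[k]) == fields(b_map[k]) else "conflict"].append(k)
        elif k in a_map:
            result["only_a"].append(k)
        else:
            result["only_b"].append(k)
    return result


def manual_review_queue(tool_a, tool_b):
    """Records to follow back to the native source file and verify by hand:
    anything the tools disagree on, plus anything only one tool produced."""
    r = cross_validate(tool_a, tool_b)
    return r["conflict"] + r["only_a"] + r["only_b"]


if __name__ == "__main__":
    print("source problems:", verify_sources(TOOL_A + TOOL_B, MANIFEST, EXTRACTION))
    print("cross-tool:", cross_validate(TOOL_A, TOOL_B))
    print("manual review:", manual_review_queue(TOOL_A, TOOL_B))
```

Agreement between two tools is not proof: both may share the same parsing assumption, which is why the paper still asks for the source file to be opened in its native format. The conflict on row 2 is the kind of finding that needs the raw timestamp in the database and the device's timezone setting documented before it goes in a report.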
For 22 years, Cellebrite has equipped customers with the technology and expertise they need to protect and save lives, accelerate justice, and preserve privacy. The contributions of three Cellebrite experts to this paper – Heather Mahalik, Paul Lorentz, and Ian Whiffin – support the company’s goal of arming investigators with the insights and best practices needed to leverage our solutions effectively and decisively.
For investigators who want to learn more about mobile validation, Heather Mahalik will be participating in two talks on the topic at Techno Security in June and the DFIR Summit in July. In the spirit of cross-industry collaboration, she will be joined by other experts who want to share their experiences with the community including Jessica Hyde, Ian Whiffin, John Bair, Mattia Epifani, Christophe Poiriere, Lee Reiber, Paul Lorentz, Alexis Brignoni, Mike Dickinson, and Mike Williamson.