Threat Intelligence
September Threat Intelligence Spotlight Report
October 21, 2024
by George Glass, Keith Wojcieszek, Laurie Iacono
Mobile Device Forensics
With a global mobile device forensics team and a proven track record in investigation and litigation support, Kroll enables key digital insights to be accessed quickly and securely.
Talk to an ExpertUnparalleled Expertise in Mobile Device Forensics
Unparalleled Expertise in Mobile Device Forensics
When mobile phone data is required to serve as evidence, Kroll ensures that no relevant information is overlooked. Our mobile phone forensics specialists can assist at any stage of an investigation or litigation to analyze key digital clues and quickly and defensibly uncover critical information.
With a global network of over 650 forensic examiners and laboratories across 19 countries, we respond to more than 3,000 incidents a year and work with over 100 law firms across the globe. Our highly experienced mobile forensics practitioners maintain SANS and other industry certifications associated with a range of mobile device forensics software. The Kroll team includes certified Cellebrite instructors, thought leaders and lecturers on digital forensics courses. We deploy forensically sound, best-practice methodologies to gather data for electronic investigation and forensic analysis, or forensic discovery.
With a reputation founded on extensive experience in forensically sound investigations and electronic data discovery, our mobile phone forensics services deliver high-caliber insight when it matters most.
Mobile Forensics Services from Kroll: Mobile Devices as an Attack Vector
To you, your network of mobile devices is a critical business asset. To a cybercriminal, it’s a source of valuable data and a potential point of access to your financial, cloud, and business assets and intellectual property. From smishing to malware to malicious apps, the security risks associated with smartphones and other mobile devices are significant. The rise in recent years of remote and hybrid working has further increased this challenge for organizations, combined with bring your own device (BYOD) and security corporate mobile inventories.
How Kroll Mobile Forensics Experts Help
Once seized, devices used to perpetrate a crime against you or your business have the potential to provide a wealth of data that can help to prove the intentions or actions of the individual concerned. Our mobile forensics team is highly skilled at investigating mobile phone data at all levels to provide vital insights about attacker behaviors and goals, ensuring the best outcome for your case or investigation. Types of forensic data retrieved usually cover three key areas, as outlined below:
SIM Forensics
The SIM is the one location where a permanent copy of a person’s contacts, phone book entries, text messages, the last numbers dialed and email addresses may be stored. It provides a great deal of valuable insight to help inform an investigation.
Removable Memory Card Forensics
Removable memory cards used to store information, such as photos taken with the phone’s camera and application data can provide useful information.
Internal Memory Forensics
This type of data is usually created by applications provided with the mobile devices. It may also include records of connectivity, such as Wi-Fi connections, audio and email use.
The Kroll Mobile Device Forensics Process
Retrieving potentially incriminating information at quickly and safely from a seized mobile phone is a complex process that presents many risks. Kroll’s approach draws on extensive experience, ensuring that critical evidence is accessed securely and within your required time frame. As experts in forensic mobile phone analysis and mobile phone data recovery, our team follows a proven process, based on industry standard chain of custody (CoC) guidelines. Our collection methodologies and CoC documentation meet the stringent standards required for acceptance in court.
Mobile Phone Seizure
With potential evidence at stake, this stage is critical to the success of the mobile phone forensics process. Each device should be handled and stored carefully to ensure that as much data as possible is preserved. During this phase, the data held on the device is vulnerable to two key risks: lock activation and network connection. Investigators protect against this by isolating the network and the device using the following methods:
Airplane Mode
Device shutdown can alter files and lead to the loss of valuable evidence. Investigators must mitigate this risk by keeping the phone on and putting it in airplane mode while it is transported.
Faraday Enclosure
The use of a Faraday Enclosure, a container designed to isolate mobile devices from any networks, accompanied by an external power supply, enables investigators to securely move mobile devices to the laboratory without risking the loss of any data.
Faraday Bag
A Faraday Bag works in the same way as a Faraday Enclosure to prevent signals from being sent and received by the device, ensuring that the data it contains is not tampered with.
Mobile Data Extraction and Acquisition
Once the mobile device has been seized and secured, investigators then extract the evidence by duplicating the files on it, using a software imaging tool, a process referred to as acquisition. Creating a duplicate in this way maintains the integrity of the original files so that it is suitable for use as evidence. After the media file with the duplicate has been carefully stored, it is verified in a process called “hashing” to ensure that all the data in the file is in its original state.
Regardless of the operating system your organization relies on, Kroll’s seasoned experts can provide in-depth mobile phone data forensics and analysis. Our team understands the data extraction challenges, risks and opportunities presented by the two main types of operating system.
Digital Investigation and Analysis
As the first step of every digital investigation involving a mobile device(s), the forensic expert needs to identify:
- Type of mobile device(s): For example, is it a smartphone or a tablet?
- Type of network: The mobile phone industry uses many digital networks, including Global System for Mobile Communication (GSM), Code Division Multiple Access (CDMA) and Time Division Multiple Access (TDMA).
- Carrier: The type of wireless service provider providing mobile connectivity services to the subscriber or owner of the mobile device.
- Service provider (reverse lookup): While reverse lookup through the mobile service provider can provide some clues in an investigation, it should not be relied upon as it may or may not be correct due to mobile number portability.
Reporting and Expert Testimony
At this stage, the evidence collected is presented to other forensic examiners, if appropriate, or to a court that will determine its relevance to the case. Depending on an organization’s specific requirements, Kroll’s experts can author declarations, affidavits and any expert reporting necessary. We can also serve as expert witnesses, providing expert testimony in presenting findings to judges, juries and arbitrators, with many of our team having served as special masters at the court’s appointment.
Our experts are recognized for the quality and independence of their insight and have been appointed as expert witnesses on the world’s largest and most complex disputes. We have extensive testifying experience in business and commercial disputes that are resolved through litigation, including in federal courts in the U.S. and Canada, the U.S. state courts, the U.S. Tax Court, the Tax Court of Canada, bankruptcy courts, the International Trade Commission and the UK High Court.
Accelerate Response to Mobile Device Fraud with a Cyber Risk Retainer
Kroll’s cyber risk retainer enables organizations to manage and minimize the potential impact of mobile device fraud. Delivering more than a typical incident response retainer, our cyber risk retainer includes elite digital forensics and incident response capabilities, with maximum flexibility for proactive and notification services.. The Kroll cyber risk retainer guarantees expedited response as well as notification and proactive services to minimize the impact of an incident. Learn more.
Key Insight When It Matters Most
When mobile device data has the potential to impact on criminal, civil and corporate legal proceedings, a fast, effective investigation is critical. Highly experienced and supported with state-of-the-art forensic hardware and software, Kroll’s mobile phone forensics specialists ensure that any extracted data is forensically sound and suitable for use as admissible evidence.
Frequently Asked Questions
Cyber and Data Resilience
Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.
Computer Forensics
Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.
24x7 Incident Response
Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.
Cyber Litigation Support
Whether responding to an investigatory matter, forensic discovery demand, or information security incident, Kroll’s forensic engineers have extensive experience providing litigation support and global eDiscovery services to help clients win cases and mitigate losses.
RelativityOne Litigation Support Services
Kroll’s Litigation Support team has seasoned digital forensics investigators and Relativity-certified administrators to help your team defensibly preserve evidence and gain valuable insights faster, anywhere in the world.
Data Recovery and Forensic Analysis
Kroll's expertise establishes whether data was compromised and to what extent. We uncover actionable information, leaving you better prepared to manage a future incident.
Cyber Risk Retainer
Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.
Q3 2024 Cyber Threat Landscape Virtual Briefing
Threat Intelligence
Q3 2024 Cyber Threat Landscape Virtual Briefing
November 21, 2024|Online
Our quarterly threat landscape reports are fuelled by frontline incident response intel from elite analysts.
Valuation Outlook
Conference–Valuation Challenges and Governance in the Wake of Economic Trends and Geopolitical Shifts
December 5, 2024|Conference
Volatile public markets and continued uncertainty in the global macroeconomic environment, place increased pressure on exercising informed judgment when valuing private investments. You’re invited to join esteemed speakers on Thursday, December 5 at 8:30 a.m. as we explore this topic.
Kroll is headquartered in New York with offices around the world.
One World Trade Center
285 Fulton Street, 31st Floor
New York NY 10007
Sign up to receive periodic news, reports, and invitations from Kroll.
Our privacy policy describes how your data will be processed.
© 2024 Kroll, LLC. All rights reserved.
Kroll is not affiliated with Kroll Bond Rating Agency,
Kroll OnTrack Inc. or their affiliated businesses. Read more.