Cyber
KAPE Quarterly Update - Q4 2023
February 14, 2024
by Andrew Rathbun, Eric Zimmerman
Mobile Device Forensics
With a global mobile device forensics team and a proven track record in investigation and litigation support, Kroll enables key digital insights to be accessed quickly and securely.
Talk to an ExpertUnparalleled Expertise in Mobile Device Forensics
Unparalleled Expertise in Mobile Device Forensics
When mobile phone data is required to serve as evidence, Kroll ensures that no relevant information is overlooked. Our mobile phone forensics specialists can assist at any stage of an investigation or litigation to analyze key digital clues and quickly and defensibly uncover critical information.
With a global network of over 650 forensic examiners and laboratories across 19 countries, we respond to more than 3,000 incidents a year and work with over 100 law firms across the globe. Our highly experienced mobile forensics practitioners maintain SANS and other industry certifications associated with a range of mobile device forensics software. The Kroll team includes certified Cellebrite instructors, thought leaders and lecturers on digital forensics courses. We deploy forensically sound, best-practice methodologies to gather data for electronic investigation and forensic analysis, or forensic discovery.
With a reputation founded on extensive experience in forensically sound investigations and electronic data discovery, our mobile phone forensics services deliver high-caliber insight when it matters most.
Mobile Forensics Services from Kroll: Mobile Devices as an Attack Vector
To you, your network of mobile devices is a critical business asset. To a cybercriminal, it’s a source of valuable data and a potential point of access to your financial, cloud, and business assets and intellectual property. From smishing to malware to malicious apps, the security risks associated with smartphones and other mobile devices are significant. The rise in recent years of remote and hybrid working has further increased this challenge for organizations, combined with bring your own device (BYOD) and security corporate mobile inventories.
Threat actors take advantage of mobile devices through a wide range of vectors. The most commonly used approaches include:
Smishing
Smishing is a form of phishing that involves the use of text messages purporting to be from a reputable source, such as a bank or government body, in order to trick recipients into disclosing personal information. This allows the threat actor to gain access to financial resources or valuable data or to download mobile malware. Smishing now includes mobile messaging apps, such as Facebook Messenger and WhatsApp. While smishing targets individuals, it is frequently used as part of broader campaigns to compromise a company, with attackers seeking to gain access to networks and data.
SIM Swapping
SIM swapping, also referred to as port-out scamming, SIM splitting, smishing and simjacking, is a type of account takeover fraud. It involves a threat actor contacting the mobile service provider and impersonating the legitimate phone owner, stating that they have a new SIM card to activate for the account. Once the provider enables this, the attacker gains full access to the device.
Attacks via Malicious Applications
With so many apps in use, there is a considerable risk of employees unknowingly downloading a malicious app containing malware to an organization’s mobile devices. Once on the mobile devices, the apps can then steal or encrypt data. This risk is increased by the wide range of available malicious apps and the continual evolution of permission implementations and permission acceptances that many users grow complacent about or resistant to approving in order to “just use their device.” This can result in accidental app approvals with over-reaching permissions across the device.
Injection Attacks
Injection attacks lead to the execution of malicious code on the mobile device through a mobile app. The malicious code is usually in the form of data that the attacker inputs to the mobile app. Depending on the vulnerability, zero-day exploit or remote code execution (RCE), these can sometimes be triggered by something as simple as a user accessing a malicious website.
Jailbreaking and Rooting Techniques
In jailbreaking, the bad actor removes the security limitations on devices running the Apple iOS operating system to gain full access to the root of it and to all the features, enabling privilege escalation. Rooting is a similar process undertaken on a mobile device with the Android operating system, allowing the attacker to gain system administrator privileges and the ability to perform operations on the device. While jailbreaking only removes some restrictions in the software and is usually used to install applications from outside the App Store, Android rooting enables attackers to obtain full control of the operating system.
How Kroll Mobile Forensics Experts Help
Once seized, devices used to perpetrate a crime against you or your business have the potential to provide a wealth of data that can help to prove the intentions or actions of the individual concerned. Our mobile forensics team is highly skilled at investigating mobile phone data at all levels to provide vital insights about attacker behaviors and goals, ensuring the best outcome for your case or investigation. Types of forensic data retrieved usually cover three key areas, as outlined below:
SIM Forensics
The SIM is the one location where a permanent copy of a person’s contacts, phone book entries, text messages, the last numbers dialed and email addresses may be stored. It provides a great deal of valuable insight to help inform an investigation.
Removable Memory Card Forensics
Removable memory cards used to store information, such as photos taken with the phone’s camera and application data can provide useful information.
Internal Memory Forensics
This type of data is usually created by applications provided with the mobile devices. It may also include records of connectivity, such as Wi-Fi connections, audio and email use.
The Kroll Mobile Device Forensics Process
Retrieving potentially incriminating information at quickly and safely from a seized mobile phone is a complex process that presents many risks. Kroll’s approach draws on extensive experience, ensuring that critical evidence is accessed securely and within your required time frame. As experts in forensic mobile phone analysis and mobile phone data recovery, our team follows a proven process, based on industry standard chain of custody (CoC) guidelines. Our collection methodologies and CoC documentation meet the stringent standards required for acceptance in court.
Mobile Phone Seizure
With potential evidence at stake, this stage is critical to the success of the mobile phone forensics process. Each device should be handled and stored carefully to ensure that as much data as possible is preserved. During this phase, the data held on the device is vulnerable to two key risks: lock activation and network connection. Investigators protect against this by isolating the network and the device using the following methods:
Airplane Mode
Device shutdown can alter files and lead to the loss of valuable evidence. Investigators must mitigate this risk by keeping the phone on and putting it in airplane mode while it is transported.
Faraday Enclosure
The use of a Faraday Enclosure, a container designed to isolate mobile devices from any networks, accompanied by an external power supply, enables investigators to securely move mobile devices to the laboratory without risking the loss of any data.
Faraday Bag
A Faraday Bag works in the same way as a Faraday Enclosure to prevent signals from being sent and received by the device, ensuring that the data it contains is not tampered with.
Mobile Data Extraction and Acquisition
Once the mobile device has been seized and secured, investigators then extract the evidence by duplicating the files on it, using a software imaging tool, a process referred to as acquisition. Creating a duplicate in this way maintains the integrity of the original files so that it is suitable for use as evidence. After the media file with the duplicate has been carefully stored, it is verified in a process called “hashing” to ensure that all the data in the file is in its original state.
Regardless of the operating system your organization relies on, Kroll’s seasoned experts can provide in-depth mobile phone data forensics and analysis. Our team understands the data extraction challenges, risks and opportunities presented by the two main types of operating system.
Digital Investigation and Analysis
As the first step of every digital investigation involving a mobile device(s), the forensic expert needs to identify:
- Type of mobile device(s): For example, is it a smartphone or a tablet?
- Type of network: The mobile phone industry uses many digital networks, including Global System for Mobile Communication (GSM), Code Division Multiple Access (CDMA) and Time Division Multiple Access (TDMA).
- Carrier: The type of wireless service provider providing mobile connectivity services to the subscriber or owner of the mobile device.
- Service provider (reverse lookup): While reverse lookup through the mobile service provider can provide some clues in an investigation, it should not be relied upon as it may or may not be correct due to mobile number portability.
Reporting and Expert Testimony
At this stage, the evidence collected is presented to other forensic examiners, if appropriate, or to a court that will determine its relevance to the case. Depending on an organization’s specific requirements, Kroll’s experts can author declarations, affidavits and any expert reporting necessary. We can also serve as expert witnesses, providing expert testimony in presenting findings to judges, juries and arbitrators, with many of our team having served as special masters at the court’s appointment.
Our experts are recognized for the quality and independence of their insight and have been appointed as expert witnesses on the world’s largest and most complex disputes. We have extensive testifying experience in business and commercial disputes that are resolved through litigation, including in federal courts in the U.S. and Canada, the U.S. state courts, the U.S. Tax Court, the Tax Court of Canada, bankruptcy courts, the International Trade Commission and the UK High Court.
Accelerate Response to Mobile Device Fraud with a Cyber Risk Retainer
Kroll’s cyber risk retainer enables organizations to manage and minimize the potential impact of mobile device fraud. Delivering more than a typical incident response retainer, our cyber risk retainer includes elite digital forensics and incident response capabilities, with maximum flexibility for proactive and notification services.. The Kroll cyber risk retainer guarantees expedited response as well as notification and proactive services to minimize the impact of an incident. Learn more.
Key Insight When It Matters Most
When mobile device data has the potential to impact on criminal, civil and corporate legal proceedings, a fast, effective investigation is critical. Highly experienced and supported with state-of-the-art forensic hardware and software, Kroll’s mobile phone forensics specialists ensure that any extracted data is forensically sound and suitable for use as admissible evidence.
Frequently Asked Questions
Cyber Risk
Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.
Computer Forensics
Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.
24x7 Incident Response
Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.
Cyber Litigation Support
Whether responding to an investigatory matter, forensic discovery demand, or information security incident, Kroll’s forensic engineers have extensive experience providing litigation support and global eDiscovery services to help clients win cases and mitigate losses.
RelativityOne Litigation Support Services
Kroll’s Litigation Support team has seasoned digital forensics investigators and Relativity-certified administrators to help your team defensibly preserve evidence and gain valuable insights faster, anywhere in the world.
Data Recovery and Forensic Analysis
Kroll's expertise establishes whether data was compromised and to what extent. We uncover actionable information, leaving you better prepared to manage a future incident.
Cyber Risk Retainer
Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.
Explore Insights
Article List
Cyber
Data Breach Outlook: Finance Surpasses Healthcare as Most Breached Industry in 2023
February 7, 2024
by David White
Threat Intelligence
CVE-2024-0204: Authentication Bypass Vulnerability in Fortra GoAnywhere MFT
January 25, 2024
by George Glass
Threat Intelligence
Inside the SYSTEMBC Command-and-Control Server
January 19, 2024
by Dave Truman
Events
Article List
Cyber
State of Cyber Defense: Healthcare Edition
April 24, 2024|Online
A deep dive into the latest threats and vulnerabilities facing the health care sector along with gaps in detection and response impacting improvement efforts.
Cyber
Kroll at RSA Conference 2024
May 6 - 9, 2024|Conference
Join Kroll experts at the RSA Conference in San Francisco May 6-9, 2024. Stop by booth 2239 in the South Expo Hall to meet our team.
Threat Intelligence
Q1 2024 Cyber Threat Landscape Virtual Briefing
May 29, 2024|Online
Join the Q1 2024 Cyber Threat Landscape Virtual Briefing as Kroll’s cyber threat analysts outline notable trends and insights from our incident response intelligence.
Kroll is headquartered in New York with offices around the world.
55 East 52nd Street 17 Fl
New York NY 10055
Sign up to receive periodic news, reports, and invitations from Kroll.
Our privacy policy describes how your data will be processed.
© 2024 Kroll, LLC. All rights reserved.
Kroll is not affiliated with Kroll Bond Rating Agency,
Kroll OnTrack Inc. or their affiliated businesses. Read more.