Sweet Gum Ball Mobile Phone Forensics
By Thomas J. Slovenski
Certified and Licensed Mobile Forensics Examiner
SLED PDC2073
www.cellularforensics.com
January 2015

I just got back in from raking my yard. The lawn specialist had laid out fertilizer on my wife's prized lawn and I now had to water the beast. But before I could, I had to rid the yard of those blasted, prickly, good-for-nothing things called Sweet Gum Balls. Now I live in the South, and if you are from the South you know exactly what I am talking about. If you are cursed with a sweet gum ball tree in your yard, you know exactly where I am going with this. If you don't have the pleasure of such a tree, then let me drop some knowledge on you. A Sweet Gum Ball Tree is worthless! Just ask someone that has one.

Oh sure, in the summer it makes some shade, but the rest of the year you are cursed with its fruit, namely, Sweet Gum Balls. Now these balls aren't some cute, round, easy-to-gather trinkets from a delightful tree. No. These balls are edgy, sticky (think Velcro on your socks), and will make a preacher cuss if you turn your ankle on one. But I had to get them up before I could water the lawn. Not only would their presence inhibit the watering process, but they could also possibly damage the lawn with their acidity. And you can't give them away. Ask your neighbor if he wants a bag and watch him turn it down quicker than a fat man invited to a Jenny Craig meeting!

So, off I go with my rake in hand to gather the monsters. While trying to herd these good-for-nothing rascals with my handy dandy rake, it occurred to me how this arduous task is like what I do for a living, which is cell phone data recovery and forensics. For years, I have heard seasoned examiners, attorneys and civilians liken the mobile phone to a computer in the examination techniques. I've heard the term "imaging a smart phone" used as if the smart phone was the same as a computer. However, nothing is further from the truth when it comes to retrieving data from a mobile phone.

So let's compare smart phone forensics with sweet gum ball gathering. Here are the observations I've learned throughout my years of being in the digital forensics field and as a seasoned sweet gum ball herder:

1. Sweet Gum Ball Retrieving is NOT Easy

No matter how much you rake, you look back and you see other balls that you missed. So back you go and rake those balls up. Then you come back a few minutes later and there's MORE that you did not see. These buggers hide and blend in. Some are stuck in the ground. Others blend in with the leaves. There seems to be no end to them!

Mobile data recovery is the same way. Just when you think your job is done, you review your work and (dang it!) that expensive and "complete" tool you used MISSED some text messages, pics, objects and other data. If you are a conscientious examiner, this about gives you a nervous breakdown or a free ride to the anger management course. So back you go again with the same tool, only to be left result-less. And you thought real mobile forensics was just a push of the button, huh? LOL! Not if it's done right! The conscientious examiner will keep trying to get more and more data. After all, if he cares about his reputation, he will.

Now if you're the client, how committed to your case is the professional you are hiring? Sure, they were cheap, and very likely you got what you paid for, with data left behind. Just ask yourself, "How much does my case mean to me?" Then you'll ask, "If I had used the other guy who was more expensive, but did more, would he have found more evidence?" That will keep you up at nights. Consequently, in mobile forensics you many times get what you pay for.
2. No One Tool Gets Every Sweet Gum Ball

After you take your rake and break it in two because it did not do a complete job with these blasted Sweet Gum Balls, now you look for another tool to get the balls up. So what do you use? Well, you then try your lawn mower. Surely that will suck them up. Nope, still some left. These balls are heavy and can thwart a lawn mower like a squirrel does a hawk. Next you try a lawn vacuum. Nope, did not get them all. Lastly, you see the ones stuck in the ground and you are left with the only other option: manually picking the balls up by hand. There! You're done! Then you see some more. Off to the kitchen you go to take a Prozac!

Back to digital forensics: If you give a digital forensics examiner a computer to image, he or she will use one of a few programs available on the market today. Hardly ever does the computer forensics examiner go the extra mile and figure out why there are dead sectors and what could be hidden in those sectors. Pretty much their motto is "One and done!" One software to do the job, nothing more. They will say they imaged the hard drive. But did they really? (Got you thinking, don't I?) Could there still be active data in that computer they missed? Another topic for another day.

Cell phones are NOT like the computer when it comes to data gathering and recovery. "One and done" just gets PART of the job done. For one thing, you can't image a cell phone at this date and time. If you can, please show me the software that does it. I've been in this biz full time now for 8 years and I have yet to see a mobile forensic software that produces a bit-by-bit image of a mobile phone. So what's the answer? When it comes to a cell phone, you need more than one tool (software) to adequately perform the job you were hired for, which is to get as much data as possible off the phone. So the mobile forensics examiner has to invest large sums of cash into other mobile forensic programs to at least ensure they get as much data from that phone as is possible for them to get at that time. "One and done" does not cut it in mobile phone data recovery.

Now listen to this: several months ago, I did an unofficial study of my own on how much data numerous programs retrieved off a particular cell phone, both present and deleted data. The phone in question was an iPhone 5s. I reviewed 5 independent software packages and did a side-by-side comparison study using the most expensive software on the market today (sorry, no names), several less expensive packages, clear down to a free program. The results? You would not believe what was missed. Depending on the program and how the developers set it up, one program did great on text messages but sucked on pics. One did great on call history and another missed it. And the free program? Oh, it beat out the most expensive software in the amount of deleted and present text messages it found.

What I'm getting at is this: you can't rely on ONE mobile forensic software to do it all. Out of the over 22,000 devices out there, there is not one software that can get everything off every device. The salesman or trade show babe may not tell you that, but if you push them they will have to admit it. Or you caught them lying. As with sweet gum balls, sometimes after all the tools are exhausted you have to go into manual mode. That could mean securing photos of text messages and other data with a digital camera. It may also mean that the examiner has to manually examine the SQLite databases and P-Lists for hidden data. So when you hire the examiner, ask them, "How many tools do you use?" If they offer just one, keep shopping. They most likely will not get you everything you want from that phone.
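Why a query-only tool and a manual look at the SQLite file can disagree on deleted text messages, as an added illustration that is not part of the original post: the constructed SMS-style table below (a stand-in, not the real iOS sms.db layout) has one row deleted, and that row's bytes stay in the file until SQLite overwrites them, with the secure_delete pragma deciding whether they are zeroed on the spot.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows (not real case data) for an SMS-style table.
SAMPLE_ROWS = [
    (1, "+18645550100", "meet at the usual place at 7"),
    (2, "+18645550101", "this message gets deleted before the exam"),
    (3, "+18645550102", "ok see you then"),
]

def build_db(path, secure_delete):
    """Create the table, insert the rows, then delete row 2 and commit."""
    conn = sqlite3.connect(path)
    # secure_delete=ON makes SQLite zero freed cells; OFF leaves the bytes behind.
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, address TEXT, text TEXT)")
    conn.executemany("INSERT INTO message VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.execute("DELETE FROM message WHERE id = 2")
    conn.commit()
    conn.close()

def live_messages(path):
    """What a query-only tool reports: only rows SQLite still considers live."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT text FROM message ORDER BY id")]
    conn.close()
    return rows

def residue_hits(path, needles):
    """Manual pass over the raw file bytes: which known strings are still there?"""
    with open(path, "rb") as f:
        raw = f.read()
    return [n for n in needles if n.encode("utf-8") in raw]

def compare(secure_delete=False):
    """Return live rows, raw-byte hits, and the hits the live query never showed."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_db(path, secure_delete)
        live = live_messages(path)
        carved = residue_hits(path, [t for _, _, t in SAMPLE_ROWS])
        return {"live": live, "carved": carved,
                "missed_by_query": sorted(set(carved) - set(live))}
    finally:
        os.remove(path)
```

With secure_delete OFF the deleted text is still in the file and only the raw-byte pass finds it; with secure_delete ON it is gone from the file, which is one reason two tools (or two phones) give different deleted-message counts.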
3. Know What You Want

My goal was to retrieve Sweet Gum Balls. Not leaves, not dog crap, not sticks. I had set out for those sticky balls and that's what I went after. Consequently, my targeted efforts were rewarded with numerous balls retrieved and removed. Yay for me!

When you finally pick an examiner to do your job, tell them in DETAIL what you want. For years I have heard, "I want EVERYTHING off that phone!" Now when you say everything, you are telling the examiner you want him or her to give you even the stuff you will not understand, that has no bearing on your case and will be pages and pages of gobbledygook. Or did you mean you wanted the pics, text messages and call history? You need to be specific. If you say "everything," don't be surprised with a 20,000-page report. Remember, you most likely wanted to save money and volunteered to go through the report yourself. That's fine, but you just made your job that much harder.

4. Delivery of the Product

It's not enough to just gather the sweet gum balls into a pile. They have to go somewhere and into some container. I just could not leave the piles of balls and call the job done. No, I had to scoop them up, put them in a trash bag, drag the bag to the trash can and then pull the trash can out to the road. Leaving piles of sweet gum balls would not get me a "Honey, you did good" blessing from my wife!

The same with mobile forensics. Sure, I can use multiple means and ways to get the data, but if I can't wrap it up in a neat package and deliver it, what good were my efforts? I still think back to this example: one day I got a call from a colleague who had just gotten off the phone with a potential client. The client had an iPhone and had used an examiner locally. Now this rogue examiner I will not name, but I was told he did not get a signed contract for the job, was a police forensics officer with a nearby entity (totally working illegally), took cash for his work and delivered a 7-page report. On an iPhone??? Folks, we normally get thousands of pages from an iPhone, not a mere 7 pages! Basically she got taken and was delivered horrible work. A true professional will deliver the goods in an easy-to-understand format. Many times it will be a PDF report or an HTML report that you can easily open yourself on your computer. The goods can be gathered by the best, but if not packaged correctly they can leave you with a mess.

So there you have it. Sweet Gum Balls and Mobile Phone Data. No one tool gets them all, and the success of the sweep is only as good as the examiners and the tools they use.

Shameless plug! If you are looking for quality, professional and timely mobile phone forensics services, please give me a call! Your case will be handled discreetly and expertly. My company specializes in:
- mobile phone data recovery and forensic analysis
- cell tower analysis
- mobile phone spyware discovery (which I pioneered!)
Call me at 864-962-7307 to discuss your case needs. Or write to me at tom@cellularforensics.com.