Mobile and Wearable Device Examination
With the arrival of 5G technology, the increasing popularity of fitness trackers and smart watches, and growth in other “wearable tech”, the amount of data being collected is increasing at an unprecedented rate. Whilst many consumers might consider this data to be “private”, that is no longer necessarily true. For the law enforcement or corporate IT community, access to this information could be vital in the successful capture and prosecution of those with criminal intent, or during misconduct proceedings.
Since May 2017, OpenText™ EnCase™ Forensic and OpenText™ EnCase™ Endpoint Investigator have included the ability to analyse many mobile devices including those running Android and Apple iOS. At the same time, OpenText launched OpenText™ EnCase™ Mobile Investigator, giving users specific functionality which is crucial for examination of mobile devices, including:
- Mobile-specific reporting features
- Optical Character Recognition (OCR) to allow textual searches within (for example) images and pictures
- In-built SQLite viewing capabilities
By using EnCase Mobile Investigator alongside EnCase Forensic and EnCase Endpoint Investigator, investigators have been able to successfully examine and research acquired data on Apple iOS devices, highlighting the importance of having access to multiple forensic products.
In a recent example relating to Mobile Safari internet browsing activity, EnCase Mobile Investigator can present the current internet history – and the last state of the browser in terms of tabs open in the web browser – in tabular form.
Using the in-built SQLite viewing capabilities of EnCase Mobile Investigator, examination of the supporting databases was conducted and indicated some of the tabs had been viewed using the Private mode. Subsequently, additional data was identified that could verify website information for those Private tabs.
Using the flexibility and power of EnScript programs within EnCase Forensic, the encoded data was extracted and subsequently parsed (using SQLite BLOB extractor and plist parser EnScript programs).
Hence, the combination of the two EnCase products provided a streamlined examination of automated output relating to internet activity, but also ‘deep-dive’ functionality to expose additional information, including some Private internet activity.
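The BLOB extraction and plist parsing step described above, as an added Python example (not EnCase or EnScript code, and not from the original article). The table and column names, the `SessionHistory` key and all sample values are constructed assumptions, not the schema of any real browser database.

```python
import plistlib
import sqlite3

BPLIST_MAGIC = b"bplist00"

def parse_plist_blob(blob):
    """Decode a plist stored in a BLOB; return None if nothing parsable is found."""
    if not blob:
        return None
    data = bytes(blob)
    # Assumption: an application may prepend header bytes, so start at the magic.
    offset = data.find(BPLIST_MAGIC)
    if offset > 0:
        data = data[offset:]
    try:
        return plistlib.loads(data)
    except Exception:  # corrupt or non-plist BLOB: report it as undecodable
        return None

def private_tab_records(conn):
    """Return every tab flagged private, with its session BLOB decoded."""
    rows = conn.execute(
        "SELECT t.id, t.title, s.session_data FROM tabs t "
        "LEFT JOIN tab_sessions s ON s.tab_id = t.id "
        "WHERE t.private = 1 ORDER BY t.id"
    )
    return [{"tab_id": tab_id, "title": title, "session": parse_plist_blob(blob)}
            for tab_id, title, blob in rows]

def build_sample_db():
    """Constructed stand-in for an acquired database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE tabs (id INTEGER PRIMARY KEY, title TEXT, private INTEGER);"
        "CREATE TABLE tab_sessions (tab_id INTEGER, session_data BLOB);"
    )
    history = [{"url": "https://example.com/a", "title": "Example A"}]
    state = plistlib.dumps({"SessionHistory": history}, fmt=plistlib.FMT_BINARY)
    conn.executemany("INSERT INTO tabs VALUES (?, ?, ?)",
                     [(1, "News", 0), (2, "", 1), (3, "", 1)])
    conn.executemany("INSERT INTO tab_sessions VALUES (?, ?)",
                     [(1, state), (2, b"\x00\x00\x00\x02" + state),
                      (3, b"\x00corrupt")])
    return conn

if __name__ == "__main__":
    for record in private_tab_records(build_sample_db()):
        print(record)
```

A row whose BLOB cannot be decoded is still returned with `session` set to `None`, so the examiner sees that a private tab existed even when its content needs manual review.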
Currently, the forensic examination of data relating to Apple Watch is limited in terms of automation. However, backup data can exist on the paired handset, as well as in Apple Health.
Following an acquisition of an Apple iPhone with encrypted backups, EnCase software can – with the relevant passwords – decrypt the Apple Health data fed by an Apple Watch. Using techniques similar to those mentioned above, the recorded heart rate can be identified, indicating workout information or daily activity records.
Finally, using a direct Apple Health export from the iPhone, detailed location data was identified. Using the single file feature of EnCase Forensic, a custom EnScript program was used to create a KML file that could be opened in Google Earth, showing the route taken during the workout.
Similar information has also been identified for a Fitbit Ionic, with location information recorded in a supporting application and database.