Challenges for digital investigators

by Mark Rowe

Not long ago, mobile device forensics was relatively straightforward, writes Lee Reiber, Vice President, Mobile Solutions, AccessData.

Contact lists, SMS messages and call logs were obtained and examined for evidence using specialised forensics technology. But with the blistering rate of advances in mobile technology, the explosion of mobile data and devices, and all the ways in which they are used today (for working, engaging in social media, taking photos, making videos, conducting financial transactions and more), times have drastically changed. In addition, the digital world has become a breeding ground for new types of crimes, such as cyber stalking, cyber bullying, hacking and other offences. Can mobile device forensics keep up?

A survey of 1083 organisations carried out by The Ponemon Institute discovered that 86 per cent find it difficult to investigate mobile devices, with 54 per cent reporting that they are unable or unsure of how to locate sensitive data on mobile devices as part of an investigation.

Five challenges to mobile forensics

Law enforcement agencies and enterprises are struggling with too many devices, too many mobile apps, and too many data types. Mobile applications are updated at blinding speeds and mobile operating systems are continually refreshed. A massive amount of data is accruing on mobiles and this is increasingly being targeted by mobile malware. All these add up to five critical challenges confronting the field of mobile forensics.

1) The Increase in Mobile Devices

According to the Cisco VNI Global IP Traffic Forecast, 2012-2017, by 2017 there will be 2.5 mobile devices for every person on earth, and 5 devices for every Internet user. These multi-device, multi-subscription scenarios complicate mobile device forensics. Investigators are likely to find themselves analysing data from more than one mobile phone, tablet or GPS device per person. The OS and device permutations can become overwhelming when conducting a digital forensics investigation.

2) Changing Technology

Apple came out with seven minor updates and in March 2014 delivered a major update, iOS 7.1. Apple has since delivered two minor updates to fix a few bugs, and iOS 8 isn’t too far off. The Android OS has gone through similar rapid updates. Device investigators and examiners also have to keep up with new limited feature phones and disposable, sometimes counterfeit devices. Mobile technology is progressing at such a rapid rate that it’s difficult for mobile forensic solutions to keep up. Most forensics tools require regular updates so they can keep pace with the latest mobile technologies, but those updates frequently fall behind. Add to that the learning curve with successive updates, and busy digital forensics investigators face yet another bottleneck.

3) Application usage

According to mobiThinking, analysts estimate that there could be 200 billion app downloads by 2017. Social media usage on mobile devices is exploding. Daily, there are 609 million active mobile Facebook users. On a typical day, people send out more than 500 million tweets. On average, there are 60 million Instagram photos posted per day.

As a result, the number of criminal investigations involving data collected from social media applications is rising significantly.

4) Data

With the amount of digital evidence growing from gigabytes to terabytes in many cases, data visualisation and data analytics have become crucial in understanding evidence. Cisco estimates that traffic from wireless and mobile devices will exceed traffic from wired devices by 2016. However, research shows that only 5 to 10 percent of the entire corpus of user data is examined by typical mobile device forensics tools. This leaves as much as 95 percent of application data uncollected, and therefore unanalysed.

Investigators need to be able to separate relevant data from the inconsequential, and then easily understand and explain the differences to themselves, colleagues, barristers and jurors. However, most mobile forensic tools on the market today are still not up to scratch in terms of parsing and displaying all the different data that might be available on a mobile device.

5) Mobile malware

Kaspersky Lab says nearly 100,000 new malicious programs for mobile devices were detected in 2013, which is more than double the 2012 figure of 40,059 samples. As of January 1, 2014, Kaspersky Lab has collected 143,211 mobile malware samples. The report also found that the majority of mobile malware in 2013 was designed to gain access to financial details, and the number of mobile malware modifications designed for phishing, stealing bank card information and money from bank accounts increased by a factor of almost 20.

Considering that a crime can now be facilitated entirely by targeting a mobile device, it is imperative that law enforcement quickly adapts mobile device forensics to keep up with the constantly evolving world of mobility.

The rising tide of mobile malware is forcing forensics examiners to understand how to recognise and analyse it, alongside other digital evidence. At best, mobile malware causes delays to mobile investigations. In the worst-case scenario, mobile malware can harm the integrity of digital evidence presented in a court of law, resulting in dismissal of charges or even the dismissal of the entire civil/criminal case.


Mobile device forensics has become an increasingly complex process, mainly because the tools available to examiners and investigators have not kept pace with mobile technology advances, the increase in mobile malware and crimes committed using mobile devices. Law enforcement agencies and enterprises are struggling with these rapid changes, all of which are threatening the efficacy of criminal and civil investigations. Investigators need a radically new approach to mobile device forensics: one that is adaptive, intuitive and capable of supporting every mobile device on the market, as well as multiple operating systems and data types. Selected mobile forensics solutions must also integrate with other digital forensics tools and address e-discovery requirements.

Digital investigators need to put a plan in place that enables them to quickly and effectively collect, identify and uncover information from mobile devices, which often yields the key data needed to crack a case.


© 2023 Professional Security Magazine. All rights reserved.