Cell Phone Forensics/Spyware Detection
The first step is always to keep a powered phone in a Faraday case so that no signal can leave or enter it. A problem that is becoming more prevalent is malware and spyware that includes a remote removal function, which lets the perpetrator uninstall it from the phone over the network. Even when such removal leaves traces of its prior existence, far more information could have been recovered had the phone been shielded from those removal commands, so keeping the phone in a Faraday case closes off that avenue entirely. (Shielding does not stop malware that is set to delete itself on a timer, which is one reason to begin the examination promptly.)
The examiner then physically examines the phone while it remains in the Faraday case, looking for signs of malware while testing the functionality of the phone. This can provide valuable first clues as to the type of malware that has been installed on the device.
To obtain any information from the phone we must first connect to it using our extensive cable catalog. We always use a USB connection, since a wired connection is the most secure and the easiest to work with while the phone is in the Faraday case. Once the phone is connected to our software we perform a memory dump, which extracts all the data the tool can reach from the phone onto our computer for isolated examination. We then search through that data for any signs of malware and attempt to locate its origin, and run the data through a second software package that looks for malware traces in the physical data on the device. This process is extensive and can take many hours. WE WILL NOT DELETE ANYTHING FROM THE PHONE DURING THIS PROCESS.
Once the examination is complete, we generate a detailed report of our exact findings. Some reports are more extensive than others, depending on the model examined and how robust its operating system is.
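As an added illustration of the two parts of the examination described above (an integrity record of the extracted data, and a triage pass that searches that data for signs of spyware), the following Python script is example code written for this page; it is not the lab's software and not the output of any named forensic tool. The app-inventory fields, the package names, the trusted-installer list and the "two or more indicators" threshold are all assumptions made for the example, and the sample extraction it builds is a constructed stand-in for a real memory dump.

```python
"""Triage pass over an extracted phone image: integrity manifest plus indicator scan.

Added example, not the lab's software. The inventory format, package names and
indicator rules are assumptions made for illustration.
"""
import hashlib
import json
import os
import tempfile

# Installer package IDs treated as trusted stores (assumption for the example).
TRUSTED_INSTALLERS = {"com.android.vending", "com.apple.appstore"}

# Constructed app inventory, roughly what an extraction tool exports per package.
# Package names are hypothetical and are not indicators of any real product.
SAMPLE_INVENTORY = [
    {"package": "com.example.messenger", "installer": "com.android.vending",
     "device_admin": False, "accessibility": False, "launcher_icon": True},
    {"package": "com.example.sysupdate", "installer": None,  # sideloaded
     "device_admin": True, "accessibility": True, "launcher_icon": False},
    {"package": "com.example.keyboard", "installer": "com.android.vending",
     "device_admin": False, "accessibility": True, "launcher_icon": True},
]


def sha256_file(path):
    """Stream a file through SHA-256 so large extractions do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256.
    Computed once after extraction and again after analysis; any difference
    means the working copy was altered during the examination."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def scan_inventory(inventory, trusted=TRUSTED_INSTALLERS):
    """Flag packages showing combinations typical of covert monitoring apps.
    Each finding lists its reasons so the examiner can review them by hand."""
    findings = []
    for app in inventory:
        reasons = []
        if app["installer"] not in trusted:
            reasons.append("sideloaded (installer not a trusted store)")
        if app["device_admin"]:
            reasons.append("device administrator rights (resists uninstall)")
        if app["accessibility"]:
            reasons.append("accessibility service (can read screen/keystrokes)")
        if not app["launcher_icon"]:
            reasons.append("no launcher icon (hidden from the user)")
        # Two or more indicators together is the triage threshold used here (assumption);
        # a single indicator (e.g. a store keyboard using accessibility) is normal.
        if len(reasons) >= 2:
            findings.append({"package": app["package"], "reasons": reasons})
    return findings


def triage(root, inventory):
    """Hash the extraction, scan the inventory, re-hash, and return a report dict."""
    before = build_manifest(root)
    findings = scan_inventory(inventory)
    after = build_manifest(root)
    return {
        "files_hashed": len(before),
        "integrity_intact": before == after,
        "findings": findings,
    }


def make_sample_extraction():
    """Create a throwaway directory standing in for the extracted image (constructed)."""
    root = tempfile.mkdtemp(prefix="extraction_")
    os.makedirs(os.path.join(root, "data", "app"))
    with open(os.path.join(root, "data", "app", "base.apk"), "wb") as f:
        f.write(b"constructed sample bytes, not a real APK")
    with open(os.path.join(root, "packages.json"), "w") as f:
        json.dump(SAMPLE_INVENTORY, f)
    return root


if __name__ == "__main__":
    root = make_sample_extraction()
    print(json.dumps(triage(root, SAMPLE_INVENTORY), indent=2))
```

Run as a script, it prints a JSON report in which only the sideloaded, hidden, device-admin package is flagged, and `integrity_intact` is true because nothing in the working copy changed between the two manifests. The before/after hashes are what lets an examiner show that the examination altered nothing in the extracted data, which matters when the findings are presented as evidence.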
CAN I EXAMINE MY OWN PHONE?
It is nearly impossible on most phones to detect malware without sophisticated software. Forensic spyware-detection software is not only expensive but also highly complex and difficult to master, and it is only as good as the examiner who uses it. The examiner must not only know how to operate the software to its full potential but also be able to search the extracted data manually to find the spyware. An examiner must complete multiple certification courses before becoming an expert examiner. This matters particularly if any evidence obtained is to be introduced in a court of law, where the credibility of technical evidence is very important.
HOW DO I GET MY PHONE TO YOU?
We recommend placing the phone in a well-protected container with the battery separated from the phone, and sending the charger along with it. If you cannot remove the battery, we highly recommend that you turn the phone off, leave it off, and wrap it 8 or 10 times in metal foil, which effectively becomes a Faraday cage. This prevents any signals from leaving or entering the phone before our examination. Once we receive your phone, the examination begins within one business day and usually takes approximately seven days to complete before the phone is sent back to you. Sometimes we are able to complete the examination in less time.