Cell phone forensics was being completed to determine whether malware or cellular spyware had been installed on a client’s phone. The user was suspicious because some people knew things he didn’t want them to know. After talking to those around him, he determined that the only witness was the machine – it was a cellphone witness.
The phone’s user was a gamer with many different games loaded onto his phone. Because of all the games, apps and call data, the amount of extracted data was immense: page after page of code. Everything on the phone was represented in some way in that mass of data.
The analyst’s job is to determine what each piece of data represents and to identify anything that could be malware or spyware – in other words, what doesn’t belong with everything else. And this was quite a job.
A background in programming helps the expert along, and experience with the code of popular games and apps helps too; at the very least it makes the job take less time. Every line still needs to be reviewed closely – sometimes a letter or two makes a big difference.
That was exactly what happened in this case. The common file name of a popular game had been altered just slightly: a number 1 had been added to the end of the name. That one tiny difference uncovered the spyware on the client’s cell phone. A less experienced analyst might have missed it.
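One way to automate that "almost the same name" check during review, as an added example that is not from the original article: compare every installed app or package name from the extraction against a list of names already verified as legitimate, and flag near misses such as a single appended digit. The package names and the KNOWN_GOOD list below are constructed for illustration and are not real apps.

```python
import re
from typing import Iterable

# Constructed list of app/package names a reviewer has verified as legitimate
# (illustrative names only, not real packages).
KNOWN_GOOD = {
    "com.example.puzzlequest",
    "com.example.racer",
    "com.example.chatapp",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete or substitute one char)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_lookalikes(installed: Iterable[str], known_good=KNOWN_GOOD, max_distance=1):
    """Return (suspect, lookalike_of, reason) for names that nearly match a known-good name.

    An exact match is trusted; a near miss (e.g. a trailing digit appended) is
    flagged for manual review. Names that resemble nothing are left for other checks.
    """
    findings = []
    for name in installed:
        if name in known_good:
            continue
        for good in known_good:
            distance = levenshtein(name, good)
            if distance <= max_distance:
                if re.fullmatch(re.escape(good) + r"\d", name):
                    reason = "trailing digit appended"
                else:
                    reason = f"edit distance {distance}"
                findings.append((name, good, reason))
                break
    return findings


# Constructed inventory as it might appear in an extraction report.
SAMPLE_INSTALLED = [
    "com.example.puzzlequest",
    "com.example.puzzlequest1",  # the kind of near miss described above
    "com.example.racer",
    "com.example.chatapp",
    "com.example.weather",       # unknown but not a lookalike: needs separate review
]

if __name__ == "__main__":
    for suspect, good, reason in flag_lookalikes(SAMPLE_INSTALLED):
        print(f"{suspect} looks like {good}: {reason}")
```

The known-good list is the analyst's judgement, not a substitute for it: a flagged name still has to be examined by hand before it is called spyware.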
Cellphone expert analysis is not a simple task. It requires diligence and a highly attuned attention to detail.
-T. Wilcox, CEO, International Investigators