Whether your objective is to look for spyware, find deleted text messages and call logs or even find browsed websites or GPS coordinates on a phone, tablet, or a stand alone GPS device, the first step is to forensically extract the data. The manner in which data is extracted from a phone can determine if the data is forensic or not.
- The extracted data must be an exact copy of the data on the device.
- The extracting software and hardware must not alter the data that is on the cell phone or other device.
- The extracting software must have the capability of reaching deep into the file system of the device so that all necessary data is retrievable.
- The data that is extracted must be protected during transit from the device to the storage location.
- The hardware and/or software must keep data flowing from the device to the storage location. It must not have the capability to allow data from any location outside of the device to enter the device. This would, of course, allow changes to be made to data on the device thus keeping the data from being forensically accurate.
Why Is Extracting Data in a Forensic Manor Important?
As soon as a method to extract data from a cell phone or any other device is used that is not forensically sound then there is no way to guarantee that the data is accurate. This is especially important when the data is being used in the court of law. If the data was extracted by software that allows the changing of any part of the data during the extraction process then you can be assured that the opposing counsel will argue that it was changed. It is extremely important that dedicated forensic software be utilized to protect the data from being changed in transit from the phone to the storage location where the extracted data will be saved.
Data Extraction
To perform cell phone data extraction, a cell phone is connected to one of the lab computers and the data is copied to a hard drive. The type of data extracted depends on the particular case but usually involves a complete copy of all contained historical data on the phone and any external memory data. Some cases require that only specific data be extracted, while other types of data remains on the phone. No data on the phone is deleted, just copied. During the data extraction process our software searches for deleted data and attempts to recover that data as well. The success of deleted data recovery depends upon the cell phone’s operating system and the type of memory storage. Usually data recovery is fully successful. If requested by our client all data can be preserved for evidence.
What Software Does All in Investigations’s Lab Use?
Our lab uses the leading cell phone forensic data extraction software from companies like Cellebrite, AccessData and many others. Some of the software developers we have partnered with have a close relationship with almost every cell phone service provider located anywhere in the world. When you go into a Verizon, ATT or sprint store to get your data moved from one phone to another the store employee is probably using a simplified version of the software and hardware that we use in our lab. The difference is our version of the software is much more powerful and is able to extract ALL the important data on the phone. We can retrieve deleted texts, call logs, website histories, file system data, installed applications list and much, much more.