Mobile forensics in a connected world

In this interview, Andrew Hoog, CEO of viaForensics, talks about the forensic examination of mobile devices, the challenges involved with testifying at trials, and offers advice to those interested in working in the mobile security forensics field.

What are the unique challenges involved in doing a forensic examination on a mobile device compared to investigating desktop machines?
Traditional desktop investigation is more straightforward. For instance, to acquire a forensic disk image you can usually power down the machine, remove the hard drive, attach a write blocker and make an exact copy of the full disk.

That simply is not possible on mobile, and chip-off methods (physically removing NAND memory) are destructive and not accessible to most investigators.

Since there is no drive to remove you have to image the device while it is running, and take caution to understand and document the steps taken to gain access (such as rooting) and ensure the user data is not affected. With many devices you can’t get a full image and instead have to rely on putting pieces of logical data together.

When you testify at trials, how do you make technologically unsavvy judges and jurors understand the intricacies of your testimony?
In my experience, mobile is so new that the technologically unsavvy tend to skip over all the technical details. If you can prove that you’re an expert, that you have credentials, that you’ve written books, worked on past cases, testified in other trials, then judges tend not to ask a lot of questions about the technical intricacies of mobile forensics.

That said, if you call yourself a forensic examiner, you’d better have the evidence to back you up and be prepared to walk people through it during trial.

You need to be able to describe how you accessed the device, how you recovered the data and performed the analysis, and these techniques need to be repeatable. What’s really critical, though — and its a skill you develop over time — is the ability to describe very technical terms and concepts in plain English. If you can’t do this, you’re going to lose the judge and jury during your testimony.

How is mobile security keeping pace with cyber criminals and the methods and technologies they employ?
Traditional mobile security is not keeping pace. Many vendors use static signature-based malware detection, and the mobile world moves too quickly for that to be effective. The path forward is polymorphic and multifactor security — technologies and techniques that provide a comprehensive view to analyze behaviors and detect anomalies.

Our approach focuses on the four domains of the device – system, configuration, apps and networks (SCAN). Together, these domains provide a complete view of the mobile device and its activities, and enable dynamic security that keeps pace with threats.

What advice would you give to someone who wants to specialize in mobile security forensics?
I look at mobile forensics and mobile security as two distinct disciplines. Mobile forensics informs mobile security in a really great way – it helps us see things empirically, learn what’s at risk and informs us about the techniques used to compromise mobile devices.

Mobile security is broader and there are a lot of factors at play. You need to look at the network, the apps, and how a device is configured. But first you need to understand security as a base, and be familiar with networks, as well as have a basic grasp of penetration testing, static code analysis, reverse engineering, and forensic analysis. It’s really a big undertaking.

My advice is to pick a particular niche, dive into it, learn as much as you can and then contribute back to the community. Mobile security is a very collaborative community. People respect talks, white papers, blog posts, YouTube channels.

Try to broadly understand the different principles at play, but then pick an area that really excites you, do a deep dive and give something back. When you do that, you’ll discover like-minded individuals, you’ll build your community, and ultimately, land jobs and work with companies that will support you in your efforts.