Mobile device data continues to increase in significance in both civil and criminal investigations. Location data is often of particular interest. To date, research has established that the devices are location aware, incorporate a variety of resources to obtain location information, and cache the information in various ways. However, a review of the existing research suggests varying degrees of reliability of any such recovered location data. In an effort to clarify the issue, this project offers case studies of multiple Android mobile devices utilized in controlled conditions with known settings and applications in documented locations. The study uses data recovered from test devices to corroborate previously identified accuracy trends noted in research involving live-tracked devices, and it further offers detailed analysis strategies for the recovery of location data from devices themselves. A methodology for reviewing device data for possible artifacts that may allow an examiner to evaluate location data reliability is also presented. This paper also addresses emerging trends in device security and cloud storage, which may have significant implications for future mobile device location data recovery and analysis. Discussion of recovered cloud data introduces a distinct and potentially significant resource for investigators, and the paper addresses the cloud resources' advantages and limitations.
Location Investigations Involving Android Devices
The VCACITF (formerly known as the Innocent Images International Task Force) became operational in 2004 and serves as the largest task force of its kind in the world, composed of 68 online child sexual exploitation investigators from almost 46 countries. A five-week training session for newly invited task force officers brings them to the United States to work side-by-side with FBI agents in the Violent Crimes Against Children program. The VCACITF also conducts an annual case coordination meeting where task force members come together in a central location to share best practices and coordinate transnational investigations between members.
Google has agreed to pay nearly $392 million in a settlement with 40 states over allegations that the company tracked people through their devices after location tracking had been turned off, a coalition of state prosecutors announced on Monday.
The state prosecutors said they launched the investigation after reporting by the Associated Press in 2018 revealed that many Google services on Android devices and iPhones kept saving users' location data even after location tracking had been turned off in privacy settings.
The AP reported that many Google services on Android devices and iPhones store users' location data even if they use a privacy setting that says it will prevent Google from doing so. Computer-science researchers at Princeton confirmed these findings at the AP's request.
The AP reported in 2018 that the privacy issue with location tracking affected some two billion users of devices that run Google's Android operating software and hundreds of millions of worldwide iPhone users who rely on Google for maps or search.
In our October 2019 report, we detail how we determined these redirections to be the result of network injection attacks performed either through tactical devices, such as rogue cell towers, or through dedicated equipment placed at the mobile operator. When months later we analysed the iPhone of Moroccan independent journalist Omar Radi, who as documented in our 2020 report was targeted, we found similar records involving the free247downloads[.]com domain as well.
These records played a critical role in later investigations. In many cases we discovered suspected Pegasus processes executed on devices immediately following suspicious iMessage account lookups. For example, the following records were extracted from the phone of a French journalist (CODE FRJRN2):
This and all previous investigations demonstrate how attacks against mobile devices are a significant threat to civil society globally. The difficulty to not only prevent, but posthumously detect attacks is the result of an unsustainable asymmetry between the capabilities readily available to attackers and the inadequate protections that individuals at risk enjoy.
Digital Forensics is a branch of forensic science that focuses on the recovery, examination, and investigation of evidence stored on computers and other digital devices, as well as various media that may have been used to store data. Although it is commonly associated with criminal investigations, digital forensics has been used in civil cases, internal investigations, tribunals, and other inquiries or forums that require an exploration of data.
There are additional considerations when a mobile device is seized. When a mobile device is connected to a cellular network, it may access new data that will overwrite evidence. Similarly, a mobile GPS unit that is turned on may continue to record track points (i.e., locations that the GPS has been) as it is being transported. Because a mobile phone or tablet can be sent a command to wipe the device, you also run the risk of everything on it being erased. To preserve potential evidence on a mobile phone, GPS or other device, it is important that they are stored in a Faraday bag or cage. A Faraday cage is an area protected by material that blocks signals, essentially creating the same conditions as being in a "dead zone" where you cannot get a cell phone signal from your carrier. A Faraday bag is used to store mobile devices for transport, preserving any evidence stored on them.
GPS devices will also store tracks, which are geographic points that the unit has been. When you turn on the GPS unit, it will connect to satellites and determine its current location. As you travel, additional track points will be stored as a record of where the GPS unit has been, and stored in a track log. By looking at the track log, you are able to view a listing of coordinates that the portable GPS has visited and, by extension, where its owner has been.
Michael Cross is a SharePoint Administrator and Developer, and has worked in the areas of software development, Web design, hardware installation/repairs, database administration, graphic design, and network administration. Working for law enforcement, he is part of an Information Technology team that provides support to over 1,000 civilian and uniformed users. His theory is that when the users carry guns, you tend to be more motivated in solving their problems. Michael has a diverse background in technology. He was the first computer forensic analyst for a local police service, and performed digital forensic examinations on computers involved in criminal investigations. Over five years, he recovered and examined evidence involved in a wide range of crimes, including homicides, fraud, and possession of child pornography. In addition to this, he successfully tracked numerous individuals electronically, as in cases involving threatening e-mail. He has consulted and assisted in numerous cases dealing with computer-related/Internet crimes and served as an expert witness on computers for criminal trials. In 2007, he was awarded a Police Commendation for work he did in developing a system to track local high-risk offenders and sexual offenders. With extensive experience in Web design and Internet-related technologies, Michael has created and maintained numerous Web sites and implementations of Microsoft SharePoint. This has included public Web sites, private ones on corporate intranets, and solutions that integrate them. In doing so, he has incorporated and promoted social networking features, created software to publish press releases online, and developed a wide variety of solutions that make it easier to get work done. Michael has been a freelance writer and technical editor on over four dozen I.T. related books, as well as writing material for other genres. He previously taught as an instructor and has written courseware for IT training courses.
He has also made presentations on Internet safety, SharePoint and other topics related to computers and the Internet. Despite his experience as a speaker, he still finds his wife won't listen to him. Over the years, Michael has acquired a number of certifications from Microsoft, Novell and CompTIA, including MCSE, MCP+I, CNA, Network+.
In 2015 and 2016, Apple Inc. received and objected to or challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789. Most of these seek to compel Apple "to use its existing capabilities to extract data like contacts, photos and calls from locked iPhones running on operating systems iOS 7 and older" in order to assist in criminal investigations and prosecutions. A few requests, however, involve phones with more extensive security protections, which Apple has no current ability to break. These orders would compel Apple to write new software that would let the government bypass these devices' security and unlock the phones.[3]
Hess said the CEAU Chief wanted to use the case as a "poster child" to resolve the larger problem with encrypted devices known as the "Going Dark challenge". The challenge is defined by the FBI as "changes in technology [that] hinder law enforcement's ability to exercise investigative tools and follow critical leads".[122] As The Los Angeles Times reported in March 2018, the FBI was unable to access data from 7,775 seized devices in their investigations. The unidentified method used to unlock Farook's phone - costing more than $1 million to obtain - quit working once Apple updated their operating system.[4]
In addition to the privacy and security risks arising from poorly secured or manufactured devices, developers and manufacturers of connected devices may share some of the data collected with third parties such as advertisers. In the case of wearable health and fitness devices, this data may include heart rate, pulse, exercise data, geo-location information associated with workout routines, sleep data, personal hygiene patterns, dietary preferences, or any number of other extremely revealing pieces of personal information.