Mobile Forensics Trends for 2013 - Cellebrite’s Panel Predictions _WhitePaper MF 2013 Trends


Cellebrite asked six of its most influential customers to weigh in on how evolutions in mobile technology, legal, regulatory and legislative landscapes will impact forensic examiners’ efforts throughout 2013. About Cellebrite UFED: http://www.cellebrite.com/mobile-forensic-products.html Download a 30-day free trial: http://www.cellebrite.com/free-trial-30-day.html


A decade after law enforcement first realized that evidence could exist on cell phones, the mobile forensics discipline has evolved as fast as, or arguably slower than, the technology whose data it was born to extract. Corporate legal teams and private investigators have caught on to mobile evidence’s relevance to civil litigation. And accelerating smartphone and tablet use has sparked debate over data security and privacy issues. Cellebrite asked six of its most influential customers to weigh in on how evolutions in mobile technology, legal, regulatory and legislative landscapes will impact forensic examiners’ efforts throughout 2013.

Eoghan Casey is founding partner at CASEITE, a service provider that specializes in complex digital forensics, incident response including network intrusions with international scope, and cyber security risk management. Casey also supports forensic R&D at the DoD’s Cyber Crime Center (DC3/DCCI). An instructor/researcher at Johns Hopkins University’s Information Security Institute, he also authored the book “Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet.” He is a SANS Institute Senior Instructor who developed and teaches the Mobile Device Forensics (SANS FOR563) and the new Advanced Smartphone and Mobile Device Forensics (SANS FOR564) courses. His experience drove his assessment of how mobile will impact the enterprise in the coming year.

John Carney is Chief Technology Officer at Carney Forensics in St. Paul (Minnesota). Attorney-at-Law at Carney Law Office and counselor-at-law admitted in the State of Minnesota and the US District Court for the District of Minnesota, he is a strategic evidence consultant and expert witness who previously worked for 30 years as a software engineer, systems architect and IT consultant. His insights on technology and the law informed his predictions in this paper.

Cindy Murphy has nearly 28 years in law enforcement. A Madison (Wisconsin) police detective and part-time SANS Institute FOR563 – Mobile Device Forensics instructor, she has been involved in the digital forensics profession since 1999. For this paper, she provided perspective on how mobile apps and malware will impact law enforcement and trial courts.

Heather Mahalik is mobile forensics technical lead at Basis Technology and a SANS Institute Certified Instructor, where she authors and teaches FOR563 – Mobile Device Forensics. Her experience as a government contractor centered her trend predictions on encryption, apps, and mobile storage issues, all affecting how forensic examinations are performed.

Paul Henry, principal at vNet Security and a SANS Institute Senior Instructor, has worked in the fields of network security, incident response, digital forensics and virtualization for 15 years. These specialties provided a future view of the still-developing “bring your own device” (BYOD) trend, mobile malware, and well-rounded forensic examinations.

Gary Kessler is associate professor at Embry-Riddle Aeronautical University, adjunct professor at Australia’s Edith Cowan University, and a member of the ICAC Northern Florida Task Force. Previously, he founded and directed Champlain College’s Master of Science in Digital Forensic Management program. His breadth and depth of experience both at home and abroad gave rise to his insights about legal and technology trends.

THE YEAR AHEAD FOR MOBILE FORENSICS

Cellebrite’s Panel Predictions for 2013


Trends, and challenges, on the mobile forensics horizon

Mobile apps—more specifically, the data stored within them—will become more relevant in investigations this year. Pointing to apps like WhatsApp Messenger, Kik Messenger, Text Free, Go SMS Pro, and SnapChat, Carney says this is partly because mobile messaging apps are cannibalizing service providers’ revenues for text messaging.

But these apps aren’t the only sources of evidence. “Whether it’s mobile messaging apps, or personal navigation apps, or social media apps, or productivity apps, or mobile payment apps, or any other category, apps are going to dominate in 2013,” said Carney.

Both Mahalik and Murphy pointed out that the more apps there are and the more data they contain, the more extensive file systems will become. That will lengthen forensic examinations. Mahalik added that some app data could be stored or encrypted in such a way that renders it difficult to access. This may impact investigators dealing with the BYOD trend, which got underway in 2012. “Corporate IT has not been able to stop the onslaught of consumer device use in the enterprise,” said Carney. “As a result, keeping personal evidence separate from corporate evidence on the same mobile device is proving to be a real challenge.”

TRENDING

Other expected trends include:

A continued shift away from logical to physical mobile examinations. “One of the biggest problems in the legal system is that we are not being thorough enough,” said Henry. “Physical analysis is much more thorough and can recover a much greater amount of data.”

Mobile’s increasing relevance to civil litigation and e-discovery, said Carney, as more responsive evidence – data and communications – is found on mobile devices.

All panelists agreed that 2013 will be the year mobile malware becomes prevalent. Casey added that the growing quantity and sophistication of malware will lead to more complex intrusions into smart phones targeting sensitive data, creating challenges for investigators and computer security professionals.

Increased use of mobile evidence visualization in reporting and in the courtroom, especially timelines, maps, and social graphs and activity analytics “to explain the people aspect of the evidence,” said Carney.

A greater need for non-vendor-specific mobile forensics training and certifications.


These issues come bundled with challenges to practitioners. “This quickly changing field means that training, software, and equipment needs are also always changing,” said Murphy.

Kessler put this into context, observing that phones contain more probative evidence per byte of data than computer hard drives do. “In many cases a full physical extraction can take hours on a single phone,” he explained. “This will continue to be exacerbated as people purchase bigger smartphones; it takes less time to image a one-terabyte hard drive than it does to acquire a 60GB phone.”

To meet these needs, mobile forensics tools must be well engineered, which raises their cost. “The Vermont ICAC spends more on one mobile workstation than on one computer workstation,” Kessler noted. Yet budgets, in both the public and private sectors, are not keeping pace—and the situation isn’t expected to improve.

This is confounded, according to Carney, by the hard-to-quantify “opportunity cost of time that examiners need to install, configure, and validate new tools given the pace and amount of innovation.”

Evolutions in mobile security, apps development and storage, and their impact on mobile forensics

Carney believes that mobile device security will evolve into its own this year. “It took years and a lot of pain and data loss for anti-virus, anti-spyware solutions to become common, even popular, on personal computers over a decade ago,” he said. “But now, with the increase of malware, especially on Android platforms, we have reached a tipping point. Even some consumers are beginning to understand the need for mobile security solutions and backup/sync solutions on their devices and I expect this trend to accelerate in 2013.”

That’s because consumers and their employers have begun to learn hard lessons about mobile apps’ lack of security and privacy, especially as mobile app developers rush to market without adequately testing their apps. “With mobile devices all over the enterprise, security is just not up to par and it needs to be paramount,” said Henry.

However, this could lead to additional frustration for mobile forensics examiners. “Expect to see more encryption of data on smartphones to protect personal privacy and corporate data, which will make forensic examination more challenging,” Casey warned.

On the bright side, said Carney, addressing oversights in the app development lifecycle could help secure both user and corporate data. “The real issue with insecure and exposed mobile app data is failure to comply with federal privacy statutes and regulatory frameworks like HIPAA, Gramm Leach Bliley, FERPA, and others,” he explained. “Also, compliance with state data privacy breach statutes is in jeopardy, especially as Congress considers enacting a national data privacy statute.”

Ranking the trends in mobile forensics for the year ahead

Two of the most important issues facing the mobile forensics industry, according to panelists’ survey rankings, are 1) critical data stored in apps as well as on mobile devices; and 2) password, encryption, prepaid, and other technology limiting examiners’ ability to obtain data. These items each ranked in panelists’ top three. Of somewhat lesser importance were the rapidly evolving regulatory and legislative landscape, helping investigative professionals understand those evolutions, mobile e-discovery, BYOD, and issues related to closed Apple security and the open Android platform.

Also affecting mobile security and privacy: storage. Murphy believes that the trend toward cloud storage will continue, with the result that at least some evidence might exist off-device. However, Carney cautioned, “The canary in the mine on cloud-based mobile storage will be iPhone-to-iCloud automated backups. Likely only a minority of iPhone users do it today, but it will grow. I don’t see it for the majority of Android users any time soon because third-party backup apps must be selected, installed, configured and tested. Google will, however, sync contacts, calendars and settings automatically after the user connects the device to his or her Google account.”

2013: the year of mobile malware?

Both as a subset of BYOD and on their own, malware and spyware are also expected to become more prevalent this year. Casey predicts more varied, prevalent mobile malware whose payloads will include data destruction, denial of service, data theft and espionage, while Carney anticipates specific types of attacks. “We will see an increase in viruses on mobile, spyware on mobile, phishing and smishing (SMS phishing) attacks, and all assortment of hacks, data loss, and incidents needing effective responses,” he said.

Likewise, Henry stated, “We are going to see more malware and more of it targeting enterprise credentials. Mobile malware in the corporate environment will be a huge problem in 2013. Phishing attacks will continue to be the number one way to infect systems. Vishing will also increase as a result of VoIP usage.”

Henry added, “BYOD equals BYOM (bring your own malware). While 80% of companies are permitting BYOD, only 20% have policies in place. In addition, we’ve seen a spike in Android malware. Forensics professionals are going to have to be able to handle these compromised devices.” Casey added, “Individuals and employers can best prepare to respond to mobile malware by treating smartphones with the same level of care, policies and security measures as other computers they use to communicate, conduct business, and support financial activities and health care. In other words, implement security measures but be prepared for the worst by having an incident response plan that includes smartphones.”

Besides the enterprise, malware will affect law enforcement investigations, said Murphy. “I anticipate that mobile malware will closely follow the path of ‘traditional’ non-mobile malware,” Murphy said, “and that the intended uses will be very similar: 1) steal money, 2) steal information, 3) invade privacy.”

Smartphone market share, consumer usage and investigations

Android™ took 75% global market share in Q3 of 2012, and according to comScore, more than half of the US market share in Q4 (although Kantar Worldpanel ComTech data shows an Apple lead in the US for the same period). BlackBerry®’s share has been slipping for some time, but is still the preferred enterprise solution for many public and private sector organizations. What will these trends mean for mobile forensics in 2013?

Android will continue to come on like gangbusters in 2013, for both high end, consumer smart phones, and down-market pre-paids.

She anticipates an increase in malware and spyware used in stalking, identity theft, and as a defense against crimes like possession of child abuse images. This is profound considering Carney’s observation that most of the current mobile spyware detection tools are not forensically sound. “The non-forensic solutions available from leading antivirus, anti-spyware commercial vendors (Lookout, Kaspersky, Symantec, Bullguard, etc.) are not sufficient for our rigorous requirements to preserve mobile device evidence,” he says.

One specific area where mobile malware could have a serious impact: mobile payment strategies. “The emerging use of mobile devices as currency substitutes for credit cards, ‘mobile payments,’ has great potential to become a big, bold target for malware,” said Carney. “Malware and other hacks used to perpetrate fraud in consumer commerce could seriously curtail the emerging role of mobile devices in mobile payment strategies.

“Mobile device forensics may serve as an early and effective, if only reactive, deterrent from a criminal justice perspective,” Carney continued. “But, mobile app testing and validation responsibly performed by app developers before launch is clearly the more proactive approach for secure mobile payments.”

FUTURE THINKING

Could Windows 8 merge computer and mobile forensics disciplines?

“I believe Windows 8 could provide the first real impetus for a merger of the two disciplines, computer forensics and mobile device forensics,” said Carney. “Microsoft has enlarged Windows 8 support of traditional computing platforms, like laptops and servers, to embrace post-PC computing platforms as well. Will Windows tablets look to us forensically like hard drives and vice versa? What impact will a completely solid state device environment have on Windows forensic examinations?”

On the other hand, Murphy thinks the disciplines have already merged. “It began with micro SD storage cards and has continued as examiners use traditional tools along with mobile forensic tools to get the most out of their examinations,” she explained.

However, Carney believes tablets may take this concept a step further. “We are talking about the whole device, not just a memory add-on,” he said. Casey agrees. “I anticipate more users combining their phone and tablet usage into a single mobile device,” he said. “This will make these devices more important as sources of evidence (perhaps the sole source of evidence in some cases).”

Apple’s iDevices will continue to be extremely popular. (Carney) Keep in mind the bulk of bandwidth is still being used on Apple devices. (Henry)

BlackBerry’s decline will continue, even regardless of OS10’s anticipated release. Email is still vulnerable via BlackBerry servers, and no one is writing BlackBerry apps. (Kessler) BlackBerry devices will continue to be a major target of attacks as long as they are used by government organizations and corporate enterprises. (Casey) Also, even if BlackBerry sales trail off, they will remain an important legacy device due to their long-time popularity. (Carney)

Windows Phone is the real wildcard in 2013. The platform may gain market (and app developers’) mind share especially if Windows 8 tablets become significant. (Carney) Windows Mobile together with Android, iOS and even counterfeit “knock-offs” will continue to dominate the industry. (Mahalik)

Legal, regulatory and legislative impact on mobile forensics

Carney noted that mobile device search and seizure issues are too unsettled to project how they will ultimately affect the mobile forensics industry. However, he believes two specific issues are important to watch: global positioning systems geo-data, especially tracking devices; and privacy and liability concerns regarding access to employee owned mobile devices (BYOD), which confound the corporate legal department,” he added.

Courts, too, are struggling. Both Murphy and Kessler believe that judges, prosecutors and police need better education about the evidence that mobile devices contain, the extent to which they contain it, and what this means for privacy and pretrial discovery.

“Lawmakers and judges both seem to be looking at cell phones much more critically than they did computers, but because few understand the nature of the technology, they are proposing laws and making rulings that err too greatly on the side of caution,” said Kessler. Casey added, “I anticipate that courts will continue to react against investigative haste and missteps, as they have done with other sources of digital evidence in the past. Privacy concerns are heightened by the personal nature of mobile devices, which accompany people wherever they go and enable investigators to reconstruct movements, communications, and other personal details.”

These issues have led to an unpredictable, constantly shifting legislative and regulatory environment. As Murphy pointed out, criminal and civil courts at various levels across 50 states are not likely to come up with consistent rulings this year. Henry has noticed a similar trend. “Legal decisions mostly depend on geographic boundaries, and differ from state to state,” he said. “In more traditionally liberal states we are seeing a greater erosion of privacy rights, and in other states there has been greater push back.”

However, Murphy is optimistic that it will settle. “As the courts become more aware of technology and privacy issues, they will make more well-reasoned decisions about the legal ramifications of search and seizure, acquisition and analysis,” she said.

This will be shaped partly by the regulatory environment, which is also in flux. Carney questioned whether digital forensic examiners might be required to be licensed in more states, or even by the federal government one day; whether labs could be inspected and qualified against uncertain criteria; and whether examiners might be required to obtain non-vendor-specific, mobile forensic certifications that do not yet exist.

Murphy agreed. “Regulators don’t seem to make decisions with practitioners’ perspective in mind,” she explained. “One size fits all solutions are impossible to find, but everyone seems to be looking for them.” Thus Casey believes more than just decision-makers have a duty in this area. “Mobile forensics professionals will have to keep updated on privacy protection legislation and data breach regulations,” he stated, “in much the same way as other forensic professionals have to be aware of these issues. More stringent requirements will put more constraints on mobile forensic practitioners, and require digital investigators to have greater awareness of the privacy issues associated with data on mobile devices.”

Planning for mobile evidence’s relevance to litigation and e-discovery in the coming year

Legal issues from mobile evidence extend to civil litigation, as well. “Mobile device forensic examiners are now challenged to find new ways to load their mobile data from phones and tablets into litigation support and e-discovery systems,” said Carney. “The challenge, of course, is not just the data load, but more importantly, formatting, tagging, and structuring the data such that it will support important, new e-discovery capabilities like early case assessment (ECA) and predictive coding.”

Carney continued, “Organizations can plan for the coming onslaught of mobile device evidence by educating themselves on mobile as a new, relevant and probative form of evidence that will shape civil litigation in coming years. Organizations can begin evaluating and selecting mobile device forensic tools that have the promise to integrate well with litigation support and e-discovery tools in meaningful ways during the coming New Year and beyond.”

“E-discovery experts need to be just as trained on mobile devices as computers,” said Mahalik. “Most companies provide cell phones to employees and these are often a part of the investigation. Unique data could be missed if the mobile device is handled improperly.” To this, Casey added: “The industry should resolve to provide stronger capabilities for enterprise-wide smartphone investigations to support the investigation of data breaches targeting smartphones and the needs of e-discovery. In addition, organizations should seriously consider data protection and retention on mobile devices to manage the risks associated with data breach and e-discovery.”

“This will grow rapidly this year due to the blind adoption of BYOD,” said Henry. “We will also continue to see more mobile data with regards to litigation in the coming year. Mobile forensics is growing and it will continue to become a more profitable venture moving forward.”


How mobile forensics tools and practices should evolve in 2013

Murphy believes that forensic tools and practices will continue to evolve to fit immediate needs, “close on the tail of technological and legal changes in the mobile device world,” she said. Mahalik agreed. “The tools are always playing catch up to the fast paced device releases and this will continue,” she said.

“Support for Windows Phone 7 and 8 is limited and will need to improve,” Mahalik added. “Practices are going to have to include bypassing more passwords / locks and device encryption. [Vendors should also] focus on supporting one device to the best of their ability. For example, if iOS support is your main goal, support all aspects of it (logical, file system and physical). Don’t partially support it.”

On a related point, Carney seeks real forensic solutions for mobile spyware “before the need outpaces our capabilities as examiners. I know of only one tool that lightly supports the forensically sound detection of just a few mobile spyware apps,” he said. In addition, he sees mobile app support as “the new measuring stick for mobile device forensic tools’ superiority.” Casey, meanwhile, wants to see more capabilities to support investigation of data breaches and malware-related incidents.

On the other hand, Carney sees the recent and growing emphasis on advanced visualization as a positive step. “Basic support for timelines took great leaps forward during 2012,” he explained. “Even rudimentary geo-data and map visualizations appeared in 2012. I think we’re going to go much further in 2013.

“And I’m quite excited about the activity analytics and social graphs that I’m seeing coming out of phone contact data as integrated with profiles from mobile apps and other important mobile data,” Carney continued. “This visual information is going to allow us to get the big picture and discover quickly who the significant custodians and actors are in the case. Mobile device forensic tools are going to help us get that big picture more effectively in 2013.”

Henry believes this will only be possible if the industry abandons basic logical analysis and agrees only to perform full physical analysis of devices. Most broadly, however, mobile forensics practitioners must keep a close eye on manufacturers’ development trends. Says Gary Kessler: “It’s incumbent on both tool vendors and forensic examiners to keep up with, if not stay ahead of, the manufacturers.”


The Questions

1. In your opinion, what are the biggest mobile forensics trends on the horizon for 2013?
2. Rank the following trends in mobile forensics for the year ahead 1-6, in order from most to least important, with 1 being the most important:
   __ Critical data stored not only on the device but in apps as well
   __ Device passwords, encryption, prepaid versions, and other technology posing obstacles for law enforcement and private sector investigative professionals
   __ Challenges with new closed security on Apple devices; conversely, challenges with open platforms such as Android
   __ Upcoming digital forensics regulation and legislation, and how it may impact mobile investigations
   __ Helping law enforcement, corporate security and legal professionals stay abreast of trends, precedents and technology affecting mobile devices as “witnesses” in criminal and civil investigations
   __ Other (Add one trend not listed above)
3. If there is a New Year’s resolution the mobile forensics industry should make, what should it be?
4. What are the biggest challenges facing mobile forensics professionals in 2013?
5. How will the evolving regulatory and legislative environment in the areas of digital forensics, electronic communications and privacy impact the mobile forensics industry in 2013?
6. How do you anticipate mobile security, apps development and storage evolving in 2013, and what impact will these advancements have on mobile forensics?
7. How do you anticipate mobile forensics tools and practices evolving in 2013?
8. Android took 75% market share in Q3 of 2012. Apple’s and BlackBerry’s leads are slipping. What other changes do you anticipate in the mobile market in 2013? How do you anticipate these trends affecting usage—and thus investigations?
9. How do you anticipate courts deciding cases on the seizure, acquisition and analysis of cell phone evidence, and what effect will these decisions have on the mobile forensics industry in the year ahead?
10. What trends do you anticipate regarding mobile malware: its genesis, impact and how criminals will use it? How can individuals and their employers best prepare to prevent and respond to mobile malware?
11. How should organizations plan for mobile data’s relevance to litigation and e-discovery in the coming year?


About UFED

from thousands of legacy and feature phones, smartphones, portable GPS devices, and tablets with ground-breaking physical extraction capabilities for the world’s most popular platforms – BlackBerry®, iOS, Android, Nokia, Windows Mobile, Symbian and Palm and more.

ESN IMEI, ICCID and IMSI information and more.

About Cellebrite

Founded in 1999, Cellebrite is a global company known for its technological breakthroughs in the cellular industry. A world leader and authority in mobile data technology, Cellebrite established its mobile forensics division in 2007, with the Universal Forensic Extraction Device (UFED). Cellebrite’s range of mobile forensic products, UFED Series, enable the bit-for-bit extraction and in-depth decoding and analysis of data from thousands of mobile devices, including feature phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets.

Cellebrite’s UFED Series is the prime choice of forensic specialists in law enforcement, military, intelligence, corporate security and eDiscovery agencies in more than 60 countries.

Cellebrite is a wholly-owned subsidiary of the Sun Corporation, a listed Japanese company (6736/JQ)

www.ufedseries.com

BlackBerry® is a registered trademark of Research in Motion (RIM) Corp. Android™ is a trademark of Google Inc. iPhone® is a trademark of Apple Inc., registered in the United States and other countries.

USA

Cellebrite USA, Inc.
266 Harristown Rd., Suite 105
Glen Rock, NJ 07452
USA

Tel: +1 201 848 8552
Fax: +1 201 848 9982

www.ufedseries.com

HEADQUARTERS

Cellebrite Ltd.
94 Em Hamoshavot St.
Petah Tikva 49130
Israel

Tel: +972 3 926 0900
Fax: +972 3 924 7104

GERMANY

Cellebrite GmbH
Am Hoppenhof 32a
33104 Paderborn
Germany

Tel: +49 52 51 54 64 90
Fax: +49 52 51 54 64 9 49

© 2013 Cellebrite Mobile Synchronization LTD, All rights Reserved