Mobile Phone Forensics

MD5 have an extensive amount of knowledge of mobile phone forensics, ranging from older generation feature phones to the latest smart phones and tablets. Research and development ensure our capability includes the latest advanced methods for recovering data and stays abreast of the most recent software updates.

 

MD5 are accredited to ISO 17025:2017 for the physical/logical capture and preservation of data from Mobile phone handsets and tablets (Apple iOS, Android and Non-smartphone proprietary systems), the logical capture and preservation of data from SIM cards and the physical capture and preservation of data Memory cards. Further details regarding the current scope of our accredited laboratory activities can be located at ukas.com 9359 Schedule of Accreditation

 

Digital Evidence Investigation   Sources of Evidence

With the capabilities of modern smart phones and tablets constantly evolving, there is a greater capability to recover larger volumes of data to further assist cases involving mobile phone analysis:

 

  • Indecent Images
  • Crime, Drug & People Trafficking
  • Money Laundering
  • Intellectual Property Theft
  • Fraud and Business Crime
  • Insolvency
  • Internet Investigations
  • Tax Investigations
  • Employee Disputes
 

MD5 examiners have the ability to recover and analyse live and deleted data using a wide range of forensic tools and in-house processes:

 

  • Operating system artefacts
  • Contacts/Calls/SMS
  • Images and Movies
  • Internet Browsing
  • Communication Data  e.g. WhatsApp, (Facebook) Messenger, Snapchat, Telegram
  • Emails
  • Documents
  • Mobile Phone Backups
  • Connected Devices
  • Deleted Data

 

Advanced Data Recovery Procedures (ADR)   Handset Repair

ADR procedures are applied where the standard forensic process is ineffective e.g.  for PIN/Pattern/Password protected phones or damaged/non-working handsets. These techniques include (but are not limited to):

 

  • Flash Memory Chip Removal (FMCR)
    • Also known as ‘chip off ’. This process  involves  disassembling the device to remove the flash memory chip from the Printed Circuit Board (PCB) and then using specialist hardware and software to acquire a physical image.
  • Flash Memory Chip Transplant (FMCT)
    • FMCT involves removing the flash memory chip from the exhibit and a matchig a donor device. The exhibit flash memory chip is then transplanted into the donor device. Specialist hardware and software is used to acquire a physical image
  • ISP (In System Programming) / Direct eMMC Forensics
    • A connection is made to specific locations on the exhibit’s Printed Circuit Board (PCB) to provide a direct communication to certain pins on the memory chip so that specialist software and hardware can acquire a physical image by reading the chip directly.
  • A connection is made to specific locations on the exhibit’s Printed Circuit Board (PCB) to provide a direct communication to certain pins on the memory chip so that specialist software and hardware can acquire a physical image by reading the chip directly.
 

Devices that are not functioning correctly will require repair in our laboratory before a forensic examination can take place. This can include (not limited to):

 

  • Fault diagnosis
  • Donor swap
  • Part replacement
  • Board level repairs (including Port repair)

 

Cell Site Analysis

Places mobile devices at a specific location at a specific time through examination of Call Data Records (CDRs) kept by the mobile phone networks.
Provides  alternative interpretations of existing reports.
Surveys mobile networks to map out true network coverage