I get this question quite a bit. The good part is that people recognize that there is valid information on the digital devices. The bad part is that they may have a misconception of what can be recovered from the device. Here are a few things to consider as these are things that I ask when I get the call:
- Do you own the phone?
- What type of phone?
- What version of the phone?
- Do you have access to the phone?
- Do you have a home computer that they ‘backup’ to?
- Do you have a home computer that they ‘just charge the phone’ on?
- Do you own the computer?
The reason I ask these questions is that lately the requests I have been getting usually involve an iPhone. The good part about the iDevices (since iPads graciously leave a good dump too) is that, yes, they leave a version of themselves cleverly hidden on the device. What does this mean? Well, after the answer to the first question, maybe they don’t own the phone.
If they do, good. Imaging someone else’s phone is, well…bad. I’m pretty sure bad things happen to the investigator that gets a phone that is not owned by their client, images it, gets evidence off of it…and then uses it against the person. Again, that only works on TV.
Then we get the type/model. Why? Because imaging a phone magically only works on TV (and you have to yell “ENHANCE”!!! and use the term “piggyback off the server”). Unless you have about $30,000 to get all the cell seizure software and hardware out there, you have to figure out if your tools can image the phone, how long it will take, and what the results will be (logical, physical, magical). We always take into account the technical level of the person receiving the report. I’m still thinking that the software out there cannot yet produce a report that the average person finds useful. The results extracted are simply amazing…the reporting? Not quite the same. Don’t get me wrong, there is some great data in there, but the investigator still has to spoon-feed it to someone. The reason for that is often that the person doesn’t actually need to see the IMEI in a report. That is important if being used in court, but chances are, they just want the SMS traffic and email (maybe pictures too).
This is tough since people usually carry cell phones on them. That is the purpose–to have them portable and modular so as to carry them around. Rarely do people get them and leave them lying around. When there is a suspected spouse, the phone is usually VERY well guarded and this leads to the next section…
I ask, “Do you have a computer at home that they back up the iDevice to?” “No…but he/she charges it on the one in the kitchen.” That’s good. See, that actually creates a backup on there, which is good since that is what most tools will do anyway. So if you came here looking for magical information on finding this info, then this is it. The iDevices back up to the computer used to “charge”.
Usually the home computer is owned by ‘the family’ so this one is easier to get at. Regardless, by going to the locations below, one can submit “Best Evidence” to an investigator and *then* say “I think my husband/wife is cheating…and here is their backup to prove it.”
\Documents and Settings\USERNAME\Application Data\Apple Computer\MobileSync\Backup\
Windows Vista or Windows 7:
(Note: Windows protects itself from users by hiding directories. If you go to the top of the Windows Explorer and click in there, you can cut and paste these file locations (changing the USERNAME, of course) and it will take you to the directory.)
(Note: “Library” will be hidden, so go to “Finder” then “Go” –> “Go To Folder” and type ~/Library in the box…then click through to the rest of the directories.)
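To see what a shared computer already holds after an iDevice has been "just charged" on it, the following added example (not code from the original post) inventories the MobileSync backup folders and reports whether each one is encrypted. Assumptions: only the first path in `default_roots` comes from this page; the other two paths and the plist keys `Device Name`, `Last Backup Date` and `IsEncrypted` are taken from the usual iTunes backup layout, and the sample backup is constructed.

```python
import datetime, plistlib, tempfile
from pathlib import Path

def default_roots(home=None):
    """Per-user MobileSync folders. The first is the path given on this page;
    the other two are the usual iTunes defaults, added here as an assumption."""
    home = Path(home) if home else Path.home()
    return [home / "Application Data/Apple Computer/MobileSync/Backup",  # Windows XP
            home / "AppData/Roaming/Apple Computer/MobileSync/Backup",   # Vista / 7
            home / "Library/Application Support/MobileSync/Backup"]      # Mac OS X

def _plist(path):
    """Load a plist as a dict; missing or damaged files yield {}."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:
        return {}
    return data if isinstance(data, dict) else {}

def inventory(root):
    """One record per backup folder under root (metadata only, no content)."""
    root, found = Path(root), []
    if not root.is_dir():
        return found
    for folder in sorted(p for p in root.iterdir() if p.is_dir()):
        info, manifest = _plist(folder / "Info.plist"), _plist(folder / "Manifest.plist")
        if not info and not manifest:
            continue                      # not an iDevice backup folder
        found.append({"folder": folder.name,
                      "device": info.get("Device Name", "unknown"),
                      "last_backup": info.get("Last Backup Date"),
                      # None means Manifest.plist was missing or unreadable
                      "encrypted": manifest.get("IsEncrypted")})
    return found

def build_sample(root):
    """Constructed sample: one unencrypted backup folder with made-up values."""
    folder = Path(root) / ("0" * 40)      # placeholder name, not a real device ID
    folder.mkdir(parents=True)
    with open(folder / "Info.plist", "wb") as fh:
        plistlib.dump({"Device Name": "Kitchen iPhone",
                       "Last Backup Date": datetime.datetime(2011, 5, 1, 8, 30)}, fh)
    with open(folder / "Manifest.plist", "wb") as fh:
        plistlib.dump({"IsEncrypted": False}, fh)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rec in inventory(tmp) + [r for d in default_roots() for r in inventory(d)]:
            state = {True: "encrypted", False: "NOT encrypted"}.get(rec["encrypted"], "unknown")
            print(f'{rec["device"]}: last backup {rec["last_backup"]}, {state}')
```

A backup reported as not encrypted is readable by anyone with access to that user profile, which is why the "family" computer matters as much as the phone itself.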