Mobile Forensic Services

What is Mobile Forensics?

Mobile phone forensics is a branch of electronic evidence gathering for legal purposes. It is a useful tool for investigators because it recovers evidence from a trail of digital data that is often difficult to delete. Extracting deleted mobile phone files for use as criminal evidence is the primary work of mobile phone forensics investigators.

Mobile devices such as cell phones, tablets and GPS units have become everyday necessities for almost everyone, so the involvement of such devices in digital crimes is also increasing day by day.

Tracing call logs, SMS, WhatsApp, Viber and similar records not only helps in apprehending the suspect but also plays a pivotal role in proving the facts in a court of law.

EADH Solutions hosts a forensic laboratory with world-class tools and the expertise to recover deleted data from such devices. We can recover deleted and existing data in printable formats going back to the first day the mobile device went live. We can recover data from all the major mobile platforms, including Android, iOS, BlackBerry, Windows Phone and Symbian.

Which types of data can be recovered?

We can recover deleted, formatted or lost data including, but not limited to:

  • SMS forensics

Our Ability

East African Data Handlers offers expert recovery services using the latest mobile forensic solutions, complete with all the hardware necessary for simplified and rapid logical extraction of evidentiary data from a wide range of mobile devices: legacy and feature phones, smartphones, tablets and phones manufactured with Chinese chipsets.

Mobile devices such as Personal Digital Assistants (PDAs), BlackBerry handsets and cell phones are among the most commonly used communication tools in our daily lives and have become essential to both our personal and professional activities.

With the development of new technology, the capabilities of these devices are continually evolving, providing users with greater storage capacities, better Internet connectivity, and enhanced Personal Information Management (PIM) capabilities. Devices with cellular capabilities allow users to perform additional tasks such as SMS (Short Message Service) messaging, Multimedia Messaging Service (MMS) messaging, Instant Messaging (IM), electronic mail, and Web browsing.

Most people don’t think of mobile phones, tablets and PDAs as sources of evidence, but over time these devices accumulate a sizeable amount of information about the owner and the activities conducted with the device. With the advanced features of today’s phones, there is more information than ever before about where someone has been, who they know and are talking to, what they are saying, and the pictures they keep, as well as far larger amounts of file storage. This information can be invaluable to law enforcement or other security officials as digital evidence.

Let our staff of trained professionals examine your evidence and provide a comprehensive report of all the information on the phone, including:

  • Phone Browser Memory
  • SQLite database files
  • SMS, Call records
  • GPS data and Email client data
  • Contact list
  • Social networking applications (Facebook, Twitter, Orkut) records
  • Messenger (Yahoo, MSN) records
  • Application storage data stored in external card and system storage

Every mobile device is different, and results will vary from device to device. We do our best with each unit we receive to retrieve the maximum amount of information. No matter what data is retrieved from the device, you will be charged a minimum fee of KSH 6500.

Forensic Process

The forensics process for mobile devices broadly matches other branches of digital forensics; however, some particular concerns apply. Generally, the process can be broken down into three main categories: seizure, acquisition, and examination/analysis. Other aspects of the computer forensic process, such as intake, validation, documentation/reporting, and archiving still apply.

Seizure

Seizing mobile devices is subject to the same legal considerations as other digital media. Mobiles will often be recovered switched on; since the aim of seizure is to preserve evidence, the device will often be transported in the same state to avoid a shutdown, which would change files. In addition, the investigator or first responder would risk user lock activation.

However, leaving the phone on carries another risk: the device can still make a network/cellular connection. This may bring in new data, overwriting evidence. In order to preserve all the data on the cellular device, our engineers activate Airplane Mode on the device or clone its SIM card (a technique which can also be useful when the device is missing its SIM card entirely).

Acquisition

The second step in the forensic process is acquisition, in this case usually referring to retrieval of material from a device (as compared to the bit-copy imaging used in computer forensics).

Due to the proprietary nature of mobiles it is often not possible to acquire data with the device powered down; most mobile device acquisition is performed live. With more advanced smartphones using advanced memory management, connecting the device to a charger and putting it into a Faraday cage may not be good practice: the mobile device would recognize the network disconnection and change its status information, which can trigger the memory manager to write data.

Therefore, our forensic engineers are equipped with the latest hardware and software tools for safe retrieval of material from a device.

Examination and analysis

As an increasing number of mobile devices use high-level file systems similar to those of computers, methods and tools can be taken over from hard disk forensics or need only slight changes.

The FAT file system is generally used on NAND memory. One difference is the block size, which is larger than the 512 bytes used on hard disks and depends on the memory type: e.g. 64, 128 or 256 kilobytes for NOR flash, and 16, 128, 256 or 512 kilobytes for NAND memory.

Different software tools can extract the data from the memory image. Our forensic engineers use specialized, automated forensic software products or generic file viewers such as hex editors to search for the characteristic file headers. The advantage of the hex editor is deeper insight into the memory management, but working with a hex editor means a lot of manual work and requires knowledge of both the file system and the file header formats.
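The header search described above, automated: an added example (not code from East African Data Handlers) that scans a raw memory dump for well-known file signatures and, where a format has a trailer, measures the carved object. The signature table and the sample image are constructed for this illustration; erased NAND is modelled as 0xFF filler.

```python
import re

# Well-known file signatures an examiner would search for in a hex editor
# (constructed table for this example; extend it with further formats as needed).
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",          # SOI marker; short, so false positives are possible
    "sqlite": b"SQLite format 3\x00",
}

def carve_headers(image: bytes):
    """Return sorted [(offset, kind, length)] for every known header in a raw image.

    Length runs up to and including the format's trailer (PNG IEND chunk + CRC,
    JPEG EOI marker). SQLite has no trailer, so its length is computed from the
    page-size (bytes 16-17) and page-count (bytes 28-31) fields of the header.
    """
    hits = []
    for kind, magic in SIGNATURES.items():
        for m in re.finditer(re.escape(magic), image):
            off = m.start()
            if kind == "png":
                end = image.find(b"IEND", off)
                length = end + 8 - off if end != -1 else None
            elif kind == "jpeg":
                end = image.find(b"\xff\xd9", off)
                length = end + 2 - off if end != -1 else None
            else:
                page_size = int.from_bytes(image[off + 16:off + 18], "big")
                page_size = 65536 if page_size == 1 else page_size  # SQLite encodes 65536 as 1
                pages = int.from_bytes(image[off + 28:off + 32], "big")
                length = page_size * pages if page_size and pages else None
            hits.append((off, kind, length))
    return sorted(hits)

def build_sample_image() -> bytes:
    """Constructed NAND-style dump: 0xFF filler around a minimal PNG, JPEG and SQLite header."""
    png = SIGNATURES["png"] + b"\x00" * 20 + b"IEND\xaeB`\x82"
    jpeg = SIGNATURES["jpeg"] + b"\xe0" + b"\x00" * 30 + b"\xff\xd9"
    sqlite_hdr = bytearray(100)
    sqlite_hdr[0:16] = SIGNATURES["sqlite"]
    sqlite_hdr[16:18] = (4096).to_bytes(2, "big")   # page size
    sqlite_hdr[28:32] = (3).to_bytes(4, "big")      # page count
    filler = b"\xff" * 64
    return filler + png + filler + jpeg + filler + bytes(sqlite_hdr) + filler

if __name__ == "__main__":
    for off, kind, length in carve_headers(build_sample_image()):
        print(f"{kind:7s} at 0x{off:06x} length={length}")
```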

Data Acquisition Types

Mobile device data extraction can be classified along a continuum: as methods become more technical and forensically sound, tools become more expensive, analysis takes longer, examiners need more training, and some methods become more invasive. The East African Data Handlers forensic team uses a variety of methods to acquire data from various handsets and devices.

Manual acquisition

East African Data Handlers forensic examiners use the user interface to investigate the content of the phone’s memory. The device is used as normal, with the examiner photographing each screen’s contents. This method has the advantage that the operating system itself renders the raw data in human-readable form, so no specialized tools or equipment are needed. In practice this method is applied to cell phones, PDAs and navigation systems. Its disadvantages are that only data visible to the operating system can be recovered, that all data is available only in the form of pictures, and that the process itself is time-consuming.

Logical acquisition

Logical acquisition implies a bit-by-bit copy of logical storage objects (e.g. directories and files) that reside on a logical store (e.g. a file system partition). Logical acquisition has the advantage that system data structures are easier for a tool to extract and organize. Logical extraction acquires information from the device using the original equipment manufacturer’s application programming interface for synchronizing the phone’s contents with a personal computer. A logical extraction is generally easier to work with, as it does not produce a large binary blob. Hence, our skilled forensic examiners are able to extract far more information from a logical acquisition than from a manual acquisition.

File system acquisition

Logical extraction usually does not produce any deleted information, because it has normally been removed from the phone’s file system. However, in some cases, particularly on platforms built on SQLite such as iOS and Android, the phone may keep a database file in which deleted information is not overwritten but simply marked as deleted and left available for later overwriting.

In such cases, our team is able to recover deleted information. File system extraction is useful for understanding the file structure, web browsing history or app usage, as well as giving the examiner the ability to perform an analysis with traditional computer forensic tools.
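The SQLite behaviour described above, shown end to end as an added example (not code from East African Data Handlers): a constructed SMS-style database has one message deleted, the API no longer returns it, yet a raw scan of the file still finds the message text in the table’s page. The table layout, phone numbers and marker string are all constructed; secure_delete is forced off to mirror the common default under which SQLite only unlinks a cell and leaves its bytes in the page’s free space.

```python
import os
import sqlite3
import tempfile

MARKER = "DELETED-MSG-7f3a"   # constructed tag placed in the row that gets deleted

def make_sample_db(path: str) -> None:
    """Constructed sample: a tiny SMS table in which message id 2 is deleted."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode = DELETE")   # no WAL: pages land in the main file
    con.execute("PRAGMA secure_delete = OFF")     # deleted cells are unlinked, not zeroed
    con.execute("CREATE TABLE sms(id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    con.executemany("INSERT INTO sms(address, body) VALUES (?, ?)", [
        ("+254700000001", "meet at 9"),
        ("+254700000002", "please delete this " + MARKER),
        ("+254700000003", "ok"),
    ])
    con.commit()
    con.execute("DELETE FROM sms WHERE id = 2")
    con.commit()
    con.close()

def live_bodies(path: str) -> list:
    """What a logical extraction through the database API would return."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT body FROM sms ORDER BY id")]
    con.close()
    return rows

def carve_marker(path: str, marker: str) -> list:
    """What a file-system level scan of the raw .db finds: [(page_number, offset)]."""
    with open(path, "rb") as f:
        data = f.read()
    page_size = int.from_bytes(data[16:18], "big")   # header bytes 16-17
    page_size = 65536 if page_size == 1 else page_size
    needle = marker.encode()
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append((pos // page_size + 1, pos))    # SQLite page numbers are 1-based
        pos = data.find(needle, pos + 1)
    return hits

def demo() -> tuple:
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        make_sample_db(path)
        return live_bodies(path), carve_marker(path, MARKER)
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

The first table created in a fresh database has root page 2, so the residual text is found on page 2 while the API reports only the two surviving rows.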

Physical acquisition

Physical acquisition implies a bit-for-bit copy of an entire physical store (e.g. flash memory); it is therefore the method most similar to the examination of a personal computer. A physical acquisition has the advantage of allowing deleted files and data remnants to be examined. Physical extraction acquires information from the device by direct access to the flash memory.

Generally this is harder to achieve because the device’s original equipment manufacturer needs to secure against arbitrary reading of memory; in addition, a device may be locked to a certain operator. To get around this protection, our engineers enable access to the memory (and often also bypass user passcodes or pattern locks).

Generally the physical extraction is split into two steps: the dumping phase and the decoding phase.

Supported Mobile Devices

Currently we support a large set of phones, listed below. If your phone is not in the list we can still try it, as we support whole platforms and not every phone can be listed. We are capable of recovering from 4060+ mobile devices, supported across 150 mobile carriers and retailers worldwide, including the following makes and operators:

  • Acer
  • Alcatel
  • Amoi
  • Apple
  • Archos
  • Asus
  • Blackberry
  • Cal Comp
  • Casio
  • Chinese phones
  • Coolpad
  • Dell
  • Dopod
  • Garmin
  • Haier
  • HTC
  • Huawei
  • i-mate
  • INQ
  • Kyocera
  • Lenovo
  • LG
  • Micromax
  • Imo
  • Motorola
  • Nokia
  • Palm
  • Pantech
  • Pidion
  • QTEK
  • Sagem
  • Samsung
  • Sanyo
  • Sharp
  • Smartphones/PDAs
  • Sony Ericsson
  • Tablets
  • T-Mobile
  • Toshiba
  • UNX
  • Unimile
  • Vertu
  • Videocon
  • Vodafone
  • ZTE

For the first time in the country, EADH brings JTAG & Chip-Off Mobile Forensics/Data Recovery Solutions!

© 2015 East African Data Handlers (K) LTD. All rights reserved.