Modern Tools for the Modern Investigation

Case Study: Smart Phone Deleted Data Recovery

Company Profile 

McCann Investigations is a full service private investigations firm providing complete case solutions by employing cutting-edge computer forensics and traditional PI tools and techniques.  For 25 years, McCann’s investigators have worked in the public and private sector encompassing law enforcement, physical and electronic security and computer forensics. 

McCann works with Law Firms, Financial Firms, Private and Public companies and individuals in cases including contentious divorce, child custody issues, fraud, embezzlement, spyware/malware detection, civil and criminal background investigations, due diligence. 

McCann Investigations tools include:

  • Computer Forensics
  • Mobile Device Forensics
  • Spyware/Malware Detection
  • Network Breach Detection
  • Digital Debugging
  • IT Network Vulnerability Assessments
  • Background Investigations
  • Under Cover Work
  • Surveillance
  • Corporate Intelligence
  • E-Discovery

Business Situation 

The United States oil and gas industry has a dominant presence in the Houston area.  As a result, Houston has the highest number of Fortune 500 companies second only the New York.  Because of the dense concentration of companies in the Houston area who are focused on the oil and gas industry, competition becomes fierce where protection of intellectual property rights are paramount to a company’s success.  Most companies have very tight non-compete agreements in place with employees to ensure the protection of company assets, including intellectual property. 

In this case, XYZ Energy Company holds certain intellectual property rights from the design of its equipment, its drilling techniques to their customer list.  Non-compete agreements are in place to deter an employee from in effect stealing intellectual property from an employer and creating a competing entity using the former employer’s technology, vendors and in most cases, selling that technology to the same customers. 

XYZ Energy, upon learning of the formation of the competing company by its former employees contacted McCann Investigations because they believed that communications regarding the new venture had taken place on the company smartphones used by the former employees. 

McCann Investigations has found that in most cases involving the violation of a non-compete agreement and the theft of intellectual property theft, the former employees almost always use their company laptops or smartphones to communicate with co-conspirators.  Although the data has been deleted, in most cases, that data can be recovered by an experienced computer forensics expert. 

It is important to note, that in order for the data to be admissible as evidence in civil or even criminal litigation, the data must be extracted and stored in a forensically sound manner by a third party licensed computer forensics examiner.  Allowing the company’s IT personnel to extract the data would deem the evidence contaminated and inadmissible in a court of law.  It is extremely important that once the suspicion of wrong-doing arises, that the device is immediately powered down and delivered to a qualified computer forensics expert.

Technical situation 

XYZ Energy’s standard issue company phones are iPhones.  While iPhones have by far the best security options in the smartphone market, passwords are easily cracked and data can often be recovered from several years past.  It should be noted that Android and Windows based phones are even more easily accessed for forensics investigations.  Factory re-setting any of these phones will essentially wipe all of the data.  However, if the phone has been backed up to a laptop or a desktop, the data will be stored on that device and is recoverable. 

The following are the types of devices that can typically be imaged for recoverable data: 

  • Smartphones - iPhones, Android, Blackberry, Microsoft Windows Mobile, Symbian
  • Mobile phones - standard phones such as CDMA, TDMA, GSM
  • SIM cards contained in mobile phones
  • Removable flash storage contained in mobile devices
  • Tablet devices - iPad, Android tablet, Microsoft tablet
  • Other mobile devices - PDA devices, GPS devices, iPods, Palm Pilots, digital cameras, digital video recorders, digital audio recorders, MP3 players, flash storage devices, 2-way pagers 

Mobile device operating systems are not as standard or stable as computer operating systems, so locating and reporting on data is more difficult and time consuming than on a Mac or PC.

While recovering deleted data from a smartphone is can be successful in most circumstances, there are problems which can arise in the imaging process:

Standard Imaging Protocols - Mobile devices should follow standard forensic imaging protocols to avoid data being changed, written or updated on the devices.  

  • An incoming phone call could cause an older call log entry to be overwritten potentially spoiling the state of the evidence. 
  • The same can be true about allowing the mobile device to send or receive text messages, MMS, phone calls, emails, application updates, etc. 
  • Methods to prevent this include cloning the SIM card for GSM devices to prevent network access and only powering on the device in a "stronghold box" or "Faraday Bag" which prevent any types of wireless, cellular, Bluetooth, Wi-Fi or phone carrier signals from reaching the phone.
     
  • Advanced Security Settings – Some newer devices prevent any type of access to information without the passcode.
     
  • Self-Destruct Mode - Some devices have the capability to securely erase themselves if the wrong password is entered too many times. 
  • SIM Card Passwords - Most SIM cards have hardware based password control that can lock out the card after too many wrong passwords. (Locked SIM cards can sometimes be unlocked with help from mobile provider by providing a SIM carrier specific PUK code.) 
  • Remote Self-Destruct – Allows self-destruct commands to be sent remotely by Blackberry or Exchange server administrators.  (This is another reason to be sure the mobile devices are handled by specially trained forensic experts with the proper equipment.) 

While permanently wiping data from a smart phone is possible, the average user typically is not tech savvy enough to accomplish this.  In most cases, a computer forensics examiner will be able to recover deleted data.

Solution 

McCann Investigations received smart phone of the former employee.  Through forensic imaging of the device, McCann Investigators were able to recover deleted emails, text messages, call history and images from the device.  Upon investigation of the text messages, emails and call history, it was determined that the employee was in communication with another former employee and they had in fact started a competing company using intellectual property of XYZ Energy.  It was also determined that the former employee had been in communication with clients as well regarding the new company.

With this data, extracted in a forensically sound manner, XYZ Energy was able to provide information to their attorney and begin proceedings to file civil litigations and injunctions against the former employee and their co-horts.

Products and Services Used:

  • Computer Forensics Technician – Licensed Private Investigator in the State of Texas with certification is computer forensics.
  • Oxygen Forensic Suite – Leading software application to forensically image Smartphones.

The McCann Suite of Investigation Tools:

McCann Investigations are accredited members of...