Handhelds give up secrets

PricewaterhouseCoopers is increasingly being asked to extract secret information from mobile phones and handheld devices.

The consulting giant mainly does computer forensics work on PCs, says PwC security consultant Colin Slater, but extracting information from mobile phones and personal digital assistants (PDAs) is an area where forensics services are also in demand.

“Until recently, commonly available forensics tools were disk-based, not flash memory-based, but there is a tool called Zert which allows you to image mobile phones and PDAs — you can suck off an image from the machine and examine it as usual.”

Zert, a device produced by the Netherlands Forensic Institute and unavailable to the public, is used by police forces around the world, Slater says, “because mobile phones are used in a large number of crimes — you can buy a prepaid one off the shelf and no one knows you’ve got it”.

Being able to duplicate data from PDAs is also important, “as a Palm Pilot can hold a massive amount of information”.

Tarik Mallett, also of PricewaterhouseCoopers, says tools are available to forensically analyse the SIM cards on mobile phones and the history of text messages sent on those phones. He says it’s also possible to analyse fax machines to recover sent and received faxes.

Mallett says as the use of handheld devices increases throughout the world, “we are seeing a proliferation of investigations which are undertaken forensically on these devices”.

“These handhelds come in all shapes and sizes, from Palms to iPaqs and mobile phones, and a lot of forensic investigations now involve the analysis of these devices, either on the information that is stored on a desktop/laptop computer when the devices are synched, or of the devices themselves.”

Zert, mentioned above, is a hardware device, but there is also a software tool, PDA Seizure from Paraben, soon to be released, which will be the first software forensic analysis application for PDAs, Mallett says.

Slater says PwC employs four full-time computer forensics staff in New Zealand and has others who are trained in the field. He worked in computer forensics in Europe before coming to New Zealand and has written forensics software. He says computer forensics is a growing area and that some perpetrators of computer crime are becoming more savvy about covering their tracks, or attempting to.

“People are getting smarter about how they use computers — it’ll be harder to prove fraud in the future, but we’ll come up with new ways of proving evidence ... there aren’t many people who can cover their trail.”

On the other hand, he says, there are still a lot of people who don’t realise that when they delete something it hasn’t disappeared.

The Serious Fraud Office and IRD also make use of computer forensics and other information recovery methods.

“Obviously information on computers is of interest to us — my investigators are trained in the art of retrieving information from computers,” says SFO director David Bradshaw. The office also makes use of the police e-crime labs when necessary, he says, and while cases the office brings don’t usually hinge on any one document retrieved from a computer, they have been important to the overall picture.

Retrieving documents isn’t the only function the office requires. In one case, the issue was whether a document found had been initiated by a suspect or whether someone else who had access to the computer could have put it there to frame them.

Inland Revenue spokesman Paul Ryder says the department is developing protocols for use in copying hard drives and associated matters.

An “increasing number” of IRD IT staff are acquiring expertise in the area, Ryder says. The technology has been used in some tax cases, he says.
