Overview
Extraction Required: Full File System of iOS or Android Device
Prerequisites:
- Obtain device passcode
- Disable automatic updates
- Disable Stolen Device Protection (iOS Only)
- Allow access to Developer Options (Managed (MDM) Android Only)
The Process:
- Disable Bluetooth and network connections and enable Airplane Mode to prevent remote wiping
- Connect the mobile device to advanced, industry-premium forensic software
- Gain elevated access to mobile device and perform a Full File System Extraction
- Ensure Signal databases and decryption keys are present in extraction
- Load the acquired data in forensic tool for parsing and perform forensic examiner analysis
- Manually review Signal databases for recoverable artifacts
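The check in the fourth step (databases and decryption keys both present) can be scripted against the extraction folder before parsing. The sketch below is an added example, not part of the original procedure or of any forensic product. The file names passed to `verify_extraction` are placeholders for whatever database and key files the acquisition tool exports, and the entropy threshold is an assumed heuristic.

```python
import hashlib
import math
from collections import Counter
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # header of an unencrypted SQLite file

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def sha256_file(path: Path) -> str:
    """Stream the file so large databases are hashed without loading them whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def classify_db(path: Path) -> str:
    """Classify a candidate database from its first 4 KiB (heuristic)."""
    with path.open("rb") as f:
        page = f.read(4096)
    if len(page) < 512:
        return "truncated"  # too small to hold a database page: re-acquire
    # Measure past the 100-byte header region: an encrypted file can still
    # carry a plaintext header, so the magic alone proves nothing.
    if entropy(page[100:]) > 7.0:  # assumed threshold, not a standard value
        return "encrypted"  # unreadable without the key material
    return "plaintext-sqlite" if page.startswith(SQLITE_MAGIC) else "unknown"

def verify_extraction(root: Path, db_name: str, key_name: str) -> dict:
    """Locate the database and key files under `root` and report readiness."""
    report = {"databases": [], "key_material": [], "ready": False}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.name == db_name:  # db_name / key_name are examiner-supplied placeholders
            report["databases"].append(
                {"path": rel, "kind": classify_db(p), "sha256": sha256_file(p)})
        elif p.name == key_name and p.stat().st_size > 0:
            report["key_material"].append(rel)
    usable = [d for d in report["databases"] if d["kind"] != "truncated"]
    # Both halves must be present before parsing, as the step above requires.
    report["ready"] = bool(usable) and bool(report["key_material"])
    return report
```

The recorded SHA-256 values can go straight into the examination notes so that later analysis is tied to the acquired files.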
Limitations:
- Retention Policy
  - Signal supports Disappearing Messages
    - This setting can be customized to the user’s preference
    - Default options range from 30 seconds to 4 weeks
- Database carving may not result in recovered artifacts
  - Signal champions security; its database does not retain deleted artifacts for prolonged periods
  - Disappearing Messages are unlikely to be recovered
- Unknown Passcode
  - If the passcode is unknown, the device can be PIN cracked under certain circumstances (e.g. company-owned devices)