[co-author: David Youssef]
Built-in security features make it challenging for forensic investigators to confirm the presence of spyware in smartphones. A new technique speeds up the process.
Spyware isn't always nefarious. When employed by law enforcement and legitimate intelligence agencies, it can be used to impede threats from cyber actors or terrorist organizations by turning a device into a covert surveillance tool to monitor activity.
In the wrong hands, however, spyware can undermine data security for individuals, corporate leaders and government officials by hacking mobile devices and gaining complete control of the operating system. From there data can be harvested and unwanted spying can be initiated.
Pegasus spyware, which leverages sophisticated exploits against the operating systems of mobile devices, is a real-world example of information being collected from its targets without consent. This creates additional challenges for forensic investigators and leaves potentially affected individuals — from journalists to C-suite executives — wondering, “Has my phone been compromised?”
Investigators Playing Catch-Up
It’s not an easy question to answer. Mobile phone manufacturers have become increasingly concerned with enabling robust data privacy and security controls within their devices. While strengthened security features indeed provide data protection benefits for consumers, they also create limitations that can become problematic in certain scenarios.
For example, the same “privacy veil” built into mobile devices to restrict end users also provides hiding spots for cyber actors, as evidenced in “zero-click attacks.” In these attacks, without requiring any user interaction whatsoever, sophisticated cyber actors can covertly gain remote access to a device’s entire operating system. Even when a user follows security best practices such as multifactor authentication and regular software updates, zero-click attacks can gain entry, leaving users unaware that cyber actors have gained access to use the camera and microphone to spy.
Common smartphone security features also complicate the job for forensic investigators. Determining whether a device has been hacked is a complex process requiring examination of massive amounts of collected data logs. Alternatively, “jailbreaking” the device — removing manufacturer restrictions to unlock additional controls — is an option for gaining access, but that process is often convoluted and time-consuming.
Compounding these complications is the fact that operating systems are constantly being updated, leaving investigators in a continual game of catch-up to stay apace with ever-changing code, policies and settings. In some cases, an investigation cannot begin until it is determined exactly what has changed since the last OS update and whether the forensic analysis process needs to be altered. At times, this can require a total rewrite of forensic tools to align with the latest OS changes.
The process of determining if a device has been compromised can take weeks or months, which is problematic in time-sensitive matters, and individuals are unlikely to agree to relinquish their devices for an extended period of time. However, a new methodology developed within FTI Consulting’s Cybersecurity and Technology segments offers a more efficient and convenient process for determining compromise.
Seeing the Entire Picture
The methodology involves using specific threat-detection tools and AI-powered technology to automatically process and analyze anonymized network data and identify active threats related to data theft, espionage and surveillance. Relevant information is pulled from specific device logs and run through a proprietary tool that analyzes it. A team of investigators and researchers then develops a step-by-step roadmap showing how the device was infected and how much data was extracted, all in a matter of hours.
And the process can be done remotely. There is no need to go through the laborious process of forensically imaging the mobile device or to wait for a jailbreak to gain access.
Beyond identifying threats, investigators can use the tools in tandem with a uniquely developed review process to build a timeline leading up to compromise and beyond. The result? A stronger investigation that depicts a full story on how the cyber attack occurred and what information was accessed — all done efficiently and without the need to rely on outside sources.
The advantages that cyber actors hold — namely the ability to hide in plain sight — require investigators to leverage cutting-edge methodologies to keep pace during the forensic review of mobile devices. Without the right investigation methodology, results can be shaky, outcomes can be delayed and victims can be left to further risk. To truly root out spyware in a mobile device and prevent future incidents, investigators need to see the entire picture of what happened.
Is it possible to predict the next “Pegasus”? Not likely, as all too often, white hat technology can fall into the wrong hands. However, as the threat landscape continues to evolve, so too will the efforts by experts to develop new cyber risk mitigation techniques.