Learn about the importance of contacts within mobile devices. Contact phone numbers are not only stored within mobile devices but also at the network level for billing purposes. How can we take these two datasets to paint a better picture in an investigation?
Painting A Better Data Picture With Contact Information During An Investigation
So, you have been to the ArtifactIQ by Grayshift Dashboard and looked through the overview of the device extraction. One apparent artifact that appears to be invaluable is the Phone Number of the device owner. However, how accurate is this number? Can this number be wrong? Can you rely on it?
As some of you know, you can navigate to Contacts on your phone, open your own contact card, and enter any number you like there. It may be an accidental input error on the part of the device owner, or it may be a deliberate attempt by the owner to obscure the real number of the mobile device.
Nevertheless, it makes no difference to the operation of the phone, as the stored contact number has no impact on the device’s functionality. Device communications do not rely on the stored mobile number (officially known as the MSISDN, Mobile Station International Subscriber Directory Number) but on an identifier called the IMSI (International Mobile Subscriber Identity). Have you ever left your phone near a TV or a speaker and heard some sort of interference coming from your speaker? Mobile devices are constantly communicating with networks, even when you’re not using them. In the case of a GSM device with a SIM (Subscriber Identity Module) card, the device performs a handshake with the network to let the cellular network know where it is on the network and that it is available for communications such as receiving calls and SMS messages.
It also “talks” to the network and asks, “Are there any changes I need to know about? Does my owner still have enough money in the account to make a call? Is my number still the same as it was 20 minutes ago?” Think of a time when you changed your contact number with your provider. You didn’t receive a new SIM card; your network told you to wait up to 24 hours and restart your phone after midnight. What was happening in reality was that when you switched on your phone, your device performed a handshake with the cellular network and broadcast the IMSI (which NEVER changes) of the SIM card to the network. This let the network know the device was available and online, and it also allowed the device to receive any new information, such as a new contact number being assigned to that SIM card.
So how can we tell? How can we try to bolster the reliability of that number? Well, this is where the Contacts section in ArtifactIQ can help.
What Data Can You Get From Contacts In A Mobile Forensics Investigation?
Navigating to the Contacts section in ArtifactIQ by Grayshift shows that Contacts have been recovered from the device. Now what? What use are they?
Well, firstly let us break them down.
You can find two fundamental types of Contacts on a mobile device:
- Contact details associated with the owner of a device
- Other people’s contacts that the device owner has stored
The ArtifactIQ Contacts are not limited to just what is stored in the Contacts application of the mobile device. You know, that little phone book icon on the home screen on your phone. ArtifactIQ by Grayshift is recovering contact details from not only the device phone book, but also sources such as Facebook Messenger, iMessage, Signal, Snapchat, and WhatsApp.
So, let’s look at the first contact type: the device owner’s own contact details.
We have a number purporting to be the device owner’s number – +44 7902 123456.
You can search the Contacts for this number and ascertain whether it has been used for active communications within a specific application, such as iOS Messages. Selecting an artifact will present a more detailed “Contact Details” window showing whether the number in question is the phone owner’s number. In this case, a yes indicates that the number is associated with the phone owner, and if the number has also been used in an active communication, that is a strong indication that it is reliable.
This number can also be provided to a Communication Service Provider, such as AT&T, T-Mobile, Verizon, Vodafone, O2, etc., who can provide details regarding the number and any associated data they hold for that number (with appropriate legal authority). The cellular provider can match the number (MSISDN) to the IMSI for definitive proof of the number of the device.
The other type of Contact is other people the device owner stores on the device. Traditionally such contacts are simply recovered from the phone book or contacts app on the device. However, ArtifactIQ draws contacts from the various sources mentioned previously. This can be highly beneficial in several circumstances.
Think of a traditional contact entry and what it includes:
- First name
- Last name
- Contact number
However, these fields are optional. So, a phone owner could store a number such as +44 7902 123456 with no name, with abbreviations, or even possibly with a nickname.
Don’t Overlook Contact Details From Messaging Apps
With ArtifactIQ by Grayshift recovering Contact details from sources such as Facebook Messenger, iMessage, Signal, Snapchat and WhatsApp, a better picture of a specific number could be built up. For example, suppose a number is stored in Contacts as “Russell B +44 7902 123456.” In that case, another application may have “R Bell” as its profile for the number with “Stringer.” By studying all instances of +44 7902 123456, we can associate the number +44 7902 123456 with Russell Bell who may go by the nickname Stringer.
It’s not only numbers ArtifactIQ can provide. We also mentioned Facebook Messenger and other applications in the ArtifactIQ Contacts section.
You can utilize the filter to select only Facebook Messenger. ArtifactIQ will provide the basic details such as the contact name; however, if you choose an entry and open the “Contact Details” window for that entry, you may be able to ascertain the actual Facebook Handle for that person within the “Additional Info” section. This handle can be added to the URL https://www.facebook.com/ as a suffix. For example, you find a Facebook Messenger contact with the handle “grayshiftllc.” You can append that to Facebook to create https://www.facebook.com/grayshiftllc and extend your research beyond the mobile device itself.
ArtifactIQ not only recovers Contacts from device extractions, but also provides insight into the frequency of contacts in the form of bar graphs. This can be an invaluable tool to rapidly identify the most frequent contacts on a device visualized by a number, name, or application.
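The correlation described in the last few paragraphs (grouping every record that refers to one number regardless of how each app wrote it, collecting the names and nicknames it was stored under, turning a Facebook Messenger handle into a profile URL, and counting how many sources reference each number) is straightforward to do by hand on a handful of contacts, but the logic is worth seeing end to end. The following is an added example written for this article; it is not ArtifactIQ code and makes no claim about how the product implements these features. The records, the `ContactRecord` shape and the owner’s number +44 7700 900123 are constructed for illustration; the +44 7902 123456 number, the names and the “grayshiftllc” handle are taken from the text above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ContactRecord:
    """One contact artifact recovered from one application (constructed shape)."""
    source: str                   # application the record was recovered from
    name: str                     # display or profile name in that application
    number: Optional[str] = None  # number exactly as stored, any format
    handle: Optional[str] = None  # app-specific handle, if the app has one
    is_owner: bool = False        # does the app flag this as the owner's card?


# Constructed sample extraction: the same person stored three different ways,
# the owner's own card (placeholder number), and a handle-only Messenger contact.
SAMPLE_RECORDS: List[ContactRecord] = [
    ContactRecord("Phone Book", "Russell B", number="+44 7902 123456"),
    ContactRecord("WhatsApp", "R Bell", number="07902 123456"),
    ContactRecord("Signal", "Stringer", number="+447902123456"),
    ContactRecord("iOS Messages", "Me", number="+44 7700 900123", is_owner=True),
    ContactRecord("Facebook Messenger", "Grayshift", handle="grayshiftllc"),
]


def normalize_msisdn(raw: str, default_cc: str = "44") -> str:
    """Reduce the ways one number is written to a single +<digits> form.

    Accepts international (+44 ...), 00-prefixed international (0044 ...)
    and national (07902 ...) formats. National numbers are assumed to belong
    to default_cc; set it to the country code the extraction relates to.
    """
    digits = re.sub(r"\D", "", raw)
    if raw.lstrip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    if digits.startswith("0"):
        return "+" + default_cc + digits[1:]
    return "+" + digits


def correlate_by_number(records: List[ContactRecord]) -> Dict[str, dict]:
    """Group every record carrying a number under its normalized MSISDN,
    collecting all names it was stored under and all apps referencing it."""
    acc: Dict[str, dict] = defaultdict(
        lambda: {"names": set(), "sources": set(), "owner": False})
    for rec in records:
        if rec.number is None:
            continue
        key = normalize_msisdn(rec.number)
        acc[key]["names"].add(rec.name)
        acc[key]["sources"].add(rec.source)
        acc[key]["owner"] = acc[key]["owner"] or rec.is_owner
    # Freeze sets into sorted lists so reports are deterministic.
    return {k: {"names": sorted(v["names"]),
                "sources": sorted(v["sources"]),
                "owner": v["owner"]} for k, v in acc.items()}


_HANDLE_RE = re.compile(r"^[A-Za-z0-9.]+$")


def facebook_profile_url(handle: str) -> str:
    """Append the handle to https://www.facebook.com/ as the article describes.
    The handle is checked against the letters/digits/periods Facebook usernames
    use before it is placed in the URL, so a malformed or crafted value taken
    from a device cannot alter the path that ends up in a report."""
    if not _HANDLE_RE.match(handle):
        raise ValueError(f"not a plausible Facebook handle: {handle!r}")
    return "https://www.facebook.com/" + handle


def handle_lookups(records: List[ContactRecord]) -> List[Tuple[str, str, str]]:
    """(source, name, profile URL) for every Messenger contact that has a handle."""
    return [(r.source, r.name, facebook_profile_url(r.handle))
            for r in records if r.source == "Facebook Messenger" and r.handle]


def render_source_counts(profiles: Dict[str, dict]) -> List[str]:
    """Text stand-in for a frequency bar graph: one bar per number, bar length
    equal to the number of distinct apps referencing it, most-referenced first."""
    rows = sorted(profiles.items(), key=lambda kv: (-len(kv[1]["sources"]), kv[0]))
    lines = []
    for number, p in rows:
        label = " / ".join(p["names"]) + (" (owner)" if p["owner"] else "")
        lines.append(f"{number:<16} {'#' * len(p['sources']):<6} {label}")
    return lines


if __name__ == "__main__":
    profiles = correlate_by_number(SAMPLE_RECORDS)
    for line in render_source_counts(profiles):
        print(line)
    for source, name, url in handle_lookups(SAMPLE_RECORDS):
        print(f"{source}: {name} -> {url}")
```

Running the script lists +447902123456 first, stored under “R Bell”, “Russell B” and “Stringer” across three applications, then the owner’s card, and finally the Messenger contact with its profile URL. The normalization step is what makes the grouping work: without it, “07902 123456” and “+44 7902 123456” would be reported as two different contacts.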
So, Contacts. They are often overlooked and taken at face value; however, as you can now see, drilling down into the details available within Contacts can be advantageous to an investigation. Try ArtifactIQ by Grayshift for yourself by participating in ArtifactIQ Early Access and work with the Contacts Feature yourself.
© 2022. Grayshift, LLC. All rights reserved. Proprietary and confidential.