Digital Forensics Dispatch

Digital Forensics Blog
by Sensei Enterprises, Inc.

Employee Data Theft Investigations: Part Three – Mobile Device Evidence Artifacts

February 14, 2023

Part one of this series discussed preserving devices for an investigation, and part two covered computer evidence artifacts. In this final section, we cover the examination of data from mobile devices – smartphones, tablets and other small or portable electronic storage devices. What evidence resides on them and what can you find?

What data can be found on mobile devices?

Much like computers, the little devices we keep within arm’s reach 24/7 store quite a bit of data.

Every day people walk around with the equivalent of a computer in their pockets, purses and bags. People can access information at the tips of their fingers 24/7, and that information leaves traces.

In an employee data theft investigation, there can be a lot of information stored on the ex-employee’s mobile device. Preservation was discussed in part one, but preserving the device when it is returned should be a priority before putting it back into use.

If a smartphone – an iPhone for example – is restored to factory settings before an examination of its contents can be performed, significant data has likely been overwritten and won’t be discovered.


One of the biggest data sources that can be found on smartphones and tablets is Short Messaging Service (SMS), Multimedia Messaging Service (MMS) and chat data. These data sources are text messages and third-party chat application data, such as data from iMessage, WhatsApp and Facebook Messenger.

In scenarios where the ex-employee has been messaging clients, there can be some important information in their messages. If you suspect the ex-employee of poaching your clients to start a new business, it is quite possible that they have been messaging those clients about the new business and about why they should drop their previous employer and move to it.

Web browser history

Much like a computer, smartphones and tablets can store web browser activity. If the ex-employee thinks that their browsing data on the computer may be monitored, then maybe they will run some searches or access sites from their smartphone. Browser history can show what websites were visited and searches run as well. It can even reveal access to file sharing websites such as Dropbox, Google Drive, iCloud and more.
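As an added illustration of this kind of review (not code from the original article or from Sensei Enterprises), the Python below triages an exported browser history for file sharing access and searches inside a date window. It assumes the history has already been exported as rows of UTC visit time and URL; the domain lists, function names and sample rows are constructed for the example.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Hostnames for the file sharing services the article names (assumed list; extend per case).
FILE_SHARING = {"dropbox.com": "Dropbox", "drive.google.com": "Google Drive",
                "icloud.com": "iCloud"}
# Search engines and the query-string parameter that carries the search terms.
SEARCH_PARAM = {"google.com": "q", "bing.com": "q", "duckduckgo.com": "q"}

# Constructed sample rows (ISO 8601 UTC visit time, URL), not from a real device.
SAMPLE_HISTORY = [
    ("2023-01-09T14:02:11Z", "https://www.google.com/search?q=export+crm+contacts+to+csv"),
    ("2023-01-09T14:05:40Z", "https://www.dropbox.com/home/clients"),
    ("2023-01-10T08:15:00Z", "https://drive.google.com/drive/my-drive"),
    ("2023-01-10T08:20:00Z", "https://notdropbox.com.example.net/login"),
    ("2022-06-01T10:00:00Z", "https://www.icloud.com/iclouddrive/"),
    ("2023-01-11T09:00:00Z", "not a url"),
]

def _match(host, table):
    """Return the table value whose key equals host or is a parent domain of it."""
    for domain, value in table.items():
        if host == domain or host.endswith("." + domain):
            return value
    return None

def triage(rows, start, end):
    """Classify visits inside [start, end] as file sharing access or searches."""
    findings = []
    for stamp, url in rows:
        when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if not (start <= when <= end):
            continue
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()  # unparseable URLs yield no host
        service = _match(host, FILE_SHARING)
        if service:
            findings.append((when, "file_sharing", service))
            continue
        param = _match(host, SEARCH_PARAM)
        terms = parse_qs(parts.query).get(param, []) if param else []
        if terms:
            findings.append((when, "search", terms[0]))
    return sorted(findings)
```

Matching on the parsed hostname rather than on a substring of the URL keeps look-alike hosts such as the `notdropbox.com.example.net` row out of the findings.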

Installed applications

Much like a computer, mobile devices use programs and software to perform tasks. The list of installed applications shows what apps were installed on the device. A review of these applications can often reveal what capabilities the device user has, such as whether file sharing apps or other messaging applications are installed.

Locally stored files

Many mobile devices can save files directly to the onboard storage of the device. This means that an employee can save PDFs, Excel files and much more to the device. There are also photos and videos, which in a data theft or deletion matter usually are not of great importance unless photos and videos are key to business operations.

Recovering deleted data

The ability to recover deleted data from a mobile device such as a tablet or smartphone can vary depending on the support for the device. In many cases a full file system or physical collection of the device needs to be performed to recover deleted data.

In some cases, it may be possible to recover deleted message data from a mobile device or even deleted files. All of this depends on the support for the device, so it is key to provide as much information as possible about the device to the digital forensic examiner.

What about external storage media?

External storage media, such as USB flash drives, external hard drives or SSDs, can often contain information pertaining to a data theft or deletion investigation. These devices will often contain data that has been saved to them.

This can include files and other data that may be important, especially if the company has a strict policy on USB devices. Deleted data can sometimes be recovered from these devices to show what files were once stored on the device as well.

All of this, combined with the data from a computer system that the device was connected to, can sometimes show file access to the USB device. This may indicate files being copied or accessed on that USB drive and certainly shows that the device was connected to the computer system.

Final thoughts

Data theft investigations can take quite a long time to complete, especially if there are many devices that need to be investigated. As always, consulting with a digital forensic examiner about what data types might be found is recommended.

Consulting with a digital forensic firm or examiner can save both time and money. If you have questions or need digital forensic services, contact us at 703.359.0700.
