Mobile forensics, as a new subset of digital forensics, has been on everyone’s lips when it comes to various eDiscovery cases in recent years. This is because mobile forensics can help provide digital evidence or relevant data directly and effectively in litigation or investigation related scenarios. Mobile data often serves as the key to crack the code; this is especially true in some internal investigations. However, do you think it’s something at our fingertips and easy to obtain? In fact, collecting and analyzing mobile data is not as simple as it would seem in China.

Global leading forensics tool provider Cellebrite has exited the China market

Cellebrite, one of the worldwide software providers in forensics analysis, is most well-known for its simple and intuitive flagship product series, which allow extraction and analysis of data from mobile devices such as smartphones and tablets. However, on October 7 2020, due to regulatory changes in the U.S., Cellebrite announced that it would stop selling its digital information software and services to customers in Hong Kong and China effective immediately. This was a significant blow to eDiscovery service providers and brought disruption to the China market.

Mainstream mobile forensics software fails to stay up to date with Chinese mobile applications

Had global vendors like Cellebrite remained in the Chinese market, their “famous” forensics tools would not always have been up to date, given the frequent upgrade of Chinese mobile applications.

Taking WeChat (the most popular IM app in China) as an example – WeChat has been upgrading its IM databases and storage schemes during the past few releases, but none of the global mainstream forensic tools are able to perfectly analyze and parse WeChat databases. This is probably because, while mainly facing the global market, mainstream forensic tools focus more on changes of international popular IM applications (e.g., WhatsApp) rather than the China market. Gradually, it becomes more difficult to use mainstream forensics tools to collect and analyze mobile data within China, especially for WeChat chat history.

Different Chinese phone manufacturers produce various models of mobile phones

There are various mobile phone brands in China's cellular market. In addition to the iPhone (which is still popular with the public), Android phones (such as Huawei, Oppo and Xiaomi) occupy a relatively high market share. Each phone maker uses a different Android-based operating system and has its own unique UI style and personalization to suit the needs of different consumers. Therefore, in the process of collecting and analyzing the mobile data, we cannot use one method to deal with all mobile phones but must adapt to various scenarios and use different methods.

The implementation of China’s data regulations complicates the data collection procedure

PRC Data Security Law and Personal Information Protection Law launched respectively on September 1 and November 1 in 2021. With the new regulation in place, people are beginning to pay more attention to data privacy and data protection, especially with regard to personal information. In most data collections where people use personal phones for business purposes, there is no easy way for forensics tools to completely segregate company data from personal data. Hence, certain measures must be taken to make sure the collection procedure complies with local regulations.

As previously demonstrated, applying mobile forensics in today’s China market is a significant challenge but, despite these objective obstacles and practical barriers, we see the rise of local forensic software suppliers and their advancement in domestic application analysis. Moreover, with the accumulation of experience in using mobile forensics, eDiscovery service providers have also gained a deeper understanding of adopting different data processing methods in different cases. We believe in the bright future ahead.