How do I forensically determine whether a mobile phone has been infected with a spy suite?
If I were in your position, I would grab complete image(s) of the individual mobile device(s) to forensically analyze the images using another, independent system because…
- You do not have to install anything on the related mobile devices as you can analyze the device image(s) on your other system with any tool you like/want/need.
- You can modify (in the sense of “cleaning up suspicious and/or malicious data”) the image as needed and push the checked and cleaned image(s) back to the individual mobile device(s).
- You have image(s) of the mobile device(s) which can act — if needed — as forensic proof and legal evidence.
If you do not know how to create and analyze such device images but are almost sure that the devices are indeed compromised, it's time to get professional help from an information security specialist… your best choice will be an forensic analyst in this case.
Additionally, since you are describing a situation that could involve a commercial environment (work/company), you should also reach out for legal advise in case you actually manage to identify the person(s) who have compromised your devices.
As you might know, governmental institutions and agencies (including “ye regular police”) have access to specialists like forensic analysts. Most probably, they are your best choice when it comes to "securing proof" and "defending your rights" (in a legal sense).
The above approach has a high potential to close the loop of your security problem without too much impact, while providing you with a good stand when legal consequences start gaining importance to you.
EDIT
The following information will be of use to you:
- SANS: An Incident Handling Process for Small and Medium Businesses (PDF)
- SANS: FORENSICS PLAN GUIDE (PDF)
Whatever you do, do not destroy or modify digital evidence. That's why I am advising a forensic analyst instead of doing research and analysis yourself. And let's be honest — if you were trained in digital forensics, you wouldn't have asked the question in the first place. Instead, you would have applied the 6 Phases of Incident Management…
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Training
… using the appropriate proceedings and tools.
EDIT
Due to the comment(s) talking about iPhone and iPad imaging, I would like to note that when I talk about imaging for forensics purposes, I am talking about "professional digital forensics software" that fits the individual needs and purposes of the analyst.
This is a list of currently available tools which I would use (depending on the situation and needs) for iPhone/iPad:
- Black Bag Technology Mobilyze
- Cellebrite UFED
- EnCase Neutrino
- FTS iXAM
- iPhone Analyzer
- iphone-dataprotection
~ A set of tools that can image and decrypt an iPhone. The tools can even brute-force the iPhone's 4-digit numerical password. - iOS Forensic Research (Available to law enforcement only!)
~ Among many things, Jonathan Zdziarski has released tools that will image iPhones, iPads and iPod Touch. - Katana Forensics Lantern
- libimobiledevice
~ A library with utilities for backing up iPhones. The output format is an iTunes-style backup that can be examined with traditional tools. They are available in the Debian-testing packages libimobiledevice and libimobiledevice-utils. - Logicube CellDEK
- MacLock Pick
- Micro Systemation .XRY
- Mobile Sync Browser
- Nuix Desktop and Proof Finder
~ Tools that can detect and analyse many databases from iOS and iPhones and can directly ingest HFSX dd images. - Oxygen Forensic Suite 2010
- Paraben Device Seizure
- SpyPhone
I'll spare you listing the appropriate tools for Android, Blackberry and other mobile devices, which each have their own set of forensics tools. I'm convinced you don't really need a list of tools, since any forensics specialist knows them. If you don't, you're not a digital forensics professional… yet.
Now, if you want to dive in a bit deeper into digital forensics, you should take a look at
- http://www.forensicswiki.org/wiki/Main_Page
which provides some pretty good heads-up information for people who aren't educated in the field.
Also, you should read some books on the subject like "iPhone and iOS Forensics".
If you're still interested in digital forensics after reading a dozen of books and getting your hands dirty by trying it on your own devices, I would like to advise you to reach out for an according digital forensics education. It's an interesting field and you can trust me when I say: "it never gets boring."
The easiest way would be to disable the cellular modem and leave them on wifi. You can then monitor the connections they make for anything going to unexpected servers. That will be significantly easier than trying to gain access to the cellular traffic.