Evidence acquisition in mobile forensics
Acquisition
Acquisition is the process of cloning or copying digital data evidence from mobile devices.
The process of acquiring digital media and obtaining information from a mobile device and its associated media is precisely known as "imaging." The evidence image can be stored in different formats which can be used for further analysis. A hash value is generated to make sure that the image is not tampered with at any given point in time.
Learn Digital Forensics
The imaging can be done with the help of tools such as FTK imager, the Oxygen forensic suite, Windows Mobile Device, Zune, X-Ways, EnCase, Cellebrite Physical Analyzer, IEF, etc.
There are various methods which can be used for the data extraction from the mobile device in question, and are as follows:
- Manual Acquisition –This deals with the visual display of the data content stored on a mobile device. The content displayed on the LCD screen requires the manual manipulation of the buttons, keyboard or touchscreen to view the contents of the mobile device.
At this level, it is impossible to recover deleted information. Manual extractions have become increasingly difficult and perhaps unachievable when encountering a broken/missing LCD screen or a damaged/missing keyboard interface. Additional challenges occur when the device is configured to display a language unknown to the investigator; this may cause difficulty in successful menu navigation.
- Physical Acquisition – This method of acquisition deals with a bit by bit cloning or copying of the entire physical storage. A successful physical acquisition is difficult to obtain as the mobile device manufacturer in most cases provides additional security to prevent direct memory access to their brand of mobile devices. To overcome this challenge, Mobile forensic tool development companies develop their own customized bootloader so that their tool can access the memory directly. The primary advantage of physical acquisition is that it allows for deleted data, part of the data, unstructured data to be presented for examination.
The material acquisition is divided into two sections:
Dumping: During this phase, the data from physical memory is dumped into a raw hexadecimal file format.
Decoding: During this phase, the raw data is converted into a human-readable format.
- File system acquisition –This method allows for the extraction of particular files from the file system of the mobile device.
Usually, the Filesystem acquisition comprises of the following:
Allocated space: This means having access to the files present on the mobile device that includes images, videos, databases, logs, system files, password, app data, phonebook information, call logs, etc.
Unallocated space: This means having access to the files present on the mobile device that includes hidden or deleted app data, EXIF data of images, web history, system data, etc.
- Logical Acquisition – In this kind of acquisition method, connectivity between a mobile device in question and the forensics workstation is established using either a hard-wired (e.g., USB or RS-232) or wireless (e.g., IrDA, Wi-Fi, or Bluetooth) connection. The examiner should be aware of the fact that integrity depends on choosing the connectivity method, as different connection types and associated protocols may result in data being modified. Tools that perform logical acquisition begin by sending a series of commands over the established interface from the computer to the mobile device. The mobile device then responds based upon the command request. The response (mobile device data) is sent back to the workstation and presented to the forensic examiner for reporting purposes. In most instances, an API is used for interacting with the mobile device.
- Bruteforce Acquisition: Bruteforce is a method of trial and error which requires a series of combinations to identify the correct password or pin. In forensics, the brute-force technique has series of numbers ranging from 0000 to 9999 which are sent to the mobile device by a connected 3rd party tool (hardware or software) until the correct code is identified. Once the code is determined then, the device may be used for further forensic analysis.
Tools that perform brute force to get the passcodes are:
- Susteen svStrike: This is a commercial tool that can brute force 6 digits passcodes for Android and IOS platform. For more information and purchase you can follow the URL http://forensicstore.com/product/cellphone-analysis/susteen-svstrike/
- IP-Box: This hardware tool can be used to break the passcode if it is 4 digits on the iOS. It supports up to OS 8.1. For more information and purchase you can follow the URL http://www.fonefunshop.co.uk/cable_picker/98483_IP-BOX_iPhone_Password_Unlock_Tool.html
- Python script: There are few python scripts which can obtain the passcode of the mobile device in question. Once of such script useful for unlocking IOS device can be obtained from the URL https://github.com/bored-engineer/iOS-DataProtection/blob/master/python_scripts/demo_bruteforce.py for Windows phone it can be obtained from the URL https://github.com/cheeky4n6monkey/4n6-scripts/blob/master/wp8-sha256-pin-finder.py
Challenges in mobile acquisition
- Mobile Operating system: As there are many types and kinds of OS's along with different variants, this makes the task of the forensic examiner just that much more difficult
- Security features: In some of the cases the software layer of the mobile device is encrypted using a custom encryption by the manufacturer, and the decryption process is only known to them.
- Anti-forensic technique: Mobile manufacturers or a custom build app may have hidden functionalities such as data obfuscation, data hiding, data forgery, secure wiping, etc. As a result, this makes the task of forensic examiner very difficult if not impossible.
Learn Digital Forensics
Sources
- Mobile device forensics
- Mobile device forensics data acquisition types
- Logical and file system extraction of mobile data
- File system extraction of mobile data
- Mobile forensics and its challenges
In this Series
- Evidence acquisition in mobile forensics
- Digital forensics and cybersecurity: Setting up a home lab
- Top 7 tools for intelligence-gathering purposes
- iOS forensics
- Kali Linux: Top 5 tools for digital forensics
- Snort demo: Finding SolarWinds Sunburst indicators of compromise
- Memory forensics demo: SolarWinds breach and Sunburst malware
- Digital forensics careers: Public vs private sector?
- Email forensics: desktop-based clients
- What is a Honey Pot? [updated 2021]
- Email forensics: Web-based clients
- Email analysis
- Investigating wireless attacks
- Wireless networking fundamentals for forensics
- Protocol analysis using Wireshark
- Wireless analysis
- Log analysis
- Network security tools (and their role in forensic investigations)
- Sources of network forensic evidence
- Network Security Technologies
- Network Forensics Tools
- The need for Network Forensics
- Network Forensics Concepts
- Networking Fundamentals for Forensic Analysts
- Popular computer forensics top 19 tools [updated 2021]
- 7 best computer forensics tools [updated 2021]
- Spoofing and Anonymization (Hiding Network Activity)
- Browser Forensics: Safari
- Browser Forensics: IE 11
- Browser Forensics: Firefox
- Browser forensics: Google chrome
- Webinar summary: Digital forensics and incident response — Is it the career for you?
- Web Traffic Analysis
- Network forensics overview
- Eyesight to the Blind – SSL Decryption for Network Monitoring [Updated 2019]
- Gentoo Hardening: Part 4: PaX, RBAC and ClamAV [Updated 2019]
- Computer forensics: FTK forensic toolkit overview [updated 2019]
- The mobile forensics process: steps and types
- Free & open source computer forensics tools
- An Introduction to Computer Forensics
- Common mobile forensics tools and techniques
- Computer forensics: Chain of custody [updated 2019]
- Computer forensics: Network forensics analysis and examination steps [updated 2019]
- Computer Forensics: Overview of Malware Forensics [Updated 2019]
- Incident Response and Computer Forensics
- Computer Forensics: Memory Forensics
- Comparison of popular computer forensics tools [updated 2019]
- Computer Forensics: Forensic Analysis and Examination Planning
- Computer forensics: Operating system forensics [updated 2019]
- Computer Forensics: Mobile Forensics [Updated 2019]
- Computer Forensics: Digital Evidence [Updated 2019]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Digital forensics
Digital forensics
Digital forensics
Digital forensics