Mobile forensics can be seen as a valuable range of scientific methodologies that are used by forensic investigators to extract data and other digital evidence from mobile devices. These include mobile computer devices such as cellular phones, smart phones, PDAs, and tablets. Once this evidence has been collected, it needs to be admissible in a court of law, which means that stringent, prescribed protocols must be followed by investigators at all times, and during all stages of the investigation process model. The generally accepted forensic investigation process model is:
We will be concentrating on the first step of the process, the acquisition of evidentiary data, and all details that pertain to the discovery, collection, and storage of evidence in a transparent, reproducible, and legally compliant manner. We offer an excellent starting point for anybody looking to begin their journey as a digital forensics specialist with our Computer Forensics Boot Camp course, which can be found at https://www.infosecinstitute.com/courses/computer-forensics-boot-camp. This training will prepare students for the CCFE, and CMFE certification examinations by transferring the necessary skills that will allow them to investigate computer and mobile threats and computer crime in real-world situations.
Here, we will look into the various approaches that an investigator may choose to employ during their time while working on a case and we will go into detail about each of these methods to provide a better understanding of the processes involved.
What Are the Various Types of Evidence/Data Acquisition in Mobile Forensics?
There are several methods that can be employed by forensics specialists when trying to acquire evidence from a device, but the most prominently employed methods of data acquisition are:
Each of these types of data acquisition has its own advantages and disadvantages, as well as circumstances in which they should be used. We will look at each of these methods individually and give a brief description of when a forensic specialist would be inclined to use a particular type of acquisition method.
Manual Data Acquisition
Manual data acquisition is used when a mobile device is functional and is not encrypted or physically damaged and, since the device can be navigated via its graphical user interface (GUI), no special software or software tools are required. Content such as pictures, documents, call records, or any other user-accessible data and features can be viewed by the investigator. In many cases, screenshots will be captured from the device, via either digital camera or a video adapter onto an external screen with image-capturing software.
This is not necessarily a comprehensive method of detection, as data that is unreadable to the device’s operating system will not be accessible to the investigator during this process. Deleted items are also unrecoverable at this level, meaning that other, more technical methods need to be employed if this becomes a requirement. Whenever an investigator uses the mobile device in this manner, there is the risk of compromising data by inadvertently deleting files or modifying time stamps.
Another critical factor is the time-consuming nature of manual data acquisition. This is because an investigator will be required to manually sift through potentially large stores of data and manually take screen shots of each piece being entered into evidence. In cases where there are several hundred pictures, emails, or messages, it quickly becomes clear that large amounts of time will be required to complete any meaningful investigation. For these reasons, a forensic investigator may only use this method as a last resort, when all other avenues have already been exhausted.
Logical Data Acquisition
This method involves connecting a mobile device to the forensic investigator’s workstation via a wired USB or RS 232 connection. Wireless connections such as Wi-Fi, IrDA (infrared) or Bluetooth can also be utilized, depending on the requirements of the investigator and the capabilities or limitations of the device that is being examined. Each method uses its own communications protocol and may package data differently in order to transfer the mobile device’s data at the bit level.
Each mobile operating system has an associated SDK (software development kit) that forensics investigators will have loaded on their workstations. The SDK provides manufacturer-level access to the mobile device’s hardware and software, as it interacts natively with the mobile device’s API (application programming interface) and means that it will respond to commands given to it remotely, from the forensic workstation.
This method is especially useful if SMS, MMS and call histories need to be examined. The investigator can remotely install OS-specific forensic tools on the device and run queries that will not affect the mobile device’s file structure, delivering forensic reports in many different formats, such as CSV- or XLS-formatted documents. These are human-readable documents and are excellent sources of information. In cases where SMS or text messaging data needs to be examined, the document fields can include time sent, time received, status (read or unread), message size, message content (what was said in the message), protocol and much more. The forensic application can then be removed remotely and without affecting the integrity of the mobile device once the assessment has been completed. One of the big disadvantages with this method is that deleted files are not usually detectable.
File System Data Acquisition
This is a great method for recovering deleted files from a mobile device. On many digital systems, a file that has been deleted usually hasn’t been deleted at all, but rather has been allocated a flag that tells the system that that file can be safely overwritten. When that overwrite happens depends on many factors, the main one being how much data has been copied to the device since the file’s deletion and whether the flagged data is located in an area of storage where writing activity is more likely to occur.
Android and IOS devices share a common database structure, which is based on the SQLite schema. The synchronization interface determines whether a file is ready to be overwritten and is responsible for flagging deleted items. If forensic investigators can successfully access it, then they can potentially copy these “deleted” files such as browser history, pictures, messages, and many other items of interest from the mobile device for further investigation.
Physical Data Acquisition
Physical data acquisition is a bit-by-bit copy, or clone, of a mobile device’s file system and directory structure. It can be thought of as a hard drive copy of a normal computer system. Once this data has been copied, it can then be indexed by specialized forensic tools. For instance, if instant messages are an area of interest to an investigator, such tools can compile all messages from different instant messenger applications in an ordered, logical list for an investigator to begin their search.
This method is advantageous because the risks associated with data integrity being compromised can be avoided entirely by using a write blocker on the interface that is used for the copy. Some finer details need to be addressed when using logical data acquisition, however. In cases where the state of a message needs to be established (either read or unread), the investigator must ensure that the copy method employed will not alter the flagged state of the message and that the forensic tool that is used to compile and display the message is also able to preserve this message state.
Another critical factor is the time stamps of the files in question. They should all match the mobile device’s time stamps and not be edited by the copy process or the forensic tool being used in the investigation. Problems arise when the date and time of the copy process replace the original time stamps of the mobile device that is under examination, which can seriously impede the progress of a forensic investigation.
Brute Force Data Acquisition
This method refers more to the act of “brute forcing” a passcode or password and is usually quite successful where relatively small combinations of digits are required. Many phones have a four-digit PIN that will range from 0000 to 9999. This means that there are 10,000 possible combinations that need to be guessed by the forensic investigator, and most mobile devices have a safety feature that locks the phone entirely after a threshold of attempts has been exceeded. Brute forcing a phone’s passcode can be successful in some instances, but an investigator should only use tools that are identified as being legal and admissible in court.
A device needs to be connected to the investigator’s workstation and booted into the boot loader or equivalent mode. An application on the workstation will then either mount the mobile device’s file system, locate the encrypted passcode file and begin the attack, or will temporarily load a custom boot ROM to the mobile device itself and will use the mobile device’s CPU to perform the attack. In either case, this does not take very long, as the CPU can handle multiple attempts per second and, depending on a few factors, could be as quick as a few minutes, or it may take anywhere up to a few hours.
Once the correct combination has been found, the four-digit pin will be displayed via the brute force application’s on-screen prompt, and the investigator can attempt to unlock the phone with it, provided that is has been deemed safe to do so.
Computer Forensics Training
We hope that you have found this brief outline of some of the mobile acquisition methods to be both informative and interesting and that it has helped you to gain a little further insight into what methods a forensic investigator might choose to employ during the course of an investigation.
If you are interested in further reading on the subject, take a look at some of our resources on the subject on our website. Some other interesting articles can be found here: