Evidence acquisition in mobile forensics
Acquisition is the process of cloning or copying digital data evidence from mobile devices.
The process of acquiring digital media and obtaining information from a mobile device and its associated media is known as "imaging." The evidence image can be stored in different formats, which can then be used for further analysis. A hash value is generated at acquisition time so that it can be verified at any later point that the image has not been tampered with.
The imaging can be done with the help of tools such as FTK Imager, the Oxygen Forensic Suite, Windows Mobile Device, Zune, X-Ways, EnCase, Cellebrite Physical Analyzer, IEF, etc.
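As an added example (not code from this page or from any of the tools it names), the following Python script shows the hash step described above in working form: it writes a raw image from a constructed byte string standing in for device storage, records MD5 and SHA-256 in a sidecar file next to the image, and re-verifies the image later, so that even a single flipped byte is detected. The sample contents and the file names are assumptions made for the example.

```python
"""Hash-verified imaging of a device storage dump (added example).

SAMPLE_DEVICE_CONTENTS is a constructed byte string standing in for the
bytes read from a phone's storage; a real acquisition would read the
block device or the output of an imaging tool instead.
"""
import hashlib
import json
import os
import tempfile

# Constructed sample: zero fill, a SQLite header, some text, erased flash (0xFF).
SAMPLE_DEVICE_CONTENTS = (
    b"\x00" * 512 + b"SQLite format 3\x00" + b"call log rows..." + b"\xff" * 256
)


def hash_bytes(data: bytes) -> dict:
    """Return MD5 and SHA-256 digests of the data.

    Two algorithms are recorded, as forensic tools commonly do, so that a
    collision against one of them cannot silently pass verification.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def acquire_image(device_bytes: bytes, image_path: str) -> dict:
    """Write the raw image and a sidecar JSON record with its acquisition hashes."""
    with open(image_path, "wb") as fh:
        fh.write(device_bytes)
    record = {"image": os.path.basename(image_path), "size": len(device_bytes)}
    record.update(hash_bytes(device_bytes))
    with open(image_path + ".hashes.json", "w") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_image(image_path: str) -> bool:
    """Re-hash the image on disk and compare it with the sidecar record.

    Returns False on any mismatch (size or either digest).
    """
    with open(image_path + ".hashes.json") as fh:
        record = json.load(fh)
    with open(image_path, "rb") as fh:
        data = fh.read()
    current = hash_bytes(data)
    return (
        len(data) == record["size"]
        and current["md5"] == record["md5"]
        and current["sha256"] == record["sha256"]
    )


def demo() -> tuple:
    """Acquire, verify, then flip one byte of the stored image and verify again.

    Returns (verified_before_tamper, verified_after_tamper).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "device.raw")
        acquire_image(SAMPLE_DEVICE_CONTENTS, path)
        ok_before = verify_image(path)
        # Simulate tampering: overwrite a single byte of the stored image.
        with open(path, "r+b") as fh:
            fh.seek(512)
            fh.write(b"X")
        ok_after = verify_image(path)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The sidecar record is what goes into the chain-of-custody paperwork; any examiner who later receives the image can run the same verification against it before starting analysis.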
- Manual Acquisition – This deals with the visual display of the data content stored on a mobile device. Viewing the content shown on the LCD screen requires manual manipulation of the buttons, keyboard or touchscreen of the mobile device.
At this level, it is impossible to recover deleted information. Manual extractions have become increasingly difficult and perhaps unachievable when encountering a broken/missing LCD screen or a damaged/missing keyboard interface. Additional challenges occur when the device is configured to display a language unknown to the investigator; this may cause difficulty in successful menu navigation.
- Physical Acquisition – This method of acquisition deals with a bit-by-bit cloning or copying of the entire physical storage. A successful physical acquisition is difficult to obtain, as the mobile device manufacturer in most cases adds security measures to prevent direct memory access to their brand of mobile devices. To overcome this challenge, mobile forensic tool vendors develop their own customized bootloaders so that their tools can access the memory directly. The primary advantage of physical acquisition is that deleted data, partial data and unstructured data can be presented for examination.
  Physical acquisition is divided into two phases:
  - Dumping: During this phase, the data from physical memory is dumped into a raw (hexadecimal) file format.
  - Decoding: During this phase, the raw data is converted into a human-readable format.
- File System Acquisition – This method allows for the extraction of particular files from the file system of the mobile device.
  Usually, file system acquisition comprises the following:
  - Allocated space: This means having access to the files present on the mobile device, which include images, videos, databases, logs, system files, passwords, app data, phonebook information, call logs, etc.
  - Unallocated space: This means having access to data that is no longer referenced by the file system, which includes hidden or deleted app data, EXIF data of images, web history, system data, etc.
- Logical Acquisition – In this kind of acquisition method, connectivity between the mobile device in question and the forensic workstation is established using either a hard-wired (e.g., USB or RS-232) or wireless (e.g., IrDA, Wi-Fi, or Bluetooth) connection. The examiner should be aware that integrity depends on the chosen connectivity method, as different connection types and their associated protocols may result in data being modified. Tools that perform logical acquisition begin by sending a series of commands over the established interface from the workstation to the mobile device. The mobile device then responds based upon the command request. The response (mobile device data) is sent back to the workstation and presented to the forensic examiner for reporting purposes. In most instances, an API is used for interacting with the mobile device.
- Bruteforce Acquisition – Brute force is a trial-and-error method that tries a series of combinations to identify the correct password or PIN. In forensics, the brute-force technique sends a series of numbers ranging from 0000 to 9999 to the mobile device from a connected third-party tool (hardware or software) until the correct code is identified. Once the code is determined, the device may be used for further forensic analysis.
Tools that perform brute force to obtain passcodes include:
- Susteen svStrike: This is a commercial tool that can brute-force 6-digit passcodes on the Android and iOS platforms. For more information and purchase, follow the URL http://forensicstore.com/product/cellphone-analysis/susteen-svstrike/
- IP-Box: This hardware tool can be used to break 4-digit passcodes on iOS. It supports versions up to iOS 8.1. For more information and purchase, follow the URL http://www.fonefunshop.co.uk/cable_picker/98483_IP-BOX_iPhone_Password_Unlock_Tool.html
- Python script: There are a few Python scripts which can obtain the passcode of the mobile device in question. One such script, useful for unlocking iOS devices, can be obtained from the URL https://github.com/bored-engineer/iOS-DataProtection/blob/master/python_scripts/demo_bruteforce.py; for Windows Phone, one can be obtained from the URL https://github.com/cheeky4n6monkey/4n6-scripts/blob/master/wp8-sha256-pin-finder.py
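The physical acquisition method above describes two phases, dumping raw memory to a hexadecimal file and decoding it into a human-readable form, and the file system method notes that deleted content survives in unallocated space. The following Python script is an added example (not code from this page or from any forensic tool it names) that shows the decoding side in practice on a constructed raw dump: it renders the classic hex view, recovers printable strings such as a call-log row, and carves a deleted SQLite header and a JPEG by their magic bytes alone, which is how content is found in unallocated space without any file system metadata. The dump contents, offsets and the signature list are assumptions made for the example.

```python
"""Decoding a raw physical dump and carving unallocated space (added example).

RAW_DUMP is a constructed byte string: a SQLite header, a call-log style
text record and a tiny JPEG, separated by fill bytes, standing in for
content left in unallocated flash after deletion. Real dumps are
gigabytes; the logic is the same.
"""
from __future__ import annotations

import re

# Constructed raw dump: what the "dumping" phase produces, as bytes.
RAW_DUMP = (
    b"\x00" * 32                                                     # zero fill
    + b"SQLite format 3\x00" + b"\x10\x00" + b"\x00" * 14           # deleted DB header (32 bytes)
    + b"+1 555 0100 outgoing 2023-01-02\x00"                         # deleted call-log row (32 bytes)
    + b"\xff" * 16                                                   # erased flash pages read as 0xFF
    + b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x11" * 20 + b"\xff\xd9"  # JPEG SOI..EOI (31 bytes)
    + b"\x00" * 16
)

# Magic numbers a carver searches for (assumed minimal list for the example).
SIGNATURES = {
    "sqlite3": b"SQLite format 3\x00",
    "jpeg": b"\xff\xd8\xff",
}


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Render bytes in the usual offset / hex / ASCII columns."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{asciipart}|")
    return lines


def printable_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Recover runs of printable ASCII (phone numbers, timestamps, names)."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def carve_signatures(data: bytes) -> list[tuple[str, int]]:
    """Return (type, offset) for every signature occurrence, ordered by offset.

    This is how deleted files are located in unallocated space: the
    file system no longer points at them, but their own magic bytes do.
    """
    hits = []
    for name, magic in SIGNATURES.items():
        start = 0
        while (idx := data.find(magic, start)) != -1:
            hits.append((name, idx))
            start = idx + 1
    return sorted(hits, key=lambda h: h[1])


def carve_jpeg(data: bytes, start: int) -> bytes | None:
    """Extract one JPEG from its SOI marker to the next EOI (FF D9) marker."""
    end = data.find(b"\xff\xd9", start + 2)
    if end == -1:
        return None
    return data[start:end + 2]


if __name__ == "__main__":
    print("\n".join(hexdump(RAW_DUMP)))
    print(printable_strings(RAW_DUMP))
    for kind, offset in carve_signatures(RAW_DUMP):
        print(kind, "at offset", offset)
        if kind == "jpeg":
            print("  carved", len(carve_jpeg(RAW_DUMP, offset)), "bytes")
```

Header-to-footer carving as done for the JPEG is the simplest form; fragmented or partially overwritten files need file-type-aware parsing, which is where commercial decoding tools spend most of their effort.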
Challenges in mobile acquisition
- Mobile operating system: As there are many types and kinds of OSes, each with different variants, the task of the forensic examiner becomes that much more difficult.
- Security features: In some cases the software layer of the mobile device is encrypted using custom encryption by the manufacturer, and the decryption process is known only to them.
- Anti-forensic techniques: Mobile manufacturers or a custom-built app may have hidden functionalities such as data obfuscation, data hiding, data forgery, secure wiping, etc. As a result, the forensic examiner's task becomes very difficult, if not impossible.