The mobile forensics process: steps and types
Introduction: Importance of mobile forensics
The term “mobile devices” encompasses a wide array of gadgets ranging from mobile phones, smartphones, tablets, and GPS units to wearables and PDAs. What they all have in common is the fact that they can contain a lot of user information.
Mobile devices are right in the middle of three booming technological trends: Internet of Things, Cloud Computing, and Big Data. The proliferation of mobile technology is perhaps the main reason, or at least one of the main reasons, for these trends to occur in the first place. In 2015, 377.9 million wireless subscriber connections of smartphones, tablets, and feature phones occurred in the United States.
Nowadays, mobile device use is as pervasive as it is helpful, especially in the context of digital forensics, because these small-sized machines amass huge quantities of data on a daily basis, which can be extracted to facilitate the investigation. Being something like a digital extension of ourselves, these machines allow digital forensic investigators to glean a lot of information.
Information that resides on mobile devices (a non-exhaustive list):
- Incoming, outgoing, missed call history
- Phonebook or contact lists
- SMS text, application based, and multimedia messaging content
- Pictures, videos, and audio files and sometimes voicemail messages
- Internet browsing history, content, cookies, search history, analytics information
- To-do lists, notes, calendar entries, ringtones
- Documents, spreadsheets, presentation files and other user-created data
- Passwords, passcodes, swipe codes, user account credentials
- Historical geolocation data, cell phone tower related location data, Wi-Fi connection information
- User dictionary content
- Data from various installed apps
- System files, usage logs, error messages
- Deleted data from all of the above
One good display of the real-life effectiveness of mobile forensics is the mobile device call logs, and GPS data that facilitated solving the 2010 attempted bombing case in Times Square, NY.
I. What is the mobile forensics process?
Crimes do not happen in isolation from technological tendencies; therefore, mobile device forensics has become a significant part of digital forensics.
Most people do not realize how complicated the mobile forensics process can be in reality. As the mobile devices increasingly continue to gravitate between professional and personal use, the streams of data pouring into them will continue to grow exponentially as well. Did you know that 33,500 reams of paper are the equivalent of 64 gigabytes if printed? Storage capacity of 64 GB is common for today’s smartphones.
The mobile forensics process aims to recover digital evidence or relevant data from a mobile device in a way that will preserve the evidence in a forensically sound condition. To achieve that, the mobile forensic process needs to set out precise rules that will seize, isolate, transport, store for analysis and proof digital evidence safely originating from mobile devices.
Usually, the mobile forensics process is similar to the ones in other branches of digital forensics. Nevertheless, one should know that the mobile forensics process has its own particularities that need to be considered. Following correct methodology and guidelines is a vital precondition for the examination of mobile devices to yield good results.
Among the figures most likely to be entrusted with the performance of the following tasks are Forensic Examiners, Incident Responders, and Corporate Investigators. During the inquiry into a given crime involving mobile technology, the individuals in charge of the mobile forensic process need to acquire every piece of information that may help them later – for instance, device’s passwords, pattern locks or PIN codes.
II. What are the steps in the mobile forensics process?
Digital forensics operates on the principle that evidence should always be adequately preserved, processed, and admissible in a court of law. Some legal considerations go hand in hand with the confiscation of mobile devices.
There are two major risks concerning this phase of the mobile forensic process: Lock activation (by user/suspect/inadvertent third party) and Network / Cellular connection.
Network isolation is always advisable, and it could be achieved either through 1) Airplane Mode + Disabling Wi-Fi and Hotspots, or 2) Cloning the device SIM card.
Mobile devices are often seized switched on; and since the purpose of their confiscation is to preserve evidence, the best way to transport them is to attempt to keep them turned on to avoid a shutdown, which would inevitably alter files.
A Faraday box/bag and external power supply are common types of equipment for conducting mobile forensics. While the former is a container specifically designed to isolate mobile devices from network communications and, at the same time, help with the safe transportation of evidence to the laboratory, the latter, is a power source embedded inside the Faraday box/bag. Before putting the phone in the Faraday bag, disconnect it from the network, disable all network connections (Wi-Fi, GPS, Hotspots, etc.), and activate the flight mode to protect the integrity of the evidence.
Last but not least, investigators should beware of mobile devices being connected to unknown incendiary devices, as well as any other booby trap set up to cause bodily harm or death to anyone at the crime scene.
/Identification + extraction/
The goal of this phase is to retrieve data from the mobile device. A locked screen can be unlocked with the right PIN, password, pattern, or biometrics (Note that biometric approaches while convenient are not always protected by the fifth amendment of the U.S. Constitution). According to a ruling by the Virginia Circuit Court, passcodes are protected, fingerprints not. Also, similar lock measures may exist on apps, images, SMSs, or messengers. Encryption, on the other hand, provides security on a software and/or hardware level that is often impossible to circumvent.
It is hard to be in control of data on mobile devices because the data is mobile as well. Once communications or files are sent from a smartphone, control is lost. Although there are different devices having the capability to store considerable amounts of data, the data in itself may physically be in another location. To give an example, data synchronization among devices and applications can take place directly but also via the cloud. Services such as Apple’s iCloud and Microsoft’s One Drive are prevalent among mobile device users, which leave open the possibility for data acquisition from there. For that reason, investigators should be attentive to any indications that data may transcend the mobile device as a physical object, because such an occurrence may affect the collection and even preservation process.
Since data is constantly being synchronized, hardware and software may be able to bridge the data gap. Consider Uber – it has both an app and a fully functional website. All the information that can be accessed through the Uber app on a phone may be pulled off the Uber website instead, or even the Uber software program installed on a computer.
Regardless of the type of the device, identifying the location of the data can be further impeded due to the fragmentation of operating systems and item specifications. The open-source Android operating system alone comes in several different versions, and even Apple’s iOS may vary from version to version.
Another challenge that forensic experts need to overcome is the abundant and ever-changing landscape of mobile apps. Create a full list of all installed apps. Some apps archive and backup data.
After one identifies the data sources, the next step is to collect the information properly. There are certain unique challenges concerning gathering information in the context of mobile technology. Many mobile devices cannot be collected by creating an image and instead they may have to undergo a process called acquisition of data. Thera are various protocols for collecting data from mobile devices as certain design specifications may only allow one type of acquisition.
The forensic examiner should make a use of SIM Card imagining – a procedure that recreates a replica image of the SIM Card content. As with other replicas, the original evidence will remain intact while the replica image is being used for analysis. All image files should be hashed to ensure data remains accurate and unchanged.
2.3 Examination and analysis
As the first step of every digital investigation involving a mobile device(s), the forensic expert needs to identify:
- Type of the mobile device(s) – e.g., GPS, smartphone, tablet, etc.
- Type of network – GSM, CDMA, and TDMA
- Service provider (Reverse Lookup)
The examiner may need to use numerous forensic tools to acquire and analyze data residing in the machine. Due to the sheer diversity of mobile devices, there is no one-size-fits-all solution regarding mobile forensic tools. Consequently, it is advisable to use more than one tool for examination. AccessData, Sleuthkit, and EnCase are some popular forensic software products that have analytic capabilities. The most appropriate tool(s) is being chosen depending on the type and model of mobile device.
Timeline and link analysis available in many mobile forensic tools could tie each of the most significant events, from a forensic analyst’s point of view.
All of the information, evidence, and other findings extracted, analyzed, and documented throughout the investigation should be presented to any other forensic examiner or a court in a clear, concise, and complete manner.
The New digital reality of mobile forensics
“On May 17, 2015, a biker gang shootout erupted at the Twin Peaks Restaurant near Waco, Texas, killing nine and injuring dozens. More than a hundred mobile phones were recovered from the incident, setting the wheels in motion for one of the state’s largest and most challenging investigations to date.
The events that unfolded at the Twin Peaks restaurant thrust McLennan County law enforcement into a new urgent reality.
Within days of the decision to deploy, [the Cellebrite’s New UFED Analytics Platform] allowed both investigators and prosecutors to import and decode all extracted mobile digital forensics data from one centralized location for fast and efficient analysis. Call records, text messages, photos, videos and social media posts could be filtered by keywords and tagged for other members of the investigative team to view instantly.
“… [the solution] allowed us to go back and more quickly comb through the data to find the bigger picture details we needed to confirm the motives, plans and goals of these motorcycle organizations [,]” said the McLennan County prosecutor.”
Quick Question: What procedure could the McLennan County law enforcement have used immediately at the crime scene to reduce the large backlogs of digital forensics casework at the outset (provided that they had the experts to carry out that procedure)?
Find the answer below the Reference List.
III. What other models are available?
IV. Non-invasive vs. invasive forensics
No matter what your actual mobile forensic method is, it is imperative to create a policy or plan for its execution and follow all its steps meticulously and in the proper sequence. Not following the protocol may entail grave consequences. One should start with non-invasive forensic techniques first as they tend to endanger a device’s integrity to a lesser degree. Be careful with built-in security features – “[f]or example, collecting a physical image before a logical image on certain devices can completely wipe a phone of all data, as can attempting to access a locked device and making too many password attempts.” /Source: Mobile Device Forensics by Scott Polus/
From the legal point of view, the level of the interaction between the user and the device is critical.
Mobile forensics – tool classification pyramid
4.1 Non-invasive methods
Non-invasive methods can deal with other tasks, such as unlocking the SIM lock or/and the operator lock, the operating system update, IMEI number modification, etc. These techniques are virtually inapplicable in cases where the device has sustained severe physical damage. Types of non-invasive mobile forensic methods:
The forensic examiner merely browses through the data using the mobile device’s touchscreen or keypad. Information of interest discovered on the phone is photographically documented. This process of manual extraction is simple and applicable to almost every phone. While there are some tools designed to make this process easier, it is not possible, however, to restore deleted data this way.
This approach involves instituting a connection between the mobile device and the forensic workstation using a USB cable, Bluetooth, Infrared or RJ-45 cable. Following the connecting part, the computer sends command requests to the device, and the device sends back data from its memory. The majority of forensic tools support logical extraction, and the process itself requires short-term training. On the downside, however, this technique may add data to the mobile device and may alter the integrity of the evidence. Also, deleted data is rarely accessible.
JTAG is a non-invasive form of physical acquisition that could extract data from a mobile device even when data was difficult to access through software avenues because the device is damaged, locked or encrypted. The device, however, must be at least partially functional (minor damages would not hinder this method).
The process involves connecting to the Test Access Ports (TAPs) on a device and instructing the processor to transfer raw data stored on connected memory chips. This is a standard feature that one could come across in many mobile phone models, which provides mobile phone manufactures a low-level interface outside the operating system. Digital forensic investigators take an interest in JTAG, as it can, in theory, allow direct access to the mobile device’s memory without jeopardizing it. Despite that fact, it is a labor-intensive, time-consuming procedure, and it requires advance knowledge (not only of JTAG for the model of the phone under investigation but also of how to arrange anew the resulting binary composed of the phone’s memory structures).
Similar to JTAG, Hex dump is another method for physical extraction of raw information stored in flash memory. It is performed by connecting the forensic workstation to the device and then tunneling an unsigned code or a bootloader into the device, each of them will carry instructions to dump memory from the phone to the computer. Resulting image is fairly technical—in binary format—and it requires a person having the technical education to analyze it. Furthermore, the examiner comes into possession of an abundant amount of data, since deleted data can be recovered, and, on top of that, the entire process is inexpensive.
4.2 Invasive methods
Typically, they are longer and more complex. In cases where the device is entirely non-functional due to some severe damage, it is very likely the only way to retrieve data from the device might be to manually remove and image the flash memory chips of the device. Even if the device or item is in good condition, circumstances may require the forensic expert to acquire the chip’s contents physically.
A process that refers to obtaining data straight from the mobile device’s memory chip. According to the preparations pertinent to this level, the chip is detached from the device and a chip reader or a second phone is used to extract data stored on the device under investigation. It should be noted that this method is technically challenging because of the wide variety of chip types existing on the mobile market. Also, the chip-off process is expensive, training is required, and the examiner should procure specific hardware to conduct de-soldering and heating of the memory chip. Bits and bytes of raw information that is retrieved from the memory are yet to be parsed, decoded, and interpreted. Even the smallest mistake may lead to damages to the memory chip, which, in effect, would render the data irrevocably lost. Consequently, experts advise having recourse to chip-off when: a) other methods of extraction are already attempted, b) it is important to preserve the current state of device’s memory, c) the memory chip is the only element in a mobile device that is not broken.
The whole process consists of five stages:
- Detect the memory chip typology of the device
- Physical extraction of the chip (for example, by unwelding it)
- Interfacing of the chip using reading/programming software
- Reading and transferring data from the chip to a PC
- Interpretation of the acquired data (using reverse engineering)
The last two phases coincide with those of the non-invasive methods. However, the phases of physical extraction and interfacing are critical to the outcome of the invasive analysis.
This method refers to manually taking an all-around view through the lenses of an electron microscope and analyzing data seen on the memory chip, more specifically the physical gates on the chip. In a nutshell, micro read is a method that demands utmost level of expertise, it is costly and time-consuming, and is reserved for serious national security crises.
Read more articles about mobile forensics:
Wikipedia Mobile device forensics.