Mobile devices sit right in the middle of three booming technological trends:
the Internet of Things, Cloud Computing, and Big Data. The proliferation of mobile technology is probably the main reason, or at least one of the main reasons, for these trends to occur in the first place. In 2015, there were 377.9 million wireless subscriber connections of smartphones, tablets, and feature phones in the US.
Nowadays, mobile device use is as pervasive as it is useful, especially in the context of digital forensics, because these small-sized machines amass huge quantities of data on a daily basis, which can be extracted to facilitate an investigation. Being something like a digital extension of ourselves, these machines allow digital forensic investigators to glean a great deal of information.
Information that resides on mobile devices (a non-exhaustive list):
• Incoming, outgoing, missed call history
• Phonebook or contact lists
• SMS text, application based, and multimedia messaging content
• Pictures, videos, and audio files and sometimes voicemail messages
• Internet browsing history, content, cookies, search history, analytics information
• To-do lists, notes, calendar entries, ringtones
• Documents, spreadsheets, presentation files and other user-created data
• Passwords, passcodes, swipe codes, user account credentials
• Historical geolocation data, telephone tower related location data, Wi-Fi connection information
• User dictionary content
• Data from various installed apps
• System files, usage logs, error messages
• Deleted data from all of the above
I. What’s the Mobile Forensics Process?
Crimes don’t happen in isolation from technological tendencies; therefore, mobile device forensics has become a big part of digital forensics.
Most people don’t realize how complicated the mobile forensics process can actually be. As mobile devices increasingly gravitate between professional and private use, the streams of data pouring into them will continue to grow exponentially as well. Did you know that 33,500 reams of paper are the equivalent of 64 gigabytes if printed? Storage capacity of 64 GB is common for today’s smartphones.
The mobile forensics process aims to recover digital evidence or relevant data from a mobile device in a way that preserves the evidence in a forensically sound condition. To achieve that, the mobile forensic process must set out precise rules that allow digital evidence originating from mobile devices to be safely seized, isolated, transported, stored for analysis, and proven.
Usually, the mobile forensics process is similar to those in other branches of digital forensics. Nevertheless, one should know that the mobile forensics process has its own particularities that need to be considered. Following correct methodology and guidelines is a vital precondition for the examination of mobile devices to yield good results.
Among the figures most likely to be entrusted with the performance of the following tasks are Forensic Examiners, Incident Responders, and Corporate Investigators. During the inquiry into a given crime involving mobile technology, the individuals in charge of the mobile forensic process need to acquire every piece of information that may help them later – for example, the device’s passwords, pattern locks or PIN codes.
II. What are the Steps within the Mobile Forensics Process?
2.1 Seizure
[Figure: Mobile phone evidence box]
Digital forensics operates on the principle that evidence should be adequately preserved, processed, and admissible in a court of law. Some legal considerations go hand in hand with the confiscation of mobile devices.
There are two major risks concerning this phase of the mobile forensic process: lock activation (by the user, the suspect, or an inadvertent third party) and the network/cellular connection.
Network isolation is usually advisable, and it can be achieved either through
1) Airplane Mode plus disabling Wi-Fi and hotspots, or 2) cloning the device SIM card.
[Figure: Airplane Mode]
Mobile devices are often seized switched on; and since the aim of their confiscation is to preserve evidence, the best way to transport them is to attempt to keep them turned on to avoid a shutdown, which would inevitably alter files.
[Figure: Phone jammer]
A Faraday box/bag and an external power supply are common types of equipment for conducting mobile forensics. While the former is a container specifically designed to isolate mobile devices from network communications and, at the same time, help with the safe transportation of evidence to the laboratory, the latter is a power source embedded inside the Faraday box/bag. Before putting the phone in the Faraday bag, disconnect it from the network, disable all network connections (Wi-Fi, GPS, hotspots, etc.), and activate flight mode to protect the integrity of the evidence.
[Figure: Faraday bag]
Last but not least, investigators should be wary of mobile devices being connected to unknown incendiary devices, as well as any other booby trap set up to cause bodily harm or death to anyone at the crime scene.
2.2 Acquisition
Identification or Extraction
The goal of this phase is to retrieve data from the mobile device. A locked screen can be unlocked with the right PIN, password, pattern, or biometrics (note that biometric approaches, while convenient, aren’t always protected by the Fifth Amendment of the U.S. Constitution). According to a ruling by the Virginia Circuit Court, passcodes are protected, fingerprints are not. Also, similar lock measures may exist on apps, images, SMSs, or messengers. Encryption, on the other hand, provides security on a software and/or hardware level that is often impossible to bypass.
It is hard to be in control of data on mobile devices because the data is mobile as well. Once communications or files are sent from a smartphone, control is lost. Although there are different devices capable of storing considerable amounts of data, the data itself may physically be in another location. To give an example, data synchronization among devices and applications can happen directly but also via the cloud. Services like Apple’s iCloud and Microsoft’s OneDrive are prevalent among mobile device users, which leaves open the possibility of data acquisition from there. For that reason, investigators should be aware of any indications that data may transcend the mobile device as a physical object, because such an event may affect the collection and even the preservation process.
Since data is constantly being synchronized, hardware and software may be able to bridge the data gap.
Regardless of the type of device, identifying the location of the data can be further impeded due to the fragmentation of operating systems and item specifications. The open-source Android OS alone comes in several different versions, and even Apple’s iOS may vary from version to version.
Another challenge that forensic experts need to overcome is the abundant and ever-changing landscape of mobile apps. Create a full list of all installed apps. Some apps archive and back up data.
After one identifies the data sources, the next step is to collect the information properly. There are certain unique challenges concerning gathering information in the context of mobile technology. Many mobile devices can’t be collected by creating an image, and instead they have to undergo a process called data acquisition. There are various protocols for collecting data from mobile devices, as certain design specifications may only allow one type of acquisition.
The forensic examiner should make use of SIM card imaging – a procedure that recreates a replica image of the SIM card content. As with other replicas, the original evidence will remain intact while the replica image is being used for analysis. All image files should be hashed to ensure that the data remains accurate and unchanged.
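The hashing step described above, as an added example that is not part of the original article: an acquired image is hashed in chunks at acquisition time, the digest is recorded in a sha256sum-style manifest beside the image, and later verification re-hashes the working copy and flags any change. The file name and contents are constructed placeholders, not a real SIM image.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so large images need not fit in memory


def hash_image(path, algorithm="sha256"):
    """Return the hex digest of an evidence image, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(image_path, manifest_path, algorithm="sha256"):
    """Record the acquisition hash next to the image (sha256sum-compatible line)."""
    digest = hash_image(image_path, algorithm)
    Path(manifest_path).write_text(f"{digest}  {Path(image_path).name}\n")
    return digest


def verify_image(image_path, manifest_path, algorithm="sha256"):
    """Re-hash the image and compare with the recorded digest; True if unchanged."""
    recorded = Path(manifest_path).read_text().split()[0]
    return hmac.compare_digest(recorded, hash_image(image_path, algorithm))


def demo():
    """Constructed scenario: hash a fake SIM image, then detect a one-byte change."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "sim_card.img")          # placeholder file name
        manifest = os.path.join(d, "sim_card.img.sha256")
        # Constructed placeholder content standing in for a real SIM image
        Path(img).write_bytes(b"\x00" * 4096 + b"constructed SIM image\n")
        write_manifest(img, manifest)
        intact = verify_image(img, manifest)            # expected True
        # Flip a single bit in the working copy; the replica no longer matches
        data = bytearray(Path(img).read_bytes())
        data[0] ^= 0x01
        Path(img).write_bytes(bytes(data))
        tampered = verify_image(img, manifest)          # expected False
        return intact, tampered


if __name__ == "__main__":
    print(demo())
```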
2.3 Examination & Analysis
[Figure: Flasher box forensics – using a UFS box to access a mobile device]
As the first step of every digital investigation involving a mobile device(s), the forensic expert must identify:
• Type of the mobile device(s) – e.g., GPS, smartphone, tablet, etc.
• Type of network – GSM, CDMA, and TDMA
• Carrier
• Service provider (Reverse Lookup)
The examiner may need to use numerous forensic tools to acquire and analyze data residing in the device. Due to the sheer diversity of mobile devices, there is no one-size-fits-all solution regarding mobile forensic tools. Consequently, it is advisable to use more than one tool for examination. AccessData, Sleuthkit, and EnCase are some popular forensic software products that have analytic capabilities. The most appropriate tool(s) are chosen depending on the type and model of mobile device.
Timeline and link analysis, available in many mobile forensic tools, can tie together each of the most significant events from a forensic analyst’s point of view.