It is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability, including PDA devices, GPS devices and tablet computers.
The use of phones in crime was widely recognised for some years, but the forensic study of mobile devices is a relatively new field, dating from the early 2000s. A proliferation of phones (particularly smartphones) on the consumer market caused a demand for forensic examination of the devices, which could not be met by existing computer forensics techniques.
Mobile devices can be used to save several types of personal information such as contacts, photos, calendars and notes, SMS and MMS messages. Smartphones may additionally contain video, email, web browsing information, location information, and social networking messages and contacts. There is growing need for mobile forensics due to several reasons and some of the prominent reasons are:
- Use of mobile phones to store and transmit personal and corporate information
- Use of mobile phones in online transactions
- Law enforcement, criminals and mobile phone devices
Mobile Evidence
As mobile device technology advances, the amount and types of data that can be found on a mobile device is constantly increasing. Evidence that can be potentially recovered from a mobile phone may come from several different sources, including handset memory, SIM card, and attached memory cards such as SD cards.
Traditionally mobile phone forensics has been associated with recovering SMS and MMS messaging, as well as call logs, contact lists and phone IMEI/ESN information. However, newer generations of smartphones also include wider varieties of information; from web browsing, Wireless network settings, geolocation information (including geotags contained within image metadata), e-mail and other forms of rich internet media, including important data—such as social networking service posts and contacts—now retained on smartphone ‘apps’.
- Internal memory – Nowadays mostly flash memory consisting of NAND or NOR types are used for mobile devices.
- External memory – External memory devices are SIM cards, SD cards (commonly found within GPS devices as well as mobile phones), MMC cards, CF cards, and the Memory Stick.
- Service provider logs – Although not technically part of mobile device forensics, the call detail records (and occasionally, text messages) from wireless carriers often serve as “back up” evidence obtained after the mobile phone has been seized. These are useful when the call history and/or text messages have been deleted from the phone, or when location-based services are not turned on. Call detail records and cell site (tower) dumps can show the phone owner’s location, and whether they were stationary or moving (i.e., whether the phone’s signal bounced off the same side of a single tower, or different sides of multiple towers along a particular path of travel). Carrier data and device data together can be used to corroborate information from other sources, for instance, video surveillance footage or eyewitness accounts; or to determine the general location where a non-geotagged image or video was taken.
Mobile Acquisition
Mobile device data extraction can be classified according to a continuum, along which methods become more technical and “forensically sound,” tools become more expensive, analysis takes longer, examiners need more training, and some methods can even become more invasive.
- Manual acquisition – The examiner utilizes the user interface to investigate the content of the phone’s memory. Therefore, the device is used as normal, with the examiner taking pictures of each screen’s contents. This method has an advantage in that the operating system makes it unnecessary to use specialized tools or equipment to transform raw data into human interpretable information. In practice this method is applied to cell phones, PDAs and navigation systems. Disadvantages are that only data visible to the operating system can be recovered; that all data are only available in form of pictures; and the process itself is time-consuming.
- Logical acquisition – Logical acquisition implies a bit-by-bit copy of logical storage objects (e.g., directories and files) that reside on a logical store (e.g., a file system partition). Logical acquisition has the advantage that system data structures are easier for a tool to extract and organize. Logical extraction acquires information from the device using the original equipment manufacturer application programming interface for synchronizing the phone’s contents with a personal computer. A logical extraction is generally easier to work with as it does not produce a large binary blob. However, a skilled forensic examiner will be able to extract far more information from a physical extraction.
- File system acquisition – Logical extraction usually does not produce any deleted information, due to it normally being removed from the phone’s file system. However, in some cases—particularly with platforms built on SQLite, such as iOS and Android—the phone may keep a database file of information which does not overwrite the information but simply marks it as deleted and available for later overwriting. In such cases, if the device allows file system access through its synchronization interface, it is possible to recover deleted information. File system extraction is useful for understanding the file structure, web browsing history, or app usage, as well as providing the examiner with the ability to perform an analysis with traditional computer forensic tools.
- Physical acquisition – Physical acquisition implies a bit-for-bit copy of an entire physical store (e.g. flash memory); therefore, it is the method most similar to the examination of a personal computer. A physical acquisition has the advantage of allowing deleted files and data remnants to be examined. Physical extraction acquires information from the device by direct access to the flash memories. Generally this is harder to achieve because the device original equipment manufacturer needs to secure against arbitrary reading of memory; therefore, a device may be locked to a certain operator. To get around this security, mobile forensics tool vendors often develop their own boot loaders, enabling the forensic tool to access the memory (and often, also to bypass user passcodes or pattern locks). Generally the physical extraction is split into two steps, the dumping phase and the decoding phase.
Mobile Forensics Tools
Early investigations consisted of live manual analysis of mobile devices; with examiners photographing or writing down useful material for use as evidence. Without forensic photography equipment such as Fernico ZRT, EDEC Eclipse, or Project-a-Phone, this had the disadvantage of risking the modification of the device content, as well as leaving many parts of the proprietary operating system inaccessible.
In recent years a number of hardware/software tools have emerged to recover logical and physical evidence from mobile devices. Most tools consist of both hardware and software portions. The hardware includes a number of cables to connect the phone to the acquisition machine; the software exists to extract the evidence and, occasionally even to analyse it.
Most recently, mobile device forensic tools have been developed for the field. This is in response both to military units’ demand for fast and accurate anti-terrorism intelligence, and to law enforcement demand for forensic previewing capabilities at a crime scene, search warrant execution, or exigent circumstances. Such mobile forensic tools are often ruggedized for harsh environments (e.g. the battlefield) and rough treatment (e.g. being dropped or submerged in water).
Generally, because it is impossible for any one tool to capture all evidence from all mobile devices, mobile forensic professionals recommend that examiners establish entire toolkits consisting of a mix of commercial, open source, broad support, and narrow support forensic tools, together with accessories such as battery chargers, Faraday bags or other signal disruption equipment, and so forth.
- Commercial Forensic Tools – Some current tools include Cellebrite UFED and Micro Systemation XRY. Some tools have additionally been developed to address increasing criminal usage of phones manufactured with Chinese chipsets, which include MediaTek (MTK), Spreadtrum and MStar. Such tools include Cellebrite’s CHINEX, and XRY PinPoint.
- Open source – Most open source mobile forensics tools are platform-specific and geared toward smartphone analysis. Though not originally designed to be a forensics tool, BitPim has been widely used on CDMA phones as well as LG VX4400/VX6000 and many Sanyo Sprint cell phones.