Lecture 17 Mobile Forensics (2)

Risk Management

  • Investigations pose risks to evidence/investigation; these must be managed.

  • Identifying the phone manufacturer/model can be challenging due to fakes.

  • Identifying the operating system used on the phone: Symbian phones may erase call logs if the date is not set.

  • The phone may have, or may receive, damage to the screen.

  • Phones are small and fiddly; accidental button presses can occur.

  • Prevent a live signal to avoid data changes and legal issues; prevent evidence contamination; consider biohazards.

  • Use a Faraday box to prevent a live signal.

  • Clone the SIM card to prevent connection to the live network while still allowing the phone to switch on; modern phones may have an eSIM, where expert hardware forensics techniques are required to access the integrated modules.

Typical Digital Forensics Investigation Process

  • Four key stages:

    1. Preparation

    2. Acquisition & Preservation

    3. Examination & Analysis

    4. Reporting & Presentation

STAGE 2 Acquisition & Preservation:

Data Extraction Methods

  • Manual Extraction: Direct interaction with the phone, documentation through photos.

  • Digital Extraction: Using write blockers (e.g., Cellebrite UFED) to create a digital copy.

3 Digital Data Extraction Types

  • 1. Logical: Extracts data via the phone's OS; limited access, no deleted data.

    • The forensic tool typically uses an API (Application Programming Interface) to connect and communicate with the OS of the mobile device and request the required data from the system.

    • The OS chooses which data it allows the forensic investigator to access.

    • Logical extractions will not recover deleted files, and the process cannot be performed on locked or password-protected devices.

  • 2. File System: Connects using third-party software; accesses more data but has protected areas.

    • Involves extracting data from a mobile device by accessing its file system.

    • File system extraction is often used to extract specific types of data, such as documents, email messages, or photos, rather than the entire contents of the device's storage. So there will be ‘protected areas’.

    • Retrieves more data than a logical extraction, e.g. hidden system files, databases and other files which were not visible within a logical extraction.

  • 3. Physical: Connects to the device and takes a copy of the entire contents of the device.

    • Physical extraction bypasses the device’s OS.

    • It produces a low-level, bit-by-bit copy of the phone’s storage device.

    • It can bypass system locks and passcodes to extract deleted passwords, files, photos, videos, text messages, call logs, GPS tags, and other artifacts.

    • Can access deleted data.
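To make the difference between a logical and a physical extraction concrete, here is an added illustration (not part of the lecture, and not the behaviour of any real forensic tool): a constructed toy flash image with a tiny allocation table standing in for the OS. The logical extraction only sees blocks the table still lists; the physical copy keeps every byte, so a deleted SMS can be carved back out.

```python
import re

# Constructed toy flash image for illustration only: 8 fixed-size blocks and a
# tiny "allocation table" standing in for what the phone's OS would expose.
BLOCK_SIZE = 32
NUM_BLOCKS = 8

def build_sample_image():
    """Return (image, table). Block 5 held an SMS that was later deleted: its
    table entry is gone, but the bytes were never overwritten."""
    blocks = [b"\x00" * BLOCK_SIZE for _ in range(NUM_BLOCKS)]
    def put(i, payload):
        blocks[i] = payload.ljust(BLOCK_SIZE, b"\x00")
    put(1, b"SMS|+447000000001|meet at 9")
    put(2, b"CONTACT|Alice|+447000000002")
    put(5, b"SMS|+447000000003|old message")  # unallocated, still intact
    table = {"sms.db": [1], "contacts.db": [2]}  # no entry for block 5
    return b"".join(blocks), table

def read_block(image, i):
    return image[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]

def logical_extraction(image, table):
    """Logical: the 'OS' answers API requests only for files it still lists,
    so unallocated (deleted) blocks are never returned."""
    return {name: b"".join(read_block(image, i) for i in idxs).rstrip(b"\x00")
            for name, idxs in table.items()}

def physical_extraction(image):
    """Physical: bit-for-bit copy of the whole store, allocated or not."""
    return bytes(image)

def carve_sms(raw):
    """Carve SMS records straight from raw bytes, ignoring the table; this is
    how a deleted message reappears in a physical image."""
    return [m.group(0) for m in re.finditer(rb"SMS\|[^\x00]+", raw)]

def compare_extractions():
    """Return (SMS count from logical, SMS count from physical)."""
    image, table = build_sample_image()
    logical_sms = carve_sms(logical_extraction(image, table)["sms.db"])
    physical_sms = carve_sms(physical_extraction(image))
    return len(logical_sms), len(physical_sms)
```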

Data Extraction Considerations

Has the data changed?

  • Connecting the device may cause it to be recognised, potentially altering data.

  • Photographs serve as evidence of changes (ACPO Principle 3).

  • Confirm correct cable usage.
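One way to answer "has the data changed?" in a reproducible way is to hash the acquired image at acquisition and again after every examiner action, keeping an audit trail in the spirit of ACPO Principle 3. The following is an added example (not from the lecture or any vendor tool) using a constructed sample image; the step names and examiner identifier are placeholders.

```python
import hashlib
from datetime import datetime, timezone

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def acquire(image, examiner, note):
    """Start the audit trail; the acquisition hash is the reference value."""
    return [{"step": 1, "action": "acquisition", "examiner": examiner,
             "note": note, "sha256": sha256_hex(image),
             "time": datetime.now(timezone.utc).isoformat()}]

def record_step(log, image, action, examiner, note=""):
    """Append one entry with the image's hash at that moment."""
    log.append({"step": len(log) + 1, "action": action, "examiner": examiner,
                "note": note, "sha256": sha256_hex(image),
                "time": datetime.now(timezone.utc).isoformat()})
    return log

def changed_steps(log):
    """Return step numbers whose hash differs from the acquisition hash.
    An empty list means the data never changed under examination."""
    reference = log[0]["sha256"]
    return [e["step"] for e in log[1:] if e["sha256"] != reference]

def demo():
    """Walk through a constructed case and return (before, after) findings."""
    # Constructed sample image; in practice this is the extracted copy.
    image = bytearray(b"SMS|+447000000001|meet at 9" + b"\x00" * 5)
    log = acquire(bytes(image), "examiner-1", "physical copy, documented cable")
    record_step(log, bytes(image), "photographed screen", "examiner-1")
    untouched = changed_steps(log)          # expected: []
    # Simulated failure mode: the device was recognised while connected and
    # wrote a status byte into storage, so the next hash no longer matches.
    image[-1] = 0x01
    record_step(log, bytes(image), "connected to workstation", "examiner-1",
                "device recognised; not in Faraday box")
    return untouched, changed_steps(log)    # expected: ([], [3])
```

Each entry records who did what and when, so a second examiner can repeat the steps and obtain the same hashes.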

STAGE 3 Extraction & Analysis Phase

  • Once data is extracted, it must be interpreted.

  • Extracted data is interpreted using tools like Cellebrite UFED Physical Analyser.

  • Such tools also act as an investigation tool.

  • They allow viewing data in different formats, bookmarking important data, and viewing and searching through the raw data.

Mobile Device Evidence

  • Generic evidence sources commonly found on mobile phones: call logs, phone book, calendar, messages, location, web URLs, images/video, etc.

  • Identifiers: Subscriber/Device Identifier.

STAGE 4 Reporting & Presentation Phase

  • Generate report

  • Give expert testimony in court, if required

Report Requirements

  • Itemized methodology, identity/credentials, reproducible steps, factual results, expert opinion.

5 steps

1. Itemized forensic investigations listing methodology. Where they are sequential, indicate this.

2. Your identity and credentials. Provides authentication and assigns responsibility.

3. For each complete investigation over a device/clone, record steps so that they are reproducible.

4. Results to be presented factually without speculation.

5. Based on expert opinion, what do these facts indicate in the context of the investigation?

Reports in Court

  • Digital forensics reports are subject to discovery in UK and US courts

    – The opposing legal team may request your reports for analysis by their own experts

    – Inconsistencies or departures from protocol may damage or remove your report as evidence

  • Reports may provide specific opinions but must be based on common, unbiased scientific principles

    – Reproducibility is key.

    – Any individual regardless of personal bias should get the same results following the same methodology.

Reports as Deliverables

  • As a forensic technician or investigator, your reports:

    • reflect the quality of your work,

    • are the primary deliverable expected from your work,

    • influence decision-making in court,

    • and are crucial for career advancement.

Conclusion

  • Much of the investigator’s work for a mobile phone examination is done before even looking at the mobile phone data

    – Risk Management

    – Identifying the phone

    – Cloning the SIM

    – Extracting the data

    – A brief overview of good practices in reporting (and experimental methods in general)