Mobile Forensics

Overview of Mobile Forensics

  • Focus on the forensic analysis of mobile devices, which includes extracting and analyzing data.
  • Key areas include:
    • Types of mobile devices
    • Mobile operating systems
    • Variability in mobile devices
    • Methods for extracting data
    • Mobile phone architecture
    • Role of digital information in investigations

Mobile Forensics

  • Mobile devices function similarly to computers, offering numerous applications and services.
  • They provide extensive evidentiary data during investigations.
  • Best practice for preserving data:
    • Keep the mobile device running while blocking communication signals (e.g., using a Faraday bag).
  • Challenges in mobile forensics stem from:
    • Diverse data storage and management methods across different devices.

Types of Mobile Devices

  • Cellular Network Basics:
    • Cellular systems consist of short-distance transceivers that enable communication between phones and the network.
  • Mobile Network Generations:
    • 2G: Digital cellular networks and the transition to handheld devices, enabling basic data communication.
    • 3G: Transition from circuit-switched to packet-switched networks, allowing broader data access.
    • 4G and 5G: Native IP networks with direct Internet access, enhancing speed; 5G offers advanced processing and supports various devices beyond smartphones, including automation tools.

Mobile Phone Operating Systems

  • Prominent operating systems include:
    • iOS (Apple)
    • Android (Google)
    • Windows Phone OS (Microsoft, less common)
  • 3G, 4G, and 5G phones mirror PC architecture, enabling app installations akin to laptops/desktops.

Variability of Mobile Devices

  • Geolocation capabilities through GPS track user activities, aiding in locating suspects relative to crime scenes.
  • Each device’s unique features necessitate special connectors and drivers for forensic analysis.
  • Device storage forms:
    • Onboard nonvolatile memory (internal)
    • External storage (mini-SD cards) for additional capacity.

Extracting Data from Mobile Devices

  • Forensic analysis enhances understanding of timelines related to criminal activities.
  • Storage Practices:
    • Always store devices in a Faraday bag to avoid remote alterations.
  • Types of Data Extraction:
    • Physical forensic images: Complete, bit-by-bit duplicates of file systems, including deleted data.
    • Logical data extraction: Snapshots of the data visible to a standard user.
  • Recommended practice:
    • Run the forensic image operation twice and retain one image as evidence; determine the extraction types based on the device.
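
One way to check the two imaging runs against each other, as an added example that is not part of the original notes. It assumes SHA-256 as the digest and a 4096-byte comparison block (neither is specified above); the function names and the sample images are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

BLOCK = 4096  # assumed comparison granularity; not specified in the notes

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while data := f.read(chunk):
            h.update(data)
    return h.hexdigest()

def differing_ranges(path_a, path_b, block=BLOCK):
    """Return inclusive (first, last) block-index ranges where the images differ."""
    ranges, start, idx = [], None, 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(block), fb.read(block)
            if not a and not b:
                break
            if a != b and start is None:
                start = idx                      # a run of differing blocks begins
            elif a == b and start is not None:
                ranges.append((start, idx - 1))  # the run ended at the previous block
                start = None
            idx += 1
    if start is not None:                        # run reaches the end of the longer image
        ranges.append((start, idx - 1))
    return ranges

def compare_acquisitions(path_a, path_b):
    """Hash both runs; walk the blocks only when the digests disagree."""
    ha, hb = sha256_file(path_a), sha256_file(path_b)
    diff = [] if ha == hb else differing_ranges(path_a, path_b)
    return {"sha256_a": ha, "sha256_b": hb, "match": ha == hb, "diff_blocks": diff}

if __name__ == "__main__":
    # Constructed sample: two 16-block images; the second run has blocks 3-4 changed.
    with tempfile.TemporaryDirectory() as d:
        run1, run2 = Path(d, "run1.img"), Path(d, "run2.img")
        image = bytearray(bytes(range(256)) * 256)  # 65536 bytes = 16 blocks
        run1.write_bytes(image)
        image[3 * BLOCK:5 * BLOCK] = b"\xff" * (2 * BLOCK)
        run2.write_bytes(image)
        print(compare_acquisitions(run1, run2))
```

Two runs against a powered-on device can differ because the device keeps writing to storage, so the reported block ranges show where to look rather than proving alteration.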

Mobile Phone Architecture

  • Storage Options:
    • SD Cards: Nonvolatile, expandable storage for photos, music, etc.
    • SIM Cards: Contain the international mobile subscriber identity (IMSI) and the integrated circuit card identifier (ICCID), which are essential for network identification.
  • Components of a mobile device:
    • Digital signal processor
    • Microprocessor
    • RF transmitter/receiver
    • Audio components
    • Power supply and battery system.

Assessing the Impact of Digital Evidence on an Investigation

  • Causal Chains of Evidence:
    • Cause and effect relationships in crime analysis, detailing how evidence links contribute to overall understanding.
  • Hybrid Crime Assessment Technique:
    • Methodology for dealing with crimes encompassing physical and digital elements (e.g., crimes involving mobile devices).
  • Objective: Integrate information from mobile devices into larger investigations to enhance evidence comprehension.