Mobile Forensics: Fundamentals and Process

What is Mobile Forensics?
  • Mobile forensics is about finding and revealing digital proof of crimes or other technical issues from mobile devices.

  • It specifically deals with data from phones, smartphones, tablets, and other portable gadgets.

  • This field is very important for police, company investigations, and fixing security problems. It helps uncover facts about online crimes, data hacks, and legal issues.

  • It uses a clear step-by-step process: finding what to look for (Collection), making sure the evidence isn't changed (Preservation), closely examining the data (Analysis), writing down everything (Documentation), and finally, explaining the findings clearly (Presentation).

  • Key idea: The process makes sure to identify digital evidence, keep it safe, check it carefully, record all details, and share the results in a way that can be used in court.

Mobile Forensic Process
  • Identification: First, clearly understand what the investigation is about and which devices are important.

    • Figure out what people, tools, and legal permissions are needed.

    • Knowing the case well guides all the next steps.

  • Preservation: This crucial step makes sure digital evidence is kept safe and unchanged. It prevents it from being altered, contaminated, or destroyed.

    • Often, devices are placed in special "Faraday bags" to block remote wiping, and exact copies (images) of the device's data are made before any examination.

  • Analysis: After saving the data, it's processed, looked at closely, and understood to find useful and important information.

    • This involves using special forensic tools and methods to get back deleted files, look at call logs, location data, app use, and other digital clues.

  • Documentation: Every action taken during the forensic process must be carefully written down. This includes details of the device, tools used, methods applied, and results.

    • Record all steps and results to ensure they can be recreated and used legally.

  • Presentation: The investigation's findings are summarized and explained clearly to people who need to know, like lawyers, managers, or court officials.

    • The goal is to provide facts for decisions or to give expert testimony in court.

  • Additional notes:

    • Choose the right tools and methods based on the device's operating system and model.

    • Pick a suitable acquisition method, such as copying the whole device (physical acquisition), copying logical files (logical acquisition), or copying the file system (file system acquisition).

    • Thoroughly record the crime scene with photos, drawings, and maps to understand the situation and prove who handled the evidence.

Mobile Forensics Goals
  • Find legal evidence on digital devices and keep it safe so it can be used in court.

  • Save and recover evidence using approved technical steps, following forensic standards.

  • Find out if data is leaking from a company by looking at mobile device communications and stored data.

  • See how much damage happened during a data breach, including its size, effect, and what data on mobile devices was involved.

Mobile storage and evidence location
  • Internal Memory: This is the built-in storage in the device, like RAM (temporary memory) or flash memory (permanent storage).

    • It holds the mobile operating system, installed apps, user data (contacts, calls, messages), and system settings.

    • Data in RAM is temporary and disappears when the device turns off.

  • SIM Card (Subscriber Identity Module): A tiny, removable card that stores subscriber and service information.

    • It stores personal details like your unique mobile identity (IMSI), contacts, SMS messages, call details, and network settings.

  • External Memory: This means removable storage, usually Micro SD cards.

    • These store personal info and files like audio, video, pictures, documents, and app data. Users often choose them for more storage space.

What should you do before the investigation?
  • Build a Forensics Workstation: Set up a special, secure computer area with the right equipment.

  • Build the Investigation Team: Put together a skilled team with different areas of expertise.

  • Review Policies and Laws: Understand relevant laws and company rules.

  • Notify Decision Makers and Acquire Authorization: Get official permission and tell the right people.

    • This makes sure the investigation is legal and can get the resources it needs.

  • Risk Assessment: Check for possible risks to data, privacy, and legal rules during the investigation.

  • Build a Mobile Forensics Toolkit: Gather all necessary hardware and software tools.

Build a forensic workstation
  • Equipment to include:

    • A strong computer (laptop or desktop): Needs enough power, memory (RAM), and storage for forensic software and data. It's often kept separate from networks.

    • A USB connector: To link various mobile devices and accessories to the workstation.

    • Mobile forensics toolkit: Special software and hardware for getting and analyzing data from mobile devices.

    • Micro SD memory card reader: To get data directly from external memory cards.

    • Mobile hardware toolkit: Tools like spudgers, screwdrivers, and opening picks for taking devices apart if needed.

    • Cables and adapters (including FireWire cables and Bluetooth and IR adapters): A full set of original cables and adapters to connect to many types of mobile devices.

    • SIM card reader: To get data directly from SIM cards without putting them in a phone.

Build the investigation team
  • The team should have experts in collecting and reporting mobile device evidence, combining different skills.

  • Roles may include:

    • Expert Witness: Gives unbiased testimony and explains technical details in court.

    • Evidence Manager: Keeps track of evidence and who has handled it.

    • Evidence Documenter: Writes down all observed details, actions, and the state of evidence.

    • Evidence Examiner/Investigator: Does the actual analysis and data extraction.

    • Attorney: Gives legal advice and ensures laws are followed.

    • Photographer: Takes pictures of the crime scene and evidence.

    • Incident Responder: Manages the overall response to security events.

    • Decision Maker: Approves actions and makes key choices.

    • Incident Analyzer: Understands why an incident happened and what its effects are.

  • Each member should have:

    • Deep knowledge of many mobile devices, their hardware, operating systems (like Android, iOS), and apps.

    • Awareness of local and international laws about mobile crime and digital evidence.

    • Necessary security clearance and permission for their tasks, especially with sensitive information.

  • Keep the team small to maintain secrecy and communicate easily.

  • Assign clear jobs to team members; choose a technical lead to manage forensic activities.

Review policies and laws
  • Check local, national, and international laws that might affect the investigation, such as privacy laws or rules for electronic evidence.

  • Investigators must follow a legally accepted process and document everything to make sure evidence can be used in court and avoid legal problems.

  • Look at internal company policies (like "Bring Your Own Device" or BYOD) and security rules for company mobile devices to understand user agreements and who owns the data.

    • This also includes rules about how long data is kept and acceptable ways to use devices.

Mobile phone evidence — analysis
  • Things involved in analysis include:

    • Phone Memory: A detailed look at both temporary (RAM) and permanent (flash memory) data to find call logs, SMS, emails, web history, GPS data, and app data.

    • Service Provider Data: Information from network carriers, like billing records, cell tower locations, and subscriber details, which can support device data.

    • Reports: Creating full forensic reports explaining findings, methods, and conclusions for legal or internal use.

    • Forensics Workstation: The place where all analysis happens, keeping data safe and providing access to special tools.

Collecting the evidence
  • Protect physical and electronic evidence by securing the crime scene.

  • Stop unauthorized people from entering and touching evidence to avoid messing it up.

  • Collect all electronic devices at the crime scene, including phones, tablets, chargers, and external storage.

  • Check whether the mobile device is plugged into a computer or other equipment; if so, write it down and keep the connection intact.

  • Confirm if devices are on or off (by checking lights, screen, or vibration) to decide how to save them.

  • Collect non-electronic evidence like written passwords, notes, and printouts that might give important clues.

Document the scene
  • Write down details of all electronic devices at the crime scene, their location, condition, and any accessories.

  • Take clear, many-angled photos of all evidence and write detailed notes about what's on the screen or device.

  • Document the device's condition when seized (on/off, locked/unlocked, charging, connected to network).

  • Note any activity on the electronic devices at the crime scene, like incoming calls, messages, or screen changes, before doing anything else.

Document the evidence
  • Phone Identification: Clearly identify the brand, model, operating system (e.g., Android version, iOS version), and network provider of the device.

    • This helps a lot in choosing the right forensic tool and method to get data.

  • Connection Identification: Identify how the mobile device is connected to the forensics workstation (e.g., USB cable, infrared, or Bluetooth).

    • The choice depends on the phone's abilities, the tool's compatibility, and how the data is being copied.

  • Tool Selection: Based on the device and connection, pick a forensic tool that is:

    • Usable: Easy to use for trained staff.

    • Comprehensive: Supports many devices, operating systems, and data types (like SMS, call logs, GPS, app data).

    • Accurate: Gets data reliably without errors or changing the original evidence.

    • Deterministic: Gives the same results if used multiple times on the same data under the same conditions.

    • Verifiable: Its output can be checked by other means or by looking at the raw data, showing it's trustworthy and transparent.

Evidence preservation
  • The goal of preservation is to take the suspect mobile phone and its accessories without changing or contaminating the digital data inside.

  • This is the first important step done before the actual investigation and analysis.

  • It involves finding, recognizing, documenting, and carefully collecting digital evidence at the crime scene to keep it intact for legal use.

Handling a mobile phone that is switched on or off
  • ON State:

    • If the device is ON, DO NOT turn it OFF. Powering it down could lock it, trigger remote wiping, encrypt data, or lose the contents of temporary memory (RAM).

    • Write down everything on the display (like incoming messages, current apps), and photograph it if possible, for immediate record-keeping.

    • Only turn it off before moving it if absolutely necessary, and only after taking all needed steps, like unplugging it and cutting off network connections.

  • OFF State:

    • If the device is OFF, leave it OFF. Turning it ON could change evidence (like altering timestamps, enabling network, or writing over deleted data), similar to how it affects computers.

    • Secure the device while it's OFF using methods like a Faraday bag.

Faraday bag
  • A Faraday bag offers RF (Radio Frequency) protection. It creates an electromagnetic shield to stop remote changes or wiping of data on a mobile device.

  • It blocks all wireless signals (cellular, Wi-Fi, Bluetooth), separating the device from outside interference.

  • Disklabs is an example brand known for its forensic-grade Faraday bags.

Forensic imaging
  • A forensic investigator should not work directly on the original evidence because any action could accidentally change or destroy important data.

  • Instead, the normal practice is to create an exact copy (called a "forensic image" or "physical acquisition") of the storage of the device found at the crime scene, and to work on that copy.

  • This image is an exact duplicate of the storage, capturing every bit of data, even deleted files and empty spaces.
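The forensic imaging step above, together with the Documentation step and the "Accurate", "Deterministic" and "Verifiable" tool criteria, can be shown in a small script. This is an added example, not code from the original notes: it images a constructed in-memory storage blob rather than a real phone, and the device fields, examiner names and the JSON-lines custody log are hypothetical. Proving that a copy is exact by hashing the original and the image with SHA-256 is the standard verification practice; the notes describe the requirement but do not name the technique.

```python
"""Forensic image acquisition with hash verification and a chain-of-custody log.

Added example (not from the original notes). The storage blob, device details,
examiner names and log format are constructed for illustration.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample "storage": live data, a deleted-but-not-overwritten record,
# and unallocated (zeroed) space, since a physical image captures all three.
SAMPLE_STORAGE = (
    b"LIVE:contact=Alice;call=+15550100;"
    + b"DELETED:sms=meet at 9;"          # still present in unallocated space
    + b"\x00" * 64                       # empty space is captured too
)

CHUNK_SIZE = 16  # deliberately small so the chunked copy loop is exercised


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(source, examiner: str, device: dict) -> tuple:
    """Bit-for-bit copy of `source` (a binary stream) into an image.

    Hashes are computed over the original and the copy so the acquisition
    record proves the image is exact. Returns (image_bytes, record).
    """
    src_hash = hashlib.sha256()
    img = io.BytesIO()
    while True:
        chunk = source.read(CHUNK_SIZE)
        if not chunk:
            break
        src_hash.update(chunk)
        img.write(chunk)
    image = img.getvalue()
    record = {
        "action": "physical acquisition",
        "examiner": examiner,
        "device": device,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "bytes_copied": len(image),
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_hex(image),
    }
    return image, record


def verify_image(image: bytes, record: dict) -> bool:
    """True only if the image still matches the hashes taken at acquisition."""
    return sha256_hex(image) == record["source_sha256"] == record["image_sha256"]


class CustodyLog:
    """Append-only chain-of-custody log; each entry is one JSON line."""

    def __init__(self):
        self.entries = []

    def record(self, action: str, who: str, evidence_sha256: str, note: str = "") -> None:
        self.entries.append(json.dumps({
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "action": action, "who": who,
            "evidence_sha256": evidence_sha256, "note": note,
        }))

    def hashes_consistent(self) -> bool:
        """Every hand-off must cite the same evidence hash; a mismatch means
        the evidence changed somewhere along the chain."""
        hashes = {json.loads(e)["evidence_sha256"] for e in self.entries}
        return len(hashes) <= 1


def run_demo() -> dict:
    """Image the constructed storage twice; check exactness, determinism,
    tamper detection, custody consistency and recovery of deleted data."""
    device = {"make": "ExampleCo", "model": "X1", "os": "Android <version placeholder>"}
    image1, rec1 = acquire_image(io.BytesIO(SAMPLE_STORAGE), "examiner-1", device)
    image2, rec2 = acquire_image(io.BytesIO(SAMPLE_STORAGE), "examiner-1", device)
    log = CustodyLog()
    log.record("seized", "officer-A", rec1["image_sha256"], "Faraday bag, device OFF")
    log.record("imaged", "examiner-1", rec1["image_sha256"])
    log.record("handed to analyst", "examiner-1", rec1["image_sha256"])
    tampered = bytearray(image1)
    tampered[0] ^= 0xFF  # flip one bit: the hash check must now fail
    return {
        "image_ok": verify_image(image1, rec1),
        "deterministic": rec1["image_sha256"] == rec2["image_sha256"],
        "tamper_detected": not verify_image(bytes(tampered), rec1),
        "custody_consistent": log.hashes_consistent(),
        "deleted_data_in_image": b"DELETED:" in image1,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The acquisition record and the custody log are what the Documentation step asks for: who did what, when, on which device, and a hash that any later reader can recompute to confirm the image is still the one that was taken. On a real device the `source` would be the block device or the tool's raw dump rather than an in-memory stream, and the image would be written to write-once media instead of a BytesIO.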