Digital Forensics: Mobile and Computer Investigation Notes

Definition: The systematic process of locating, safeguarding, analyzing, and documenting digital evidence.
Sub-fields: - Mobile Phone Forensics: Acquiring digital proof from mobile devices. - Media Forensics: Retrieving data from storage media. - Network Forensics: Analyzing network activities to identify attack origins. - Memory Forensics: Recovering evidence from the RAM of an active computer. - Other Types: Wireless, Database, Software, and Email forensics.

History: The first mobile phone was created in $1973$ by Martin Cooper for Motorola using a prototype called DynaTAC (Analog $1G$ ).
Evolution: Technology has progressed from $1G$ ( $1981$ ) to $5G$ ( $2020$ ), with $6G$ expected by $2030$ .
Operating Systems: - Single Vendor (Hardware/OS): iPhone, Blackberry, Symbian. - Different Vendors: Android, Windows Mobile.
Market Share (January 2025): - Global: Apple ( $27.28\%$ ), Samsung ( $23.37\%$ ), Xiaomi ( $11.96\%$ ). - Malaysia: Apple ( $29.38\%$ ), Samsung ( $14.19\%$ ), Oppo ( $11.17\%$ ).
Key Components: Mobile Equipment (ME), SIM Card (checked via *#06# for IMEI), Memory Card, and the Mobile Network.
Data Storage: Data resides in the Handset, SIM, or Memory card. Some data, like contacts, can be duplicated across locations.

Acquisition Methods: - Physical: Provides a bit-by-bit copy of flash memory; allows for the recovery of deleted data from file systems and database files. - Logical: Extracts visible folders and files; often uses proprietary storage formats. - Agent: Used for Android devices; does not recover deleted data but extracts contacts, messages, and calls.
Analysis Techniques: Keyword search, file hashing, file type filtering, date sorting, and manual searching.
Forensic Tools: - General: EnCase, FTK (Forensic Toolkit), Magnet AXIOM, Cellebrite, XRY. - Specialized: I2 (relationship mapping), Live Response (for RAM and volatile data), and Imaging Tools.

Hardware Components: Systems include desktops, laptops, and mainframes consisting of the case (microprocessors, hard drive), monitor, keyboard, and mouse.
Storage Interfaces: Hard drives utilize SCSI, SATA, or IDE ( $40$ -pin or $44$ -pin) connections.
Live Triaging Steps: - Lock Screen: Check for notifications or user info. - Date/Time: Record any discrepancies against a verified time source. - User Accounts: Identify administrators and check login logs in the Windows Registry. - Security: Identify sign-in options and encryption status (e.g., BitLocker). - Running Processes: Use Task Manager ( $Ctrl + Shift + Esc$ ) to find active apps.
Post-Shutdown: Use a writeblocker before triaging hard drives to prevent data alteration.

Functionality: When a file is deleted, the Master Boot Record (MBR) is updated, but the actual data remains in the clusters.
Overwriting: The space is marked as "unallocated" (available). If a new file is added, it may overwrite the original data clusters.
Recovery: Partial files (e.g., $100\,MB$ of a $150\,MB$ file) can sometimes be recovered if they have not been completely overwritten.

Role of the Computer Crime Forensic Unit: Led by DSP Mohd Izzuwan bin Marzuki, the unit provides justice via forensics for the Royal Malaysia Police (PDRM).
Case Study: Sosilawati Murder ( $2010$ ): Analysis was performed on $11$ mobile phones, some of which were recovered in damp conditions and required specialized drying.
Case Study: Stephanie Foray Murder ( $2014$ ): Evidence included blood splatters and objects identified through directional guides.
Common Submission Errors: - Sending wet phones or spoilt batteries. - Failing to provide PIN/pattern locks. - Marking or signing directly on screens. - Vague requests (e.g., "Vacuum all data") instead of specific date ranges or keyword objectives.
Challenge: Criminals intentionally damage phones through burning, water/saltwater immersion, chemicals, or physical destruction (snapping the device).