Mobile forensics

by dr D.K. Sharma and Ishita Gupta


Forensic science is heavily reliant on police forces as these are the first responding officers who reach the crime scene. If the investigating officer feels the need for forensic examination, then a forensic expert is called in and the exhibits are submitted for analysis. Apart from crimes such as homicide, rape, illegal drug trade, cybercrime is becoming increasingly popular. According to Beaming’s Five Years in Cyber Security, 1.5 million organizations in the UK fell victim to cybercrime in 2019.

Over the past several years, digital forensic examiners have seen a remarkable increase in requests to examine data from cellular phones and other mobile devices. The examination and extraction of data from these devices presents numerous unique challenges for forensic examiners. With smart phones and tablets representing an increasing proportion of mobile devices submitted for examination, the number unique challenges continue to grow. Some of those challenges include the following: Not only are there a large variety of mobile devices available commercially, those devices use a variety of proprietary operating systems, embedded file systems, applications, services, and peripherals. Each of these unique devices may be supported to different extents by the available forensic software tools or may not be supported at all. There is also generally significant lag time before newer smart phone devices are supported sufficiently by mobile forensic tools.

Mobile forensics is all about utilizing scientific methodologies to recover data stored within a mobile phone for legal purposes. Unlike traditional computer forensics, mobile forensics has limitations when obtaining evidence due to rapid changes in the technology and the fast-paced evolution of mobile software. With different operating systems and a wide range of models being released into the market, mobile forensics has expanded over the last 3-4 years. Specialized forensic techniques and skills are required in order to extract data under different conditions. Phases of Mobile Forensics include: Seizure, acquisition and Analysis or examination It is to be ensured that appropriate legal authority exists. The make, model and IMEI/serial number should be noted for the seized mobile and sim card. The goal of examination should be determined as to why the mobile has to be seized and what data we want to get recovered from it. The evidence should be handled carefully wearing gloves. With the growing demand for examination of cellular phones and other mobile devices, a need has also developed for the development of process guidelines for the examination of these devices. While the specific details of the examination of each device may differ, the adoption of consistent examination processes will assist the examiner in ensuring that the evidence extracted from each phone is well documented and that the results are repeatable and defensible in court. Mobile devices use a variety of internal, removable and online data storage capabilities. In many cases, it is necessary to use more than one tool in order to extract and document the desired data from the mobile device and its associated data storage media. In certain cases, the tools used to process cellular phones may report conflicting or erroneous information. It is therefore critical to verify the accuracy of data obtained from mobile devices. And, while the amount of data stored by phones is still small when compared to the storage capacity of traditional computer hard drives, the storage capacity of these devices continues to grow. The types of data contained within mobile devices and the way they are being used are constantly evolving. The data from an ever-growing number of installed applications can contain a wealth of relevant information that may not be automatically parsed by available forensic software solutions. Data can be stored in four different locations on/in the phone: On the Sim card inside the phone On the memory card inside the phone In the cloud In the cellular provider’s records Data can be communicated through phone calls, SMS, MMS and other forms. The available records depends on the carrier, Call detail records (CDR), Detail records for SMS/MMS messages and data records for data usage. Physical extraction refers to the ability to perform a bit-for-bit copy of the entire physical storage, which allows the forensic tools to acquire remnants of deleted data. However, this process requires direct access to the file system of the mobile device. This is necessary to be able to recover deleted data from the disk using methods such as carving, where particular file headers are searched for to recover target file types. Carving is a commonly used technique in digital forensics to extract a collection of data from a larger data set. Logical extraction refers to the ability to copy the logical storage objects of the mobile device (eg directories and files; Grispos, Storer & Glisson 2011).

All of the tools selected have the ability to perform a logical extraction; it is understood that this extraction acquires the data from the mobile device using the vendor’s interface, which is most commonly used for synchronising the handset with a computer. This extraction method does not usually recover any deleted information due to the data being transferred file by file rather than bit for bit. It should be noted that results may vary when analysing mobile devices that use operating systems designed for use by many different manufacturers (eg Android). Manufacturers will often customise their implementation of the operating system, which can result in data being stored in different locations to the standard operating system conventions (eg HTC Sense and Samsung TouchWiz). To successfully collect the maximum amount of data from a mobile device, investigators and practitioners need to be aware of the key features and limitations of the tools they use. This will allow them to make informed selections in an environment where timeliness is often critical and workloads are high. However, forensic tools are constantly updated to provide support for new devices and expand support for existing devices. Mobile forensics can plays a crucial role in todays digital world where mobiles have become a part and parcel of life and a must necessity of daily routine. Certain limitations of traditional approach are being surpassed by the introduction of modern approach, by the application of various advanced digital forensic tools. However, for evidence to be admissible, it must be authentic, complete, reliable and believable. Hence, proper and updated forensic practices should be adopted in order to make the evidence admissible in court.


About the Authors:

Dr. D.K. Sharma (S.S.O and A.C.E to the Govt. of M.P, India, Regional Forensic Science Laboratory, Bhopal, M.P, India) and Ishita Gupta (Trainee at Regional Forensic Science Lab, Bhopal, M.P, India).

The post Mobile forensics | by Dr. D.K. Sharma and Ishita Gupta appeared first on eForensics.

By admin