The recovery of digital evidence or data from a mobile device under forensically sound settings is referred to as mobile device forensics. The term “mobile device” is most commonly associated with cell phones, although it can also refer to any digital device with internal memory and communication capabilities, such as PDAs, GPS devices, and tablet PCs.
Some mobile phone firms attempted to copy the phone’s model, which is unlawful. As a result, we see a lot of new models every year, which is a step forward for future generations. Although the process of cloning mobile phones/devices in criminal cases has been well recognized for some time, the forensic analysis of mobile devices is a relatively young field, dating back to the late 1990s and early 2000s. The rise of phones (especially smartphones) and other digital devices on the consumer market created a demand for forensic investigation of the devices that existing computer forensics techniques could not meet.
Personal information such as contacts, photos, calendars, and notes, as well as SMS and MMS messages, can all be saved on mobile devices. Video, email, site browsing information, location information, and social networking messages and connections may all be stored on smartphones.
There is a growing demand for mobile forensics for a variety of reasons, including the following:
- Mobile phones are being used to store and communicate personal and business information
- Mobile phones are being used in online commerce
- Criminals, law enforcement, and mobile phone gadgets
On several levels, mobile device forensics can be particularly difficult. There are evidentiary and technical hurdles to overcome. Cell site analysis, for example, is not an exact science resulting from the use of mobile phone usage coverage. As a result, while it is possible to estimate the cell site zone from where a call was made or received, it is still impossible to declare with any certainty that a mobile phone call originated from a specific location, such as a home address.
Physical acquisition and logical acquisition are two methods for gathering data from mobile devices.
● Physical acquisition, sometimes known as a physical memory dump, is a method of acquiring all of the data from a mobile device’s flash memory chips. It enables the forensic tool to collect deleted data fragments. The data received is initially in raw format and cannot be read. After that, several procedures are used to turn the data into something that can be read by humans.
● Logical extraction, also known as logical acquisition, is a technique for extracting files and directories from a mobile device without removing any lost data. Some suppliers, on the other hand, define logical extraction as the capacity to collect a certain data type, such as images, call history, text messages, calendars, videos, and ringtones. A software tool is used to make a copy of the files. For example, iTunes backup is used to make a logical image of an iPhone or iPad.
What kinds of data can you get from a mobile device?
Before collecting data from a mobile device, students should have a basic understanding of data kinds. Contacts, call logs, SMS, photos, music, video, GPS data, and app data are all popular data kinds. A mobile device can also be used to extract both current and deleted data.
CDRs (Call Detail Records): CDRs are widely used by service providers to improve network performance. They can, however, supply useful information to investigators. CDRs can demonstrate:
- Date and time when the call began and ended
- The towers at the beginning and end of the line are known as terminating and originating towers, respectively
- Whether it was an outgoing or incoming call
- Duration of the call
- That was the one who dialed the number and who dialed it?
Almost all service providers save these vital records for a specific period. If the forensic professional so desires, he can obtain these records. The gathering of this data, however, is dependent on the policies of the state in question. In this sense, each state has its own set of legislation.
GPS (Global Positioning System): GPS data is a great way to get empirical evidence. If the suspect has an active mobile device at the crime scene, GPS can track his whereabouts and criminal activities. The suspect’s movements from a crime site to his refuge are also tracked via GPS. It also aids in the retrieval of phone call logs, photos, and SMS messages. A GPS now has twenty seven satellites in service.
Data stored and accessed by applications: Many apps save and access data that the user is unaware of. Many apps ask for permission to access these data during the installation process. Photo and video editing apps, for example, ask for permission to access media files, the camera, and the GPS for navigation. This information can be used as a primary source of evidence in court.
Text messaging (SMS) is a popular mode of communication. Text messages leave electronic records of conversations that can be used as evidence in court. They contain pertinent information such as:
- Each message’s date and time
- Sender’s and receiver’s phone numbers
- Evidence in the form of Photographs and Videos
- They can be a valuable source of evidence, but their connection to crime and verification is essential.
In mobile forensics, what tools and approaches are often used?
New approaches for extracting data from a variety of cellular devices are constantly being developed by forensic software applications. Physical and logical extraction are the two most popular methods. JTAG or cable connections are used for physical extraction, whereas Bluetooth, infrared, or cable connections are used for logical extraction.
For mobile forensics, there are a variety of tools to choose from. There are three types of forensic tools: open source, commercial, and non-forensic. When it comes to interacting with a mobile device, both non-forensic and forensic tools usually use the same methodologies and standards.
Tools Classification System
The Classification System for Forensic Tools:
Forensic analysts must be aware of the various sorts of forensic tools. The tools classification system provides forensic analysts with a framework for comparing the data collecting methodologies utilized by various forensic tools.
Manual extraction
Investigators can extract and view data using the device’s touchscreen or keyboard using the manual extraction technique. This information is later photographed and documented. Furthermore, manual extraction takes time and is fraught with the risk of human error. During the assessment, for example, the data could be mistakenly destroyed or updated.
The following are some of the most commonly used manual extraction tools:
- Project-A-Phone
- Fernando ZRT
- EDEC Eclipse
Logical extraction
The investigators use Bluetooth, Infrared, RJ-45 connection, or USB cable to link the cellular handset to a forensic workstation or hardware. The computer sends a sequence of orders to the mobile device using a logical extraction tool. As a consequence, the necessary information is extracted from the phone’s memory and delivered to the forensic workstation for processing. The following are some of the tools that are used for logical extraction:
- XRY Logical
- Oxygen Forensic Suite
- Lantern
Hex dump
A hex dump, also known as physical extraction, extracts the raw image from the mobile device in binary format. The forensic expert attaches the device to a forensic workstation and installs the boot loader, which tells the device to dump its memory to the computer. This method is less expensive and provides investigators with more information, including the recovery of deleted files and unallocated space on the phone. The following are some of the most commonly used hex dump tools:
- XACT
- Cellebrite UFED Physical Analyzer
- Pandora’s Box
Chip-off
Examiners can extract data directly from the cellular device’s flash memory using the chip-off approach. They take the phone’s memory chip out and make a binary image of it. This procedure is pricey and necessitates extensive hardware knowledge. Improper handling may result in physical damage to the chip, rendering the data unrecoverable. Chip-off is commonly done with the following tools and equipment:
- iSeasamo Phone Opening Tool
- Xytronic 988D Solder Rework Station
- FEITA Digital inspection station
- Chip Epoxy Glue Remover
- Circuit Board Holder
Micro read
This procedure entails deciphering and displaying data stored on memory chips. The researchers analyze the physical gates on the chips with a high-powered electron microscope, than transform the gate level into 1s and 0s to find the ASCII code. This is a costly and time-consuming procedure. It also necessitates a thorough understanding of hardware and file systems. There is not a tool for micro-reading available.
Paid Tools
• Cellebrite
One of the most well-known and comprehensive evidence extraction devices is the Cellebrite Touch. It enables us to calculate over 6,300 terminals running the most popular mobile operating systems. It’s also quite easy to use and understand.
• Encase Forensics
In addition to Cellebrite, Encase Forensics might be a global standard in forensic analysis. It has a long list of functions, including one that detects encrypted files and attempts to decrypt them using Passware Kit Forensic, a tool with specific algorithms for this purpose.
• Oxygen Forensic Suite
Oxygen Forensic Suite is capable of extracting data from over 10,000 distinct mobile device models, as well as getting data from cloud services and importing backups or photos.
• MOBILedit
Forensic enables the receipt of large amounts of data as well as advanced actions such as acquiring a whole memory dump, bypassing terminal-locking measures, and preparing reports on the fly.
• Elcomsoft iOS Forensic Toolkit
On iOS devices such as the iPhone, iPad, and iPod, physical acquisition is possible. Other useful capabilities include decoding the keychain, which keeps user passwords within the terminal under investigation, and registering each action taken throughout the procedure to keep track of them.
Many of the tools need enabling the “USB debugging” option, ideally the “Stay awake” option, and disabling any time-out screen lock option to carry out the evidence-gathering procedure on an Android mobile device. It is important to bypass any screen lock options that may be configured on the terminal. As a result of these difficulties, a range of technologies for extracting evidence from mobile devices exist; no single instrument or method can obtain all of the evidence from all devices.
It is therefore recommended that forensic examiners, particularly those wishing to qualify as expert witnesses in court, receive extensive training to learn how each tool and method acquires evidence, maintains forensic soundness standards, and complies with legal requirements such as the Daubert or Frye standards.
