Mobile phones have become an integral part of our lives. Today almost every individual, from kids to teenagers to adults, has a mobile phone. It has come a long way from being only a communication device to being equipped with numerous features, such as a high-resolution camera, 4G connectivity, an mp3 player, a gaming console, etc. Phones hold a wide array of information about the user and the user's activities, and it is no longer uncommon to encounter a mobile device during an investigation.
What is mobile device forensics?
Mobile Phone Forensics, or Mobile Forensics, deals with recovering and analysing digital evidence from a mobile phone, such as call logs, text messages, multimedia and browsing history, under forensically sound conditions.
Evidence present in mobile phones
Data present in mobile devices mainly originates from three sources, namely the SIM card, external memory and phone memory (internal memory). The following are the most common types of evidence found on a mobile device:
- Contacts: Contains names, phone numbers and e-mail addresses; stored on the device as well as the SIM card.
- Call Logs: Contains dialled, received and missed calls, with the date, time and duration of each call; stored on the device as well as the SIM card.
- Messages: Contains the incoming and outgoing text messages; stored on the device as well as the SIM card.
- Images/Audio/Video: Contains audio, images or video, captured using the phone camera or transferred from other devices or downloaded from the internet; stored on internal/external memory.
- Documents: Contains documents created using the phone’s applications or transferred from other devices or downloaded from the internet; stored on phone memory/external memory.
- Calendar/ Notes: Contains calendar entries, reminders, notes, to-do lists, etc.; stored on phone memory.
- Third-party installed apps: Contains alternative messaging and communication applications and their chat logs; stored on internal/external memory.
- Internet-related evidence: web browsing history, social media accounts, e-mails, etc.; stored on phone memory.
- International Mobile Equipment Identity (IMEI): 15-digit number; stored on the device and also printed on it.
- International Mobile Subscriber Identity (IMSI): 15-digit number; stored on SIM card.
- Integrated Circuit Card Identifier (ICCID): 20-digit number; stored on SIM card.
- Service Provider: Printed on SIM card.
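The three identifiers in the list above have a fixed structure an examiner can check before recording them: an IMEI is a Type Allocation Code, a serial number and a Luhn check digit; an ICCID starts with the telecom industry prefix 89 and ends with a Luhn check digit; an IMSI is a mobile country code, a mobile network code and a subscriber number with no check digit at all. The following script is an added example, not code from the original article. It assumes nothing beyond those published formats; the sample IMEI, ICCID and IMSI values and the `mnc_length` parameter are constructed for illustration (the MNC length for a given MCC has to come from a real country/operator lookup, which the example does not include).

```python
# Added example (not part of the original article): validating the device and
# SIM identifiers listed above before they go into an examination record.
# Sample values below are constructed for illustration, not real devices/SIMs.

def luhn_check_digit(payload: str) -> int:
    """Compute the Luhn check digit for a string of decimal digits.

    Walking from the right, every second digit (starting with the rightmost
    payload digit) is doubled, with results 10-18 folded to a single digit.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == int(number[-1]))


def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI into TAC, serial number and check digit.

    The first 8 digits are the Type Allocation Code (make/model), the next 6
    the serial number, and the 15th is a Luhn check digit over the first 14.
    """
    imei = imei.replace(" ", "").replace("-", "")
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be 15 decimal digits")
    return {
        "tac": imei[:8],
        "serial": imei[8:14],
        "check_digit": imei[14],
        "valid": luhn_valid(imei),
    }


def parse_iccid(iccid: str) -> dict:
    """Validate an ICCID: 19 or 20 digits, prefix 89 (telecom), Luhn-checked."""
    iccid = iccid.replace(" ", "")
    if len(iccid) not in (19, 20) or not iccid.isdigit():
        raise ValueError("ICCID must be 19 or 20 decimal digits")
    return {
        "issuer_prefix": iccid[:2],  # 89 = telecommunications industry (ISO/IEC 7812)
        "valid": iccid.startswith("89") and luhn_valid(iccid),
    }


def parse_imsi(imsi: str, mnc_length: int = 2) -> dict:
    """Split a 15-digit IMSI into MCC, MNC and MSIN.

    The MNC is 2 or 3 digits depending on the country (MCC); the caller
    supplies the length from an MCC/MNC lookup (assumed, not included here).
    """
    if len(imsi) != 15 or not imsi.isdigit() or mnc_length not in (2, 3):
        raise ValueError("IMSI must be 15 decimal digits with a 2- or 3-digit MNC")
    return {
        "mcc": imsi[:3],
        "mnc": imsi[3:3 + mnc_length],
        "msin": imsi[3 + mnc_length:],
    }


if __name__ == "__main__":
    # Constructed sample values (formatted with spaces the way they are often printed)
    print(parse_imei("49 015420 323751 8"))      # valid: True
    print(parse_iccid("89012601234567890121"))   # valid: True
    print(parse_imsi("404450123456789"))         # mcc 404, mnc 45
```

A failed Luhn check on a value read off a label or transcribed from a screen photograph usually means a transcription error rather than a tampered device, so the examiner should re-read the identifier before recording it.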
Mobile Device Tool Classification System
The acquisition of data from mobile devices involves the use of automated tools. Therefore, understanding the various types of acquisition tools and the data they are capable of recovering is important for a mobile forensic examiner. Based on the various extraction methods, the tools available may be classified under one of the following levels:
The manual extraction method involves viewing the data stored on a mobile device by manually manipulating its buttons, keyboard or touchscreen. Data of evidentiary value should be recorded using an external digital camera. One of the biggest disadvantages at this level is that deleted information cannot be recovered. Moreover, it may be impossible to gather evidence from a device with a broken or missing LCD screen or a damaged keyboard interface.
Logical extraction involves connecting the mobile device to a forensic workstation using either a wired (e.g., USB) or a wireless (e.g., Wi-Fi or Bluetooth) connection. Once the connection is established, the tool sends a series of commands over that interface from the computer to the mobile device. The mobile device responds with the requested data, which is sent back to the workstation and presented to the forensic examiner for reporting purposes.
Hex Dumping and JTAG
Hex dumping, also known as physical extraction, gives the examiner direct access to the raw data stored in flash memory. It involves uploading unsigned code or a modified boot loader into the phone's memory by connecting the phone to a flasher box, which in turn is connected to the forensic workstation. A series of commands is then executed, instructing the phone to dump its memory to the destination selected by the examiner.
The JTAG (Joint Test Action Group) method involves connecting to the Test Access Ports (TAPs) on a device, a common test interface for processors, memory and other semiconductor chips. Special programmer devices are used to instruct the processor to transfer the data stored in memory. The JTAG method comes in handy when dealing with locked devices, or devices with minor logical damage, that are inaccessible through other methods.
Chip-off methods refer to the acquisition of data directly from a mobile device's flash memory. This extraction requires physically removing the flash memory chip and connecting it to a chip reader to create a binary image of the removed chip. This method requires extensive training, as it can be extremely challenging and carries the risk of physically damaging the chip during the process.
A micro read involves analysing the physical gates on a NAND or NOR chip with an electron microscope. This process is not only time-consuming and costly but also highly technical. Therefore, this method is carried out only for high-profile cases, equivalent to a national security crisis, when all other extraction methods have been exhausted.
Mobile Device Forensic Process
Identification: The process of identifying the mobile device and other relevant details, such as the goals of the examination; the make, model and IMEI of the device; any removable external memory; and other potential evidence such as fingerprints.
Isolation: Isolating the mobile device from the network is extremely important to avoid modification of the evidence on the phone after seizure. This can be done by placing the device in a Faraday bag and putting the phone in airplane mode.
Acquisition: Once the phone is isolated, data can be acquired from the device using the appropriate extraction method. Physical acquisition is preferred, as it extracts the raw data directly from the device's memory and recovers deleted data as well as data from unallocated space.
Examination and Analysis: After the data has been acquired, the examination process uncovers digital evidence, including evidence that may be hidden or deleted. The process begins with a copy of the evidence acquired from the mobile device, and results are obtained by applying scientifically based methods. Data reduction, that is, separating relevant from irrelevant information, occurs once the data is exposed.
Documentation: The forensic examiner should document the entire procedure and every step taken during acquisition and examination. The documentation should include the date and time of the examination, the condition and status (on/off) of the phone, the tools used and the data found.
Presentation: A report of the data extracted from the device should be created, including the opinion of the examiner. The findings of the case should then be presented in a clear and easy-to-understand manner in a court of law.
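The acquisition, examination and documentation steps above fit together in a small amount of examiner tooling: hash the acquired image, confirm the working copy hashes identically before touching it, carve data out of the raw dump (which is where deleted records in unallocated space reappear after a physical acquisition), reduce it to the relevant items, and write the whole thing into a documentation record. The script below is an added example and not code from the original article. The raw image, the two SMS-like records in it, the tool name, the timestamp and the shape of the documentation record are all constructed for illustration; real extraction tools store records in device-specific formats that this example does not model.

```python
# Added example (not part of the original article): verify the working copy of
# an acquired image, carve data from the raw dump including the unallocated
# region, and produce the documentation record described above.
# The image, records, tool name, timestamp and record layout are constructed.
import hashlib
import re

# Constructed raw image: a live record in the allocated area, then an
# unallocated region that still holds a deleted-but-not-overwritten record.
RAW_IMAGE = (
    b"\x00" * 16
    + b"SMS:+14155550123:Meet at the usual place\x00"
    + b"\x00" * 32
    + b"SMS:+14155550199:deleted but not overwritten\x00"
    + b"\xff" * 16
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_working_copy(original: bytes, copy: bytes) -> bool:
    """Examination runs on a copy; the copy must hash identically to the
    acquired image or the results cannot be tied back to the evidence."""
    return sha256_hex(original) == sha256_hex(copy)


def carve_strings(image: bytes, min_len: int = 6) -> list:
    """Recover printable-ASCII runs (like the `strings` utility) regardless of
    whether a file system still references them, so deleted data in
    unallocated space surfaces alongside live data."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, image)]


def carve_phone_numbers(image: bytes) -> list:
    """Data reduction: keep only E.164-looking numbers from the dump."""
    return [m.decode("ascii") for m in re.findall(rb"\+\d{8,15}", image)]


def examination_record(tool: str, timestamp: str, device_status: str,
                       original: bytes, copy: bytes) -> dict:
    """Build the documentation entry: when, device state, tool, image hash,
    whether the working copy verified, and what was found. If the copy does
    not verify, nothing is examined and the findings stay empty."""
    verified = verify_working_copy(original, copy)
    return {
        "timestamp": timestamp,
        "device_status": device_status,
        "tool": tool,
        "image_sha256": sha256_hex(original),
        "copy_verified": verified,
        "findings": carve_strings(copy) if verified else [],
        "phone_numbers": carve_phone_numbers(copy) if verified else [],
    }


if __name__ == "__main__":
    working_copy = bytes(RAW_IMAGE)  # stands in for the examiner's copy
    record = examination_record("hypothetical-hexdump-tool",
                                "2024-01-01T10:00:00Z", "off, battery 60%",
                                RAW_IMAGE, working_copy)
    for key, value in record.items():
        print(f"{key}: {value}")
```

The second carved string only exists because the acquisition was physical: a logical extraction asks the device for its message store and would never return the record sitting in the unallocated region, which is the practical reason the text prefers physical acquisition when it is available.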
Challenges in mobile forensics
- Hardware differences: The examiner may come across many different models, which differ in operating system, size, features or hardware.
- Encryption: Modern phones come with security features such as encryption; encrypted data has to be decrypted before the examiner can proceed with the examination.
- Lack of a single comprehensive tool: Due to the varied nature of mobile devices, a single tool may not support all devices or perform all the necessary functions.
- Anti-forensic techniques: Anti-forensic techniques such as data hiding, data obfuscation or wiping make the investigation process more difficult.