Mobile device forensics is a branch of digital forensics concerned with the recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication capability, including PDA devices, GPS devices and tablet computers.
The use of mobile phones and devices in crime has been widely recognised for several years, but the forensic study of mobile devices is a relatively new field, dating from the late 1990s and early 2000s. The proliferation of phones (particularly smartphones) and other digital devices on the consumer market created a demand for forensic examination of these devices that could not be met by existing computer forensics techniques.
Mobile devices can be used to store several types of personal information such as contacts, photos, calendars and notes, SMS and MMS messages. Smartphones may additionally contain video, email, web browsing information, location information, and social networking messages and contacts.
There is a growing need for mobile forensics for several reasons, the main ones being:
- the use of mobile phones to store and transmit personal and corporate information
- the use of mobile phones in online transactions
- the intersection of law enforcement, criminals and mobile devices
Mobile device forensics can be particularly challenging on a number of levels:
- There are both evidential and technical challenges. For example, cell site analysis based on a mobile phone's use of network coverage is not an exact science. Consequently, while it is possible to determine roughly the cell site zone from which a call was made or received, it is not yet possible to say with any degree of certainty that a mobile phone call originated from a specific location, e.g. a residential address.
- To remain competitive, original equipment manufacturers frequently change mobile phone form factors, operating system file structures, data storage, services, peripherals, and even pin connectors and cables. As a result, forensic examiners must use a different forensic process compared to computer forensics.
- Storage capacity continues to grow thanks to demand for more powerful "mini computer" type devices.
- Not only the types of data but also the way mobile devices are used are constantly evolving.
- Hibernation behaviour, in which processes are suspended when the device is powered off or idle but at the same time remain active.
As a result of these challenges, a wide variety of tools exist to extract evidence from mobile devices; no single tool or method can acquire all the evidence from all devices. It is therefore recommended that forensic examiners, especially those wishing to qualify as expert witnesses in court, undergo extensive training in order to understand how each tool and method acquires evidence, how it maintains standards for forensic soundness, and how it meets legal requirements such as the Daubert standard or the Frye standard.
History
As a field of study, forensic examination of mobile devices dates from the late 1990s and early 2000s. The role of mobile phones in crime had long been recognised by law enforcement. With the increased availability of such devices on the consumer market and the wider array of communication platforms they support (e.g. email, web browsing), demand for forensic examination grew.
Early efforts to examine mobile devices used techniques similar to the first computer forensics investigations: analysing phone contents directly via the screen and photographing important content. However, this proved to be a time-consuming process, and as the number of mobile devices began to increase, investigators called for more efficient means of extracting data. Enterprising mobile forensic examiners sometimes used mobile phone or PDA sync software to "back up" device data to a forensic computer for imaging, or sometimes simply performed computer forensics on the hard drive of a suspect computer to which the data had been synchronised. However, this type of software could write to the phone as well as read it, and could not retrieve deleted data.
Some forensic examiners found that they could retrieve even deleted data using "flasher" or "twister" boxes, tools developed by OEMs to "flash" a phone's memory for debugging or updating. However, flasher boxes are invasive and can alter data; they can be complicated to use; and, because they were not developed as forensic tools, they perform neither hash verification nor (in most cases) audit trails. For physical forensic examinations, therefore, better alternatives remained necessary.
To meet these demands, commercial tools appeared which allowed examiners to recover phone memory with minimal disruption and analyse it separately. Over time these commercial techniques developed further, and the recovery of deleted data from proprietary mobile devices became possible with some specialist tools. Moreover, commercial tools have automated much of the extraction process, making it possible even for minimally trained first responders, who are now far more likely to encounter suspects with mobile devices in their possession than with computers, to perform basic extractions for triage and data preview purposes.
Professional applications
Mobile device forensics is best known for its application to law enforcement investigations, but it is also useful for military intelligence, corporate investigations, private investigations, criminal and civil defence, and electronic discovery.
Types of evidence
As mobile device technology advances, the amount and types of data that can be found on a mobile device are constantly increasing. Evidence that can potentially be recovered from a mobile phone may come from several different sources, including handset memory, the SIM card, and attached memory cards such as SD cards.
Traditionally, mobile phone forensics has been associated with recovering SMS and MMS messages, as well as call logs, contact lists and phone IMEI/ESN information. However, newer generations of smartphones also include a wider variety of information: web browsing data, wireless network settings, geolocation information (including geotags contained in image metadata), e-mail and other forms of rich Internet media, including important data such as social networking service posts and contacts, which are now stored in smartphone 'apps'.
Internal memory
Nowadays mostly flash memory of the NAND or NOR type is used in mobile devices.
External memory
External memory devices are SIM cards, SD cards (commonly found in GPS devices as well as mobile phones), MMC cards, CF cards, and Memory Sticks.
Service provider logs
Although not technically part of mobile device forensics, the call detail records (and occasionally text messages) from wireless carriers often serve as "back up" evidence obtained after the mobile phone has been seized. These are useful when the call history and/or text messages have been deleted from the phone, or when location-based services are not turned on. Call detail records and cell site (tower) dumps can show the phone owner's location, and whether they were stationary or moving (i.e., whether the phone's signal bounced off the same side of a single tower, or off different sides of multiple towers along a particular path of travel). Carrier data and device data together can be used to corroborate information from other sources, for instance video surveillance footage or eyewitness accounts, or to determine the general location where a non-geotagged image or video was taken.
The European Union requires its member states to retain certain telecommunications data for use in investigations. This includes data on calls made and received. The location of a mobile phone can be determined and this geographical data must also be retained. In the United States, however, no such requirement exists, and no standards govern how long carriers should retain data or even what they must retain. For example, text messages may be retained only for a week or two, while call logs may be retained anywhere from a few weeks to several months. To reduce the risk of evidence being lost, law enforcement agents must submit a preservation letter to the carrier, which they then must back up with a search warrant.
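The stationary-versus-moving reading of carrier records described above, as an added worked example (not part of the original article): the CSV layout, tower names and timestamps are constructed for illustration and do not follow any real carrier's export format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed call detail records (the column layout is an assumption, not a
# real carrier export format): timestamp, direction, other party, cell tower id,
# antenna sector (azimuth in degrees). Tower plus sector is one "side" of a tower.
SAMPLE_CDR = """\
2023-03-04T08:02:11,OUT,+15550001111,TOWER-A,120
2023-03-04T08:15:40,IN,+15550002222,TOWER-A,120
2023-03-04T08:31:05,OUT,+15550003333,TOWER-A,120
2023-03-04T09:02:50,OUT,+15550001111,TOWER-B,240
2023-03-04T09:11:12,IN,+15550004444,TOWER-C,0
2023-03-04T09:20:33,OUT,+15550002222,TOWER-D,120
"""


@dataclass(frozen=True)
class CdrRecord:
    when: datetime
    direction: str
    party: str
    tower: str
    sector: int

    @property
    def cell(self) -> str:
        return f"{self.tower}/{self.sector}"


def parse_cdr(text: str) -> list:
    """Parse the constructed CSV layout above, skipping blank lines.

    Records are returned in chronological order so later analysis can rely on it.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, party, tower, sector = line.split(",")
        records.append(CdrRecord(datetime.fromisoformat(ts), direction, party, tower, int(sector)))
    return sorted(records, key=lambda r: r.when)


def movement_profile(records: list, window: timedelta = timedelta(hours=1)) -> list:
    """Bucket records into consecutive time windows and label each window.

    A window whose every record hit the same tower sector is 'stationary': the
    phone stayed somewhere inside that sector's coverage area (an area, not an
    address, as the article stresses). A window spanning several cells is
    'moving'. Windows with no records are skipped.
    """
    if not records:
        return []
    start = records[0].when
    buckets = {}
    for rec in records:
        idx = (rec.when - start) // window  # timedelta // timedelta -> int
        buckets.setdefault(idx, []).append(rec)
    profile = []
    for idx in sorted(buckets):
        cells = [r.cell for r in buckets[idx]]
        profile.append({
            "window_start": start + idx * window,
            "records": len(cells),
            "cells": cells,
            "label": "stationary" if len(set(cells)) == 1 else "moving",
        })
    return profile


def records_between(records: list, start: datetime, end: datetime) -> list:
    """Records with start <= timestamp <= end, for lining carrier data up against
    an independently timed source such as a surveillance recording."""
    return [r for r in records if start <= r.when <= end]
```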
The forensic process
The forensic process for mobile devices broadly matches that of other branches of digital forensics; however, some particular concerns apply. Generally, the process can be broken down into three main categories: seizure, acquisition, and examination/analysis. Other aspects of the computer forensic process, such as intake, validation, documentation/reporting, and archiving, still apply.
Seizure
Seizing mobile devices is covered by the same legal considerations as other digital media. Mobile phones will often be recovered switched on; since the aim of seizure is to preserve evidence, the device will often be transported in the same state to avoid a shutdown, which would change files. In addition, the investigator ... However, leaving the phone on carries another risk: the device can still make a network/cellular connection. This may bring in new data, overwriting evidence. To prevent a connection, mobile devices are often transported and examined from within a Faraday cage (or bag). Even so, there are two disadvantages to this method. First, it renders the device unusable, as its touch screen or keypad cannot be used. Second, a device's search for a network connection will drain its battery more quickly. While devices and their batteries can often be recharged, again, the investigator ...
Acquisition
The second step in the forensic process is acquisition, in this case usually referring to the retrieval of material from a device (as compared to the bit-copy imaging used in computer forensics). Due to the proprietary nature of mobile phones it is often not possible to acquire data with the device powered down; most mobile device acquisition is performed live. With more advanced smartphones using advanced memory management, connecting the device to a charger and putting it into a Faraday cage may not be good practice. The mobile device would recognise the network disconnection and therefore change its status information, which can trigger the memory manager to write data. Most acquisition tools for mobile devices are commercial in nature and consist of a hardware and a software component, often automated.
Examination and analysis
As an increasing number of mobile devices use high-level file systems similar to the file systems of computers, methods and tools can be taken over from hard disk forensics or need only slight changes.
The FAT file system is generally used on NAND memory. A difference is the block size used, which is larger than 512 bytes for hard disks and depends on the memory type used, e.g., NOR type 64, 128, 256 and NAND memory 16, 128, 256, or 512 kilobytes.
Different software tools can extract the data from the memory image. One could use specialised and automated forensic software products or generic file viewers such as any hex editor to search for characteristic file headers. The advantage of the hex editor is the deeper insight into the memory management, but working with a hex editor means a lot of handwork and requires knowledge of the file system as well as of file headers. In contrast, specialised forensic software simplifies the search and extracts the data, but may not find everything. AccessData, Sleuthkit and EnCase, to mention only a few, are forensic software products for analysing memory images. Since there is no tool that extracts all possible information, it is advisable to use two or more tools for examination. There is currently (February 2010) no software solution that obtains all evidence from flash memories.
Data acquisition types
Mobile device data extraction can be classified along a continuum on which methods become more technical and "forensically sound", tools become more expensive, analysis takes longer, examiners need more training, and some methods can even become more invasive.
Manual acquisition
The examiner utilises the user interface to investigate the content of the phone's memory. Therefore the device is used as normal, with the examiner taking pictures of each screen's contents. This method has an advantage in that the operating system makes it unnecessary to use specialised tools or equipment to transform raw data into human-interpretable information. In practice this method is applied to mobile phones, PDAs and navigation systems. The disadvantages are that only data visible to the operating system can be recovered; that all data is available only in the form of pictures; and that the process itself is time-consuming.
Logical acquisition
Logical acquisition implies a bit-by-bit copy of logical storage objects (e.g., directories and files) that reside on a logical store (e.g., a file system partition). Logical acquisition has the advantage that system data structures are easier for a tool to extract and organise. Logical extraction acquires information from the device using the original equipment manufacturer's application programming interface for synchronising the phone's contents with a personal computer. A logical extraction is generally easier to work with as it does not produce a large binary blob. However, a skilled forensic examiner will be able to extract far more information from a physical extraction.
File system acquisition
Logical extraction usually does not produce any deleted information, because it has normally been removed from the phone's file system. However, in some cases, particularly with platforms built on SQLite, such as iOS and Android, the phone may keep a database file of information which does not overwrite the information but simply marks it as deleted and available for later overwriting. In such cases, if the device allows file system access through its synchronisation interface, it is possible to recover deleted information. File system extraction is useful for understanding the file structure, web browsing history, or app usage, as well as giving the examiner the ability to perform an analysis with traditional computer forensic tools.
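The SQLite behaviour described above, as an added example (not part of the original article and not tied to any particular app): a constructed messages database is written, one row is deleted, and the logical view (a query) is compared with the physical view (printable strings carved from the raw file). The example forces secure_delete off so the result is deterministic; with secure_delete on, or when the freed page space has since been reused, the deleted content is gone and this recovery fails.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows standing in for an app's message store.
SAMPLE_MESSAGES = [
    (1, "+15550001111", "meet at the usual place at nine"),
    (2, "+15550002222", "CONSTRUCTED-MARKER-7f3a this row will be deleted"),
    (3, "+15550003333", "running late, start without me"),
]


def build_and_delete(db_path: str, delete_rowid: int) -> None:
    """Create the sample database, commit it, then delete one row.

    secure_delete is forced OFF for a deterministic demonstration. With it ON,
    SQLite zeroes freed cells on delete and nothing below would be recoverable.
    """
    conn = sqlite3.connect(db_path)
    conn.execute("PRAGMA secure_delete=OFF")
    conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    # The deleted cell is only added to the page's free space; its payload
    # bytes stay on disk until that space is reused by a later insert.
    conn.execute("DELETE FROM messages WHERE id = ?", (delete_rowid,))
    conn.commit()
    conn.close()


def logical_view(db_path: str) -> list:
    """What a logical/API-level extraction sees: live rows only."""
    conn = sqlite3.connect(db_path)
    rows = conn.execute("SELECT id, sender, body FROM messages ORDER BY id").fetchall()
    conn.close()
    return rows


def carve_ascii_strings(blob: bytes, min_len: int = 8) -> list:
    """Physical view: every run of printable ASCII of at least min_len bytes."""
    found, run = [], bytearray()
    for b in blob:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def compare_views(db_path: str, deleted_body: str) -> dict:
    """Report whether the deleted text is visible logically and/or physically."""
    rows = logical_view(db_path)
    with open(db_path, "rb") as fh:
        raw = fh.read()
    return {
        "logical_rows": len(rows),
        "body_in_logical_view": any(r[2] == deleted_body for r in rows),
        "body_in_raw_pages": any(deleted_body in s for s in carve_ascii_strings(raw)),
    }


def demo() -> dict:
    """Run the whole experiment in a temporary directory and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        build_and_delete(path, 2)
        return compare_views(path, SAMPLE_MESSAGES[1][2])


if __name__ == "__main__":
    print(demo())
```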
Physical acquisition
Physical acquisition implies a bit-for-bit copy of an entire physical store (e.g. flash memory); therefore, it is the method most similar to the examination of a personal computer. A physical acquisition has the advantage of allowing deleted files and data remnants to be examined. Physical extraction acquires information from the device by direct access to the flash memory.
Generally this is harder to achieve because the device's original equipment manufacturer needs to secure it against arbitrary reading of memory; therefore, a device may be locked to a certain operator. To get past this security, mobile forensics tool vendors often develop their own boot loaders, enabling the forensic tool to access the memory (and often, also to bypass user passcodes or pattern locks).
Generally the physical extraction is split into two steps, the dumping phase and the decoding phase.
Brute force acquisition
Brute force acquisition can be performed by third-party passcode brute force tools that send a series of passcodes/passwords to the mobile device. This is a time-consuming method, but effective nonetheless. The brute force tool connects to the device and physically sends codes on iOS devices from 0000 to 9999 in sequence until the correct code is successfully entered. Once the code entry has been successful, full access to the device is given and data extraction can commence.
Tools
Early investigations consisted of live manual analysis of mobile devices, with examiners photographing or writing down useful material for use as evidence. Without forensic photography equipment such as Fernico ZRT, EDEC Eclipse, or Project-a-Phone, this had the disadvantage of risking the modification of the device content, as well as leaving many parts of the proprietary operating system inaccessible.
In recent years a number of hardware/software tools have emerged to recover logical and physical evidence from mobile devices. Most tools consist of both hardware and software portions. The hardware includes a number of cables to connect the phone to the acquisition machine; the software exists to extract the evidence and, occasionally, even to analyse it.
Most recently, mobile device forensic tools have been developed for use in the field. This is in response both to military units' demand for fast and accurate anti-terrorism intelligence, and to law enforcement demand for forensic previewing capabilities at a crime scene, during search warrant execution, or in exigent circumstances. Such mobile forensic tools are often ruggedised for harsh environments (e.g. the battlefield) and rough treatment (e.g. being dropped or submerged in water).
Generally, because it is impossible for any one tool to capture all evidence from all mobile devices, mobile forensic professionals recommend that examiners establish entire toolkits consisting of a mix of commercial, open source, broad support and narrow support forensic tools, together with accessories such as battery chargers, Faraday bags or other signal disruption equipment, and so forth.
Commercial forensic tools
Some current tools include Cellebrite UFED, Oxygen Forensic Detective, Susteen Secure View and Micro Systemation XRY.
Some tools have additionally been developed to address the increasing use of phones manufactured with Chinese chipsets, including MediaTek (MTK), Spreadtrum and MStar. Such tools include Cellebrite CHINEX and XRY PinPoint.
Open source
Most open source mobile forensics tools are platform-specific and geared toward smartphone analysis. Though not originally designed to be a forensics tool, BitPim has been widely used on CDMA phones as well as LG VX4400/VX6000 and many Sanyo Sprint phones.
Physical tools
Forensic desoldering
Commonly referred to as the "Chip-Off" technique within the industry, the last and most intrusive method of obtaining a memory image is to desolder the non-volatile memory chip and connect it to a memory chip reader. This method carries the potential danger of total data destruction: it is possible to destroy the chip and its content because of the heat required during desoldering. Before the invention of BGA technology it was possible to attach probes to the pins of the memory chip and to recover the memory through these probes. The BGA technique bonds the chips directly onto the PCB through molten solder balls, so that it is no longer possible to attach probes.
Desoldering the chips is done carefully and slowly, so that the heat does not destroy the chip or the data. Before the chip is desoldered the PCB is baked in an oven to eliminate remaining water. This prevents the so-called popcorn effect, in which the remaining water would blow the chip package apart during desoldering.
There are mainly three methods of melting the solder: hot air, infrared light, and steam-phasing. The infrared light technology works with a focused infrared light beam directed onto a specific integrated circuit and is used for small chips. The hot air and steam methods cannot focus as precisely as the infrared technique.
Chip re-balling
After desoldering the chip, a re-balling process cleans the chip and adds new solder balls to it. Re-balling can be done in two different ways.
- The first is to use a stencil. The stencil is chip-dependent and must fit exactly. Then the tin solder is put on the stencil. After the tin has cooled the stencil is removed and, if necessary, a second cleaning step is done.
- The second method is laser re-balling. Here the stencil is programmed into the re-balling unit. A bondhead (which looks like a tube/needle) is automatically loaded with one tin ball from a solder ball singulation tank. The ball is then heated by a laser, so that the tin solder ball becomes fluid and flows onto the cleaned chip. Immediately after melting the ball the laser turns off and a new ball falls into the bondhead. While reloading the bondhead the re-balling unit changes position to the next pin.
A third method makes the entire re-balling process unnecessary. The chip is connected to an adapter with Y-shaped springs or spring-loaded pogo pins. The Y-shaped springs need a ball on the pin to establish an electrical connection, but the pogo pins can be used directly on the pads of the chip without the balls.
The advantage of forensic desoldering is that the device does not need to be functional and that a copy without any changes to the original data can be made. The disadvantage is that the re-balling devices are expensive, so this process is very costly, and there is some risk of total data loss. Hence, forensic desoldering should only be done by experienced laboratories.
JTAG
Existing standardised interfaces for reading data are built into several mobile devices, e.g., to get position data from GPS equipment (NMEA) or to get deceleration information from airbag units.
Not all mobile devices provide such a standardised interface, nor does a standard interface exist for all mobile devices, but all manufacturers have one problem in common. The miniaturising of device parts raises the question of how to automatically test the functionality and quality of the soldered integrated components. For this problem an industry group, the Joint Test Action Group (JTAG), developed a test technology called boundary scan.
Despite the standardisation there are four tasks before the JTAG device interface can be used to recover the memory. To find the correct bits in the boundary scan register one must know which processor and memory circuits are used and how they are connected to the system bus. When the interface is not accessible from outside, one must find the test points for the JTAG interface on the printed circuit board and determine which test point is used for which signal. The JTAG port is not always soldered with connectors, so that it is sometimes necessary to open the device and re-solder the access port. The protocol for reading the memory must be known and, finally, the correct voltage must be determined to prevent damage to the circuit.
The boundary scan produces a complete forensic image of the volatile and non-volatile memory. The risk of data change is minimised and the memory chip does not have to be desoldered. Generating the image can be slow and not all mobile devices are JTAG enabled. Also, it can be difficult to find the test access port.
Command line tools
System commands
Mobile devices do not provide the possibility of running or booting from a CD, connecting to a network share or another device with clean tools. Therefore, system commands could be the only way to save the volatile memory of a mobile device. Given the risk of modified system commands, it must be estimated whether the volatile memory is really important. A similar problem arises when no network connection is available and no secondary memory can be connected to the mobile device, because the volatile memory image must then be saved on the internal non-volatile memory, where the user data is stored and most likely deleted important data will be lost. System commands are the cheapest method, but imply some risk of data loss. Every use of a command, with its options and output, must be documented.
AT commands
AT commands are old modem commands, e.g., the Hayes command set and Motorola phone AT commands, and can therefore only be used on a device that has modem support. Using these commands one can only obtain information through the operating system, so no deleted data can be extracted.
dd
For external memory and USB flash drives, appropriate software, e.g., the Unix command dd, is needed to make the bit-level copy. Furthermore, USB flash drives with memory protection do not need special hardware and can be connected to any computer. Many USB drives and memory cards have a write-lock switch that can be used to prevent data changes while making a copy.
If the USB drive has no protection switch, a write blocker can be used to mount the drive in read-only mode or, in exceptional cases, the memory chip can be desoldered. SIM and memory cards need a card reader to make the copy. The SIM card is analysed in a forensically sound way, so that it is possible to recover (deleted) data such as contacts or text messages.
The Android operating system includes the dd command. In a blog post about Android forensic techniques, a method for live-imaging an Android device using the dd command is demonstrated.
Non-forensic commercial tools
Flasher tools
A flasher tool is programming hardware and/or software that can be used to program (flash) the device memory, e.g., EEPROM or flash memory. These tools mainly originate from the manufacturer or from service centres for debugging, repair, or upgrade services. They can overwrite the non-volatile memory and some, depending on the manufacturer or device, can also read the memory to make a copy, originally intended as a backup. The memory can be protected from reading, e.g., by software command or by destruction of fuses in the read circuit.
Note that this would not prevent the CPU from writing to or using the memory internally. Flasher tools are easy to connect and use, but some can change the data, have other dangerous options, or do not make a complete copy.
Controversy
In general there is no standard for what constitutes a supported device in a specific product. This has led to a situation where different vendors define a supported device differently. Such a situation makes it much harder to compare products based on vendor-provided lists of supported devices. For instance, a device for which logical extraction with one product produces only a list of calls made by the device may be listed as supported by that vendor, while another vendor's product can produce much more information.
Furthermore, different products extract different amounts of information from different devices. This leads to a very complex landscape when trying to survey the products. In general this leads to a situation where extensive testing of a product before purchase is strongly recommended. It is quite common to use at least two products that complement each other.
Mobile phone technology is evolving at a rapid pace. Digital forensics relating to mobile devices seems to be at a standstill or evolving slowly. For mobile phone forensics to catch up with the release cycles of mobile phones, a more comprehensive and in-depth framework for evaluating mobile forensic toolkits should be developed, and data on appropriate tools and techniques for each type of phone should be made available in a timely manner.
Anti-forensics
Anti-computer forensics is more difficult on mobile devices because of their small size and the user's restricted access to data. Nevertheless, there are developments to secure the memory in hardware with security circuits in the CPU and memory chip, so that the memory chip cannot be read even after desoldering.
External links
- 'Mobile Forensics World' Conference
- Chip-Off Forensics (forensicwiki.org)
- JTAG Forensics (forensicwiki.org)
Source of the article : Wikipedia