Mobile device forensics is a form of digital forensics relating to the recovery of digital evidence or data from mobile devices. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability, including PDA devices, GPS devices, and tablet computers. The extraction of deleted mobile phone files used as criminal evidence is the primary work of mobile phone forensics investigators. Mobile phone forensics is applied to digital data retrieval of deleted communications. These may aid legal teams or police detectives, resulting in legal evidence production and presentation.
Which data is evaluated under phone forensic?
◆ Call logs (received, dialed, missed)
◆ Contact lists
◆ Locations (Wi-Fi, cell towers and GPS coordinates)
◆ Text messages and MMS (video/audio) messages
◆ Images
◆ Emails
◆ Browser history
◆ Wi-Fi connections and passwords
◆ Downloaded files
◆ Tracking apps
◆ Deleted data
◆ Bluetooth connections
◆ Installed malware
Which tools & techniques are used in mobile forensics?
Forensic software vendors keep developing new techniques for extracting data from the many kinds of cellular devices. The two best-known techniques are physical and logical acquisition. Physical extraction is done through JTAG or a cable connection, whereas logical extraction occurs via Bluetooth, infrared, or a cable connection.
Manual Acquisition
The manual extraction technique allows investigators to extract and view data through the device’s touchscreen or keypad; the data is then documented at a later stage. Manual extraction can be time-consuming and carries a risk of human error. For example, data may be accidentally modified or deleted during the examination.
Logical Acquisition
In this technique, the investigators connect the cellular device to a forensic workstation via Bluetooth, infrared, an RJ-45 cable, or a USB cable. The workstation, using a logical extraction tool, sends a series of commands to the mobile device. The requested data is read from the phone’s memory and sent back to the forensic workstation for analysis.
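Once a logical extraction has returned a copy of the phone’s call log to the workstation, the examiner still has to verify the copy and interpret it. The following added example (not code from the original article or from any forensic tool it mentions) does both for the “call logs (received, dialed, missed)” item in the data list above: it records a SHA-256 digest of the acquired file, opens it strictly read-only so the evidence copy is never modified, and normalises each row into the received/dialed/missed categories. The database schema is an assumed, simplified subset of an Android-style call log table (number, date in milliseconds since the epoch, duration in seconds, type code 1 = incoming, 2 = outgoing, 3 = missed), and every row is constructed sample data, not a real acquisition.

```python
"""Verify and parse a logically acquired call log database (added example).

Assumptions: the 'calls' table below is a simplified, assumed subset of an
Android-style call log; all rows are constructed sample data.
"""
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Type codes used by the assumed schema (1 = incoming, 2 = outgoing, 3 = missed).
CALL_TYPES = {1: "received", 2: "dialed", 3: "missed"}


def sha256_file(path):
    """Digest of the acquired file, recorded at acquisition time and re-checked later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample_calllog(path):
    """Create a constructed call log standing in for the file returned by the phone."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT, "
        "date INTEGER, duration INTEGER, type INTEGER)"
    )
    rows = [  # constructed sample rows: (number, date_ms, duration_s, type)
        ("+15550100", 1700000000000, 65, 1),
        ("+15550101", 1700000600000, 0, 3),
        ("+15550102", 1700001200000, 120, 2),
        ("+15550103", 1700001800000, 0, 9),  # unknown code: surfaced, not dropped
    ]
    con.executemany(
        "INSERT INTO calls (number, date, duration, type) VALUES (?, ?, ?, ?)", rows
    )
    con.commit()
    con.close()


def parse_calllog(path, expected_sha256=None):
    """Re-verify the evidence copy, open it read-only, and return normalised records."""
    actual = sha256_file(path)
    if expected_sha256 is not None and actual != expected_sha256:
        raise ValueError("hash mismatch: evidence file altered since acquisition")
    # mode=ro guarantees the parser cannot write to the evidence copy.
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    records = []
    query = "SELECT number, date, duration, type FROM calls ORDER BY date"
    for number, date_ms, duration, call_type in con.execute(query):
        records.append({
            "number": number,
            "time_utc": datetime.fromtimestamp(date_ms / 1000, tz=timezone.utc).isoformat(),
            "duration_s": duration,
            "type": CALL_TYPES.get(call_type, f"unknown({call_type})"),
        })
    con.close()
    return records


def summarize(records):
    """Count records per category (received / dialed / missed / unknown)."""
    counts = {}
    for r in records:
        counts[r["type"]] = counts.get(r["type"], 0) + 1
    return counts


def run_demo():
    """Acquire (simulated), hash, parse, and prove that tampering is detected."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "calllog.db")
        build_sample_calllog(db)
        digest = sha256_file(db)  # would be written to the acquisition log
        records = parse_calllog(db, digest)
        try:
            parse_calllog(db, "0" * 64)  # wrong digest must be rejected
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return records, summarize(records), tamper_detected


if __name__ == "__main__":
    recs, counts, detected = run_demo()
    for r in recs:
        print(r)
    print(counts, "tamper check:", detected)
```

Two design points matter for evidence handling: the digest is taken before anything opens the file and is re-checked on every later read, and the database is opened with `mode=ro` so that a parsing bug cannot alter the acquired copy. Unknown type codes are reported rather than silently discarded, so a schema difference between phone models (one of the challenges discussed below) shows up in the output instead of quietly losing rows.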
Mobile forensic challenges
One of the biggest forensic challenges of the mobile platform is that data can be accessed, stored, and synchronized across multiple devices. Because the data is volatile and can be quickly changed or deleted remotely, preserving it is difficult. The reasons for these difficulties are:
Hardware differences: There are many different models of mobile phones from different manufacturers. Forensic examiners may come across different types of mobile models, which differ in size, hardware, features, and operating system. It is important for the examiner to adapt to all the challenges and remain updated on mobile device forensic techniques.
Mobile operating systems: Mobile devices run a wide range of operating systems, including Apple’s iOS, Google’s Android, RIM’s BlackBerry OS, Microsoft’s Windows Mobile, HP’s webOS, Nokia’s Symbian OS, and many others. A different method may be required for each operating system.
Mobile platform security features: Modern mobile platforms contain built-in security features to protect user data and privacy. These features may act as a hurdle during forensic acquisition and examination.
Lack of resources: As the number of mobile phone models grows, so does the set of tools a forensic examiner needs. Forensic acquisition accessories, such as USB cables, batteries, and chargers for different mobile phones, have to be maintained in order to acquire data from those devices.
Generic state of the device: Even if a device appears to be switched off, background processes may still be running. For example, in most mobiles the alarm clock still works even when the phone is switched off.
Anti-forensic techniques: Anti-forensic techniques, such as data hiding, data forgery, and secure wiping, make investigations on digital media more difficult.
Accidental reset: Mobile phones provide features to reset everything. Resetting the device accidentally while examining it may result in the loss of data.
Malicious programs: The device might contain malicious software. Such programs may attempt to spread to other devices over either a wired or a wireless interface.
Legal issues: Mobile devices might be involved in crimes that cross geographical boundaries. In order to tackle these multi-jurisdictional issues, the forensic examiner should be aware of the nature of the crime and of the regional law.