Practical Mobile Forensics - Heather Mahalik - E-Book

Description

Covering up-to-date mobile platforms, this book focuses on teaching you the most recent techniques for investigating mobile devices. We delve into mobile forensics techniques on iOS 9-11, Android 7-8 devices, and Windows 10. We will demonstrate the latest open source and commercial mobile forensics tools, enabling you to analyze and retrieve data effectively. You will learn how to introspect and retrieve data from the cloud, and document and prepare reports of your investigations.

By the end of this book, you will have mastered the current operating systems and the relevant techniques to recover data from mobile devices by leveraging open source solutions.

The e-book can be read in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 375

Year of publication: 2018




Practical Mobile Forensics Third Edition

A hands-on guide to mastering mobile forensics for the iOS, Android, and the Windows Phone platforms

Rohit Tamma
Oleg Skulkin
Heather Mahalik
Satish Bommisetty

BIRMINGHAM - MUMBAI

Practical Mobile Forensics Third Edition

Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Vijin Boricha
Acquisition Editor: Rohit Rajkumar
Content Development Editor: Devika Battike
Technical Editor: Aditya Khadye
Copy Editor: Safis Editing
Project Coordinator: Judie Jose
Proofreader: Safis Editing
Indexer: Rekha Nair
Graphics: Tania Dutta
Production Coordinator: Arvindkumar Gupta

First published: July 2014
Second edition: May 2016
Third edition: January 2018

Production reference: 1220118

Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.

ISBN 978-1-78883-919-8

www.packtpub.com

mapt.io

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Mapt is fully searchable

Copy and paste, print, and bookmark content

PacktPub.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Contributors

About the authors

Rohit Tamma is a security program manager currently working with Microsoft. With over 8 years of experience in the field of security, his background spans management and technical consulting roles in the areas of application and cloud security, mobile security, penetration testing, and security training. Rohit has also coauthored a couple of books, such as Practical Mobile Forensics and Learning Android Forensics, which explain various ways to perform forensics on the mobile platforms. You can contact him on Twitter at @RohitTamma.

Writing this book has been a great experience because it has taught me several things, which could not have been otherwise possible. I would like to dedicate this book to my parents for helping me in every possible way throughout my life.

Oleg Skulkin is a digital forensics "enthusional" (enthusiast and professional) from Russia with more than 6 years of experience, and is currently employed by Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud. He holds a number of certifications, including GCFA, MCFE, and ACE. Oleg is a coauthor of Windows Forensics Cookbook, and you can find his articles about different aspects of digital forensics both in Russian and foreign magazines. Finally, he is a very active blogger, and he updates the Cyber Forensicator blog daily.

I would like to thank my mom and wife for their support and understanding, my friend, Igor Mikhaylov, and my teammates from Group-IB Digital Forensics Lab: Valeriy Baulin, Sergey Nikitin, Vitaliy Trifonov, Roman Rezvuhin, Artem Artemov, Alexander Ivanov, Alexander Simonyan, Alexey Kashtanov, Pavel Zevahin, Vladimir Martyshin, Nikita Panov, Anastasiya Barinova, and Vesta Matveeva.

Heather Mahalik is the director of forensic engineering with ManTech CARD, where she leads the forensic effort focusing on mobile and digital exploitation. She is a senior instructor and author for the SANS Institute, and she is also the course leader for the FOR585 Advanced Smartphone Forensics course. With over 15 years of experience in digital forensics, she continues to thrive on smartphone investigations, digital forensics, forensic course development and instruction, and research on application analysis and smartphone forensics.

Satish Bommisetty is a security analyst working for a Fortune 500 company. His primary areas of interest include iOS forensics, iOS application security, and web application security. He has presented at international conferences, such as ClubHACK and C0C0n. He is also one of the core members of the Hyderabad OWASP chapter. He has identified and disclosed vulnerabilities within the websites of Google, Facebook, Yandex, PayPal, Yahoo!, AT&T, and more, and they are listed in their hall of fame.

About the reviewer

Igor Mikhaylov has been working as a forensics expert for 21 years. During this time, he has attended a lot of seminars and training classes in top forensic companies and forensic departments of government organizations. He has experience and skills in cellphones forensics, chip-off forensics, malware forensics, and other fields. He has worked on several thousand forensic cases.

He is the reviewer of Windows Forensics Cookbook by Oleg Skulkin and Scar de Courcier, Packt Publishing, 2017.

He is the author of Mobile Forensics Cookbook, Packt Publishing, 2017.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Introduction to Mobile Forensics

Why do we need mobile forensics?

Mobile forensics

Challenges in mobile forensics

The mobile phone evidence extraction process

The evidence intake phase

The identification phase

The legal authority

The goals of the examination

The make, model, and identifying information for the device

Removable and external data storage

Other sources of potential evidence

The preparation phase

The isolation phase

The processing phase

The verification phase

Comparing extracted data to the handset data

Using multiple tools and comparing the results

Using hash values

The documenting and reporting phase

The presentation phase

The archiving phase

Practical mobile forensic approaches

Overview of mobile operating systems

Android

iOS

Windows Phone

Mobile forensic tool leveling system

Manual extraction

Logical extraction

Hex dump

Chip-off

Micro read

Data acquisition methods

Physical acquisition

Logical acquisition

Manual acquisition

Potential evidence stored on mobile phones

Examination and analysis

Rules of evidence

Good forensic practices

Securing the evidence

Preserving the evidence

Documenting the evidence and changes

Reporting

Summary

Understanding the Internals of iOS Devices

iPhone models

Identifying the correct hardware model

iPhone hardware

iPad models

Understanding the iPad hardware

Apple Watch models

Understanding the Apple Watch hardware

The filesystem

The HFS Plus filesystem

The HFS Plus volume

The APFS filesystem

The APFS structure

Disk layout

iPhone operating system

The iOS architecture

iOS security

Passcodes, Touch ID, and Face ID

Code Signing

Sandboxing

Encryption

Data protection

Address Space Layout Randomization

Privilege separation

Stack-smashing protection

Data execution prevention

Data wipe

Activation Lock

The App Store

Jailbreaking

Summary

Data Acquisition from iOS Devices

Operating modes of iOS devices

The normal mode

The recovery mode

DFU mode

Setting up the forensic environment

Password protection and potential bypasses

Logical acquisition

Practical logical acquisition with libimobiledevice

Practical logical acquisition with Belkasoft Acquisition Tool

Practical logical acquisition with Magnet ACQUIRE

Filesystem acquisition

Practical jailbreaking

Practical filesystem acquisition with Elcomsoft iOS Forensic Toolkit

Physical acquisition

Practical physical acquisition with Elcomsoft iOS Forensic Toolkit

Summary

Data Acquisition from iOS Backups

iTunes backup

Creating backups with iTunes

Understanding the backup structure

info.plist

manifest.plist

status.plist

manifest.db

Extracting unencrypted backups

iBackup Viewer

iExplorer

BlackLight

Encrypted backup

Elcomsoft Phone Breaker

Working with iCloud backups

Extracting iCloud backups

Summary

iOS Data Analysis and Recovery

Timestamps

Unix timestamps

Mac absolute time

WebKit/Chrome time

SQLite databases

Connecting to a database

SQLite special commands

Standard SQL queries

Accessing a database using commercial tools

Key artifacts – important iOS database files

Address book contacts

Address book images

Call history

SMS messages

Calendar events

Notes

Safari bookmarks and cache

Photo metadata

Consolidated GPS cache

Voicemail

Property lists

Important plist files

The HomeDomain plist files

The RootDomain plist files

The WirelessDomain plist files

The SystemPreferencesDomain plist files

Other important files

Cookies

Keyboard cache

Photos

Thumbnails

Wallpaper

Recordings

Downloaded applications

Apple Watch

Recovering deleted SQLite records

Summary

iOS Forensic Tools

Working with Cellebrite UFED Physical Analyzer

Features of Cellebrite UFED Physical Analyzer

Advanced logical acquisition and analysis with Cellebrite UFED Physical Analyzer

Working with Magnet AXIOM

Features of Magnet AXIOM

Logical acquisition and analysis with Magnet AXIOM

Working with Belkasoft Evidence Center

Features of Belkasoft Evidence Center

iTunes backup parsing and analysis with Belkasoft Evidence Center

Working with Oxygen Forensic Detective

Features of Oxygen Forensic Detective

Logical acquisition and analysis with Oxygen Forensic Detective

Summary

Understanding Android

The evolution of Android

The Android model

The Linux kernel layer

The Hardware Abstraction Layer

Libraries

Dalvik virtual machine

Android Runtime (ART)

The Java API framework layer

The system apps layer

Android security

Secure kernel

The permission model

Application sandbox

Secure inter-process communication

Application signing

Security-Enhanced Linux

Full Disk Encryption

Trusted Execution Environment

The Android file hierarchy

The Android file system

Viewing file systems on an Android device

Common file systems found on Android

Summary

Android Forensic Setup and Pre-Data Extraction Techniques

Setting up the forensic environment for Android

The Android Software Development Kit

The Android SDK installation

An Android Virtual Device

Connecting an Android device to a workstation

Identifying the device cable

Installing the device drivers

Accessing the connected device

The Android Debug Bridge

USB debugging

Accessing the device using adb

Detecting connected devices

Killing the local adb server

Accessing the adb shell

Basic Linux commands

Handling an Android device

Screen lock bypassing techniques

Using adb to bypass the screen lock

Deleting the gesture.key file

Updating the settings.db file

Checking for the modified recovery mode and adb connection

Flashing a new recovery partition

Using automated tools

Using Android Device Manager

Smudge attack

Using the Forgot Password/Forgot Pattern option

Bypassing third-party lock screens by booting into safe mode

Securing the USB debugging bypass using adb keys

Securing the USB debugging bypass in Android 4.4.2

Crashing the lock screen UI in Android 5.x

Other techniques

Gaining root access

What is rooting?

Rooting an Android device

Root access - adb shell

Summary

Android Data Extraction Techniques

Data extraction techniques

Manual data extraction

Logical data extraction

ADB pull data extraction

Using SQLite Browser to view the data

Extracting device information

Extracting call logs

Extracting SMS/MMS

Extracting browser history

Analysis of social networking/IM chats

ADB backup extraction

ADB dumpsys extraction

Using content providers

Physical data extraction

Imaging an Android phone

Imaging a memory (SD) card

Joint Test Action Group

Chip-off

Summary

Android Data Analysis and Recovery

Analyzing an Android image

Autopsy

Adding an image to Autopsy

Analyzing an image using Autopsy

Android data recovery

Recovering deleted data from an external SD card

Recovering data deleted from internal memory

Recovering deleted files by parsing SQLite files

Recovering files using file-carving techniques

Recovering contacts using your Google account

Summary

Android App Analysis, Malware, and Reverse Engineering

Analyzing Android apps

Facebook Android app analysis

WhatsApp Android app analysis

Skype Android app analysis

Gmail Android app analysis

Google Chrome Android app analysis

Reverse engineering Android apps

Extracting an APK file from an Android device

Steps to reverse engineer Android apps

Android malware

How does malware spread?

Identifying Android malware

Summary

Windows Phone Forensics

Windows Phone OS

Security model

Chambers

Encryption

Capability-based model

App sandboxing

Windows Phone filesystem

Data acquisition

Commercial forensic tool acquisition methods

Extracting data without the use of commercial tools

SD card data extraction methods

Key artifacts for examination

Extracting contacts and SMS

Extracting call history

Extracting internet history

Summary

Parsing Third-Party Application Files

Third-party application overview

Chat applications

GPS applications

Secure applications

Financial applications

Social networking applications

Encoding versus encryption

Application data storage

iOS applications

Android applications

Windows Phone applications

Forensic methods used to extract third-party application data

Commercial tools

Oxygen Detective

Magnet IEF

UFED Physical Analyzer

Open source tools

Autopsy

Other methods of extracting application data

Summary

Other Books You May Enjoy

Leave a review - let other readers know what you think

Preface

The exponential growth in smartphones has revolutionized several aspects of our lives. Smartphones are one of the most quickly adopted consumer technologies in recent history. Despite their small size, smartphones are capable of performing many tasks, such as sending private messages and confidential emails, taking photos and videos, making online purchases, viewing sensitive information such as medical records and salary slips, completing banking transactions, accessing social networking sites, and managing business tasks. Hence, a mobile device is now a huge repository of sensitive data, which could provide a wealth of information about its owner. This has in turn led to the evolution of mobile device forensics, a branch of digital forensics, which deals with retrieving data from a mobile device. Today, there is a huge demand for specialized forensic experts, especially given the fact that the data retrieved from a mobile device is court-admissible.

Mobile forensics is all about using scientific methodologies to recover data stored within a mobile phone for legal purposes. Unlike traditional computer forensics, mobile forensics has limitations in obtaining evidence due to rapid changes in technology and the fast-paced evolution of mobile software. With different operating systems and a wide range of models being released onto the market, mobile forensics has expanded over the past few years. Specialized forensic techniques and skills are required in order to extract data under different conditions.

This book takes you through various techniques to help you learn how to forensically recover data from different mobile devices with the iOS, Android, and Windows Mobile operating systems. This book also covers behind the scenes details, such as how data is stored and what tools actually do in the background, giving you deeper knowledge on several topics. Step-by-step instructions enable you to try forensically recovering data yourself.

The book is organized in a manner that allows you to focus independently on chapters that are specific to your required platform.

Who this book is for

This book is intended for forensic examiners with little or basic experience in mobile forensics or open source solutions for mobile forensics. The book will also be useful to computer security professionals, researchers, and anyone seeking a deeper understanding of mobile internals. It will also come in handy for those who are trying to recover accidentally deleted data (photos, contacts, SMS messages, and more).

What this book covers

Chapter 1, Introduction to Mobile Forensics, introduces you to the concepts of mobile forensics, the core values, and the challenges involved. The chapter also provides an overview of practical approaches and best practices involved in performing mobile forensics.

Chapter 2, Understanding the Internals of iOS Devices, provides an overview of the popular Apple iOS devices, including an outline of different models and their hardware. The book explains iOS security features and device security and its impact on iOS forensics approaches, focusing on iOS 9-11. The chapter also gives an overview of the HFS+ and APFS filesystems and outlines the sensitive files that are useful for forensic examination.

Chapter 3, Data Acquisition from iOS Devices, covers various types of forensic acquisition methods that can be performed on iOS devices, including logical, filesystem, and physical, and guides you to prepare your desktop machine for forensic work. The chapter also discusses passcode bypass techniques.

Chapter 4, Data Acquisition from iOS Backups, provides detailed explanations of modern iOS backups and details what types of files are stored in a backup. The chapter also includes step-by-step guides on creating encrypted and unencrypted backups and introduces forensic tools capable of recovering data from backups.

Chapter 5, iOS Data Analysis and Recovery, discusses the types of data that are stored on iOS devices and their most common locations in the filesystem. Common file types used in iOS devices, such as plists and SQLite databases, are discussed in detail in order to provide an understanding of how data is stored on a device, which will help forensic examiners to efficiently recover data from those files.

Chapter 6, iOS Forensic Tools, introduces you to the most widely used commercial mobile forensic suites, Cellebrite UFED, Belkasoft Evidence Center, Magnet AXIOM, and Oxygen Forensic Detective, and contains step-by-step guides on how to use them in mobile forensic examinations.

Chapter 7, Understanding Android, introduces you to the Android model, filesystem, and its security features. This chapter provides an explanation of how data is stored on any Android device, which will be useful when carrying out forensic investigations.

Chapter 8, Android Forensic Setup and Pre-Data Extraction Techniques, guides you through Android forensic setup and other techniques to use before extracting any information. Screen lock bypass techniques and gaining root access are also discussed in this chapter.

Chapter 9, Android Data Extraction Techniques, provides an explanation of physical, filesystem, and logical acquisition techniques to extract relevant information from an Android device. This chapter covers imaging the device and other advanced techniques, such as JTAG and Chip-Off.

Chapter 10, Android Data Analysis and Recovery, explains how to extract and analyze data from Android image files. The chapter also covers the possibilities and limitations of recovering deleted data from Android devices.

Chapter 11, Android App Analysis, Malware, and Reverse Engineering, includes an analysis of some of the most widely used Android apps to retrieve valuable data. The chapter also covers Android malware and techniques to reverse engineer an Android app to view its data.

Chapter 12, Windows Phone Forensics, provides a basic overview of forensic approaches when dealing with Windows Phones.

Chapter 13, Parsing Third-Party Application Files, guides you through how applications are stored on Android, iOS, and Windows devices and how commercial and open source tools parse through application data.

To get the most out of this book

The book details practical forensic approaches and explains techniques in a simple manner. The content is organized in a way that allows even a user with basic computer skills to examine a device and extract the required data. A Mac, Windows, or Linux computer would be helpful to successfully repeat the methods defined in this book. Where possible, methods for all computer platforms are provided.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/PracticalMobileForensicsThirdEdition_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Alternatively, the ideviceinfo command-line tool available in the libimobiledevice software library (http://www.libimobiledevice.org/) can be used to identify the iPhone model and its iOS version."

Any command-line input or output is written as follows:

$ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" < /dev/null 2> /dev/null

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Launch Belkasoft Acquisition Tool and choose the Mobile device option:"

Warnings or important notes appear like this.
Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packtpub.com.

Introduction to Mobile Forensics

There is no doubt that mobile devices have become part of our lives and revolutionized the way we do most of our activities. As a result, a mobile device is now a huge repository that holds sensitive and personal information about its owner. This has, in turn, led to the rise of mobile device forensics, a branch of digital forensics that deals with retrieving data from a mobile device. This book will help you understand forensic techniques on three main platforms—Android, iOS, and Windows. We will go through various methods that can be followed to collect evidence from different mobile devices.

In this chapter, we will cover the following topics:

Introduction to mobile forensics

Challenges in mobile forensics

Mobile phone evidence extraction process

Mobile forensic approaches

Good forensic practices

Why do we need mobile forensics?

According to Statista reports, the number of mobile phone users in the world is expected to pass 5 billion by 2019. The world is witnessing technology and user migration from desktops to mobile phones. Most of the growth in the mobile market can be attributed to the continued demand for smartphones. The following graph, sourced from https://www.statista.com/, shows the actual and estimated growth of smartphones from the year 2009 to the year 2019:

Figure: Growth of smartphones from 2009 to 2019 in million units

According to an Ericsson report, global mobile data traffic will reach 71 exabytes per month by 2022, from 8.8 exabytes in 2017, a compound annual growth rate of 42 percent. Smartphones of today, such as the Apple iPhone and the Samsung Galaxy series, are compact forms of computers with high performance, huge storage, and enhanced functionality. Mobile phones are the most personal electronic device that a user accesses. They are used to perform simple communication tasks, such as calling and texting, while still providing support for internet browsing, email, taking photos and videos, creating and storing documents, identifying locations with GPS services, and managing business tasks. As new features and applications are incorporated into mobile phones, the amount of information stored on the devices is continuously growing. Mobile phones have become portable data carriers, and they keep track of all your movements. With the increasing prevalence of mobile phones in people's daily lives and in crime, data acquired from phones becomes an invaluable source of evidence for investigations relating to criminal, civil, and even high-profile cases. It is rare to conduct a digital forensic investigation that does not include a phone. Mobile device call logs and GPS data were used to help solve the attempted bombing in Times Square, New York, in 2010. The details of the case can be found at: https://www.forensicon.com/forensics-blotter/cell-phone-email-forensics-investigation-cracks-nyc-times-square-car-bombing-case/.

The science behind recovering digital evidence from mobile phones is called mobile forensics. Digital evidence is defined as information and data that is stored on, received, or transmitted by an electronic device that is used for investigations. Digital evidence encompasses any and all digital data that can be used as evidence in a case.

Mobile forensics

Digital forensics is a branch of forensic science focusing on the recovery and investigation of raw data residing in electronic or digital devices. The goal of the process is to extract and recover any information from a digital device without altering the data present on the device. Over the years, digital forensics has grown, along with the rapid growth of computers and various other digital devices. There are various branches of digital forensics based on the type of digital device involved, such as computer forensics, network forensics, mobile forensics, and so on.

Mobile forensics is a branch of digital forensics related to the recovery of digital evidence from mobile devices. Forensically sound is a term used extensively in the digital forensics community to qualify and justify the use of a particular forensic technology or methodology. The main principle for a sound forensic examination of digital evidence is that the original evidence must not be modified. This is extremely difficult with mobile devices. Some forensic tools require a communication vector with the mobile device, and thus a standard write protection will not work during forensic acquisition. Other forensic acquisition methods may involve removing a chip or installing a bootloader on the mobile device prior to extracting data for forensic examinations. In cases where the examination or data acquisition is not possible without changing the configuration of the device, the procedure and the changes must be tested, validated, and documented. Following proper methodology and guidelines is crucial in examining mobile devices as it yields the most valuable data. As with any evidence gathering, not following the proper procedure during the examination can result in loss or damage of evidence or render it inadmissible in court.

The mobile forensics process is broken down into three main categories—seizure, acquisition, and examination/analysis. Forensic examiners face some challenges while seizing the mobile device as a source of evidence. At the crime scene, if the mobile device is found switched off, the examiner should place the device in a Faraday bag to prevent changes should the device automatically power on. Faraday bags are specifically designed to isolate the phone from the network. A Faraday bag can be found at: http://www.amazon.com/Black-Hole-Faraday-Bag-Isolation/dp/B0091WILY0.

If the phone is found switched on, switching it off raises several concerns. If the phone is locked by a PIN or password, or encrypted, the examiner will be required to bypass the lock or determine the PIN to access the device. Mobile phones are networked devices and can send and receive data through different sources, such as telecommunication systems, Wi-Fi access points, and Bluetooth. So, if the phone is in a running state, a criminal can securely erase the data stored on the phone by executing a remote wipe command. When a phone is switched on, it should be placed in a Faraday bag. If possible, prior to placing the mobile device in the Faraday bag, disconnect it from the network to protect the evidence by enabling flight mode and disabling all network connections (Wi-Fi, GPS, hotspots, and so on). This will also preserve the battery, which will drain while in a Faraday bag, and protect against leaks in the Faraday bag. Once the mobile device is seized properly, the examiner may need several forensic tools to acquire and analyze the data stored on the phone.

Mobile device forensic acquisition can be performed using multiple methods, which are defined later. Each of these methods affects the amount of analysis required, which will be discussed in greater detail in the upcoming chapters. Should one method fail, another must be attempted. Multiple attempts and tools may be necessary in order to acquire the maximum data from the mobile device.

Mobile phones are dynamic systems that present a lot of challenges to the examiner in extracting and analyzing digital evidence. The rapid increase in the number of different kinds of mobile phones from different manufacturers makes it difficult to develop a single process or tool to examine all types of devices. Mobile phones are continuously evolving as existing technologies progress and new technologies are introduced. Furthermore, mobile devices ship with a variety of embedded operating systems. Hence, special knowledge and skills are required from forensic experts to acquire and analyze the devices.

Challenges in mobile forensics

One of the biggest forensic challenges when it comes to the mobile platform is the fact that data can be accessed, stored, and synchronized across multiple devices. As the data is volatile and can be quickly transformed or deleted remotely, more effort is required for the preservation of this data. Mobile forensics is different from computer forensics and presents unique challenges to forensic examiners.

Law enforcement and forensic examiners often struggle to obtain digital evidence from mobile devices. The following are some of the reasons:

Hardware differences: The market is flooded with different models of mobile phones from different manufacturers. Forensic examiners may come across different types of mobile models, which differ in size, hardware, features, and operating system. Also, with a short product development cycle, new models emerge very frequently. As the mobile landscape is changing each passing day, it is critical for the examiner to adapt to all the challenges and remain updated on mobile device forensic techniques across various devices.

Mobile operating systems: Unlike personal computers, where Windows has dominated the market for years, mobile devices widely use more operating systems, including Apple's iOS, Google's Android, RIM's BlackBerry OS, Microsoft's Windows Phone OS, HP's webOS, and many others. Even within these operating systems, there are several versions, which makes the task of the forensic investigator even more difficult.

Mobile platform security features: Modern mobile platforms contain built-in security features to protect user data and privacy. These features act as a hurdle during forensic acquisition and examination. For example, modern mobile devices come with default encryption mechanisms from the hardware layer to the software layer. The examiner might need to break through these encryption mechanisms to extract data from the devices. The FBI versus Apple encryption dispute was a watershed moment in this regard, where the security implementation of Apple prevented the FBI from breaking into the iPhone seized from an attacker in the San Bernardino case.

Preventing data modification: One of the fundamental rules in forensics is to make sure that data on the device is not modified. In other words, any attempt to extract data from the device should not alter the data present on that device. But this is not practically possible with mobiles because just switching on a device can change the data on that device. Even if a device appears to be in an off state, background processes may still run. For example, in most mobiles, the alarm clock still works even when the phone is switched off. A sudden transition from one state to another may result in the loss or modification of data.

Anti-forensic techniques: Anti-forensic techniques, such as data hiding, data obfuscation, data forgery, and secure wiping, make investigations on digital media more difficult.

Passcode recovery: If the device is protected with a passcode, the forensic examiner needs to gain access to the device without damaging the data on the device. While there are techniques to bypass the screen lock, they may not always work on all the versions.

Lack of resources: As mentioned earlier, with the growing number of mobile phones, the number of tools a forensic examiner needs also increases. Forensic acquisition accessories, such as USB cables, batteries, and chargers for different mobile phones, have to be maintained in order to acquire those devices.

Dynamic nature of evidence: Digital evidence may be easily altered either intentionally or unintentionally. For example, browsing an application on the phone might alter the data stored by that application on the device.

Accidental reset: Mobile phones provide features to reset everything. Resetting the device accidentally while examining it may result in the loss of data.

Device alteration: The possible ways to alter devices may range from moving application data or renaming files, to modifying the manufacturer's operating system. In this case, the expertise of the suspect should be taken into account.

Communication shielding: Mobile devices communicate over cellular networks, Wi-Fi networks, Bluetooth, and infrared. As device communication might alter the device data, the possibility of further communication should be eliminated after seizing the device.

Lack of availability of tools: There is a wide range of mobile devices. A single tool may not support all the devices or perform all the necessary functions, so a combination of tools needs to be used. Choosing the right tool for a particular phone might be difficult.

Malicious programs: The device might contain malicious software or malware, such as a virus or a Trojan. Such malicious programs may attempt to spread to other devices over either a wired or a wireless interface.

Legal issues: Mobile devices might be involved in crimes, which can cross geographical boundaries. In order to tackle these multijurisdictional issues, the forensic examiner should be aware of the nature of the crime and the regional laws.

The mobile phone evidence extraction process

Evidence extraction and forensic examination of each mobile device may differ. However, following a consistent examination process will assist the forensic examiner to ensure that the evidence extracted from each phone is well-documented and that the results are repeatable and defendable. There is no well-established standard process for mobile forensics.

However, the following figure provides an overview of process considerations for the extraction of evidence from mobile devices. All methods used when extracting data from mobile devices should be tested, validated, and well-documented:

Mobile phone evidence extraction process

A great resource for handling and processing mobile devices can be found at: http://digital-forensics.sans.org/media/mobile-device-forensic-process-v3.pdf.

As shown in the preceding figure, forensics on a mobile device includes several phases, from the evidence intake phase to the archiving phase. The following sections provide an overview of various considerations across all the phases.

The evidence intake phase

The evidence intake phase is the starting phase and entails request forms and paperwork to document ownership information and the type of incident the mobile device was involved in, and it outlines the type of data or information the requester is seeking. Developing specific objectives for each examination is a critical part of this phase, as it serves to clarify the examiner's goals. Also, while seizing the device, care should be taken not to modify any data present on the device. At the same time, any opportunity that might help the investigation should not be missed. For example, at the time of seizing the device, if the device is unlocked, then try to disable the passcode.

The identification phase

The forensic examiner should identify the following details for every examination of a mobile device:

The legal authority

The goals of the examination

The make, model, and identifying information for the device

Removable and external data storage

Other sources of potential evidence

We will discuss each of them in the following sections.

The legal authority

It is important for the forensic examiner to determine and document what legal authority exists for the acquisition and examination of the device, as well as any limitations placed on the media prior to the examination of the device. For example, if the mobile device is being searched pursuant to a warrant, the examiner should be mindful of confining the search to the limitations of the warrant.

The goals of the examination

The examiner will identify how in-depth the examination needs to be based upon the data requested. The goal of the examination makes a significant difference in selecting the tools and techniques to examine the phone and increases the efficiency of the examination process.

The make, model, and identifying information for the device

As part of the examination, identifying the make and model of the phone assists in determining what tools would work with the phone. For all phones, the manufacturer, model number, carrier, and the current phone number associated with the cellular phone should be identified and documented.

Removable and external data storage

Many mobile phones provide an option to extend the memory with removable storage devices, such as the Trans Flash Micro SD memory expansion card. In cases when such a card is found in a mobile phone that is submitted for examination, the card should be removed and processed using traditional digital forensic techniques. It is wise to also acquire the card while in the mobile device to ensure that data stored on both the handset memory and card are linked for easier analysis. This will be discussed in detail in upcoming chapters.

Other sources of potential evidence

Mobile phones act as good sources of fingerprint and other biological evidence. Such evidence should be collected prior to the examination of the mobile phone to avoid contamination issues, unless the collection method will damage the device. Examiners should wear gloves when handling the evidence.

The preparation phase

Once the mobile phone model is identified, the preparation phase involves research regarding the particular mobile phone to be examined and the appropriate methods and tools to be used for acquisition and examination. This is generally done based on the device model, underlying operating system, its version, and so on. Also, choosing tools for examination of a mobile device will be determined by factors such as the goal of the examination, resources available, the type of cellular phone to be examined, and the presence of any external storage capabilities.

The isolation phase

Mobile phones are, by design, intended to communicate via cellular phone networks, Bluetooth, infrared, and wireless (Wi-Fi) network capabilities. When the phone is connected to a network, new data is added to the phone through incoming calls, messages, and application data, which modifies the evidence on the phone. Complete destruction of data is also possible through remote access or remote wiping commands. For this reason, isolation of the device from communication sources is important prior to the acquisition and examination of the device. Network isolation can be done by placing the phone in radio frequency shielding cloth and then putting the phone in airplane or flight mode. The airplane mode disables a device's communication channels, such as cellular radio, Wi-Fi, and Bluetooth. However, if the device is screen-locked, then this is not possible. Also, since Wi-Fi is now available in airplanes, some devices now have Wi-Fi access enabled in airplane mode. An alternate solution is isolation of the phone through the use of Faraday bags, which block radio signals to or from the phone. Faraday bags contain materials that block external static electrical fields (including radio waves). Thus, Faraday bags shield seized mobile devices from external interference to prevent wiping and tracking. To work more conveniently with the seized devices, Faraday tents and rooms also exist.

The processing phase

Once the phone has been isolated from communication networks, the actual processing of the mobile phone begins. The phone should be acquired using a tested method that is repeatable and is as forensically sound as possible. Physical acquisition is the preferred method as it extracts the raw memory data and the device is commonly powered off during the acquisition process. On most devices, the smallest number of changes occur to the device during physical acquisition. If physical acquisition is not possible or fails, an attempt should be made to acquire the filesystem of the mobile device. A logical acquisition should always be obtained as well: it contains the parsed data and provides pointers into the raw memory image for examination. These acquisition methods are discussed in detail in later chapters.

The verification phase

After processing the phone, the examiner needs to verify the accuracy of the data extracted from the phone to ensure that data has not been modified. The verification of the extracted data can be accomplished in several ways.

Comparing extracted data to the handset data

Check whether the data extracted from the device matches the data displayed by the device. The data extracted can be compared to the device itself or a logical report, whichever is preferred. Remember, handling the original device may make changes to the only evidence—the device itself.

Using multiple tools and comparing the results

To ensure accuracy, use multiple tools to extract the data and compare results.

Using hash values

All image files should be hashed after acquisition to ensure that data remains unchanged. If filesystem extraction is supported, the examiner extracts the filesystem and then computes hashes for the extracted files. Later, the hash of any individually extracted file is recalculated and checked against the original value to verify its integrity. Any discrepancy in a hash value must be explainable (for example, the device was powered on and then acquired again, thus the hash values are different).
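The hash-manifest workflow described above, and the comparison of two extractions from the "Using multiple tools" section, can be automated with a few lines of Python. The following is an added example written for this section, not code from the book or from any forensic tool it describes. It records SHA-256 hashes of an image and its extracted files in the two-space format that sha256sum -c also accepts, then re-hashes a second extraction and classifies every path as unchanged, modified, missing or new. The directory layout and file contents in demo() are constructed placeholders, not real device data.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # stream large image files through the hash 1 MiB at a time


def sha256_file(path):
    """Return the SHA-256 hex digest of a file without loading it fully into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Hash every file below root; keys are POSIX-style paths relative to root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def write_manifest(manifest, path):
    """Write 'digest  relative/path' lines (two spaces), the format sha256sum -c reads."""
    with open(path, "w", encoding="utf-8") as fh:
        for rel, digest in sorted(manifest.items()):
            fh.write(f"{digest}  {rel}\n")


def read_manifest(path):
    """Parse a manifest produced by write_manifest (or by sha256sum)."""
    manifest = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, rel = line.split("  ", 1)
            manifest[rel] = digest
    return manifest


def compare_manifests(expected, actual):
    """Classify each path: ok, modified, missing (only in expected) or new (only in actual).

    The same comparison serves to reconcile two tools' extractions of one device:
    pass one tool's manifest as expected and the other's as actual.
    """
    report = {}
    for rel, digest in expected.items():
        if rel not in actual:
            report[rel] = "missing"
        elif actual[rel] != digest:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    for rel in actual:
        if rel not in expected:
            report[rel] = "new"
    return report


def verify_extraction(root, manifest_path):
    """Re-hash an extraction directory and compare it against its recorded manifest."""
    return compare_manifests(read_manifest(manifest_path), build_manifest(root))


def demo():
    """Constructed scenario: record hashes, then check a re-acquisition made after power-on."""
    with tempfile.TemporaryDirectory() as tmp:
        case = Path(tmp)
        extraction = case / "extraction"
        (extraction / "files").mkdir(parents=True)
        # Constructed placeholder bytes standing in for a raw image and extracted files.
        (extraction / "image.bin").write_bytes(b"\x00" * 4096 + b"constructed raw image")
        (extraction / "files" / "sms.db").write_bytes(b"constructed sms database")
        (extraction / "files" / "contacts.db").write_bytes(b"constructed contacts database")

        manifest_path = case / "extraction.sha256"  # kept outside the hashed tree
        write_manifest(build_manifest(extraction), manifest_path)

        # Second acquisition: one file changed, one disappeared, one appeared.
        (extraction / "files" / "sms.db").write_bytes(b"constructed sms database, changed")
        (extraction / "files" / "contacts.db").unlink()
        (extraction / "files" / "calllog.db").write_bytes(b"constructed call log")

        report = verify_extraction(extraction, manifest_path)
        for rel, status in sorted(report.items()):
            print(f"{status:9} {rel}")
        return report


if __name__ == "__main__":
    demo()
```

Every non-"ok" entry in the report is a discrepancy the examiner has to explain in the notes; keeping the manifest file outside the hashed directory avoids it reporting itself as a new file on the next run.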

The documenting and reporting phase

The forensic examiner is required to document throughout the examination process in the form of contemporaneous notes relating to what was done during the acquisition and examination. Once the examiner completes the investigation, the results must go through some form of peer review to ensure that the data is checked and the investigation is complete. The examiner's notes and documentation may include information such as the following:

The examination start date and time

The physical condition of the phone

Photos of the phone and individual components

Phone status when received—turned on or off

Phone make and model

Tools used for the acquisition

Tools used for the examination

Data found during the examination

Notes from peer review

The presentation phase