Become well-versed with forensics for the Android, iOS, and Windows 10 mobile platforms by learning essential techniques and exploring real-life scenarios
Key Features
Book Description
Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This updated fourth edition of Practical Mobile Forensics delves into the concepts of mobile forensics and its importance in today's world.
The book focuses on teaching you the latest forensic techniques to investigate mobile devices across various mobile platforms. You will learn forensic techniques for multiple OS versions, including iOS 11 to iOS 13, Android 8 to Android 10, and Windows 10. The book then takes you through the latest open source and commercial mobile forensic tools, enabling you to analyze and retrieve data effectively. From inspecting the device and retrieving data from the cloud, through to successfully documenting reports of your investigations, you'll explore new techniques while building on your practical knowledge. Toward the end, you will understand the reverse engineering of applications and ways to identify malware. Finally, the book guides you through parsing popular third-party applications, including Facebook and WhatsApp.
By the end of this book, you will be proficient in various mobile forensic techniques to analyze and extract data from mobile devices with the help of open source solutions.
What you will learn
Who this book is for
This book is for forensic examiners with basic experience in mobile forensics or open source solutions for mobile forensics. Computer security professionals, researchers, or anyone looking to gain a deeper understanding of mobile internals will also find this book useful. Some understanding of digital forensic practices will be helpful to grasp the concepts covered in the book more effectively.
Page count: 380
Year of publication: 2020
Copyright © 2020 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Vijin Boricha
Acquisition Editor: Rohit Rajkumar
Content Development Editor: Ronn Kurien
Senior Editor: Rahul Dsouza
Technical Editor: Dinesh Pawar
Copy Editor: Safis Editing
Project Coordinator: Vaidehi Sawant
Proofreader: Safis Editing
Indexer: Rekha Nair
Production Designer: Deepika Naik
First published: July 2014
Second edition: May 2016
Third edition: January 2018
Fourth edition: April 2020
Production reference: 1090420
Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.
ISBN 978-1-83864-752-0
www.packt.com
Packt.com
Subscribe to our online digital library for full access to over 7,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Fully searchable for easy access to vital information
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Rohit Tamma is a senior program manager currently working with Microsoft. With over 10 years of experience in the field of security, his background spans management and technical consulting roles in the areas of application and cloud security, mobile security, penetration testing, and secure coding. Rohit has also co-authored Learning Android Forensics, from Packt, which explains various ways to perform forensics on mobile platforms. You can contact him on Twitter at @RohitTamma.
Oleg Skulkin is a senior digital forensic analyst at Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud. He holds a number of certifications, including GCFA, GCTI, and MCFE. Oleg has also co-authored Windows Forensics Cookbook and Learning Android Forensics, both from Packt, as well as many blog posts and articles on digital forensics, incident response, and threat hunting that you can find online. You can contact him on Twitter at @oskulkin.
Heather Mahalik is the senior director of digital intelligence at Cellebrite. She is a senior instructor and author for the SANS Institute, and she is also the course lead for the FOR585 Smartphone Forensic Analysis In-Depth course. With 18 years of experience in digital forensics, she continues to thrive on smartphone investigations, digital forensics, forensic course development and instruction, and research on application analysis and smartphone forensics.
Satish Bommisetty is a security architect currently working with JDA. His primary areas of interest include web and mobile application security, cloud security, and iOS forensics. He has presented at security conferences, such as ClubHACK and C0C0n. Satish is one of the top bug bounty hunters and is listed in the halls of fame of Google, Facebook, PayPal, Microsoft, Yahoo, Salesforce, and more, for identifying and reporting their security vulnerabilities. You can reach him on Twitter at @satishb3.
Igor Mikhaylov has been working as a forensic examiner for 22 years. During this time, he has attended a lot of seminars and training classes by top digital forensic companies (such as Guidance Software, AccessData, and Cellebrite) and forensic departments of government organizations of the Russian Federation. He has experience and skills in computer forensics, incident response, cell phone forensics, chip-off forensics, malware forensics, data recovery, digital image analysis, video forensics, and big data. He has written three tutorials on cell phone forensics and incident response for Russian forensic examiners.
Detective Chad Prda has served in law enforcement for over 16 years. Throughout his distinguished career he has obtained several certifications, including Advanced Peace Officer, Advanced Interview and Interrogation, and Expert in Mobile Forensics. Detective Prda served on S.W.A.T. for 8 years as a firearms instructor and a lead marksman (sniper).
He later moved into criminal investigations, specializing in social media investigations, mobile forensics, and cellular mapping, as well as testifying in several criminal cases as an expert witness and studying at the United States Secret Service National Computer Forensics Institute.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
Practical Mobile Forensics Fourth Edition
About Packt
Why subscribe?
Contributors
About the authors
About the reviewers
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Disclaimer
Get in touch
Reviews
Introduction to Mobile Forensics
The need for mobile forensics
Understanding mobile forensics
Challenges in mobile forensics
The mobile phone evidence extraction process
The evidence intake phase
The identification phase
The legal authority
Data that needs to be extracted
The make, model, and identifying information for the device
Data storage media
Other sources of potential evidence
The preparation phase
The isolation phase
The processing phase
The verification phase
The documenting and reporting phase
The archiving phase
Practical mobile forensic approaches
Understanding mobile operating systems 
Android
iOS
Windows Phone
Mobile forensic tool leveling system
Manual extraction
Logical analysis
Hex dump
Chip-off
Micro read
Data acquisition methods
Physical acquisition
Logical acquisition
Manual acquisition
Potential evidence stored on mobile phones
Examination and analysis
Rules of evidence
Good forensic practices
Securing the evidence
Preserving the evidence
Documenting the evidence and changes
Reporting
Summary
Section 1: iOS Forensics
Understanding the Internals of iOS Devices
iPhone models and hardware
Identifying the correct hardware model
Understanding the iPhone hardware
iPad models and hardware
Understanding the iPad hardware
The HFS Plus and APFS filesystems
The HFS Plus filesystem
The HFS Plus volume
The APFS filesystem
The APFS structure
Disk layout
The iPhone OS
The iOS architecture
iOS security
Passcodes, Touch ID, and Face ID
Code signing
Sandboxing
Encryption
Data protection
Address Space Layout Randomization (ASLR)
Privilege separation
Stack-smashing protection
Data Execution Prevention (DEP)
Data wiping
Activation Lock
The App Store
Jailbreaking
Summary
Data Acquisition from iOS Devices
Operating modes of iOS devices
Normal mode
Recovery mode
DFU mode
Setting up the forensic environment
Password protection and potential bypasses
Logical acquisition
Practical logical acquisition with libimobiledevice
Practical logical acquisition with the Belkasoft Acquisition Tool
Practical logical acquisition with Magnet ACQUIRE
Filesystem acquisition
Practical jailbreaking
Practical filesystem acquisition with free tools
Practical filesystem acquisition with Elcomsoft iOS Forensic Toolkit
Summary
Data Acquisition from iOS Backups
Working with iTunes backups
Creating and analyzing backups with iTunes
Understanding the backup structure
info.plist
manifest.plist
status.plist
manifest.db
Extracting unencrypted backups
iBackup Viewer
iExplorer
Handling encrypted backup files
Elcomsoft Phone Breaker
Working with iCloud backups
Extracting iCloud backups
Summary
iOS Data Analysis and Recovery
Interpreting iOS timestamps
Unix timestamps
Mac absolute time
WebKit/Chrome time
Working with SQLite databases
Connecting to a database
Exploring SQLite special commands
Exploring standard SQL queries
Accessing a database using commercial tools
Key artifacts – important iOS database files
Address book contacts
Address book images
Call history
Short Message Service (SMS) messages
Calendar events
Notes
Safari bookmarks and history
Voicemail
Recordings
Device interaction
Phone numbers
Property lists
Important plist files
Other important files
Local dictionary
Photos
Thumbnails
Wallpaper
Downloaded third-party applications
Recovering deleted SQLite records
Summary
iOS Forensic Tools
Working with Cellebrite UFED Physical Analyzer
Features of Cellebrite UFED Physical Analyzer
Advanced logical acquisition and analysis with Cellebrite UFED Physical Analyzer
Working with Magnet AXIOM
Features of Magnet AXIOM
Logical acquisition and analysis with Magnet AXIOM
Working with Belkasoft Evidence Center
Features of Belkasoft Evidence Center
Logical acquisition and analysis with Belkasoft Evidence Center
Working with Elcomsoft Phone Viewer
Features of Elcomsoft Phone Viewer
Filesystem analysis with Elcomsoft Phone Viewer
Summary
Section 2: Android Forensics
Understanding Android
The evolution of Android
The Android architecture
The Linux kernel layer
The Hardware Abstraction Layer
Libraries
Dalvik Virtual Machine (DVM)
ART
The Java API framework layer
The system apps layer
Android security
Secure kernel
The permission model
Application sandbox
Secure IPC
Application signing
Security-Enhanced Linux (SELinux)
FDE
Android Keystore
TEE
Verified Boot
The Android file hierarchy
The Android filesystem
Viewing filesystems on an Android device
Common filesystems found on Android
Flash memory filesystems
Media-based filesystems
Pseudo filesystems
Summary
Android Forensic Setup and Pre-Data Extraction Techniques
Setting up a forensic environment for Android
Installing the software
Installing the Android platform tools
Creating an Android virtual device
Connecting an Android device to a workstation
Identifying the device cable
Installing device drivers
Accessing the connected device
The Android debug bridge
USB debugging
Accessing the device using adb
Detecting connected devices
Killing the local ADB server
Accessing the adb shell
Basic Linux commands
Handling an Android device
Screen lock bypassing techniques
Using ADB to bypass the screen lock
Deleting the gesture.key file
Updating the settings.db file
Checking for the modified recovery mode and ADB connection
Flashing a new recovery partition
Using automated tools
Using Android Device Manager
Bypass using Find My Mobile (for Samsung phones only)
Smudge attack
Using the forgot password/forgot pattern option
Bypassing third-party lock screens by booting into safe mode
Secure USB debugging bypass using ADB keys
Secure USB debugging bypass in Android 4.4.2
Crashing the lock screen UI in Android 5.x
Other techniques
Gaining root access
What is rooting?
Understanding the rooting process
Rooting an Android device
Root access - ADB shell
Summary
Android Data Extraction Techniques
Understanding data extraction techniques
Manual data extraction
Logical data extraction
ADB pull data extraction
Using SQLite Browser to view the data
Extracting device information
Extracting call logs
Extracting SMS/MMS
Extracting browser history information
Analysis of social networking/IM chats
ADB backup extraction
ADB dumpsys extraction
Using content providers
Physical data extraction
Imaging an Android phone
Imaging a memory (SD) card
Joint Test Action Group
The chip-off technique
Summary
Android Data Analysis and Recovery
Analyzing and extracting data from Android image files using the Autopsy tool
The Autopsy platform
Adding an image to Autopsy
Analyzing an image using Autopsy
Understanding techniques to recover deleted files from the SD card and the internal memory
Recovering deleted data from an external SD card
Recovering data deleted from the internal memory
Recovering deleted files by parsing SQLite files
Recovering files using file-carving techniques
Recovering contacts using your Google account
Summary
Android App Analysis, Malware, and Reverse Engineering
Analyzing widely used Android apps to retrieve valuable data
Facebook Android app analysis
WhatsApp Android app analysis
Skype Android app analysis
Gmail Android app analysis
Google Chrome Android app analysis
Techniques to reverse engineer an Android application
Extracting an APK file from an Android device
Steps to reverse engineer Android apps
Android malware
Types of Android malware
How does Android malware spread?
Identifying Android malware
Summary
Section 3: Windows Forensics and Third-Party Apps
Windows Phone Forensics
Windows Phone OS
Windows 10 Mobile security model
Chambers
Encryption
Capability-based model
App sandboxing
Windows Phone filesystem
Data acquisition
Commercial forensic tool acquisition methods
Extracting data without the use of commercial tools
SD card data extraction methods
Key artifacts for examination
Extracting contacts and SMS
Extracting call history
Extracting internet history
Summary
Parsing Third-Party Application Files
Introduction to third-party applications
Chat applications
GPS applications
Secure applications
Financial applications
Social networking applications
Encoding versus encryption
iOS, Android, and Windows Phone application data storage
iOS applications
Android applications
Windows Phone applications
Forensic methods used to extract third-party application data
Commercial tools
Oxygen Forensic Detective
Magnet AXIOM
UFED Physical Analyzer
Open source/free tools
Working with Autopsy
Other methods of extracting application data
Summary
Other Books You May Enjoy
Leave a review - let other readers know what you think
Mobile phone forensics is the science of retrieving data from a mobile phone under forensically sound conditions. This is the fourth edition of our successful Practical Mobile Forensics book that delves into the concepts of mobile forensics and its importance in today’s world. This book focuses on teaching you the latest forensic techniques in the investigation of mobile devices across various mobile platforms. You will learn forensic techniques on multiple OS versions, including iOS 12, iOS 13, Android 9, Android 10, and Windows 10. You will delve into the latest open source and commercial mobile forensic tools, enabling you to analyze and retrieve data effectively. You will learn how to inspect the device, retrieve data from the cloud, and successfully document reports of your investigations. You will explore reverse engineering of applications and ways to identify malware. You will also come across parsing popular third-party applications such as Facebook and WhatsApp.
By the end of this book, you will have mastered various mobile forensic techniques to analyze and extract data from mobile devices with the help of open source solutions.
This book is intended for forensic examiners with little or only basic experience in mobile forensics or open source solutions for mobile forensics. This book will also be useful for computer security professionals, researchers, and anyone seeking a deeper understanding of mobile internals. Some understanding of digital forensics practices would be helpful.
Chapter 1, Introduction to Mobile Forensics, introduces you to the concepts of mobile forensics, its core values, and the challenges involved. This chapter also provides an overview of the practical approaches and best practices involved in performing mobile forensics.
Chapter 2, Understanding the Internals of iOS Devices, provides an insight into iOS forensics. You will learn about the filesystem layout, security features, and the way files are stored on an iOS device.
Chapter 3, Data Acquisition from iOS Devices, discusses tools that will help you obtain data from iOS devices to later examine forensically. Not all tools are created equal, so it's important to understand the best tools to get the job done properly.
Chapter 4, Data Acquisition from iOS Backups, discusses iOS device backup files in detail, including user, forensic, encrypted, and iCloud backup files, and the methods to conduct your forensic examination.
Chapter 5, iOS Data Analysis and Recovery, goes further into forensic investigation by showing the examiner how to analyze the data recovered from the backup files. Areas containing data of potential evidentiary value will be explained in detail.
Chapter 6, iOS Forensic Tools, for familiarity purposes, walks you through the use of a number of commercial tools, such as Elcomsoft iOS Forensic Toolkit, Cellebrite (UFED4PC, Touch, and Physical Analyzer), BlackLight, Oxygen Forensic Detective, AccessData MPE+, EnCase, Belkasoft Evidence Center, MSAB XRY, and many more, which are available for forensic acquisition and the analysis of iOS devices. This chapter provides details of the processes required to perform acquisitions and analysis of iOS devices.
Chapter 7, Understanding Android, introduces the fundamentals of the Android platform, its built-in security features, and its filesystem. This chapter establishes the basic forensic knowledge that will be helpful in the next chapters.
Chapter 8, Android Forensic Setup and Pre-Data Extraction Techniques, tells you what to consider when setting up a digital forensic examination environment. Step-by-step information about rooting an Android device and bypassing the screen lock feature is provided in this chapter.
Chapter 9, Android Data Extraction Techniques, helps you to identify the sensitive locations on an Android device and explains various logical and physical techniques that can be applied to the device in order to extract the necessary information.
Chapter 10, Android Data Analysis and Recovery, explains how to extract relevant data, such as call logs, text messages, and browsing history from an image file. We will also cover data recovery techniques, with which we can recover data that's been deleted from a device.
Chapter 11, Android App Analysis, Malware, and Reverse Engineering, explains that while the data extraction and data recovery techniques discussed in earlier chapters provide access to valuable data, app analysis in this chapter helps us to acquire information about the specifics of an application, such as preferences and permissions.
Chapter 12, Windows Phone Forensics, discusses Windows Phones, which do not occupy much of the mobile market space. Therefore, most forensic practitioners are unfamiliar with the data formats, embedded databases, and other artifacts that exist on the device. This chapter provides an overview of Windows Phone forensics, describing various methods of acquiring and examining data on Windows mobile devices.
Chapter 13, Parsing Third-Party Application Files, introduces you to the various applications seen on Android devices, iOS devices, and Windows Phones. Each application will vary due to versions and devices, but their underlying structures are similar. We will look at how the data is stored and why preference files are important to your investigation.
Ensure that you have a test mobile device on which you can experiment with the techniques explained in the book. Do not try these techniques on your personal phone.
Some of the techniques explained in the book, such as rooting a device, are specific to the brand and the OS running on the device. Ensure that you research and gather sufficient information before trying these techniques.
If you are using the digital version of this book, we advise you to type the commands yourself. Doing so will help you avoid any potential errors related to the copying and pasting of code.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781838647520_ColorImages.pdf
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Mount the downloaded WebStorm-10*.dmg disk image file as another disk in your system."
A block of code is set as follows:
html, body, #map { height: 100%; margin: 0; padding: 0}
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
[default]
exten => s,1,Dial(Zap/1|30)
exten => s,2,Voicemail(u100)
exten => s,102,Voicemail(b100)
exten => i,1,Voicemail(s0)
Any command-line input or output is written as follows:
$ mkdir css
$ cd css
Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Select System info from the Administration panel."
The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorization from the appropriate persons responsible.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in, either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
There is no doubt that mobile devices have become part of our lives and have revolutionized the way we do most of our activities. As a result, a mobile device is now a huge repository that holds sensitive and personal information about its owner. This has, in turn, led to the rise of mobile device forensics, a branch of digital forensics that deals with retrieving data from a mobile device. This book will help you understand forensic techniques on three main platforms—Android, iOS, and Windows. We will go through various methods that can be used to collect evidence from different mobile devices.
In this chapter, we will cover the following topics:
The need for mobile forensics
Understanding mobile forensics
Challenges in mobile forensics
The mobile phone evidence extraction process
Practical mobile forensic approaches
Potential evidence stored on mobile phones
Examination and analysis
Rules of evidence
Good forensic practices
According to Statista reports (statista.com), the number of mobile phone users in the world is expected to pass 5 billion by 2020. The world is witnessing technology and user migration from desktops to mobile phones. Most of the growth in the mobile market can be attributed to the continued demand for smartphones.
According to an Ericsson report, global mobile data traffic will reach 71 exabytes per month by 2022, from 8.8 exabytes in 2017, a compound annual growth rate of 42 percent. Smartphones of today, such as Apple's iPhone and the Samsung Galaxy series, are compact forms of computers with high performance, huge storage, and enhanced functionality. Mobile phones are the most personal electronic device that a user accesses. They are used to perform simple communication tasks, such as calling and texting, while still providing support for internet browsing, email, taking photos and videos, creating and storing documents, identifying locations with GPS services, and managing business tasks.
As new features and applications are incorporated into mobile phones, the amount of information stored on devices is continuously growing.
Mobile phones have become portable data carriers, keeping track of all your movements. With the increasing prevalence of mobile phones in people's daily lives and in crime, data acquired from phones has become an invaluable source of evidence for investigations relating to criminal, civil, and even high-profile cases. It is rare to conduct a digital forensic investigation that does not include a phone. Mobile device call logs and GPS data were used to help solve the attempted bombing in Times Square, New York, in 2010.
The science behind recovering digital evidence from mobile phones is called mobile forensics, and we will be looking into it in the next section. Digital evidence is defined as information and data that is stored on, received by, or transmitted by an electronic device that is used for investigations. Digital evidence encompasses any and all digital data that can be used as evidence in a case.
Digital forensics is a branch of forensic science focusing on the recovery and investigation of raw data residing in electronic or digital devices. The goal of the process is to extract and recover any information from a digital device without altering the data present on the device. Over the years, digital forensics has grown along with the rapid growth of computers and various other digital devices. There are various branches of digital forensics based on the type of digital device involved, such as computer forensics, network forensics, and mobile forensics.
Mobile forensics is a branch of digital forensics that deals with the acquisition and recovery of evidence from mobile devices. Forensically sound is a term used extensively in the digital forensics community to qualify and justify the use of a particular forensic technology or methodology. One of the core principles that drive sound forensic examination is that the original evidence must not be altered in any form. This is extremely difficult with mobile devices. Some forensic tools require a communication vector with the mobile device, and thus standard write protection will not work during forensic acquisition.
Other forensic acquisition methods may involve detaching a chip or installing a custom bootloader on the mobile device prior to extracting data for forensic examination. In cases where examination or data acquisition is not possible without changing the configuration of the device, the procedure and the changes must be carefully tested and documented for later reference. Following proper methodology and guidelines is crucial in examining mobile devices as doing so yields the most valuable data. As with any evidence gathering, not following the proper procedure during the examination can result in loss or damage of evidence or render it inadmissible in court.
The mobile forensics process is broken down into three main categories—seizure, acquisition, and examination/analysis. Forensic examiners face some challenges while seizing the mobile device as a source of evidence. At the crime scene, if the mobile device is found switched off, you as the examiner should place the device in a Faraday bag to prevent changes should the device automatically power on. Faraday bags are specifically designed to isolate a phone from a network.
If the phone is found switched on, switching it off raises a number of concerns. If the phone is locked by a PIN or password, or encrypted, you will be required to bypass the lock or determine the PIN to access the device. Mobile phones are networked devices and can send and receive data through different sources, such as telecommunication systems, Wi-Fi access points, and Bluetooth. So, if the phone is in a running state, a criminal could securely erase the data stored on the phone by executing a remote wipe command. When a phone is switched on, it should be placed in a Faraday bag. If possible, prior to placing a mobile device in a Faraday bag, you should disconnect it from the network to protect the evidence by enabling flight mode and disabling all network connections (Wi-Fi, GPS, hotspots, and so on). This will also preserve the battery, which drains faster while the device searches for a signal inside a Faraday bag, and protect against leaks in the Faraday bag. Once the mobile device is seized properly, the examiner may need several forensic tools to acquire and analyze the data stored on the phone.
Mobile device forensic acquisition can be performed using multiple methods, which will be defined later. Each of these methods affects the amount of analysis required, which will be discussed in greater detail in the upcoming chapters. Should one method fail, another must be attempted. Multiple attempts and tools may be necessary in order to acquire the maximum amount of data from the mobile device.
Mobile phones are dynamic systems that present a lot of challenges for us in extracting and analyzing digital evidence. The rapid increase in the number of different kinds of mobile phones from different manufacturers makes it difficult to develop a single process or tool to examine all types of devices. Mobile phones are continuously evolving as existing technologies progress and new technologies are introduced. Furthermore, each mobile is designed with a variety of embedded operating systems. Hence, special knowledge and skills are required from forensic experts to acquire and analyze the devices.
One of the biggest forensic challenges when it comes to the mobile platform is the fact that data can be accessed, stored, and synchronized across multiple devices. As data is volatile and can be quickly transformed or deleted remotely, more effort is required for the preservation of this data. Mobile forensics is different from computer forensics and presents unique challenges to forensic examiners.
Law enforcement and forensic examiners often struggle to obtain digital evidence from mobile devices. The following are some of the reasons for this:
Hardware differences: The market is flooded with different models of mobile phones from different manufacturers. Forensic examiners may come across different types of mobile models that differ in size, hardware, features, and operating system. Also, with a short product development cycle, new models emerge very frequently. As the mobile landscape changes with each passing day, it is critical for you to adapt to all challenges and remain updated on mobile device forensic techniques across various devices.
Mobile operating systems: Unlike personal computers, where Windows has dominated the market for years, mobile devices run a much wider range of operating systems, including Apple's iOS, Google's Android, RIM's BlackBerry OS, Microsoft's Windows Phone OS, HP's webOS, and many others. Even within these operating systems, there are several versions, which makes your task even more difficult.
Mobile platform security features: Modern mobile platforms contain built-in security features to protect user data and privacy. These features act as a hurdle during forensic acquisition and examination. For example, modern mobile devices come with default encryption mechanisms from the hardware layer to the software layer. You might need to break through these encryption mechanisms to extract data from the devices. The FBI versus Apple encryption dispute was a watershed moment in this regard, where the security implementation of Apple prevented the FBI from breaking into an iPhone seized from an attacker in the San Bernardino case.
Preventing data modification: One of the fundamental rules in forensics is to make sure that data on the device is not modified. In other words, any attempt to extract data from the device should not alter the data present on that device. But this is not practically possible with mobiles, because just switching on a device can change the data on that device. Even if a device appears to be in an off state, background processes may still run. For example, on some phones the alarm clock still fires even when the phone is switched off. A sudden transition from one state to another may result in the loss or modification of data.
Anti-forensic techniques: Anti-forensic techniques, such as data hiding, data obfuscation, data forgery, and secure wiping, make investigations on digital media more difficult.
Passcode recovery: If the device is protected with a passcode, the forensic examiner needs to gain access to the device without damaging the data on the device. While there are techniques to bypass the screen lock, they may not always work on all versions of the OS.
Lack of resources: As mentioned earlier, with the growing number of mobile phones, the number of tools required by a forensic examiner also increases. Forensic acquisition accessories, such as USB cables, batteries, and chargers for different mobile phones, have to be maintained in order to acquire those devices.
Dynamic nature of evidence: Digital evidence may be easily altered either intentionally or unintentionally. For example, browsing an application on a phone might alter the data stored by that application on the device.
Accidental reset: Mobile phones provide features to reset everything. Resetting a device accidentally while examining it may result in the loss of data.
Device alteration: The possible ways to alter devices may range from moving application data or renaming files to modifying the manufacturer's operating system. In this case, the expertise of the suspect should be taken into account.
Communication shielding: Mobile devices communicate over cellular networks, Wi-Fi networks, Bluetooth, and infrared. As device communication might alter the device data, the possibility of further communication should be eliminated after seizing the device.
Lack of availability of tools: There is a wide range of mobile devices. A combination of tools needs to be used, because a single tool may not support all the devices or perform all the necessary functions. So, choosing the right tool for a particular phone might be difficult.
Malicious programs: The device might contain malware or malicious software, such as a virus or a Trojan. These programs may try to spread to other devices over either a wired interface or a wireless one, which is one reason to acquire from an isolated examination workstation rather than a general-purpose machine.
Legal issues: Mobile devices might be involved in crimes that cross geographical boundaries. In order to tackle these multi-jurisdictional issues, the forensic examiner should be familiar with the nature of the crime and the regional laws.
Let's have a look at the process of evidence extraction in the next section.
Evidence extraction and the forensic examination of different mobile devices may differ based on various factors. However, following a consistent examination process will help the forensic examiner to ensure that the evidence gathered from each phone is well documented and that the results are reliable. There is no well-established standard process for mobile forensics.
However, the following diagram provides an overview of process considerations for the extraction of evidence from mobile devices. All methods used when extracting data from mobile devices should be tested, validated, and well documented:
As shown in the preceding diagram, forensics on a mobile device includes several phases, from the evidence intake phase to the archiving phase. The following sections provide an overview of various considerations across all the phases.
The evidence intake phase is the starting phase and involves paperwork that captures ownership information and the type of incident the mobile device was involved in, and outlines the kind of data the requester is seeking. Developing specific objectives for each examination is the critical part of this phase. It serves to clarify your goals. Before the physical seizure process begins, you should be familiar with federal, state, and local laws pertaining to an individual's rights. If the right procedures are not followed, the investigation may be considered illegal in a court of law. The procedure and the legality may vary based on whether you are a government agent or a private party. For example, in the US, Fourth Amendment rights prevent any search or seizure by a government agent without a proper search warrant. The search warrant should clearly authorize the seizure of the mobile device as well as the kind of data that needs to be collected. After a successful seizure, care should be taken to ensure that a chain of custody is established not only for the device but also for the data collected.
Also, while seizing the device, care should be taken not to modify any data present on the device. At the same time, any opportunity to help the investigation should not be missed. For example, at the time of seizing the device, if the device is unlocked, then try to disable the passcode, and record that you did so, since it is a change to the device's configuration.
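The chain of custody for the collected data, as opposed to the device, is usually enforced with hashes: the acquired image is hashed once at acquisition and re-hashed before every later session, and each custody event is logged in a way that makes later edits detectable. The following is an added example of both checks, written for this page and not code from the book or from any forensic tool. It assumes the acquisition produced a file on disk, that custody events are plain dicts, and that SHA-256 is the hash in use; the image bytes and the examiner names are constructed sample data.

```python
"""Added example, not from the book: verify an acquired image has not changed and
keep a hash-chained chain-of-custody ledger for the device and the data.

Assumptions (mine, not the original text): the acquisition produced a file on
disk, custody events are recorded as dicts, and SHA-256 is the hash used.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List

CHUNK = 1024 * 1024
GENESIS = "0" * 64  # "previous digest" of the first ledger entry


def sha256_file(path: str) -> str:
    """Hash the image in chunks; acquisition images are far larger than RAM allows."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path: str, expected_sha256: str) -> bool:
    """Re-hash before every analysis session; a mismatch means the image changed."""
    return sha256_file(path) == expected_sha256


def _entry_digest(body: Dict) -> str:
    # Canonical JSON so the digest does not depend on key order or whitespace.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_event(ledger: List[Dict], actor: str, action: str,
                 evidence_sha256: str, note: str = "") -> Dict:
    """Append a custody event whose digest also covers the previous entry's digest,
    so editing, removing or reordering an earlier event breaks every later link."""
    body = {
        "seq": len(ledger),
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "evidence_sha256": evidence_sha256,
        "note": note,
        "prev": ledger[-1]["digest"] if ledger else GENESIS,
    }
    entry = dict(body, digest=_entry_digest(body))
    ledger.append(entry)
    return entry


def verify_ledger(ledger: List[Dict]) -> bool:
    """Walk the chain from the first entry; any edit, reorder or gap returns False."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "digest"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False
        if _entry_digest(body) != entry.get("digest"):
            return False
        prev = entry["digest"]
    return True


def demo() -> Dict[str, bool]:
    """Constructed walk-through on a fake image: a clean ledger, then two kinds
    of tampering (an edited ledger entry and a one-byte change to the image)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "handset.bin")
        with open(image, "wb") as f:  # constructed sample bytes, not a real image
            f.write(b"\x00" * 4096 + b"constructed sample image" + b"\xff" * 4096)
        acq_hash = sha256_file(image)

        ledger: List[Dict] = []
        append_event(ledger, "examiner A", "seized", "", "Faraday bag, flight mode set")
        append_event(ledger, "examiner A", "acquired", acq_hash, "physical image")
        append_event(ledger, "examiner B", "received", acq_hash, "hash re-verified on intake")
        result = {"ledger_ok": verify_ledger(ledger),
                  "image_ok": verify_image(image, acq_hash)}

        # Edit a past entry without recomputing its digest: the chain breaks.
        tampered = json.loads(json.dumps(ledger))
        tampered[1]["note"] = "logical image"
        result["tampered_ledger_ok"] = verify_ledger(tampered)

        # Flip one byte of the image: re-verification fails.
        with open(image, "r+b") as f:
            f.seek(4096)
            f.write(b"C")
        result["image_after_change_ok"] = verify_image(image, acq_hash)
    return result


if __name__ == "__main__":
    print(demo())
```

Keep the acquisition hash and the ledger outside the examiner's working copy of the image (a write-once share or a printed worksheet), otherwise whoever can alter the image can also alter the record that would reveal it.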
The forensic examiner should identify the following details for every examination of a mobile device:
The legal authority
The data that needs to be extracted
The make, model, and identifying information for the device
Data storage media
Other sources of potential evidence
We will discuss each of these in the following sections.
It is important for the forensic examiner to determine and document what legal authority exists for the acquisition and examination of the device, as well as any limitations placed on the media prior to the examination of the device. For example, if the investigation on the device is being conducted based on a warrant, the search should be limited only to those areas that are defined in the warrant. In short, prior to the device seizure, you need to answer the following questions:
If a search warrant does not exist, has the device owner consented to the search?
If a search warrant exists, is the device included within the original warrant?
If the device is included in the warrant, does it also define what data can be collected?
If it's a corporate investigation, is the device owned by an individual or his or her employer?
Does the corporate policy allow collection and subsequent analysis?
You will identify how in-depth the examination needs to be based upon the data requested. The goal of the examination makes a significant difference in selecting the tools and techniques to examine the phone and increases the efficiency of the examination process.
As part of the examination, identifying the make and model of the phone assists in determining what tools would work with the phone. When available, it is recommended to capture the following details of the seized device:
The device manufacturer
The device model number
The mobile device serial number
The color of the device
The wallpaper visible on the device screen or lock screen wallpaper
The presence of any hardware components (such as front camera, headphone jack, and so on)
A description of any specific details unique to the device (scratches, broken screen, and so on)
Next, let's look at data storage media.
Many mobile phones provide an option to extend memory with removable storage devices. In cases when such removable media is found in a mobile phone that is submitted for examination, the storage card should be removed and processed using traditional digital forensic techniques. It is wise to also acquire the card while in the mobile device to ensure that data stored on both the handset memory and card are linked for easier analysis. This will be discussed in detail in the upcoming chapters.
Mobile phones act as good sources of fingerprint and other biological evidence. Such evidence should be collected prior to the examination of the mobile phone to avoid contamination issues, unless the collection method will damage the device. Examiners should wear gloves when handling the evidence.
Once the mobile phone model is identified, the preparation phase involves research regarding the particular mobile phone to be examined and the appropriate methods and tools to be used for acquisition and examination. This is generally done based on the device model, underlying operating system, its version, and so on. Also, the tools that need to be used during an examination will have to be determined based on the device in question as well as on the scope and goals of the examination.
Mobile phones are, by design, intended to communicate via cellular phone networks, Bluetooth, infrared, and wireless (Wi-Fi) network capabilities. When a phone is connected to a network, new data is added to the phone through incoming calls, messages, and application data, which modifies the evidence on the phone.
Complete destruction of data is also possible through remote access or remote wipe commands. For this reason, isolation of the device from communication sources is important prior to the acquisition and examination of the device. Network isolation can be done by placing the phone in radio frequency shielding cloth and then putting the phone in airplane or flight mode. Airplane mode disables a device's communication channels, such as cellular radio, Wi-Fi, and Bluetooth. However, if the device is screen-locked, then this is not possible. Also, because Wi-Fi is now offered on aircraft, current iOS and Android releases let the user turn Wi-Fi and Bluetooth back on while airplane mode stays active, and they remember that choice, so a device showing the airplane mode icon may still be on a network. Verify that each radio is actually off rather than relying on the icon alone.
An alternate solution is isolation of the phone through the use of Faraday bags, which block radio signals to or from the phone. Faraday bags contain materials that block external static electrical fields (including radio waves). Thus, Faraday bags shield seized mobile devices from external interference to prevent wiping and tracking. To work more conveniently with seized devices, Faraday tents and rooms also exist.
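Because airplane mode no longer guarantees that Wi-Fi and Bluetooth are off, it is worth checking each radio's state explicitly before acquisition. The following is an added example for Android, written for this page and not code from the book or from any vendor tool. It reads the standard Settings.Global keys airplane_mode_on, wifi_on and bluetooth_on with `adb shell settings get global <key>`, which assumes USB debugging is enabled and the examiner's workstation is already authorized on the handset (otherwise adb cannot query settings at all). The adb outputs in the demo are constructed, not captured from a real device.

```python
"""Added example, not from the book: confirm an Android handset's radios are
really off before acquisition by reading the standard Settings.Global keys
through adb. Assumptions (mine): USB debugging is enabled and the examiner's
workstation is authorized, otherwise adb cannot query settings; the keys
airplane_mode_on, wifi_on and bluetooth_on are read with
`adb shell settings get global <key>`.
"""
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

RADIO_KEYS = ("airplane_mode_on", "wifi_on", "bluetooth_on")


def parse_setting(raw: str) -> Optional[int]:
    """adb prints the integer value, 'null' when the key is unset, or nothing on
    stdout when it failed (the error goes to stderr); anything that is not an
    integer is reported as unknown rather than guessed."""
    try:
        return int(raw.strip())
    except ValueError:
        return None


def isolation_status(values: Dict[str, Optional[int]]) -> Tuple[bool, List[str]]:
    """Return (isolated, findings). Airplane mode alone is not proof: the user can
    re-enable Wi-Fi and Bluetooth on top of it and the device remembers that."""
    findings: List[str] = []
    if values.get("airplane_mode_on") != 1:
        findings.append("airplane mode is off")
    # Any nonzero value counts as enabled. (Assumption from Android's Wi-Fi
    # settings store: wifi_on == 2 marks Wi-Fi turned back on under airplane mode.)
    if values.get("wifi_on") not in (0, None):
        findings.append("Wi-Fi still enabled")
    if values.get("bluetooth_on") not in (0, None):
        findings.append("Bluetooth still enabled")
    for key in RADIO_KEYS:
        if values.get(key) is None:
            findings.append(f"{key} unreadable; confirm the radio state manually")
    return (not findings, findings)


def query_device(adb: str = "adb") -> Dict[str, Optional[int]]:
    """Live query of a connected, authorized device; not used by the offline demo."""
    if shutil.which(adb) is None:
        raise RuntimeError("adb not found on PATH")
    values: Dict[str, Optional[int]] = {}
    for key in RADIO_KEYS:
        proc = subprocess.run([adb, "shell", "settings", "get", "global", key],
                              capture_output=True, text=True, timeout=15)
        values[key] = parse_setting(proc.stdout)
    return values


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed adb stdout samples (not captured from a real device)."""
    samples = {
        "isolated": {"airplane_mode_on": "1\n", "wifi_on": "0\n", "bluetooth_on": "0\n"},
        "wifi_over_airplane": {"airplane_mode_on": "1\n", "wifi_on": "2\n", "bluetooth_on": "0\n"},
        # Unauthorized device: adb writes its error to stderr, stdout stays empty.
        "unauthorized": {"airplane_mode_on": "", "wifi_on": "", "bluetooth_on": ""},
    }
    return {name: isolation_status({k: parse_setting(v) for k, v in raw.items()})
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (ok, findings) in demo().items():
        print(f"{name}: {'isolated' if ok else 'NOT isolated'} {findings}")
```

Run `query_device()` only after the handset is already inside shielding; connecting a cable and authorizing a workstation is itself a change to the device and belongs in the examination notes.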
