Mobile Device Forensics
Mobile device forensics is the science of recovering digital evidence or data from a mobile device under forensically sound conditions using accepted methods. A mobile device is any electronic object that is capable of holding data or providing communication between one or more electronic devices. A basic mobile device consists of a miniature keyboard, a small display screen, a microprocessor, non-volatile memory (nowadays mostly flash) and volatile memory (RAM). These memory types are soldered to the printed circuit board. The memory types of a mobile device and its unique interfaces are what make the forensic process a little different on a mobile device compared to computer forensics. The goal of mobile device forensics is usually to provide evidence in legal cases, whether criminal or civil, or to recover data in the event of a hardware or software failure. Mobile devices can be used to save several types of personal information such as contacts, photos, calendars and notes, and they have started to displace classic paper helpers like schedulers and address books.
Data Types
As mobile device technology advances, the amount and types of data that can be found on a mobile device are constantly increasing.
Types of data that can be found on mobile devices include, but are not limited to:
- multimedia files (sounds, music, images, video, podcasts)
- messages (SMS, MMS, Twitter, Chat)
- e-mails
- browser history/bookmarks/cookies
- personal information (Calendars, Contacts, Notes)
- log files (calls, networks, applications)
- maps (Google, OpenStreetMap)
- connection information (Bluetooth, WLAN, VPN)
- GPS positions
- running processes
- routing tables
- network and connectivity statistics
- boot sequence, default libraries
The Forensic Process
The forensic process is very complicated but is best described when generalized into four categories: preservation, acquisition, examination and analysis, and reporting. While each is very broad and can involve very specific details, there are a few guidelines one must always consider.
Preservation
Preservation is the process of seizing a suspect's property without altering or changing the contents of the data that reside on devices or removable media. It is the first step in digital evidence recovery. In this process it is important to document every action taken when searching for and collecting evidence. Maintaining a quality chain of custody begins at the crime scene, and it is important to maintain it to prevent a mistrial or dismissal of evidence. Upon arrival, the first priority is to ensure the safety of those present. Secondly, one must protect the integrity of physical and digital evidence. Only then can one formulate a search plan to evaluate the scene and identify possible evidence. All potential evidence should then be secured, documented and/or photographed. The documentation should form a permanent historical record of the scene. Document the location and condition of all electronic media, especially the mobile device, and be sure to document the condition in which the mobile device was seized. This means photographing the screen to show what was visible at the time of seizure and photographing the surrounding area. In the surrounding area it is important to recover non-technological evidence such as handwritten notes, blank pads of paper with indented writing, hardware and software manuals, text or graphical printouts and photographs.
Acquisition
The second step in the forensic process is acquisition. Acquisition is the process of imaging or otherwise obtaining information from a digital device and all its peripheral equipment and media. Acquisition provides phonebook information, appointment calendar information, text and multimedia message logs, call logs, e-mail logs, photos, audio and video recordings, web browsing logs and location information. During acquisition, it is not just the digital evidence that proves useful. It is important to note as much information as possible when the acquisition takes place; noting things such as the date and time on the device, and sometimes things like ringtones, can prove useful. Acquisition can take place in one of two settings, the crime scene or the laboratory. Acquisition at the crime scene allows for collection of all data that could be lost in transport due to battery loss or external conditions as previously explained. However, it is not always possible to find a controlled environment at the scene in which certain variables are met, and for this reason it is sometimes more beneficial to perform the acquisition in the laboratory. When possible, it is best to perform one acquisition at the crime scene and another at the laboratory; this is beneficial because the state of a mobile phone is always changing. It is important to properly identify the device in the laboratory prior to examination. Be sure to document the type of device, i.e. make and model, OS, serial numbers if available and any other important characteristics. When the acquisition takes place, it is important to note which type of acquisition was performed. One must be prepared before trying to examine the data of a device. Therefore it is best practice to have an identical device for tests and deep (and sometimes destructive) investigation. For a deep inspection all unknown built-in chips have to be identified by noting the printed part number and searching for the device and chip datasheets.
This is important because a new chip with features unknown to the analyst could be built in. Investigating available firmware updates can also give useful hints. After a test investigation on the identical device, one has to check whether all expectations were met. The question "Leave it on or switch the device off?" is tricky for mobile devices. On the one hand the volatile memory must be saved. On the other hand there can be a memory manager with a wear leveling algorithm, which can overwrite deleted data such that this data is unrecoverable. For mobile devices volatile memory is usually only used as CPU memory, to work as cache and to hold state information. Therefore, it should be saved to get information about possible temporary data or connected networks. After this the mobile device should be switched off by removing the battery. The memory manager must not be given the chance to overwrite data, because overwritten data is not recoverable. Leaving the mobile device on, connecting it to a charger and putting it into a Faraday cage is not good practice, because the memory manager continues its work: the mobile device would recognize the network disconnection and change its status information, which can trigger the memory manager to write data. The non-volatile memory stores all other data, e.g., user information and application data. Nowadays mostly flash memory is used in mobile devices as internal non-volatile memory. Additionally, this memory can often be extended with external memory.
Examination & Analysis
Once the acquisition has taken place, examination and analysis can take place. The examination process uncovers digital evidence, including that which may be hidden or obscured. The results are gained through applying established, scientifically based methods, and should describe the content and state of the data fully, including the source and the potential significance. Data reduction, separating relevant from irrelevant information, occurs once the data is exposed. The analysis process differs from examination in that it looks at the results of the examination for their direct significance and probative value to the case. Examination is a technical process that is the province of a forensic specialist. However, analysis may be done by roles other than the forensic analyst, such as the investigator or the forensic examiner. It is important for the examiner to have studied the case and become familiar with the parameters of the wrongdoing. It is advisable for the examiner to conduct the study of the case alongside the forensic analyst. Examination and analysis are a very tedious process but are the basis for a solid court case.
A desired goal is to work on a full bit-level copy of the memory, because it is an unmodified memory image. Software tools can interpret and extract the data, even if the data was deleted by the operating system. The memory copy also has the advantage that it can be duplicated and analyzed by more than one tool or analyst at once. As an increasing number of mobile devices use high-level file systems similar to those of computers, methods and tools can be taken over from hard disk forensics or need only slight changes. The file system most often used on NAND memory is FAT. One difference is the block size, which is larger than the 512 bytes of hard disks and depends on the memory type, e.g., 64, 128 or 256 kbyte for NOR memory and 16, 128, 256 or 512 kbyte for NAND memory.
Different software tools can extract the data from the memory image. One can use specialized and automated forensic software products, or a generic file viewer such as a hex editor, to search for the characteristic headers of files. The advantage of the hex editor is the deeper insight into the memory management, but working with a hex editor means a lot of manual work and requires knowledge of the file system as well as of file headers. In contrast, specialized forensic software simplifies the search and extracts the data, but may not find everything. AccessData, Sleuthkit and EnCase, to mention only a few, are forensic software products for analyzing memory images. Since no tool extracts all possible information, it is advisable to use two or more tools for examination. It should be clear that as of February 2010 there is no software solution that recovers all evidence from flash memory.
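The header search described above, done by hand in a hex editor, is easy to automate. The following added example (not code from the original page or from any of the products named) scans a constructed raw image for the magic bytes of a few file types at every byte offset, which is what lets deleted remnants be found after the file system has dropped its references, and reads the cluster size from a FAT boot sector, since the block size discussion above matters when interpreting such an image. The signature table and the sample image are assumptions built for the example; real carvers use far larger signature sets.

```python
"""Header-based carving and FAT boot-sector parsing over a raw memory image (added example)."""
from __future__ import annotations

import struct

# Assumption: a minimal signature table; real tools ship hundreds of signatures.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "sqlite": b"SQLite format 3\x00",
}


def carve_headers(image: bytes) -> list:
    """Return sorted (offset, type) pairs for every signature found in the image.

    Every byte offset is checked, not only block boundaries, because a deleted
    file's data can start anywhere once the file system no longer references it.
    """
    hits = []
    for name, magic in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def fat_cluster_size(image: bytes):
    """Read the BIOS Parameter Block of a FAT boot sector at offset 0.

    Returns the cluster (allocation block) size in bytes, or None when the
    0x55AA boot signature at the end of the sector is missing.
    """
    if len(image) < 512 or image[510:512] != b"\x55\xaa":
        return None
    # Offset 11: bytes per sector (16-bit LE); offset 13: sectors per cluster (8-bit).
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", image, 11)
    return bytes_per_sector * sectors_per_cluster


def build_sample_image() -> bytes:
    """Constructed sample image: a FAT boot sector followed by unallocated space
    that still holds the headers of a deleted PNG and a deleted JPEG."""
    boot = bytearray(512)
    boot[0:3] = b"\xeb\x3c\x90"                    # jump instruction, as in a real boot sector
    struct.pack_into("<HB", boot, 11, 512, 32)      # 512-byte sectors, 32 sectors per cluster
    boot[510:512] = b"\x55\xaa"                     # boot signature
    free = bytearray(4096)                          # unallocated area, mostly zeros
    free[100:108] = SIGNATURES["png"]               # remnant of a deleted PNG
    free[2048:2051] = SIGNATURES["jpeg"]            # remnant of a deleted JPEG
    return bytes(boot) + bytes(free)


if __name__ == "__main__":
    img = build_sample_image()
    print("cluster size:", fat_cluster_size(img), "bytes")
    for offset, kind in carve_headers(img):
        print(f"{kind} header at offset {offset:#x}")
```

The cluster size reported for the sample (16 kbyte) is one of the NAND block sizes listed above; a carver that only checked cluster boundaries would miss the PNG header, which starts 100 bytes into its cluster.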
Reporting
Reporting is the process of preparing a detailed summary of all the steps taken and conclusions reached in the investigation of a case. Reporting depends on maintaining a careful record of all actions and observations, describing the results of tests and examinations, and explaining the inferences drawn from the evidence. A good report relies on solid documentation, notes, photographs, and tool-generated content. This final step proves to be a lot easier when one has paid careful attention to detail and has properly documented his or her actions step by step. It is important to be able to produce solid and sound reports for others to interpret. While the software used generates various reports, it is important to tie together all the information taken in every step of the forensic process and to be able to describe in detail, from start to finish, the steps taken, why they were taken, and how you were able to draw your conclusion.
Data Acquisition Types
Physical Acquisition
Physical acquisition implies a bit-by-bit copy of an entire physical store (e.g., a memory chip). A physical acquisition has the advantage of allowing deleted files and data remnants to be examined. Physical extraction acquires information from the device by direct access to the flash memory. Generally this is harder to achieve, because device vendors need to secure against arbitrary reading of memory so that a device may be locked to a certain operator. A physical extraction is the method most similar to the examination of a personal computer. It produces a bit-by-bit copy of the device's flash memory. Generally the physical extraction is then split into two steps, the dumping phase and the decoding phase.
Logical Acquisition
Logical acquisition implies a bit-by-bit copy of logical storage objects (e.g., directories and files) that reside on a logical store (e.g., a file system partition). Logical acquisition has the advantage that system data structures are easier for a tool to extract and organize. Logical extraction acquires information from the device using the vendor interface for synchronizing the contents of the phone with a personal computer. This usually does not produce any deleted information, because deleted information is normally removed from the file system of the phone. However, in some cases the phone may keep a database file of information which does not overwrite the information but simply marks it as deleted and available for later overwriting. In this case, if the device allows file system access through its synchronization interface, it is possible to recover deleted information. A logical extraction is generally easier to work with, as it does not produce a large binary blob. However, a skilled forensic examiner will be able to extract far more information from a physical extraction.
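The database behaviour just described, where a deleted record is only marked free and its bytes survive until overwritten, can be shown concretely. The following added example (not code from the original page) builds a constructed SQLite messaging database, deletes one row, and then compares the logical view (what a query through the database engine returns) with the physical view (what a byte search over the file finds). SQLite's secure_delete pragma is switched off explicitly so the result does not depend on how the local library was built; the table layout and message contents are assumptions made for the example.

```python
"""Logical versus physical view of a deleted database record (added example)."""
import os
import sqlite3
import tempfile

DELETED_BODY = "DELETED-MESSAGE-MARKER deal is off"   # constructed sample text
KEPT_BODY = "meet at the usual place"                   # constructed sample text


def build_message_db(path: str) -> None:
    """Create a constructed messaging database and delete one of its two rows.

    With secure_delete off, SQLite only marks the cell's space as free inside the
    page; the record bytes stay in the file until that space is reused.
    """
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany(
        "INSERT INTO sms (sender, body) VALUES (?, ?)",
        [("+15550100", KEPT_BODY), ("+15550199", DELETED_BODY)],
    )
    con.commit()
    con.execute("DELETE FROM sms WHERE id = 2")
    con.commit()
    con.close()


def logical_bodies(path: str) -> list:
    """Logical acquisition: ask the database engine, which hides deleted rows."""
    con = sqlite3.connect(path)
    rows = [row[0] for row in con.execute("SELECT body FROM sms ORDER BY id")]
    con.close()
    return rows


def physical_contains(path: str, needle: bytes) -> bool:
    """Physical view: search the raw file bytes, as a hex editor or carver would."""
    with open(path, "rb") as handle:
        return needle in handle.read()


def demo():
    """Run both views on a fresh database and return (logical rows, deleted text found)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "sms.db")
    build_message_db(path)
    result = (logical_bodies(path), physical_contains(path, DELETED_BODY.encode("utf-8")))
    os.remove(path)
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    logical, found = demo()
    print("logical view:", logical)
    print("deleted text still in file:", found)
```

The logical view returns only the surviving message, while the byte search still finds the deleted one; this is why the text above notes that a logical extraction through the synchronization interface can recover deleted information only when file system access to the database file itself is available.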
Manual Acquisition
The user interface can be utilized to investigate the content of the memory. To do so, the device is used as normal and pictures are taken of the screen. This method has the advantage that the operating system performs the transformation of raw data into human-interpretable information. In practice this method is applied to cell phones (e.g., with Project-a-Phone), PDAs and navigation systems. The disadvantage is that only data visible to the operating system can be recovered, and that all data are only available in the form of pictures.
External Memory
External memory devices are SIM cards, SD cards, MMC cards, CF cards, and the Memory Stick. For external memory and USB flash drives, appropriate software, e.g., the Unix command dd, is needed to make the bit-level copy. Furthermore, USB flash drives with write protection do not need special hardware and can be connected to any computer. Many USB drives and memory cards have a write-lock switch that can be used to prevent data changes while making a copy. If the USB drive has no protection switch, a write blocker can be used to mount the drive in read-only mode or, in an exceptional case, the memory chip can be desoldered. SIM and memory cards need a card reader to make the copy. The SIM card format has been analyzed thoroughly, so that it is possible to recover data, including deleted data, such as contacts or text messages.
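The bit-level copy that dd makes of a card or drive is only evidence if its integrity can be shown afterwards, and worn flash media may have unreadable blocks. The following added example (not code from the original page) reproduces the behaviour of dd with conv=noerror,sync in Python over a constructed stand-in for a memory card: each block is read once, an unreadable block is replaced by zeros so that offsets in the image still match the medium, the bad blocks are recorded for the report, and the image is hashed at acquisition so a later re-hash can prove it is unchanged. The block size, the sample medium and its failing block are assumptions made for the example.

```python
"""Bit-level imaging with read-error handling and hash verification (added example)."""
import hashlib

BLOCK_SIZE = 512  # assumption: dd's default block size


def make_sample_medium(bad_blocks=frozenset({3})):
    """Constructed stand-in for a memory card: eight blocks of recognisable content,
    of which block 3 raises a read error, as a worn flash cell might.
    Returns (read_block function, total number of blocks)."""
    blocks = [bytes([i]) * BLOCK_SIZE for i in range(8)]

    def read_block(n: int) -> bytes:
        if n in bad_blocks:
            raise IOError(f"read error at block {n}")
        return blocks[n]

    return read_block, len(blocks)


def acquire_image(read_block, total_blocks: int):
    """Copy every block in the manner of `dd conv=noerror,sync`.

    An unreadable block is written as zeros so the image keeps the medium's
    layout; its number is recorded so the report can state which data is
    missing. Returns (image bytes, SHA-256 hex digest, list of bad blocks).
    """
    image = bytearray()
    bad_blocks = []
    for n in range(total_blocks):
        try:
            chunk = read_block(n)
        except IOError:
            chunk = b"\x00" * BLOCK_SIZE
            bad_blocks.append(n)
        image += chunk
    digest = hashlib.sha256(image).hexdigest()
    return bytes(image), digest, bad_blocks


def verify_image(image: bytes, expected_digest: str) -> bool:
    """Re-hash a stored image and compare with the digest recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == expected_digest


if __name__ == "__main__":
    read_block, total = make_sample_medium()
    image, digest, bad = acquire_image(read_block, total)
    print(f"imaged {len(image)} bytes, sha256={digest}")
    print("unreadable blocks replaced by zeros:", bad)
    print("verification:", verify_image(image, digest))
```

Recording the digest and the list of zero-filled blocks alongside the image is what lets the reporting step described above state exactly what was copied and what could not be read.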
Internal Memory
This section describes various possibilities to save the internal storage, nowadays mostly flash memory.
Operations Include:
- System Commands
- AT Commands
- Flasher Tools
- JTAG
Not all mobile devices provide such a standardized interface, nor does a standard interface exist for all mobile devices, but all manufacturers have one problem in common. The miniaturization of device parts raises the question of how to automatically test the functionality and quality of the soldered integrated components. For this problem an industry group, the Joint Test Action Group (JTAG), developed a test technology called boundary scan.
Despite the standardization, there are four tasks to complete before the JTAG device interface can be used to recover the memory. To find the correct bits in the boundary scan register, one must know which processor and memory circuits are used and how they are connected to the system bus. When the interface is not accessible from outside, one must find the test points for the JTAG interface on the printed circuit board and determine which test point is used for which signal; the JTAG port is not always fitted with connectors, so it is sometimes necessary to open the device and solder on an access port. The protocol for reading the memory must be known, and finally the correct voltage must be determined to prevent damage to the circuit.
The boundary scan produces a complete forensic image of the volatile and non-volatile memory. The risk of data change is minimized and the memory chip does not have to be desoldered. Generating the image can be slow, and not all mobile devices are JTAG enabled. Also, it can be difficult to find the test access port.