Mobile device forensics

Mobile devices can be used to save several types of personal information such as contacts, photos, calendars and notes, SMS and MMS messages.

With the increased availability of such devices on the consumer market and the wider array of communication platforms they support (e.g. email, web browsing) demand for forensic examination grew.

[4] However, this proved to be a time-consuming process, and as the number of mobile devices began to increase, investigators called for more efficient means of extracting data.

[5] Some forensic examiners found that they could retrieve even deleted data using "flasher" or "twister" boxes, tools developed by OEMs to "flash" a phone's memory for debugging or updating.

However, flasher boxes are invasive and can change data; can be complicated to use; and, because they are not developed as forensic tools, perform neither hash verifications nor (in most cases) audit trails.

To meet these demands, commercial tools appeared which allowed examiners to recover phone memory with minimal disruption and analyze it separately.

[4] Over time these commercial techniques have developed further and the recovery of deleted data from proprietary mobile devices has become possible with some specialist tools.

To reduce the risk of evidence being lost, law enforcement agents must submit a preservation letter to the carrier, which they then must back up with a search warrant.

Mobiles will often be recovered switched on; as the aim of seizure is to preserve evidence, the device will often be transported in the same state to avoid a shutdown, which would change files.

[2] It is to note that while this technique can prevent triggering a remote wipe (or tampering) of the device, it doesn't do anything against a local Dead man's switch.

The mobile device would recognize the network disconnection and therefore it would change its status information that can trigger the memory manager to write data.

[11] Most acquisition tools for mobile devices are commercial in nature and consist of a hardware and software component, often automated.

AccessData, Sleuthkit, ESI Analyst and EnCase, to mention only some, are forensic software products to analyze memory images.

This method has an advantage in that the operating system makes it unnecessary to use specialized tools or equipment to transform raw data into human interpretable information.

Logical extraction acquires information from the device using the original equipment manufacturer application programming interface for synchronizing the phone's contents with a personal computer.

In such cases, if the device allows file system access through its synchronization interface, it is possible to recover deleted information.

This technique uses trial and error in an attempt to create the correct combination of password or PIN to authenticate access to the mobile device.

Despite the process taking an extensive amount of time, it is still one of the best methods to employ if the forensic professional is unable to obtain the passcode.

With current available software and hardware it has become quite easy to break the encryption on a mobile device's password file to obtain the passcode.

Early investigations consisted of live manual analysis of mobile devices; with examiners photographing or writing down useful material for use as evidence.

Without forensic photography equipment such as Fernico ZRT, EDEC Eclipse, or Project-a-Phone, this had the disadvantage of risking the modification of the device content, as well as leaving many parts of the proprietary operating system inaccessible.

The hardware includes a number of cables to connect the mobile device to the acquisition machine; the software exists to extract the evidence and, occasionally, even to analyze it.

Such mobile forensic tools are often ruggedized for harsh environments (e.g. the battlefield) and rough treatment (e.g. being dropped or submerged in water).

[24] Generally, because it is impossible for any one tool to capture all evidence from all mobile devices, mobile forensic professionals recommend that examiners establish entire toolkits consisting of a mix of commercial, open source, broad support, and narrow support forensic tools, together with accessories such as battery chargers, Faraday bags or other signal disruption equipment, and so forth.

Some tools have additionally been developed to address increasing criminal usage of phones manufactured with Chinese chipsets, which include MediaTek (MTK), Spreadtrum and MStar.

This method contains the potential danger of total data destruction: it is possible to destroy the chip and its content because of the heat required during desoldering.

The BGA technique bonds the chips directly onto the PCB through molten solder balls, such that it is no longer possible to attach probes.

The miniaturizing of device parts opens the question how to automatically test the functionality and quality of the soldered integrated components.

To find the correct bits in the boundary scan register one must know which processor and memory circuits are used and how they are connected to the system bus.

[11] For external memory and the USB flash drive, appropriate software, e.g., the Unix command dd, is needed to make the bit-level copy.

A forensic expert examining a mobile device that was seized during an investigation
iPhone in an RF shield bag
RTL Aceso, a mobile device acquisition unit
A ball-grid array component displaying the "popcorn effect"
Moisture in this circuit board turned to steam when it was subjected to intense heat. This produces the so-called "popcorn effect."