- Practical Mobile Forensics
- Rohit Tamma, Oleg Skulkin, Heather Mahalik, Satish Bommisetty
- 2021-06-24 16:38:56
Understanding mobile forensics
Digital forensics is a branch of forensic science focusing on the recovery and investigation of raw data residing in electronic or digital devices. The goal of the process is to extract and recover any information from a digital device without altering the data present on the device. Over the years, digital forensics has grown along with the rapid growth of computers and various other digital devices. There are various branches of digital forensics based on the type of digital device involved, such as computer forensics, network forensics, and mobile forensics.
Mobile forensics is a branch of digital forensics that deals with the acquisition and recovery of evidence from mobile devices. Forensically sound is a term used extensively in the digital forensics community to qualify and justify the use of a particular forensic technology or methodology. One of the core principles that drive sound forensic examination is that the original evidence must not be altered in any form. This is extremely difficult with mobile devices. Some forensic tools require a communication vector with the mobile device, and thus standard write protection will not work during forensic acquisition.
Other forensic acquisition methods may involve detaching a chip or installing a custom bootloader on the mobile device prior to extracting data for forensic examination. In cases where examination or data acquisition is not possible without changing the configuration of the device, the procedure and the changes must be carefully tested and documented for later reference. Following proper methodology and guidelines is crucial in examining mobile devices as doing so yields the most valuable data. As with any evidence gathering, not following the proper procedure during the examination can result in loss or damage of evidence or render it inadmissible in court.
The mobile forensics process is broken down into three main categories: seizure, acquisition, and examination/analysis. Forensic examiners face some challenges while seizing the mobile device as a source of evidence. At the crime scene, if the mobile device is found switched off, you as the examiner should place the device in a Faraday bag to prevent changes should the device automatically power on. Faraday bags are specifically designed to isolate a phone from a network.
If the phone is found switched on, switching it off raises several concerns. If the phone is locked by a PIN or password, or encrypted, you will be required to bypass the lock or determine the PIN to access the device. Mobile phones are networked devices and can send and receive data through different sources, such as telecommunication systems, Wi-Fi access points, and Bluetooth. So, if the phone is in a running state, a criminal could securely erase the data stored on the phone by executing a remote wipe command. When a phone is switched on, it should be placed in a Faraday bag. If possible, prior to placing a mobile device in a Faraday bag, you should disconnect it from the network to protect the evidence by enabling flight mode and disabling all network connections (Wi-Fi, GPS, hotspots, and so on). This will also preserve the battery, which drains while the phone is in a Faraday bag, and protect the evidence against any leaks in the Faraday bag. Once the mobile device is seized properly, the examiner may need several forensic tools to acquire and analyze the data stored on the phone.
Mobile device forensic acquisition can be performed using multiple methods, which will be defined later. Each of these methods affects the amount of analysis required, which will be discussed in greater detail in the upcoming chapters. Should one method fail, another must be attempted. Multiple attempts and tools may be necessary in order to acquire the maximum amount of data from the mobile device.
Mobile phones are dynamic systems that present many challenges for examiners extracting and analyzing digital evidence. The rapid increase in the number of different kinds of mobile phones from different manufacturers makes it difficult to develop a single process or tool to examine all types of devices. Mobile phones are continuously evolving as existing technologies progress and new technologies are introduced. Furthermore, mobile phones run a variety of embedded operating systems. Hence, special knowledge and skills are required from forensic experts to acquire and analyze these devices.