Mobile Forensic Investigation Process

[Edelmar Easley]

Mobileforensics is the process of recovering digital evidence from mobile devices using accepted methods. Unlike traditional digital forensics processes, mobile forensics solely focuses on retrieving information from mobile devices such as smartphones, androids, and tablets. Mobile devices contain an abundance of information from text messages and web search history to location data, so they can be extremely useful for an investigation by law enforcement.

Forensic investigators must track activities across multiple devices to get the full picture of events. For example, a hacker may have used a vulnerable device to gain access to the network and spread it across other, more sensitive devices. Investigators must know how all these devices work and interconnect to be able to accurately assess the course of events.

The mobile forensics process begins with the seizure of the devices in question. Like any other evidence in a forensic investigation, the devices must be handled with great care to preserve evidence and prevent mishandling.

The LIFARS team has conducted a large number of high-profile matters in civil and criminal proceedings, including analysis of advanced malware engineered by sophisticated state-sponsored attackers. Our digital forensics experts have played a key role in a wide range of criminal cases involving a digital element, including organized cybercrime, online money laundering schemes, cyberstalking, data breach litigation, digital extortion, ransomware hacking incidents, DDoS attacks, and more.

Mobile devices are right in the middle of three booming technological trends: Internet of Things, Cloud Computing, and Big Data. The proliferation of mobile technology is perhaps the main reason, or at least one of the main reasons, for these trends to occur in the first place. In 2015, 377.9 million wireless subscriber connections of smartphones, tablets, and feature phones occurred in the United States.

Nowadays, mobile device use is as pervasive as it is helpful, especially in the context of digital forensics, because these small-sized machines amass huge quantities of data on a daily basis, which can be extracted to facilitate the investigation. Being something like a digital extension of ourselves, these machines allow digital forensic investigators to glean a lot of information.

The mobile forensics process aims to recover digital evidence or relevant data from a mobile device in a way that will preserve the evidence in a forensically sound condition. To achieve that, the mobile forensic process needs to set out precise rules that will seize, isolate, transport, store for analysis and proof digital evidence safely originating from mobile devices.

Usually, the mobile forensics process is similar to the ones in other branches of digital forensics. Nevertheless, one should know that the mobile forensics process has its own particularities that need to be considered. Following correct methodology and guidelines is a vital precondition for the examination of mobile devices to yield good results.

Digital forensics operates on the principle that evidence should always be adequately preserved, processed, and admissible in a court of law. Some legal considerations go hand in hand with the confiscation of mobile devices.

Mobile devices are often seized switched on; and since the purpose of their confiscation is to preserve evidence, the best way to transport them is to attempt to keep them turned on to avoid a shutdown, which would inevitably alter files.

A Faraday box/bag and external power supply are common types of equipment for conducting mobile forensics. While the former is a container specifically designed to isolate mobile devices from network communications and, at the same time, help with the safe transportation of evidence to the laboratory, the latter, is a power source embedded inside the Faraday box/bag. Before putting the phone in the Faraday bag, disconnect it from the network, disable all network connections (Wi-Fi, GPS, Hotspots, etc.), and activate the flight mode to protect the integrity of the evidence.

Last but not least, investigators should beware of mobile devices being connected to unknown incendiary devices, as well as any other booby trap set up to cause bodily harm or death to anyone at the crime scene.

The goal of this phase is to retrieve data from the mobile device. A locked screen can be unlocked with the right PIN, password, pattern, or biometrics (Note that biometric approaches while convenient are not always protected by the fifth amendment of the U.S. Constitution). According to a ruling by the Virginia Circuit Court, passcodes are protected, fingerprints not. Also, similar lock measures may exist on apps, images, SMSs, or messengers. Encryption, on the other hand, provides security on a software and/or hardware level that is often impossible to circumvent.

After one identifies the data sources, the next step is to collect the information properly. There are certain unique challenges concerning gathering information in the context of mobile technology. Many mobile devices cannot be collected by creating an image and instead they may have to undergo a process called acquisition of data. Thera are various protocols for collecting data from mobile devices as certain design specifications may only allow one type of acquisition.

The examiner may need to use numerous forensic tools to acquire and analyze data residing in the machine. Due to the sheer diversity of mobile devices, there is no one-size-fits-all solution regarding mobile forensic tools. Consequently, it is advisable to use more than one tool for examination. AccessData, Sleuthkit, and EnCase are some popular forensic software products that have analytic capabilities. The most appropriate tool(s) is being chosen depending on the type and model of mobile device.

All of the information, evidence, and other findings extracted, analyzed, and documented throughout the investigation should be presented to any other forensic examiner or a court in a clear, concise, and complete manner.

Quick Question: What procedure could the McLennan County law enforcement have used immediately at the crime scene to reduce the large backlogs of digital forensics casework at the outset (provided that they had the experts to carry out that procedure)?

Non-invasive methods can deal with other tasks, such as unlocking the SIM lock or/and the operator lock, the operating system update, IMEI number modification, etc. These techniques are virtually inapplicable in cases where the device has sustained severe physical damage. Types of non-invasive mobile forensic methods:

This approach involves instituting a connection between the mobile device and the forensic workstation using a USB cable, Bluetooth, Infrared or RJ-45 cable. Following the connecting part, the computer sends command requests to the device, and the device sends back data from its memory. The majority of forensic tools support logical extraction, and the process itself requires short-term training. On the downside, however, this technique may add data to the mobile device and may alter the integrity of the evidence. Also, deleted data is rarely accessible.

JTAG is a non-invasive form of physical acquisition that could extract data from a mobile device even when data was difficult to access through software avenues because the device is damaged, locked or encrypted. The device, however, must be at least partially functional (minor damages would not hinder this method).

Typically, they are longer and more complex. In cases where the device is entirely non-functional due to some severe damage, it is very likely the only way to retrieve data from the device might be to manually remove and image the flash memory chips of the device. Even if the device or item is in good condition, circumstances may require the forensic expert to acquire the chip's contents physically.

This method refers to manually taking an all-around view through the lenses of an electron microscope and analyzing data seen on the memory chip, more specifically the physical gates on the chip. In a nutshell, micro read is a method that demands utmost level of expertise, it is costly and time-consuming, and is reserved for serious national security crises.

Our organization deals with cases related to mobile-forensics like data extraction from mobile devices, memory cards and cloud data for the personal purpose or legal purposes pertaining to judiciary or police etc. our forensic organization also provides training in the field of mobile forensics using digital forensic UFED tool. Our Mobile-forensics expert appears in the courts as an expert witness for forensic report demonstration by testimony and cross-examination. The mobile-forensics services are available all across the states of India especially in the metropolitan cities like Delhi NCR, Mumbai, Kolkata, Bangalore etc.

Mobile device forensics, also known as mobile forensics, is a subfield of digital forensics that involves extracting information from a mobile device (such as smartphones and tablets) in a forensically sound manner. The information obtained via mobile device forensics may include deleted files, application data, GPS data, call logs, text messages, and photographs and videos.

Like other domains of forensics, mobile device forensics is commonly used to recover evidence in connection with a criminal investigation. As such, mobile device forensic investigators must take care to retrieve and analyze data that is legally admissible as evidence.

Therefore, mobile device forensic analysts must be intimately familiar with mobile devices and their operating systems and file systems. They should also have experience with various software and hardware tools for extracting data from mobile devices. Finally, mobile device forensic analysts should have strong problem-solving and critical thinking skills and knowledge of the legal issues surrounding collecting data from mobile devices.

3a8082e126