
Challenges of acquiring mobile devices while minimizing the loss of usable forensics data

Herrera, Lazaro A
Computer Science
Nova Southeastern University
Miami, FL
[email protected]

Abstract—The move from computers to mobile devices has placed forensic professionals in a tough spot when performing analysis of seized hardware. Forensics specialists must contend with hardware that is designed to be secure because it is highly mobile, that is capable of receiving commands from a suspect after it has been seized (including commands capable of destroying evidence remotely), with the obsolescence of certain forensic methods such as deleted file recovery from block storage, and with having to purchase expensive software and hardware packages to extract any usable data.

Keywords—forensics, mobile forensics, challenges

I. INTRODUCTION
Capturing mobile devices for forensic examination is complicated. Starting with seizure, changes must inherently be made to the underlying hardware to keep it safe for forensics (storing phones in Faraday cages, putting phones in airplane mode, connecting them to power to keep them from dying). Newer methods of authentication such as face recognition or fingerprint scanning complicate the issue and may inadvertently be triggered by an examiner while seizing the physical hardware, which creates a log of actions that modify the underlying evidence. If a device was left unlocked by its user, removing a PIN code or password causes certain data to be removed, so forensic examiners may need to keep a device unlocked for an extended period of time. Additional actions to capture data, such as jailbreaking or installing applications (such as AFLogical OSE for Android), can modify the data contained within a device, compromising the evidence extracted from it. These challenges have been mostly solved for existing devices such as desktops, laptops and flash drives, but are unique to newer generation mobile devices. Mobile devices offer a unique challenge when acquiring data. As standalone devices, mobile devices are self managed and are not as easy to image as a standard computer or a storage medium such as a hard drive, flash drive or multimedia card. Extracting data from a mobile device is colloquially referred to as 'acquiring' a device.

II. PRIMER ON ACQUISITIONS
The main types of acquisition are: manual, logical, file system, physical, brute force, chip-based, and cloud.

A. Manual acquisitions
The simplest of acquisitions, manual acquisition tasks the forensic investigator or specialist with examining a suspect's device directly [1]. Pictures are taken of the screen and of the contents of any apps containing evidentiary value (emails, photos, text messages, and so forth). Manual acquisitions are rare due to the prevalence of security on mobile devices (PIN, password, fingerprint) but may end up being required if an examiner lacks the tooling for a specific device, such as an older phone, or when performing car forensics.

B. Logical acquisitions
Logical acquisitions utilize a mobile device's ability to generate backups and extract any data the device is able to access within its storage system [2]. Both Android and iOS support backups, and these can be extracted and analyzed, sometimes even if the device is locked, provided the device has previously been connected to a computer that was also seized.

C. File system acquisitions
File system acquisitions are used to 'deep dive into the file structure, Internet usage or look deep into the applications that are being used on the device' [3] through access to the files and hidden files on the device. These usually require more advanced tools, like the Cellebrite UFED used in the referenced document, and require more knowledge to operate along with additional software to interpret any output.

D. Physical acquisitions
Physical acquisitions enable 'extracting data by copying the total file system' [1] off of a mobile device. These are the closest to an image of a block device such as a hard drive; they may require specialized hardware and software to extract, but the result can be analyzed using any standard suite for analyzing a disk image from a computer.
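The backup-based logical acquisition of section II.B, worked through for Android as an added example (this code is not from the paper): `adb backup` only runs against an unlocked device that confirms the backup on screen, and it writes an .ab container whose first four text lines are the magic string, a format version, a compression flag and the encryption mode ("none" or "AES-256"), followed by a zlib-compressed tar stream of apps/<package>/... entries. The parser below reads that header, refuses an encrypted file (whose tar stream is unreadable without the backup password) and lists the entries of an unencrypted one. The package name, file contents and the placeholder header fields of the encrypted sample are constructed for this example.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"

# Constructed sample content in the layout `adb backup` produces: apps/<package>/_manifest,
# then db/, sp/ and f/ subtrees under the package. Package name and bytes are placeholders.
SAMPLE_FILES = {
    "apps/com.example.notes/_manifest": b"1\ncom.example.notes\n1\n",
    "apps/com.example.notes/db/notes.db": b"SQLite format 3\x00" + b"\x00" * 32,
    "apps/com.example.notes/sp/prefs.xml": b'<map><string name="last_user">alice</string></map>',
}


def build_sample_backup(encrypted: bool = False) -> bytes:
    """Wrap an in-memory tar of SAMPLE_FILES in an .ab container (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in SAMPLE_FILES.items():
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    header = MAGIC + b"5\n1\n"  # format version 5, payload zlib-compressed
    if encrypted:
        # A real encrypted file follows "AES-256" with user salt, checksum salt, PBKDF2 rounds,
        # IV and the wrapped master key, then AES-256-CBC ciphertext. Placeholders here; the
        # parser must stop before touching them.
        return header + b"AES-256\n" + b"00\n00\n10000\n00\n00\n" + b"\x00" * 64
    return header + b"none\n" + zlib.compress(buf.getvalue())


def read_header(data: bytes):
    """Split off the text header of an .ab file: (version, compressed, encryption, payload)."""
    if not data.startswith(MAGIC):
        raise ValueError("missing 'ANDROID BACKUP' magic; not an adb backup file")
    rest = data[len(MAGIC):]
    fields = []
    for _ in range(3):  # version line, compression flag line, encryption line
        line, rest = rest.split(b"\n", 1)
        fields.append(line.decode("ascii"))
    version, compressed, encryption = fields
    return int(version), compressed == "1", encryption, rest


def parse_android_backup(data: bytes) -> dict:
    """Return {tar entry name: bytes} for an unencrypted backup; refuse an encrypted one."""
    _version, compressed, encryption, payload = read_header(data)
    if encryption != "none":
        raise ValueError(f"backup is {encryption} encrypted; tar stream unreadable without the backup password")
    if compressed:
        payload = zlib.decompress(payload)
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isfile():
                entries[member.name] = tar.extractfile(member).read()
    return entries


def triage_android_backup(data: bytes) -> dict:
    """What an examiner wants first: version, encryption state and which entries are readable now."""
    version, compressed, encryption, _payload = read_header(data)
    summary = {"version": version, "compressed": compressed, "encryption": encryption, "entries": {}}
    if encryption == "none":
        summary["entries"] = {name: len(body) for name, body in parse_android_backup(data).items()}
    return summary


if __name__ == "__main__":
    for label, blob in (("plain", build_sample_backup()), ("encrypted", build_sample_backup(encrypted=True))):
        print(label, triage_android_backup(blob))
```

The header is the only part of the file an examiner can read without the password, so the triage records it before anything else; note also that newer Android releases restrict which application data `adb backup` will include at all, so an empty or short entry list is not by itself evidence of tampering.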

978-1-7281-6939-2/20/$31.00 ©2020 IEEE

Authorized licensed use limited to: University of New Brunswick. Downloaded on November 20,2022 at 23:57:03 UTC from IEEE Xplore. Restrictions apply.
Fig 1. Extractions and expected data [32]

E. Brute force acquisitions
Brute force acquisitions directly attack a password or PIN code on a device [4], attempting to bypass the built-in security. Advances in security are usually met by advances in new tools and require an advanced amount of knowledge.

F. Chip-based acquisitions
JTAG and Chip-off acquisitions attach directly to the debug headers on a mobile device (for JTAG) or remove the chips from the mobile device board and analyze them directly (for Chip-off) in order to bypass any hardware protection and read the underlying memory [5,22].

Fig 2. JTAG Setup for Mobile Device [33]

G. Cloud acquisitions
Cloud acquisitions look into extracting data from the cloud a device may be connected to or backed up to [6]. Both Android and iOS have their respective clouds for backups, and an easy way to retrieve data is to merely restore a backup from Google Drive or iCloud respectively and examine the data that was recovered.

Fig 3. Cloud Extraction via Oxygen Forensics® [34]

III. ISSUES AROUND UNLOCKING HARDWARE
A. Looking at a device or touching the device
Mobile devices in the 21st century support advanced biometric unlock schemes, with higher end devices supporting face unlocking technology [7] or having such support become standard in the coming months [8]. Accidentally looking at a device, or attempting to point the device at a suspect to force an unlock, can cost a forensic specialist one chance at unlocking the device.
Mobile devices in the 21st century come equipped with fingerprint scanners, starting at budget devices (a BLU Studio device at $64.99 comes equipped with a back mounted fingerprint scanner, as an example) and heading into flagship devices with ultrasonic under-screen fingerprint scanners [9] or scanners under existing buttons [10] that were previously considered safe to press. Accidentally pressing a finger against one of these fingerprint scanners can cost a forensic specialist one chance at unlocking the device.
Forensics suites relying on biometric bypasses, or even compelling a suspect (legally, or through social engineering) to unlock the device, rely on forensics specialists retrieving devices without losing too many of those attempts at unlocking.
Use of some sort of material (duct tape is a commonly cited one) to cover any possible fingerprint readers or front facing cameras (placing duct tape facing upwards and placing a phone's camera on the tape) is recommended, but knowledge of this issue's forensic implications is far more important than the countermeasures.

Fig 2. Duct tape setup for blocking face recognition

B. Keeping devices powered on
Mobile devices and how they can be managed for forensics should be something that each forensics specialist spends a large portion of their time looking into. Unlike with existing devices such as computers and storage media, common sense may lead a forensics expert into shutting off devices [11] and depriving themselves of access to evidence from those devices.
The most common mobile devices (Android and iPhone) implement different types of security based on their current state. On iOS-based devices, shutting off the device will switch it from AFU (After First Unlock) into BFU (Before First Unlock), which reduces the amount of data that can be forensically retrieved from the full file system down to just a partial keychain [12]. On Android-based devices, shutting off the device with 'require PIN to start device' (secure startup) enabled leaves the user data partition encrypted until the PIN is entered at boot, so low level acquisitions of the powered-off device yield only encrypted data [13] for most devices.
Keeping devices alive by connecting them to a power outlet or using a portable battery power bank is the preferred method of maintaining or transporting mobile devices while powered for analysis.

C. Isolating hardware from networks
Mobile devices have the inherent capability of securely deleting all data in case of theft or loss [14,15]. This capability makes users of mobile devices safer and supports their privacy, but criminals also use mobile devices, so these features make mobile device capture more complex. Existing forensics of computers and storage media have no such constraints (since those devices will generally not require such strict measures), so ongoing education is required.
As a forensics specialist, it might seem like common sense to just remove the SIM card from the device [11], as recommended by the first responder guides. On newer iOS devices (iOS 11, 12, and 13) this will immediately disable all biometrics, cause USB Restricted Mode to be enabled (more on this later), and lock the device [16]. As explored in the previous section, this could cause valuable methods of evidence retrieval to be outright lost (fingerprint, face unlock) and make it difficult to retrieve data, as USB Restricted Mode would be enabled.
Common guides for evidence seizure [11] still recommend that a device be placed in airplane mode, but modern mobile operating systems require unlocking for airplane mode to be added to the quick settings menu (in the case of Android [17]) or can be configured to require unlocking (in the case of iOS [18]). There is no risk in trying to enable airplane mode on older devices, but it is not a guaranteed solution to the problem of isolating these mobile devices from wireless networks. As an additional word of caution, even if airplane mode is on, iOS devices will not always turn off Bluetooth in airplane mode [19], and both Android and iOS will allow radios (Wi-Fi and Bluetooth) to be enabled even while in airplane mode [19,20], so accidental activation can still occur by the person collecting the device or the person examining the device in a lab.
Faraday bags or lockboxes can be used to isolate devices from networks before transport (and are usually large enough to allow for adding a power bank per the previous section). In an emergency, enterprising individuals have been known to use empty metal paint cans or arson cans as makeshift Faraday cages [21], although not a lot of research has been performed on these methods and there is no guarantee of success.
Fig 4. Metal arson cans for isolating mobile devices

IV. ISSUES AROUND EXTRACTING INFORMATION
A. JTAG and Chip-off vs encryption
JTAG and Chip-off techniques have been used for years [22] as the common ways to bypass any hardware features available in mobile devices. Recent advances in encryption in iOS and Android have made these methods highly unsuccessful against more modern devices [23], but they can be a successful way to extract physical data from an older device that is not supported by a forensic specialist's tools.

B. Issues connecting to a computer
On modern iOS devices, USB Restricted Mode has gone through multiple iterations but will generally 'cut off USB data after one hour' [24], and can 'disable all USB connections immediately if it has been longer than 3 days' [25] (the original beta release was slated to be seven days [26]) without the device being unlocked. This makes any operation to unlock the device extremely limited in scope unless an examiner sets the device to accept "USB Accessories" in Settings, which itself requires the device to be unlocked.
On modern Android devices, USB debugging can be used to perform privileged actions [27]. Many common forensic suites use the Android Debug Bridge (ADB) in order to perform extractions against mobile devices, but recent advances in security have made using ADB dependent on having an unlocked device [28], unless extractions are performed from a computer that Android has already accepted as a debug host, such as a seized computer.

C. Software syncing
One of the most common ways of retrieving data from both Android and iOS devices that is accessible to most forensics specialists is analysis of exported backups [29]. However, this path has some issues [16,30]: device syncing can cause data on the device to be appended to or deleted. Properly set up workstations on Windows or Mac can be configured to never sync data to a device, but lack of knowledge is the enemy in this instance.

V. ISSUES AROUND UNLOCKED DEVICES
A. Removing a PIN code or a backup password
In a hypothetical scenario where a device was found unlocked or a user willingly unlocked a device, common sense might lead a forensic specialist to try to remove the backup password (or the device's PIN code) before performing a logical acquisition. On modern iOS, removing the backup password resets the iPhone passcode as well, leading to a total loss of 'the saved Wi-Fi passwords, Apple Pay transaction history, downloaded Exchange mail and some other data' [16] as well as 'access to end-to-end encrypted data in iCloud including the iCloud keychain, synced messages, Health data' [16]. There is no limit to the number of backups that can be taken from an iOS device, so there is no downside to taking both a password protected and a non-password protected backup in case the password is found later. A password protected backup can also be restored to another device if the password is found later on, giving more options when dealing with locked devices [31].

FUTURE WORK
Future work into validating some of the countermeasures (duct tape, Faraday cages) can be used to show how much can be gained by being prepared when capturing devices on the scene and how to best allocate a limited budget to maintain a minimum kit of hardware. Additional work can be done to make awareness of these issues more prevalent within the forensics industry.

CONCLUSION
In this paper, some common types of extraction of data from mobile devices were defined, as well as some common pitfalls that can limit the amount of evidentiary data that can be retrieved from a device. The issues keeping mobile devices from being easy to examine forensically start beyond the walls of a forensics lab, as compared to other methods. Privacy protecting and user assistance features on the scene can become potential land mines for forensics specialists to trip and cause additional strain on limited resources.

ACKNOWLEDGMENT
I would like to acknowledge Dr. James Kiper for continuously encouraging me to take on research into fringe and underserved topics within the field of computer forensics.
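Whether a seized computer is one that Android "has already accepted as a debug device", as section IV.B puts it, can be checked without connecting anything: the phone keeps the public keys it has authorized in /data/misc/adb/adb_keys, the workstation keeps its key pair in ~/.android/adbkey and adbkey.pub, and Android identifies a key by the MD5 of the base64-decoded key blob printed as upper-case hex pairs with colons (the fingerprint shown in the 'Allow USB debugging?' dialog). The following is an added example written for this page, not code from the paper: it computes that fingerprint and matches seized host keys against the device's list. The key blobs, host names and exhibit labels are constructed placeholders, not real RSA keys.

```python
import base64
import hashlib


def adb_key_fingerprint(key_line: str) -> str:
    """MD5 over the base64-decoded key blob as upper-case hex pairs joined by ':', the form
    Android shows in its 'Allow USB debugging?' dialog for the connecting host's key."""
    blob = base64.b64decode(key_line.split()[0])
    return ":".join(f"{byte:02X}" for byte in hashlib.md5(blob).digest())


def parse_adb_keys(text: str) -> dict:
    """Parse the one-key-per-line format shared by ~/.android/adbkey.pub on a host and
    /data/misc/adb/adb_keys on the device: fingerprint -> trailing 'user@host' comment."""
    trusted = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        trusted[adb_key_fingerprint(line)] = parts[1] if len(parts) > 1 else ""
    return trusted


def match_seized_hosts(device_adb_keys: str, host_pubkeys: dict) -> dict:
    """For each seized workstation (label -> its adbkey.pub contents) report whether the
    phone already trusts that key, i.e. whether ADB would work from it without a new prompt."""
    trusted = parse_adb_keys(device_adb_keys)
    report = {}
    for label, pubkey in host_pubkeys.items():
        fingerprint = adb_key_fingerprint(pubkey)
        report[label] = {
            "fingerprint": fingerprint,
            "trusted": fingerprint in trusted,
            "device_comment": trusted.get(fingerprint),
        }
    return report


def make_placeholder_key(seed: bytes, comment: str) -> str:
    """Constructed stand-in for adbkey.pub: a real file holds a 524-byte RSAPublicKey
    structure; this is deterministic filler of the same length, not a usable RSA key."""
    blob = (hashlib.sha256(seed).digest() * 16)[:512] + b"\x00" * 12
    return base64.b64encode(blob).decode("ascii") + " " + comment


# Constructed /data/misc/adb/adb_keys contents and seized-host adbkey.pub files.
DEVICE_ADB_KEYS = "\n".join([
    make_placeholder_key(b"workstation-A", "alice@lab-desktop"),
    make_placeholder_key(b"workstation-B", "bob@laptop"),
]) + "\n"

SEIZED_HOSTS = {
    "EXH-07 desktop": make_placeholder_key(b"workstation-A", "alice@lab-desktop"),
    "EXH-12 laptop": make_placeholder_key(b"unrelated-host", "carol@other"),
}


if __name__ == "__main__":
    for label, result in match_seized_hosts(DEVICE_ADB_KEYS, SEIZED_HOSTS).items():
        print(label, result)
```

The match is made on the key blob alone; the 'user@host' comment is informational and may differ between the two copies. adb_keys can only be read from a file system or physical extraction of the phone, so this check answers which seized computer to try first, not whether access is possible; the handshake itself needs the host's private key (~/.android/adbkey) still present on that machine, which is an argument for imaging a suspect's workstation rather than only copying its public key.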
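The iOS backup handling in sections II.B and V.A can be turned into a quick triage step. An iTunes/Finder style backup ships a Manifest.plist whose IsEncrypted key says whether a backup password applies, and a Manifest.db SQLite database whose Files table maps each (domain, relativePath) pair to the fileID under which the file is stored; that fileID is the SHA-1 of domain + '-' + relativePath, and since iOS 10 the file lives in a subdirectory named after the fileID's first two hex characters. The example below is added here and is not part of the paper: it reads both manifests, locates a few evidentiary databases and confirms their fileIDs recompute correctly. The Manifest.plist and Manifest.db contents are constructed in memory (the Files schema matches a real Manifest.db; the rows, device name and version strings are placeholders).

```python
import hashlib
import plistlib
import sqlite3

# Evidentiary databases an examiner reaches for first, as the (domain, relativePath) pairs
# the backup hashes to name the stored file. CallHistory.storedata is the iOS 8+ location.
EVIDENCE = {
    "sms": ("HomeDomain", "Library/SMS/sms.db"),
    "contacts": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "call_history": ("HomeDomain", "Library/CallHistoryDB/CallHistory.storedata"),
}


def backup_file_id(domain: str, relative_path: str) -> str:
    """iOS names each stored file SHA-1(domain + '-' + relativePath), hex encoded."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def backup_file_location(file_id: str) -> str:
    """Since iOS 10 the file sits under a subdirectory named after its first two hex digits."""
    return f"{file_id[:2]}/{file_id}"


def manifest_summary(manifest_plist: bytes) -> dict:
    """Read the keys in Manifest.plist that decide how the rest of the backup can be handled."""
    manifest = plistlib.loads(manifest_plist)
    return {
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "ios_version": manifest.get("Lockdown", {}).get("ProductVersion"),
        "backup_version": manifest.get("Version"),
    }


def locate_evidence(manifest_db: sqlite3.Connection) -> dict:
    """Resolve each EVIDENCE entry through Manifest.db's Files table to its on-disk location."""
    found = {}
    for label, (domain, rel) in EVIDENCE.items():
        row = manifest_db.execute(
            "SELECT fileID, flags FROM Files WHERE domain = ? AND relativePath = ?", (domain, rel)
        ).fetchone()
        if row is None:
            continue
        file_id, flags = row
        found[label] = {
            "file_id": file_id,
            "path": backup_file_location(file_id),
            "is_file": flags == 1,
            # A manifest whose fileID does not recompute has been edited or mis-copied.
            "hash_matches": file_id == backup_file_id(domain, rel),
        }
    return found


def triage_ios_backup(manifest_plist: bytes, manifest_db: sqlite3.Connection) -> dict:
    """Encryption state, OS version, and which evidence files are present and where."""
    summary = manifest_summary(manifest_plist)
    summary["found"] = locate_evidence(manifest_db)
    summary["missing"] = sorted(set(EVIDENCE) - set(summary["found"]))
    return summary


def build_sample_manifest_db(include=("sms", "contacts")) -> sqlite3.Connection:
    """Constructed Manifest.db: the iOS 10+ Files schema with placeholder rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, relativePath TEXT, flags INTEGER, file BLOB)"
    )
    for label in include:
        domain, rel = EVIDENCE[label]
        db.execute("INSERT INTO Files VALUES (?, ?, ?, 1, NULL)", (backup_file_id(domain, rel), domain, rel))
    db.commit()
    return db


def build_sample_manifest_plist(encrypted: bool) -> bytes:
    """Constructed Manifest.plist carrying only the keys this triage reads."""
    return plistlib.dumps({
        "IsEncrypted": encrypted,
        "Version": "10.0",
        "Lockdown": {"ProductVersion": "13.3", "DeviceName": "evidence iPhone"},
    })


if __name__ == "__main__":
    print(triage_ios_backup(build_sample_manifest_plist(encrypted=True), build_sample_manifest_db()))
```

In an encrypted backup, Manifest.db is itself stored encrypted and has to be decrypted with the backup password (through the keybag carried in Manifest.plist) before the lookup above can run, which is one concrete reason to take an unencrypted backup alongside the password protected one while the device is still unlocked, as section V.A recommends.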

REFERENCES
[1] E. Casey, Handbook of Computer Crime Investigation: Forensic Tools and Technology. Amsterdam: Academic, 2003.
[2] S. K. Reddy Mallidi and P. Palli, "A Comprehensive Analysis of Smartphone Forensics & Data Acquisitions," International Journal of Advanced Research in Computer Science and Software Engineering, vol. 6, no. 2, pp. 270–276, Feb. 2016.
[3] "Quick Look - Cellebrite UFED Using Extract Phone Data & File System Dump," SANS Digital Forensics and Incident Response Blog, SANS Institute, 22-Sep-2010. [Online]. Available: https://www.sans.org/blog/quick-look-cellebrite-ufed-using-extract-phone-data-file-system-dump/. [Accessed: 23-Feb-2020].
[4] S. Bommisetty, R. Tamma, and H. Mahalik, Practical Mobile Forensics: Dive into Mobile Forensics on iOS, Android, Windows, and BlackBerry Devices with This Action-Packed, Practical Guide. Packt Publishing Limited, 2014.
[5] A. N. Yakovlev and A. S. Danilova, "JTAG and Chip-Off Technologies in Computer Forensics," Theory and Practice of Forensic Science, vol. 13, no. 3, pp. 109–115, 2018.
[6] M. Faheem, N.-A. Le-Khac, and T. Kechadi, "Toward a new mobile cloud forensic framework," 2016 Sixth International Conference on Innovative Computing Technology (INTECH), 2016.
[7] "About Face ID advanced technology," Apple Support, 26-Feb-2020. [Online]. Available: https://support.apple.com/en-us/HT208108. [Accessed: 27-Feb-2020].
[8] "Turning it up to 11: the first Developer Preview of Android 11," Android Developers Blog, 19-Feb-2020. [Online]. Available: https://android-developers.googleblog.com/2020/02/Android-11-developer-preview.html. [Accessed: 29-Feb-2020].
[9] "What is the Ultrasonic Fingerprint scanner on Galaxy S20, S20+, and S20 Ultra?," The Official Samsung Galaxy Site. [Online]. Available: https://www.samsung.com/global/galaxy/what-is/ultrasonic-fingerprint/. [Accessed: 27-Feb-2020].
[10] "Use Touch ID on iPhone and iPad," Apple Support, 24-Apr-2019. [Online]. Available: https://support.apple.com/en-us/HT201371. [Accessed: 27-Feb-2020].
[11] "Best Practices for Seizing Electronic Evidence v4.2." [Online]. Available: https://www.cwagweb.org/wp-content/uploads/2018/05/BestPracticesforSeizingElectronicEvidence.pdf. [Accessed: 27-Feb-2020].
[12] V. Katalov, "BFU Extraction: Forensic Analysis of Locked and Disabled iPhones," ElcomSoft blog, 26-Dec-2019. [Online]. Available: https://blog.elcomsoft.com/2019/12/bfu-extraction-forensic-analysis-of-locked-and-disabled-iphones/. [Accessed: 27-Feb-2020].
[13] O. Afonin, "Forensic Acquisition: Android," ElcomSoft blog, 07-Mar-2020. [Online]. Available: https://blog.elcomsoft.com/2016/01/forensic-acquisition-android/. [Accessed: 27-Feb-2020].
[14] "Find, lock, or erase a lost Android device," Google Account Help. [Online]. Available: https://support.google.com/accounts/answer/6160491?hl=en. [Accessed: 28-Feb-2020].
[15] "Erase a device in Find My iPhone on iCloud.com," Apple Support. [Online]. Available: https://support.apple.com/guide/icloud/erase-your-device-mmfc0ef36f/icloud. [Accessed: 28-Feb-2020].
[16] V. Katalov, "The Worst Mistakes in iOS Forensics," ElcomSoft blog, 30-Jan-2020. [Online]. Available: https://blog.elcomsoft.com/2020/01/the-worst-mistakes-in-ios-forensics/. [Accessed: 28-Feb-2020].
[17] "Control airplane mode, private DNS & other network settings on Android - Android Help," Google. [Online]. Available: https://support.google.com/android/answer/9089903?hl=en. [Accessed: 28-Feb-2020].
[18] "Change access to items when iPhone is locked," Apple Support. [Online]. Available: https://support.apple.com/guide/iphone/change-access-to-items-when-iphone-is-locked-iph9a2a69136/13.0/ios/13.0. [Accessed: 28-Feb-2020].
[19] "Use Airplane Mode on your iPhone, iPad, iPod touch, and Apple Watch," Apple Support, 12-Nov-2019. [Online]. Available: https://support.apple.com/en-us/HT204234. [Accessed: 28-Feb-2020].
[20] "Connect through Bluetooth on your Android device - Android Help," Google. [Online]. Available: https://support.google.com/android/answer/9075925?hl=en. [Accessed: 28-Feb-2020].
[21] "Paint Can Faraday Cage," Alpha Rubicon, 29-Jun-2017. [Online]. Available: http://www.alpharubicon.com/elect/faradaytooshiegalore.htm. [Accessed: 28-Feb-2020].
[22] K. Curran, A. Robinson, S. Peacocke, and S. Cassidy, "Mobile Phone Forensic Analysis," International Journal of Digital Crime and Forensics, vol. 2, no. 3, pp. 15–27, 2010.
[23] O. Afonin, "iOS vs. Android: Physical Data Extraction and Data Protection Compared," ElcomSoft blog, 20-Oct-2017. [Online]. Available: https://blog.elcomsoft.com/2017/10/ios-vs-android-physical-data-extraction-and-data-protection-compared/. [Accessed: 28-Feb-2020].
[24] O. Afonin, "iOS 12 Enhances USB Restricted Mode," ElcomSoft blog, 09-Oct-2019. [Online]. Available: https://blog.elcomsoft.com/2018/09/ios-12-enhances-usb-restricted-mode/. [Accessed: 28-Feb-2020].
[25] V. Katalov, "USB Restricted Mode Inside Out," ElcomSoft blog, 12-Jul-2018. [Online]. Available: https://blog.elcomsoft.com/2018/07/usb-restricted-mode-inside-out/. [Accessed: 29-Feb-2020].
[26] O. Afonin, "iOS 11.4 to Disable USB Port After 7 Days: What It Means for Mobile Forensics," ElcomSoft blog, 09-Oct-2019. [Online]. Available: https://blog.elcomsoft.com/2018/05/ios-11-4-to-disable-usb-port-after-7-days-what-it-means-for-mobile-forensics/. [Accessed: 29-Feb-2020].
[27] M. Xu, W. Sun, and M. Alam, "Security enhancement of secure USB debugging in Android system," 2015 12th Annual IEEE Consumer Communications and Networking Conference (CCNC), 2015.
[28] "Configure on-device developer options," Android Developers. [Online]. Available: https://developer.android.com/studio/debug/dev-options. [Accessed: 29-Feb-2020].
[29] J. Han and S. Lee, "A practical approach to analyze smartphone backup data as a digital evidence."
[30] "Use iTunes to sync your iPhone, iPad, or iPod with your computer," Apple Support, 13-Feb-2020. [Online]. Available: https://support.apple.com/en-us/HT210612. [Accessed: 29-Feb-2020].
[31] "Restore your iPhone, iPad, or iPod touch from a backup," Apple Support, 09-Oct-2019. [Online]. Available: https://support.apple.com/en-us/HT204184. [Accessed: 29-Feb-2020].
[32] "What Happens When You Press that Button?" [Online]. Available: https://smarterforensics.com/wp-content/uploads/2014/06/Explaining-Cellebrite-UFED-Data-Extraction-Processes-final.pdf. [Accessed: 29-Feb-2020].
[33] "JTAG Forensics," Binary Intelligence, 25-Mar-2013. [Online]. Available: http://www.binaryintel.com/services/jtag-chip-off-forensics/jtag-forensics/. [Accessed: 29-Feb-2020].
[34] "OXYGEN FORENSICS," Oxygen Forensics - Mobile forensic solutions: software and hardware. [Online]. Available: http://www.oxygen-forensic.com/en/products/oxygen-forensic-detective. [Accessed: 29-Feb-2020].
