See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/340939977

Mobile Forensic: Investigation of Dead or Damage Smart Phone -An Overview,

Tools & Technique Challenges from Law Enforcement Perspective.

Article · April 2020

CITATIONS READS

4 9,755

1 author:

Rhythm Kr Dasgupta
JIS COLLEGE OF ENGINEERING
16 PUBLICATIONS 11 CITATIONS

SEE PROFILE

All content following this page was uploaded by Rhythm Kr Dasgupta on 27 April 2020.

The user has requested enhancement of the downloaded file.

 Mobile Forensic: Investigation of Dead or Damage Smart Phone - An
Overview, Tools & Technique Challenges from Law Enforcement Perspective.
Rhythm Kr Dasgupta
Abstract
The rapid development and grow of the
mobile phones industry the possibility of
they are often involved in digital crimes
and digital investigation as well. Mobile
forensic is fast becoming an abbreviated
term that describes the process of applying
digital forensics in mobile phones world.
While the mobile device market provides a
great variety of manufactures and models
causing a strong diversity. It becomes
difficult for a professional investigator to
choose the proper forensics tools or
technique for seizing internal data from
mobile devices. This paper examines the
nature of some of the newer pieces of
information that can become potential
evidence on mobile phones. It also
discusses some of the emerging
technologies and their potential impact on
dead or physical damage Smart phone
based evidence. Finally, the paper gives
recommendation for following the best
practices for investigating smartphones.
Keywords: Mobile forensics, cell phone
evidence, mobile phone forensic toolkits,
digital device forensics, Embedded
System, eMMC, JTAG, SPI, UFI Box.
1. Introduction
Digital forensics is an interesting fast-paced
field that can have a powerful impact on a
wide range of situations such as internal
corporate investigations, civil litigation,
criminal investigations, information gathering,
and issues such as national security. As has
been defined by National Security Database
(NSD), digital forensics is a branch of
forensic science including the retrieval and
investigation of material found in-digital
devices, often related to computer crime.
Mobile device forensic, cellular phone
forensic or mobile forensics are all synonyms
to the same term which refers to the branch of
digital forensics that concern with recovering
of digital evidence or data from a mobile
device under forensically sound conditions.
Mobile Device forensic tool is to obtain data
from a Mobile Device without modifying the
data. Flash memory is currently the most
dominant non-volatile solid-state storage
technology in consumer electronic products.
An increasing number of embedded systems
use high level file systems comparable to the
file systems used on personal computers.
Current forensic tools for examination of
embedded systems like mobile phones or
PDAs mostly perform logical data acquisition.
With logical data acquisition it’s often not
possible to recover all data from a storage
medium. Deleted data for example, but
sometimes also other data which is not
directly relevant from a user standpoint,
can not be acquired and potentially
interesting information might be missed.
For this reason data acquisition is wanted
at the lowest layer where evidence can be
expected. For hard disk based storage
media it’s common to copy all bytes from
the original storage device to a destination
storage device and then do the analysis on
this copy. The same procedure is desired
for embedded systems with solid-state
storage media.
2. Survey on mobile forensics
The National Institute of Standards and
Technology defines mobile phone
forensics as, “the science of recovering
digital evidence from a mobile phone
under forensically sound conditions using
accepted methods”. Turning the power
failure mobile device on may cause
security protocols to reactivate, and it also
connects the device to the live network
introducing the problems previously
stated. Physical acquisitions are much
more difficult on mobile devices as they
require specialised hardware or software
and more training. Logical acquisitions
recover the files and directories of a drive;
information such as call records, text
messages and contact lists, this type of
acquisition cannot recover deleted files.
Many mobile phones come with security
software such as passwords, biometrics, or
pattern locks so the individual can protect
the data within the phone. This can cause
issues for investigators if these measures
are allowed to activate. One such way
these security measures can be activated is
due to power depletion.
Due to the nature of investigations on a
mobile phone, an exact forensically sound
reproduction may not be possible. This
issue requires investigators to take special
care in documenting all the steps taken
during the search of the device. It is
important that this recovery is done under
forensically sound conditions. There are a
number of items that must be kept in mind
when dealing with mobile forensics.
2.1 Chain of custody
Establishing and maintaining the chain of
custody (CoC) and maintaining integrity
on the mobile device can prove quite
difficult when dealing with mobile
devices. Most available forensic tools
require the investigator to install an
application to the system to be analysed.
Additionally, there is no way to physically
make file systems read-only. Investigating
the device in a test environment might be
recognised by malware and lead to
evidence loss. Acquiring evidence from
mobile devices may therefore taint the
integrity of the evidence rendering it non
admirable for trials.

2.2 Acquisition Methodology
The first principle when examining
electronic evidence is to keep data held on
a storage medium unchanged. For flash
memory wear levelling might cause
unpredictable data changes. Switching
mobile phones off and/or on has shown
data changes probably caused by wear
levelling and/or garbage collection
algorithms. The general rule of data
acquisition is to keep the number of power
cycles as low as possible.
3. Forensic Investigation Process
Mobile investigation is the process to
analyses the mobile phone to detect and
collect the evidences related to the crime.
The investigation steps are -
(i) Identification: Identifying the system or
the exhibitions that need to be investigated.
(ii) Data acquisition/ Preservation: Taking a
forensic Image or Cloning the data from the
exhibition that belongs to an identified
system.
(iii) Data recovery: Restoring or pulling out
deleted, hidden or actual data from the
image file.
(iv) Forensic analysis: Analyses the digital
artefacts inside the data that has been
recovered.
(v) Presentation of Evidences: Reporting of
evidence found during the analysis face.
4. Data Acquisition Process
The first principle when examining
electronic evidence is to keep data held on
a storage medium unchanged. For flash
memory wear levelling might cause
unpredictable data changes. Switching
mobile phones off and/or on has shown
data changes probably caused by wear
levelling and/or garbage collection
algorithms. The general rule of data
acquisition is to keep the number of power
cycles as low as possible.
In this paper three possible data
acquisition approaches are presented for
obtaining a full copy of flash memory data.
A. Flasher tools.
B. JTAG Test Access Port.
C. Chip-OFF Technique.
A. Flasher tools
The most easy and non-invasive way to
read flash data is by using a simple
hardware interface and software that
copies all flash memory data from the
target system to another system for further
analysis. Unfortunately there’s no general
method for this procedure because every
embedded system can have its own
dedicated interface to data stored in flash
memory chips. There’s also no
standardised “embedded system operating
system” with documented low level flash
memory access functions. These tools
mainly originate from two sources:
potential TAPs and manually trace or
manufacturers or service centers who use
probe to pinpoint appropriate connector
these tools for debugging and diagnostics
pins.
and sometimes for in field software
updates, and hackers who use. Step 2 – solder wire leads to the correct
connector pins or utilise a solder-less jig.
B. JTAG Test Access Port:
Step 3 – connect wire leads to an
JTAG (Joint Test Action Group) is a
appropriate JTAG emulator with support
common hardware interface that provides
for the exhibit device.
your computer with a way to communicate
directly with the chips to access raw data Step 4 – read the flash memory after
on a board. When a forensically sound selecting the appropriate device profile or
extraction options cannot acquire a m a n u a l l y c o n fi g u r i n g t h e c o r r e c t
physical image or when a device is processor/memory settings.
logically damaged or “bricked”. A JTAG
test access port is normally used to test or Step 5 – analyse the extracted data using
debug embedded systems but can also be industry standard forensic tools and
used to access flash memory. The majority custom utilities.
of our JTAG engagements involve
Android phones which are pattern locked
and cannot be bypassed by other means.
We also regularly JTAG prepaid cell
phone models (such as RIM, Net10 and
Virgin) which have their data ports
intentionally disabled by the
carrier.Generally JTAG acquisition is an
extremely effective technique that Binary
Figure 1: Mobile phone ISP Pinout for JTAG
Intelligence utilises to extract a full
physical image (with unallocated space)
from devices that cannot be acquired with
normal tools.

Basic steps of a JTAG forensic

examination

Step 1 – identify TAPs by researching

documented devices. When TAPs are
Figure 2: JTAG Pin Connected to UFI Box
unknown, inspect the device PCB for
 C. Chip-OFF Technique
"Chip-off" is a technique based on
physically remove a flash memory chip
from a PCB of mobile and read this flash
memory chip with a memory chip
programmer or reader. This is the most
difficult way of data extraction from
mobile phone, video gaming systems,
tablets and network devices. This method
can be used when JTAG is not available
and software tools are failed. This
recovery method works on newer devices
that store data on eMMC or eMCP flash
memory chips and recovered through the
device’s test points in order to bypass
security and perform memory acquisitions
and analysis of this evidence. This
methods starts with de-solder chips from a
PCB for that need an IR station or more
inexpensive Hot Air Gun station with Pre
Heating Station. A chip usually has to be
prepared for further processing (cleaning
and restoring connections) after removing.
It’s difficult to name the model, because
lots of them have the same features.
Data extraction equipment Chips in mobile
devices (eMMC) have interface similar to
SD cards (but eMMC has 8 bit data bus,
SD card – maximum 4 bit). All eMMC can
work on 1 bit bus. But if we use this
feature for data extraction, it will take too
much time. So we need same equipment as
for SD cards and also adapters for chips.
Figure 3: UFI Toolkit
Advantages / disadvantages of Chip-OFF
Technique:
⁃ It can be guaranteed that no data is
written in flash memory because the
embedded system stays powered
down.
⁃ Data from broken or damaged
device can be recovered.
⁃ A complete forensic image can be
produced (all data, inclusive spare
area, bad blocks etc).
⁃ A disadvantage is that there is a risk
of damaging the flash memory chip
due to the heat for de-soldering.
⁃ Requires a high skill level,
disassembling the device and de-
solder flash memory chips.
⁃ Cannot overcome encryption. As if
encryption is enabled you will
extract a raw encrypted image.
⁃ Slow acquisition speed.

Above those technique used in mobile
forensic taking a forensic Image or
Cloning (all data, inclusive spare area, bad
blocks etc) the data flash memory chip.
Figure 4: UFI Box Interface for data Dump
5. File System Analysis & Evidence
Searching:
This step is more of a technical review
conducted by the investigative team on the
basis of the results of the examination of
the evidence. Data acquisition as described
in the previous results in one or more
binary files containing linear bitwise
copies of flash memory data. Identifying
relationships between fragments of data,
analyzing hidden data, determining the
significance of the information obtained
from the examination phase,
reconstructing the event data, based on the
extracted data and arriving at proper
conclusions etc. are some of the activities
to be performed at this stage.
Flash file systems for example often
contain different versions of the same data
objects because flash memory can’t be
erased in small quantities. Especially for
small objects (much smaller than one flash
block) with a high update frequency, a lot
of old versions might exist outside of the
normal high level file system. For FAT file
systems the FAT and directory entries are
interesting candidates for advanced
analysis because of their size, update
frequency and evidence value. A common
forensic tool will show the last version of
the directory, possibly with some files
marked as deleted but from the other
versions of the directory data a lot of the
user behaviour can be reconstructed.
The National Institute of Justice (2004)
guidelines recommend timeframe analysis,
hidden data analysis, application analysis
and file analysis of the extracted data.
Results of the analysis phase may indicate
the need for additional steps in the
extraction and analysis processes. It must
be determined whether the chain of
evidence and timeline of the events are
consistent. Using a combination of tools
for analysis will yield better results. The
results of analysis should be completely
and accurately documented.
6. File System Analysis Tools:
Early phones did not have the capacity to
store large amounts of information so law
enforcement officers did not need to access
mobile phone handsets to get information
on a suspect. The focus was more on
phone records from the
telecommunications companies.
Nowadays, mobile phone have large
storage capacity and a wide array of
application and connectivity options
besides connectivity with the
telecommunications provider. Mobile
phone forensic tools and toolkits are still
immature in dealing with these advances
in mobile phone technology. Mobile
forensic toolkits are developed by third
party companies and the toolkits are not
independently verified or tested for
forensic soundness. The developers of the
toolkits admit to using both, manufacturer
supplied and self developed commands
and access methods to gain data access to
memory on mobile devices.
Some Mobile forensic tools are - Encase,
FTK AccessData, R-Studio, and TSK,
BitPim, Manifest Explorer, Oxygen
Forensic, MOBILedit.
7. Conclusion & Future Scope:
No doubt, mobile forensics or digital
forensic investigation for mobile devices is
the fastest growing and evolving digital
forensic discipline. The digital forensic
process for any devices is consisted of
different steps, starts with the
identification, data acquisition, data
recovery, forensic analysis and
presentation of evidences. While the
specific details of the examination of each
device may differ, the adoption of
consistent examination processes will
assist the examiner in ensuring that the
evidence extracted from each phone is
well documented and that the results are
repeatable and defensible in court.
The future of forensic tools might be able
to improve the power and efficiency of
embedded file systems (e.g. Android,
Windows mobile, IOS etc) examinations
for reasonably skilled IT professionals.
That may be very helpful to detect crimes
and to collect evidences.
Abbreviations
FAT - File Allocation Table.
PCB - Printed Circuit Board.
PDA - Personal Data Assistant.
LBA - Logical Block Address.
LBN - Logical Block Number.
LSN - Logical Sector Number.
USB - Universal Serial Bus.
I/O - Input/Output
WiFi – Wireless Fidelity
FFS - Flash File System.
FSD - File System Driver.
OS - Operating System.
CFI - Common Flash Interface.
FTL - Flash Translation Layer.
JTAG - Joint Test Action Group.
SCSI - Small Computer System Interface.
API - Application Programming Interface.
RAPI - Remote Application Programming
Interface.
TSK - The Sleuth Kit.
TSOP - Thin Small-Outline Package.
IMSI – International Mobile Subscriber
Identity
IMEI – International Mobile Equipment
Identity
SDK – Software Development Kit
SHA1 – Secure Hash Algorithm, version 1
REFERENCES:

[1] Garfinkel, Digital Forensics Research: The Next 10Years, Digital Investigation, 7 (2010), S64-S73.
[2] AccessData. (n.d.). Mobile Phone Examiner. Retrieved May 15, 2010, from AccessData: http://www.accessdata.com/
mobilephoneexaminer.html
[3] R. Ayers, W. Jansen, L. Moenner, and A. Delaitre, CellPhone Forensic Tools: An Overview and Analysisupdate,
NISTIR 7387, 2007.
[4] Oxygen Forensic . (n.d.). Oxygen Forensic Suite 2010. Retrieved May 15, 2010, from Oxygen Forensic: http://
www.oxygen-forensic.com
[5] Android Inc. (n.d.). What is Android|Android Developers. Retrieved May 23, 2010, from Android Developers: http://
developer.android.com/guide/basics/what-is- android.html
[6] Rick Ayers, Wayne Jansen, Nicolas Cilleros, and Ronan Daniellou. (October 2007). retrieved from Cell Phone
Forensic Tools: An Overview and Analysis. National Institute of Standards and Technology http://csrc.nist.gov/
publications/nistir/nistir-7100-PDAForensics.pdf
[7] Paraben Corporation. (n.d.). Device Seizure. Retrieved May 29, 2010, from Paraben Corporation http:/www.paraben-
forensics.com/device-seizure.htm
[8] Lim, N., & Khoo, A. (2009, June). Forensics of Computers and Handheld Devices: Identical or Fraternal Twins?
Communications of the ACM , pp. 132-135.
[9] Apple Inc. (n.d.). iPhone Technologies Overview. Retrieved May 22, 2010, from iPhone Reference Library: http://
developer.apple.com/iphone/library/documentation/Mi scellaneous/Conceptual/iPhoneOSTechOverview/iPhoneOS
Technologies/iPhoneOSTechnologies.html#//apple_ref/doc/u id/TP40007898-CH3-SW1
[10] Symbian Foundation. (n.d.). Symbian Software Model. Retrieved May 23, 2010, from Symbian Developer
Community: http://developer.symbian.org/wiki/index.php/Symbian_Syste m_Model
[11] Guidance Software. (n.d.). EnCase Neutrino. Retrieved May 28, 2010, from Guidance Software:
[12] Klaver, C. (2010). Windows Mobile Advanced Forensics. Digital Investigation, Volume 6, Issues 3-4, Pages
147-167, May 2010,
[13] Mislan, R. (2008). Mobile Device Analysis. Small Scale Digital Device Forensics Journal .
[14] Schiffman, J. (2010). Blackberry OS Report 2. Retrieved May 24, 2010, from http://www.cse.psu.edu/~enck/
cse597a- s09/slides/appmodel_blackberry.pdf
[15] Wayne Janson and Aurélien Delaitre, Mobile Forensic Reference Materials: A Methodology and Reification,
National Institute of Standards and Technology, http://csrc.nist.gov/publications/nistir/ir7617/nistir-7617.pdf
[16] Casey, E., Bann, M., & Doyle, J. (n.d.). Introduction to Windows Mobile Forensics. Digital Investigation Volume 6,
Issues 3-4, Pages 136-146, May 2010

View publication stats