Hands-on Session
Technical Talk & Hands-On Session on Mobile Forensics: Report
Academic Year: 2022-23
Targeted Audience: Students from SIET CSE, ISE & AIDS
Name of the Event: Technical Talk & Hands-On
Number of Participants: 100+
Date of Conduction: 17-03-2023
Time: 3:30 PM
The mobile forensics process is broken into three main categories: seizure, acquisition, and examination/analysis. Forensic examiners face several challenges when seizing a mobile device as a source of evidence. At the crime scene, if the mobile device is found switched off, the examiner should place it in a faraday bag to prevent changes should the device power on automatically. Faraday bags are specifically designed to isolate the phone from the network. If the phone is found switched on, switching it off raises several concerns: if the phone is locked by a PIN or password, or is encrypted, the examiner will be required to bypass the lock or determine the PIN to access the device. Mobile phones are networked devices and can send and receive data through different channels, such as telecommunication systems, Wi-Fi access points, and Bluetooth. So if the phone is in a running state, a criminal can securely erase the data stored on it by issuing a remote wipe command. A phone that is switched on should therefore also be placed in a faraday bag. If possible, before placing the device in the bag, disconnect it from the network to protect the evidence by enabling flight mode and disabling all network connections (Wi-Fi, GPS, hotspots, and so on). This also preserves the battery, which drains while the device is in a faraday bag, and guards against any leak in the bag's shielding. Once the mobile device is seized properly, the examiner may need several forensic tools to acquire and analyze the data stored on the phone.
Mobile device forensic acquisition can be performed using multiple methods, which are defined later. Each of these methods affects the amount of analysis required. Should one method fail, another must be attempted; multiple attempts and tools may be necessary in order to acquire the most data from the mobile device.
Mobile phones are dynamic systems that present many challenges to the examiner in extracting and analyzing digital evidence. The rapid increase in the number of different kinds of mobile phones from different manufacturers makes it difficult to develop a single process or tool to examine all types of devices. Mobile phones are continuously evolving as existing technologies progress and new technologies are introduced. Furthermore, each mobile device is designed with one of a variety of embedded operating systems. Hence, special knowledge and skills are required from forensic experts to acquire and analyze the devices. Mobile forensics is the process of recovering digital evidence from mobile devices using accepted methods. Unlike traditional digital forensics processes, mobile forensics focuses solely on retrieving information from mobile devices such as smartphones, Android devices, and tablets. Mobile devices are a goldmine of data: these small gadgets amass huge amounts of qualitative and quantitative data that can be helpful in investigations. That is why mobile forensics is becoming important for court proceedings and civil or criminal investigations. The forensics process for mobile devices broadly matches other branches of digital forensics; however, some specific concerns apply. Generally, the process can be broken down into three main categories: seizure, acquisition, and examination/analysis.
Objectives
To disseminate knowledge of mobile forensics among students
Challenges in mobile forensics
Hardware differences: The market is flooded with different models of mobile phones from different manufacturers.
Mobile operating systems: Unlike personal computers, where Windows has dominated the market for years, mobile devices use a wider range of operating systems, including Apple's iOS, Google's Android, RIM's BlackBerry OS, Microsoft's Windows Mobile, HP's webOS, Nokia's Symbian OS, and many others.
Mobile platform security features: Modern mobile platforms contain built-in security features to protect user data and privacy. These features act as a hurdle during forensic acquisition and examination. For example, modern mobile devices come with default encryption mechanisms from the hardware layer to the software layer.
Lack of resources: As mentioned earlier, with the growing number of mobile phones, the tools required by a forensic examiner also increase. Forensic acquisition accessories, such as USB cables, batteries, and chargers for different mobile phones, have to be maintained in order to acquire those devices.
Generic state of the device: Even if a device appears to be in an off state, background processes may still run. For example, in most mobiles the alarm clock still works even when the phone is switched off. A sudden transition from one state to another may result in the loss or modification of data.
Anti-forensic techniques: Anti-forensic techniques, such as data hiding, data obfuscation, data forgery, and secure wiping, make investigations on digital media more difficult.
Dynamic nature of evidence: Digital evidence may be easily altered, either intentionally or unintentionally. For example, browsing an application on the phone might alter the data stored by that application on the device.
Accidental reset: Mobile phones provide features to reset everything. Resetting the device accidentally while examining it may result in the loss of data.
Device alteration: The possible ways to alter a device range from moving application data and renaming files to modifying the manufacturer's operating system. In this case, the expertise of the suspect should be considered.
Passcode recovery: If the device is protected with a passcode, the forensic examiner needs to gain access to the device without damaging the data on it.
Communication shielding: Mobile devices communicate over cellular networks, Wi-Fi networks, Bluetooth, and infrared. As device communication might alter the device data, the possibility of further communication should be eliminated after seizing the device.
Lack of availability of tools: There is a wide range of mobile devices. A single tool may not support all the devices or perform all the necessary functions, so a combination of tools needs to be used. Choosing the right tool for a particular phone might be difficult.
Malicious programs: The device might contain malicious software or malware, such as a virus or a Trojan. Such malicious programs may attempt to spread to other devices over either a wired or a wireless interface.
Legal issues: Mobile devices might be involved in crimes that cross geographical boundaries. In order to tackle these multijurisdictional issues, the forensic examiner should be aware of the nature of the crime and the regional laws.
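The acquisition paragraph above says that if one acquisition method fails another must be attempted, and the "dynamic nature of evidence" item says stored data is easily altered. The following Python script is an added illustration of how an examiner's tooling handles both points; it is not code from the session or from any forensic product. It tries a list of acquisition methods in order, logs every attempt (including failures) as a chain-of-custody record, hashes the first image it obtains with SHA-256, and later re-hashes the stored image to detect alteration. The device contents and the three acquisition methods are simulated stand-ins constructed for the example.

```python
"""Acquisition with fallback and evidence-integrity verification.

Added illustration, not material from the session report. The device
data and the acquisition methods below are simulated; a real tool would
read the handset over USB, JTAG or a chip-off, but the bookkeeping
(log every attempt, hash what you obtained, re-verify later) is the same.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the contents of a seized handset.
SIMULATED_DEVICE_DATA = b"sms:hello\ncall:+000000000\nphoto:0xdeadbeef\n"


class AcquisitionError(Exception):
    """Raised by a method that cannot extract data from the device."""


@dataclass
class AcquisitionRecord:
    """Chain-of-custody entry for one acquisition attempt."""
    method: str
    succeeded: bool
    timestamp: str
    sha256: Optional[str] = None
    size: Optional[int] = None
    note: str = ""


def _utc_now() -> str:
    return datetime.now(timezone.utc).isoformat()


def hash_image(image: bytes) -> str:
    """SHA-256 of an acquired image; the value recorded at acquisition time."""
    return hashlib.sha256(image).hexdigest()


def acquire_with_fallback(methods: List[Tuple[str, object]]) -> Tuple[Optional[bytes], List[AcquisitionRecord]]:
    """Try each (name, callable) in order and return (image, records).

    Methods are ordered least to most invasive (logical, file system,
    physical). Every attempt, failed or not, is logged so the report
    shows exactly what was tried on the device.
    """
    records: List[AcquisitionRecord] = []
    for name, fn in methods:
        try:
            image = fn()
        except AcquisitionError as exc:
            records.append(AcquisitionRecord(name, False, _utc_now(), note=str(exc)))
            continue
        records.append(AcquisitionRecord(name, True, _utc_now(),
                                         sha256=hash_image(image), size=len(image)))
        return image, records
    return None, records  # every method failed; the log still documents it


def verify_image(image: bytes, record: AcquisitionRecord) -> bool:
    """Re-hash a stored image and compare with the hash taken at acquisition."""
    return record.succeeded and hash_image(image) == record.sha256


# Simulated methods (hypothetical). The logical backup fails because the
# device is locked; the file-system dump succeeds.
def logical_backup() -> bytes:
    raise AcquisitionError("device locked: backup refused")


def file_system_dump() -> bytes:
    return SIMULATED_DEVICE_DATA


def physical_dump() -> bytes:
    return SIMULATED_DEVICE_DATA


DEFAULT_METHODS = [
    ("logical", logical_backup),
    ("file_system", file_system_dump),
    ("physical", physical_dump),
]


def run_demo() -> Dict[str, object]:
    """Acquire, verify, then show that a one-byte change is detected."""
    image, records = acquire_with_fallback(DEFAULT_METHODS)
    verified = verify_image(image, records[-1])
    altered = bytearray(image)
    altered[0] ^= 0x01  # simulate alteration after acquisition
    return {
        "attempts": [r.method for r in records],
        "successful_method": records[-1].method,
        "verified": verified,
        "tamper_detected": not verify_image(bytes(altered), records[-1]),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The records list is what goes into the report: it shows that the logical method was attempted and why it failed, and which method produced the image whose hash is the reference for every later comparison.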
[Photographs: glimpses of the session conduction; session flow and conduction view]
Dr. Basavesha D
HOD, Dept of CSE